Hi,
not sure if this is what you mean but we run Endpoint protection plus on pcs spread across 20 plus locations. Head office pcs obviously connect over our LAN but the remote machines connect into Avast SOA via broadband (We don't have a VPN). We then set up a number of groups within Avast SOA that controls the settings for the various shields depending on the requirements.
The setup involved installing Avast on each client, including netclient, then changing the settings in Avast for each client to include the IP address of the SOA server (settings-troubleshoot-Avast administration console) and making sure that the appropriate ports are open on the client routers, if I recall the details are in the avast SOA install guide. We then get reports of scans and shield activity via the SOA console, can check on definitions update status, schedule scans and amend shield settings from our central console.
This seems to work well for us, apart from the occasional instance where PCs appear offline, and a restart of the netclient service or pc reboot is needed (I have posted another thread about this issue)
Hope this helps.