Remote users that utilize VPN connectivity can be serviced by a dedicated
Replica WSUS Server that is configured to not maintain a local content
store. These machines will obtain approvals for updates from the replica
server, but download content from Microsoft.com. The content can be
downloaded anytime the remote user is connected to the Internet, without
being dependent on the VPN connection.

Users that do not implement regular VPN connectivity to the corporate office
should be configured as Automatic Updates clients with installations
scheduled to occur at a specified time or upon restart if the scheduled
event is missed (which is the default behavior of the WUAgent).

WSUS can be published via ISA/TMG; however, you need to implement some sort
of methodology to ensure authentication/identification of the clients. The
WSUS EULA prohibits open publishing of a WSUS server to the "Internet".
Because WSUS is an *anonymous* service, some other form of authentication
must be involved. Typically this is VPN connectivity. Where VPN connectivity
is not employed, two theoretical methodologies are available: Client-Side
Certificates and Reverse-Proxy with Authentication -- neither of which, to
my knowledge, have actually been successfully implemented in a production
environment.