The KB below is packed with information and trouble shooting steps.
Microsoft KB article How to install and manage Microsoft Operations Manager 2005 agent computers that are behind a firewall or in an untrusted domain http://support.microsoft.com/kb/904866

 

The majority of the problems I've encountered are usually related to, Naming resolution and firewall ports.

 

Requirements for MOM agents that are behind a firewall
The following ports must be open TCP port 1270 and UDP port 1270, and it must be bi-directional.
Also note that the agent must be manually installed on the DMZ host, and updates must be manually applied too.

The following should be done prior to manually installing the agent on the DMZ host.

1. Use the host file on mom server to resolve the fqdn name of the DMZ host.
2. Use the host file on the agent computer to resolve the fqdn name(s) of the MOM Server(s).
3. After modifying and saving the changes to the host file, open a command prompt and run the following command nbtstat -RR.
4. To verify that the proper ports are opened up on the firewall, from the MOM 2005
Resource Kit use the MOM Remote Pre-requisite Checker, from the Management Server.
Use the computer name that was added to the host file, to run the diagnostic. The tool runs 14 different tests trying to access the computer that was specified. The Channel test is the one that needs to be passed in order for the MOM agent to function properly.

A problem that I've run into more than once
A DMZ host does not ever send a heartbeat, or the heartbeat stops updating information to Management server.
This is usually a problem with UDP port 1270 going from the DMZ agent to the Management Server.