As adamg23 pointed out, the best method to do this is with a disconnected console configuration method. I use this for a customer and have deployed agents since they have restricted access to NetBIOS and RPC ports. The distribution server should assist you though since the console will push the updates to that server instead of the server going out over the internet to get patches and engine information.
My only complaint is that agents are a lot more work and less intuitive to use than the agentless machines I manage. I've feature requested that agents should be able to function just like agentless machines (for example, policies and on-demand patching) but I haven't heard back on this request.