By ‘airgap’, do you mean that your Bigfix Server cannot reach the Internet? That works, and works well.
Do you mean that the clients cannot reach the Bigfix Server? You can put Relays in to shape the traffic flow, but you do need network traffic between the clients and the server (or relays). It can be one-direction in that the clients initiate the connection, but they will both download content/patches, and post results to the server.
Bigfix can fully replace WSUS, SCCM, MDT, Satellite Server, and many others.
Microsoft and third-party fixes are downloaded by the Bigfix Server and cached there, and provided to the clients. The few exceptions are third-party fixes that require some kind of paywall or whose license requires you to download the files and store them on the server manually (i.e. Oracle Java).