To allow the Remote clients to be manageable, they will need to be “reachable”. Either directly by the BigFix Server or from a BigFix Relay that can be reached by the BigFix server. The usual protocols (TCP/52311 from the client to the Relay/Server, and UDP/52311 from the Relay/Server to the Client) still apply. If you are crossing the Internet, I recommend encrypted communications between Relay and Clients.
With the newest BigFix version, I believe there is a new way to do this without the Relays by having a client perform some of the work.