If you have agents in an untrusted domain/forest or workgroup you will have to install certificates in the environment and either manag the agents through a gateway (minimal number of certs) or by installing certs on the agents directly (many more certs).
