No Problems Paul ,
Yeah , would be best in your scenario really.
Agentless Scan/Deploy can run into some difficulty going across Domains , Especially if you are using Machine name to configure your Machine Groups. IPAddress would be best generally.
You have the added complication of the Domains not having trust , so you are going to run into some Security / Credential issues.
Agents the way to go i feel.
Regarding Ports , I found a KB which has a more complete explanation
kb.vmware.com/kb/2007451
Port requirements for Agents are little less, but depending on your configuration. Whether you are using a Distribution Server , Using Listening Agents etc.
Generally Port 4155 and the File Share ports on the Agent Machine
Port 3121 on the Console Server for sure too so Agent can check in.
Best to follow the above KB at first and lock down after.
If you want to delve more into the configuration and setup there is lots of documentation available here.
http://www.shavlik.com/support/onlinehelp.aspx
Any problems or run into any issues you can always open a support ticket. We will be more than happy to help you out
Thanks
Anthony ,