We are looking for options to deploy the Insight Agent in a secured environment. The environment does not have direct internet access. We will place a Collector in a DMZ and allow the agents to talk to the collector. We need a way to point the Agents at the Collector for registration at the time of install. Also, we will need to be able to replicate this using package push to install agent updates in the same environment.
Hey @cpoulter, did you have a look at this?
https://docs.rapid7.com/insight-agent/proxy-configuration
Hope this helps.
You can use the proxy parameter over port 8037 to point a particular agent to a specific collector at install time. Alternatively, if you use the Certificate Package installation method, it comes with the config.json, which contains all installed collectors' FQDNs for use.
By default the agent will try all available collectors and the endpoint directly on a schedule; this is by design. However, the agent will prefer the collector defined as a proxy, as documented here:
You can specify a Collector as your proxy
If you’ve already deployed one or more Collectors in your environment, you can target one of them to use as a proxy for this use case. The Insight Agent’s collection tasks do not distinguish between a Collector or another proxy type. Specifying either achieves the same goal of reaching the internet.
The proxy-port must be set to 8037 in accordance with Collector requirements.
msiexec /i agentInstaller-x86_64.msi CUSTOMTOKEN=: HTTPSPROXY=10.1.2.3:8037
https://docs.rapid7.com/insight-agent/proxy-configuration/
David
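An install wrapper for the package-push case raised in the question, built on the msiexec command quoted above. This is an added example, not code from Rapid7 or from the posters; the parameter names, the log path and the exit code used for an unreachable Collector are assumptions, and the CUSTOMTOKEN value is a placeholder you supply.

```powershell
# Added example: push-deployable Insight Agent install that pins the agent to a
# DMZ Collector as its proxy. Parameter names and the log path are assumptions.
param(
    [Parameter(Mandatory)] [string] $CollectorHost,   # Collector IP or FQDN (10.1.2.3 in the thread's sample)
    [Parameter(Mandatory)] [string] $CustomToken,     # placeholder: full CUSTOMTOKEN value for your organization
    [string] $MsiPath       = '.\agentInstaller-x86_64.msi',
    [string] $LogPath       = "$env:TEMP\insight_agent_install.log",
    [int]    $CollectorPort = 8037                    # port stated in the quoted documentation
)

if (-not (Test-Path -LiteralPath $MsiPath)) {
    Write-Warning "Installer not found: $MsiPath"
    exit 1
}
$msiFull = (Resolve-Path -LiteralPath $MsiPath).Path

# Check the firewall path to the Collector first, so a blocked host fails
# visibly in the push job instead of installing an agent that cannot register.
$probe = Test-NetConnection -ComputerName $CollectorHost -Port $CollectorPort `
                            -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Warning "Cannot reach ${CollectorHost}:$CollectorPort; check the DMZ firewall rule."
    exit 2
}

# Same properties as the command in the thread, plus silent mode and a verbose log.
$msiArgs = @(
    '/i', "`"$msiFull`"",
    "CUSTOMTOKEN=$CustomToken",
    "HTTPSPROXY=${CollectorHost}:$CollectorPort",
    '/qn',
    '/l*v', "`"$LogPath`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success with reboot pending; anything else is a failure.
if ($proc.ExitCode -notin 0, 3010) {
    Write-Warning "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
}
exit $proc.ExitCode
```

Because the token is passed on the command line, restrict who can read the push job definition and the verbose MSI log, which records the properties passed to the installer.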