As I know Landesk communicate with the agents via the cba_anonymous user. The users credentials are getting encrypted from the server and if he can connect the client is landesk "pingable" (LDPing). The password is only stored client side. But landesk supporter told me the password regenerated after each communication. About the User you can find more details in this document What is the cba_anonymous account? / How does LANDESK manage client access? / Is there a way to remove the cba_anonymous account after an install and a log off? / Can I disable the cba_anonymous account?
Maybe you don't let all ports through your VPN connections? Ports used by LANDESK Management Suite - Full List