Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

MPS: Why does this need both SOCKS5 and STunnel?

mugwump
Beginner
1,978 Views
Hi,

The config instructions for MPS include both SOCKS5 stuff and STunnel. But it sounds like both of these are proxying tools. Is STunnel used for the legacy SOAP API and SOCKS5 for WS-Management? Clarifying this in the documentation, maybe along with a diagram showing the connections between the 3 MPS components, would be a big help.
0 Kudos
1 Solution
Ajith_I_Intel
Employee
1,978 Views
Hi mugwump,
I would recommend that you take a look at the Intel AMT Remote Access Overview.pdf document in the SDK. The second figure in that document clearly indicates the different components needed for the vPro Enabled Gateway (aka MPS).

The vPro Enabled Gateway is intended to reside in the DMZ and support internet- and intranet-facing traffic. On the internet-facing side, all of the communication from the vPro Enabled Gateway to Intel AMT clients needs to be encrypted, and we use TLS for that. Stunnel is a product that we used in our reference implementation that is responsible for TLS encryption.

On the intranet-facing side, we need to support multiple types of traffic from management console(s). Many operations with Intel AMT are performed using HTTP traffic (both SOAP and WS-Man), and SOL/IDE-R traffic is TCP/IP traffic. So in order to support these two types of traffic, we chose to use an HTTP proxy for HTTP traffic and a SOCKSv5 proxy for SOL/IDE-R traffic. In the SDK, you will see references to 3Proxy or Apache as the tool being used for the proxy server.

For the vPro Enabled Gateway, its configuration needs to expose settings for both its internet- and intranet-facing sides. For the internet-facing side, it needs a port where stunnel can hand off AMT traffic to the vPro Enabled Gateway.
For the intranet-facing side, it needs the SOCKS proxy port, the HTTP proxy port and the IP address of the proxy server (Apache or 3Proxy).

In addition to these settings, there are other authentication options that can be configured, and these are optional. Hope this helps clarify your questions. Once again, please do read the Intel AMT Remote Access Overview.pdf document; it will answer most of these commonly asked questions. If you are still confused by that document, let us know how we can improve the document and we will make our best effort to make that happen.

Thanks,
Ajith

0 Kudos
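The split described in the answer above (an HTTP proxy for SOAP/WS-Man, a SOCKSv5 proxy for raw SOL/IDE-R TCP) can be seen in what a console actually sends to each proxy. This is an added example, not code from the thread or the Intel SDK; it builds and parses SOCKS5 messages per RFC 1928, and the host name, the ports 16992/16994 and the `/wsman` path are assumed sample values.

```python
import ipaddress
import struct

VER, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

def socks5_greeting(methods=(0x00,)):
    """VER, NMETHODS, METHODS; 0x00 means 'no authentication required'."""
    return bytes([VER, len(methods), *methods])

def socks5_connect_request(host, port):
    """VER, CMD=CONNECT, RSV, ATYP, DST.ADDR, DST.PORT for any TCP destination."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:  # not an IP literal: send the name, the proxy resolves it
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0, atyp]) + addr + struct.pack("!H", port)

def socks5_parse_reply(data):
    """Return (succeeded, bound_addr, bound_port); reject malformed replies."""
    if len(data) < 5 or data[0] != VER or data[2] != 0:
        raise ValueError("not a SOCKS5 reply")
    atyp = data[3]
    if atyp == ATYP_DOMAIN:
        alen, off = data[4], 5
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        alen, off = (4 if atyp == ATYP_IPV4 else 16), 4
    else:
        raise ValueError("unknown address type")
    if len(data) != off + alen + 2:
        raise ValueError("truncated or oversized reply")
    raw = data[off:off + alen]
    addr = raw.decode("ascii") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    return data[1] == 0, addr, struct.unpack("!H", data[off + alen:])[0]

def http_proxy_request_line(host, port, path):
    """An HTTP proxy only understands HTTP: the request line carries an absolute URI."""
    return f"POST http://{host}:{port}{path} HTTP/1.1\r\n".encode("ascii")

if __name__ == "__main__":
    # Constructed sample values: host name, ports and path are assumptions.
    print(socks5_greeting().hex())
    print(socks5_connect_request("amt-client.example", 16994).hex())
    print(socks5_parse_reply(bytes.fromhex("050000010a0000050438")))
    print(http_proxy_request_line("amt-client.example", 16992, "/wsman"))
```

After a successful SOCKS5 reply the connection is an opaque byte stream, which is why it suits SOL/IDE-R, while the HTTP proxy can only forward HTTP requests.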
4 Replies
Lance_A_Intel
Employee
1,978 Views

SOCKS5 is a protocol and STunnel is an application.
I'll see if we can have the documentation explain their use more clearly.
0 Kudos
mugwump
Beginner
1,978 Views
Thanks all, makes sense now.
0 Kudos