Man do i understand your frustration with Veritas "answers" - i use the term loosely! - that seem to ignore all the detailed information you have provided!
I am working with this same thing right now.
To get the agent onto the isolated server, I put the agent file set there (ftp) and ran the install locally. On your media server, you need the files in "...\program files\veritas\backup exec\nt\agents\rant32". You can't run setup.exe in Windows, but the two *.cmd files do it for you - setupaa.cmd for just the agent, setupaofo.cmd for the agent + AOFO.
Next, you need to run the installed "...\program files\veritas\backup exec\RANT\vxmon.exe". This puts an icon in the system tray. Right-click and choose options. On the 'advertising' tab, add the IP address of your media server. Apply. (Naturally you need to have in place all the routing to get to that server). Also re-start the Backup Exec remote agent service.
I believe you need the ports specified in that earlier document you referenced.
In addition, on your media server, under 'Tools | Options | Network & Firewall', you want to enable a selected dynamic port range. The help file and wording are a little confusing here. AND, this is where i'm having trouble.
For the media server range, I have 50101 - 50120
For the remote agent range, I have 10000 - 10010
Now, as I understand it, when the connection is first made (on port 10000), that packet should contain the "port to use" for the reply (from my 50101-50120 range). This does not appear to be working - the reply comes back on a random port.
Again, when the data transfer takes place, the remote agent server correctly uses port 10001, the next in the range, but again, the reply comes back on a random port. (You can see all this info in the job log).
I'm working on this today, and will be opening a support call if I can't get it to work.