Here are some things I've noticed for NAT mode SMs.
Canopy:
cnMaestro communications from the SMs happen over the Remote Configuration Interface (in Standalone Config mode). This is good.
ePMP:
cnMaestro communications from the SMs use the SM's main wireless interface, not the Separate Wireless Management Interface. As far as 2.6.2.1 anyway.
The Canopy Remote Configuration Interface has its own preferred and alternate DNS server fields. I like this. ePMP does not. I hate this.
cnMaestro communications from ePMP SMs should originate from the Separate Wireless Management Interface like Canopy.
DNS lookup for the cnMaestro URL on ePMP uses all four configured DNS servers. It's either querying them all simultaneously or quickly round-robining all four. Canopy uses the Remote Config interface DNS servers to look up the cnMaestro URL.
A secure management domain within a network + cnMaestro + ePMP in NAT mode would not be possible. I see no issues with Canopy in this scenario.
I think it would be a good idea for the ePMP developers to take a close look at the way ePMP NAT mode is actually functioning. Specifically with the separate management interface enabled (hopefully everybody uses this). The main wireless interface should be used for moving/translating LAN traffic ONLY. The separate management interface should be used for all management, cnMaestro, etc. communications.
Just some observations. Don't hit me. :)