Zero-Touch config with AD Domain Controller behind VPN

cheechleo
New Contributor

Trying to set up a zero-touch config for new out-of-box Macs sent to our remote users. This process fails at the bind, as our Domain Controller is behind our corporate VPN firewall.

Our network team is willing to create an ipsec end-point to reach the DC via an L2TP tunnel.

Does anyone have any experience in this area? Or any pointers/advice on how to get a tunnel up on the Mac side before the user logs in to the machine?

Any assistance is appreciated.

Thanks!
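A pre-flight check for the bind step described above, as an added example that is not part of the original thread: it probes the candidate bind targets (the internal DC, which is only reachable once a VPN is up, or a read-only LDAP relay in a DMZ) and returns BIND or DEFER so an enrollment policy can retry the bind later instead of failing the whole zero-touch run. It assumes the enrollment workflow can run a script before the bind command and act on its exit code; all hostnames are constructed placeholders.

```python
"""Pre-flight check for the AD bind step of a zero-touch (DEP) enrollment.

Added example, not code from the original thread.  Meant to run from the
enrollment policy before the bind command: probes each candidate bind target
(internal DC, reachable only once a VPN is up, or a read-only LDAP relay in
the DMZ) and returns BIND or DEFER so the policy can retry later instead of
failing the whole enrollment.  All hostnames are constructed placeholders.
"""
import socket
import sys
from typing import Callable, Dict, List, Optional, Tuple

Target = Tuple[str, int]
Probe = Callable[[str, int], bool]

# Preference order: LDAPS to the DC, LDAPS to the DMZ relay, plain LDAP to the DC last.
BIND_TARGETS: List[Target] = [
    ("dc01.corp.example.invalid", 636),
    ("ldap-relay.dmz.example.invalid", 636),
    ("dc01.corp.example.invalid", 389),
]

def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP connection to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # DNS failure, refused, unreachable or timed out
        return False

def first_reachable(targets: List[Target], probe: Probe = tcp_reachable) -> Optional[Target]:
    """Return the first target the probe reports reachable, or None."""
    for host, port in targets:
        if probe(host, port):
            return (host, port)
    return None

def bind_decision(targets: List[Target], probe: Probe = tcp_reachable) -> Dict[str, str]:
    """BIND with host/port/transport (636 -> ldaps, 389 -> plaintext ldap) if a target answers, else DEFER."""
    target = first_reachable(targets, probe)
    if target is None:
        return {"action": "DEFER", "reason": "no bind target reachable"}
    host, port = target
    return {"action": "BIND", "host": host, "port": str(port),
            "transport": "ldaps" if port == 636 else "ldap"}

if __name__ == "__main__":
    decision = bind_decision(BIND_TARGETS)
    print(decision)
    sys.exit(0 if decision["action"] == "BIND" else 1)  # non-zero: bind pending
```

A DEFER result (exit code 1) is the signal for the policy to leave the bind pending and retry once the VPN or relay is reachable, rather than treating the failed bind as a failed enrollment.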


KSchroeder
Contributor

We had the same requirement, using hosted JSS, and our security team was NOT going to poke a hole from external all the way into the internal network to get to a DC. The workaround we used was with "VDS" (Virtual Directory Services); I think it is part of the Novell Identity suite. Basically, it lets you stand up an LDAP relay in the DMZ that has a very specific "view" of your internal AD domain/forest, with custom login info, etc. The firewall is also set to only allow the traffic from our JSS host in jamfcloud.com, and it is read-only (though I suppose it could be r/w if that was needed, but it isn't in our current implementation).

So, that might be an option for you... not sure about standing up an L2TP tunnel, particularly in the setup wizard. I think Apple would have to enable that through some heavy changes to the DEP configurations.