We used to have a machine in a subnet that had no rights to originate traffic to the console machine. Scanning and deployments still worked, but the deployment tracker never saw the patches run.
The results of your deployments are sent back to the console machine on port 3121. If it is not open outbound from your target machines to the console, the deployment status is not going to be known for these targets on your console machine.
This will also mean that you would not receive Tracker updates from the Target Machine during the deployment process.
If this is the case then why does the documentation http://www.shavlik.com/assets/docs/bp-prt-8-0-2.pdf pg 4 state that Port 3121 outbound from the Client is only required for Agents? This is very confusing.
I currently only have Port 3121 inbound on my console and have tested a deploy to an agentless system in another domain. I can scan the machine and it reports missing patches, and I can also track the deployment successfully.
I confirmed with development that the deployment tracker is sending outbound on TCP 3121 so chances are that your systems are just not blocking outbound 3121. I apologize for the confusion in the documentation. I'll be escalating this as a documentation defect so the documentation should be updated in a future version.