You will need to be able to obtain the definitions/binaries for vCenter Protect as well as any patch files that are required for applying patches.
The best way is to have a separate console that is online. Then you can just manually copy the files over.
Otherwise this KB article may be helpful:
It will also help to review the following Help article within Protect:
As adamg23 pointed out, the best method to do this is with an disconnected console configuration method. I use this for a customer and have deployed agents since they have restricted access to netBIOS and RPC ports. The distribution server should assist you though since the console will push the updates to that server instead of the server going out over the internet to get patches and engine information.
My only complaint is that agents are a lot more work and less intiuitive to use than the agentless machines I manage. I've feature requested that agents should be able to function just like agentless machines (for example, policies and on-demand patching) but I haven't heard back on this request.
This is a little off topic of the main discussion here, but...
You can do on-demand patching with the agents. From Protect go to Machine View or Agent Manager, and you can right click > choose Agents > Run task from policy > then choose the patch, threat, or asset task you want it to run.
It's a little more limited because you cannot specifically choose the patches to deploy. It just runs the task based on what is set up in your policy, but you can create multiple patch tasks for different purposes to make this a little easier.