For your first question, a cloud agent would be the best option. I have included the linked document below on how to set up and configure the cloud agents. The agent will be installed on the off-network machines; they will run off a policy you set in the console and have uploaded to our cloud servers. The agent will check in to our cloud servers and will download patches directly from the vendors, making it so you do not need to set up a distribution server. Their scan results will sync down to your console from the cloud servers for reporting.
Your other set of questions may be best addressed by sales, but yes, that is the product that you would use to patch anything outside of the Windows OS. It does work with CentOS, and you should be able to run both on the same server. At this time the interfaces are separate.