With zabbix 2.0 you introduced the ability for administration scripts to be run on the agent. As far as I understand zabbix trapper functionality is used for this feature, making it mandatory to have a direct connection to the agent port.

This is great for agents and server in the same network, but with agents behind a NAT, zabbix trapper cannot be used and there is no possibility to run scripts on the host on demand.
An extension of the feature would allow for a new type of script (Zabbix agent (active)). Running this type of script would queue the operation for the specified host and wait for the agent to connect to the server (active checks). When the agent connects to the server it reads the script queue and executes them.

There could be a configurable timeout. When running this type of script, a dialog would stay opened with a message like "Waiting for agent to pickup script command..." and change into an error if the server was not contacted by the agent in the specified timeout.