This question is not related specifically to Forefront but rather is a general architecture question about the DMZ. Sorry if I am asking in the wrong place, as I am not sure where else to direct this question.
Scenario:
1. Let's say we want to expose certain internal data to the public via web service
2. We write web services that are hosted on a dedicated internal server.
Q - how do we securely expose these web services in DMZ so that
a) our hosted applications in DMZ can call them?
b) the public can hit them directly? (lower priority)
3. Network team says they will not allow calls directly from our web DMZ layer to the internal server. We have WAF and IPS protection before any traffic hits the DMZ.
4. The network team prefers us to route our web service calls to the DMZ app layer, which in turn can call our 'trusted' internal web services. This creates complexity when trying to troubleshoot issues, and we would like to avoid the extra layer if possible.
Q. - How have you guys done this for your company/clients?
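The DMZ app layer described in point 4, as an added example in Go that is not part of the original post. It shows what that extra hop is for when it is built deliberately: a deny-by-default relay that forwards only an allow-listed set of paths and methods to one trusted internal upstream, strips public-side credentials before forwarding, and authenticates itself to the internal service with its own client certificate. The upstream address, the route list, the certificate file names and the `MTLSTransport` helper are assumptions for illustration, not anything from the question.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// Route is one internal operation the DMZ relay is permitted to expose.
// Anything not listed here never reaches the internal service.
type Route struct {
	Prefix  string   // path prefix on the internal service, e.g. "/api/v1/orders"
	Methods []string // HTTP methods allowed on that prefix
}

// Relay is a deny-by-default reverse proxy sitting in the DMZ app layer.
type Relay struct {
	routes []Route
	proxy  *httputil.ReverseProxy
}

// NewRelay wires the relay to one trusted internal upstream. Pass a transport
// from MTLSTransport so the internal host can authenticate the relay by certificate.
func NewRelay(upstream *url.URL, routes []Route, transport http.RoundTripper) *Relay {
	p := httputil.NewSingleHostReverseProxy(upstream)
	if transport != nil {
		p.Transport = transport
	}
	base := p.Director
	p.Director = func(r *http.Request) {
		base(r)
		r.Host = upstream.Host
		// Public-side credentials must not be forwarded; the relay authenticates
		// itself to the internal service with its own client certificate.
		r.Header.Del("Cookie")
		r.Header.Del("Authorization")
	}
	return &Relay{routes: routes, proxy: p}
}

// match reports whether the path hits a listed prefix and whether the method
// is allowed on it, so the caller can answer 404 versus 405.
func (rl *Relay) match(method, p string) (prefixHit, methodOK bool) {
	for _, rt := range rl.routes {
		if p != rt.Prefix && !strings.HasPrefix(p, rt.Prefix+"/") {
			continue
		}
		prefixHit = true
		for _, m := range rt.Methods {
			if m == method {
				return true, true
			}
		}
	}
	return prefixHit, false
}

// ServeHTTP enforces the allow-list before anything is proxied.
func (rl *Relay) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Refuse paths that are not already canonical ("..", double slashes) or that
	// carry escapes the parser could not normalise, rather than trusting the
	// upstream to interpret them the same way the allow-list did.
	if path.Clean(r.URL.Path) != r.URL.Path || r.URL.RawPath != "" {
		http.Error(w, "bad path", http.StatusBadRequest)
		return
	}
	prefixHit, methodOK := rl.match(r.Method, r.URL.Path)
	switch {
	case !prefixHit:
		http.NotFound(w, r)
		return
	case !methodOK:
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	rl.proxy.ServeHTTP(w, r)
}

// MTLSTransport presents cert to the internal service and trusts only the
// internal CA, so the relay cannot be redirected to an impostor upstream.
func MTLSTransport(cert tls.Certificate, internalCA *x509.CertPool) *http.Transport {
	return &http.Transport{TLSClientConfig: &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      internalCA,
		MinVersion:   tls.VersionTLS12,
	}}
}

func main() {
	// Assumed internal address, certificate files and route list for illustration.
	upstream, err := url.Parse("https://orders.internal.example:8443")
	if err != nil {
		log.Fatal(err)
	}
	cert, err := tls.LoadX509KeyPair("relay.crt", "relay.key")
	if err != nil {
		log.Fatal(err)
	}
	pool := x509.NewCertPool() // in practice, AppendCertsFromPEM the internal CA here
	routes := []Route{{Prefix: "/api/v1/orders", Methods: []string{"GET"}}}
	log.Fatal(http.ListenAndServe(":8080", NewRelay(upstream, routes, MTLSTransport(cert, pool))))
}
```

The value of the relay is that the firewall rule "DMZ app layer may reach the internal server on one port" becomes an application-level rule "these operations, with these methods, and nothing else". Troubleshooting gets easier rather than harder if the relay logs every rejected request with the reason (path not listed, method not allowed, path not canonical), because that log tells you immediately whether a failure happened before or after the internal hop.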