I have a C#.NET, .NET 3.5 web app running on a Windows 2008 box that requires access to AD, calls business services on a back-end server via SOAP and DCOM, and I would like to make it accessible from the Internet.
I already have a back-to-back firewall configuration with a DMZ that has private addresses, although the front firewall is not ISA. Split DNS has been implemented, with the public DNS server in the DMZ not being a member of the AD domain.
The choices I see are either to place the web server in the DMZ and apply rules to the back-firewall ISA server to allow SOAP, DCOM, AD traffic, et al., or to place the web app server on the internal network and publish it to the DMZ using the back-firewall ISA server.
I believe the second choice is preferred, but what are the pros and cons of each?