10-16-2009 08:40 AM
10-17-2009 05:05 PM
Interesting problem. With deployment on multiple servers you need the impersonation user to be a domain user, which implies a member of the same Active Directory domain. You will require more than just simple packet-filter-based firewalls. Depending on the nature of your existing DMZ, you may have to spend money on an ISA server.
Two possible solutions using ISA server:
Security is pretty much a subjective decision as to how secure you would see the second option and of course what money is available. The second option allows you to run ISA as a secondary adjunct to your existing DMZ as distinct from replacing your existing DMZ with an ISA solution.