Currently, some servers and networks in our network are being updated. I'm also looking for a reality check for our DMZ configuration. I put it together a long time ago and wonder if it is still relevant or if there is a better (safer) way.
I'm thinking specifically of our web server traffic. We have many web applications that users from outside our network need to access. Almost all of them need access to our internal Active Directory and sometimes to other internal services.
I've always hated putting the web servers in the DMZ and punching holes in the internal network for Active Directory and/or LDAP, so instead I set up a reverse proxy in the DMZ and forward the web requests from the DMZ to port 443/80 on the servers in the internal network (a bit like this example). It has worked well over the years; some applications work well with it and others are a bit of an attempt.
Anyway, before I update some of the servers in question (some are 2k8 R2, which will soon be EOL), I thought I would check everything. I know you can do this in other ways (for example, by putting the web servers into the DMZ with an RODC). I wonder if I need to change my setup (and what an alternative might look like) or if it is still valid.
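As an added illustration of the reverse-proxy layout described in the question (this is example configuration, not anything from the original post or the poster's environment), below is an nginx server block for a DMZ proxy that terminates TLS at the edge and re-encrypts to an internal application server. With this design the only firewall rule from the DMZ into the internal network is TCP/443 to the application servers; the application servers reach Active Directory themselves, so no LDAP (389/636) or Kerberos (88) ports are opened from the DMZ. All hostnames, addresses and certificate paths are assumptions for illustration.

```nginx
# Added example (not from the original post): DMZ reverse proxy in nginx.
# Assumed addresses:
#   Internet   -> DMZ proxy 10.0.1.10        : tcp/80, tcp/443
#   DMZ proxy  -> internal app 10.0.2.20     : tcp/443 only
#   DMZ proxy  -> domain controllers         : nothing
# The internal app server talks to AD on its own; the DMZ host never does.

# Plain HTTP only redirects to HTTPS; nothing is proxied over port 80.
server {
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example.com;

    # Public-facing certificate lives on the DMZ host (assumed paths).
    ssl_certificate     /etc/nginx/certs/app.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/app.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Bound request bodies at the edge before they reach the internal server.
    client_max_body_size 10m;

    location / {
        # Re-encrypt to the internal server; do not send plaintext across the DMZ boundary.
        proxy_pass https://10.0.2.20;

        # Verify the internal server's certificate (issued by an assumed internal CA)
        # so a compromised or spoofed host in the DMZ path cannot stand in for the backend.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.crt;
        proxy_ssl_server_name         on;
        proxy_ssl_name                app.internal.example.com;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Preserve the original host and client address for the application.
        # The backend should trust X-Forwarded-For only when it comes from this proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP         $remote_addr;
    }

    # Internal-only paths are simply not published through the proxy.
    location /admin/ {
        return 404;
    }
}
```

Two practical caveats for this layout: applications that rely on Windows integrated authentication need the service principal name for the external hostname (here app.example.com) registered on the backend's service account, or Kerberos will fail and clients will fall back to NTLM or prompt; and the application should be configured to treat only the proxy's address as a trusted source of X-Forwarded-For, otherwise any client can spoof its source address in that header.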