Here goes:

In ZEN 7 we had this "nice" Middle Tier server that we could put in the DMZ and it would get inventory information and we could deploy apps without having to make a "new" app (assuming we used UNC path, as the Middle Tier would find the closest server and use that and translate to XML).

Fast Forward to ZCM

Given that there's no official Middle Tier, I'm thinking which would be the best way to proceed?

As I see it, I have two options:

1) Put a ZCM server in the DMZ. This could be a secondary that is allowed to talk to the Primary server on the LAN. Possible issues:

Firewall holes (whether our security guys would allow for this or not, I don't know).
Bundles. I think I'd have to maintain two separate bundle sets (one set on the server in the DMZ that's set to use HTTP, and another set on the LAN on the Primary server that is set to use UNC paths).

2) I could use a satellite server in the DMZ. Possible issues with that:

Bundles. I still have to maintain two separate bundles, one using UNC for local servers, and another using HTTP.

Are there other options (short of not using ZCM that is) and any other caveats I should be aware of?

Oh, I suppose I should mention that we do have "roaming" users (i.e., users with laptops that are sometimes on the network and then they are also sometimes off network but connect via Internet connection). With ZEN 7 we had issues because the agent would be set up for Middle Tier only for "outside" and then obviously it wouldn't work internally.