For some time I have had a web server in a DMZ between two BM servers, with
the outer BM being a reverse proxy for the web server and the inner BM
being a forward proxy for our users. We are making some server changes and
I thought now would be a good time to make any changes I can to be as
functional and secure as possible. The web server now needs to communicate
with another server on our internal network for data. I would appreciate
your comments on the pros and cons of the way I have it set up versus one
of the following:

1. Having the web host on our internal network with just one BM acting as
reverse and forward proxy.

2. Keeping both BM servers, but having the web server on the internal
network and still having the outer act as reverse proxy and inner as
forward proxy and just NATing the web server through the inner BM server.

I know there are probably a multitude of ways to set things up, but I would
appreciate any suggestions on the most secure, yet functional.