We've got a customer with very high security needs who would like to implement Novell's DataSync Mobility Solution for their devices, but we have a problem. The DS server should be installed in the DMZ (which makes sense), but this particular customer has security policies in place that do not allow LDAP requests/logins between their DMZ and LAN, especially considering that the LDAP user needs at least READ rights to the entire tree. Not good.

Is there a way to separate the different NDS Mobility Pack components, for example the DS Engine and GW Connector, etc., in the LAN and the Mobility Pack (connector) in the DMZ? If so, which ports would need to be opened, and how would the installation be done? Would it be possible for our firewall crew to temporarily allow LDAP logins during the installation and then, after adding the users, block the ports again so that we "deactivate" LDAP? Will DS still work, or does it need "constant" LDAP access to eDir, or perhaps only on every reboot? We cannot allow the whole DS "instance" (Engine, connectors, Mobility Pack) to be installed in the LAN, because then we would have a bigger security problem by letting the devices through our DMZ and firewall into our LAN, which is not acceptable. Has anyone tried this or had to work in such a scenario?

Any help and/or hints would be greatly appreciated.