I am working for a client and they currently have one primary and it is in the DMZ. They have other site servers spread out which are not in the DMZ. Everything I have come across seems to tell me that this is not a conventional setup. It seems some or most ports that are needed for communication between the primary and the site servers have been opened on the firewall. One thing that is blocked is ping, at least between a box in the DMZ and a subnet outside of the DMZ.
My questions are:
What effects will they have if they keep the single primary in the DMZ?
What will be the effects of blocking ICMP ping between the primary, the clients and the management points?
Does anyone have SCCM set up like this?
The way I see it right now there really isn't a reason that the primary should be in the DMZ. SCCM is only really currently used for the workstations. If, down the line, they want to use it for servers in the DMZ, they could spin up a CAS then another primary in the DMZ. By having the SCCM server in the DMZ, you have to punch a bunch of holes. By doing this you are taking away many of the arguments of it even being in the DMZ.
Thanks for your help!