I am considering placing two load-balanced Windows Server 2010 R2 non-domain-joined web servers in the DMZ for external AIA/CDP and OCSP revocation. I was wondering if there is a good write-up about opening the ports to allow the CA to publish the CRL files to the DMZ web servers. I already do this internally with file://\\server\share$ in the CDP for internal web servers, but I was wondering what the minimum is that needs to be open between the web servers and the CA. I would also like to know the risk, as it seems it would only need to be a rule between the two web servers and the CA...really only outbound to the DMZ. Maybe the SMB protocol and TCP 445? An example of this design would really help. I know it can be done with a script, but if the security risks aren't too high, the built-in distribution is favored.
Also, can the CES/CEP roles be placed in the DMZ on a non-domain-joined IIS server?
Thanks
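The following is an added example of the publication design the question describes (CA pushes CRLs and its certificate over SMB to DMZ web servers that serve them over HTTP); it is not part of the original post. Every name in it is assumed: the CA at 10.0.1.10, DMZ hosts dmzweb1 and dmzweb2, the external name pki.example.com, an OCSP responder at ocsp.example.com, a hidden share CertEnroll$ backed by the folder IIS serves as /CertEnroll/, a local account PUBLISHER standing in for whatever identity the CA is permitted to write as, and C:\temp\issued.cer as a certificate to verify with.

```powershell
# Added example, not from the original post. Assumed values: CA 10.0.1.10,
# dmzweb1/dmzweb2, pki.example.com, ocsp.example.com, share CertEnroll$,
# local account PUBLISHER, C:\temp\issued.cer.

# ---------- On each DMZ web server (elevated) ----------
$crlDir = 'C:\inetpub\CertEnroll'
New-Item -ItemType Directory -Path $crlDir -Force | Out-Null

# Hidden share the CA publishes into. Only PUBLISHER may write; Everyone gets nothing.
net share "CertEnroll`$=$crlDir" '/GRANT:PUBLISHER,CHANGE' '/REMARK:CRL and CA cert publication'

# Serve the same folder as /CertEnroll and allow '+' in delta CRL file names,
# which IIS request filtering rejects by default.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
& $appcmd add vdir '/app.name:Default Web Site/' /path:/CertEnroll /physicalPath:$crlDir
& $appcmd set config 'Default Web Site' /section:system.webServer/security/requestFiltering /allowDoubleEscaping:true

# The only inbound hole from the internal network: TCP 445 (direct-hosted SMB,
# no NetBIOS 139 needed) and only from the CA's address. netsh is used because it
# exists on 2008 R2 as well as later releases.
netsh advfirewall firewall add rule name='CRL publish from CA' dir=in action=allow protocol=TCP localport=445 remoteip=10.0.1.10

# ---------- On the CA (elevated) ----------
# CDP flags are a bitmask: 1 = publish CRLs here, 2 = put this URL in the CDP
# extension of issued certificates, 64 = also publish delta CRLs here.
# UNC paths get 65 (publish only); the HTTP URL gets 2 (advertise only), so no
# issued certificate ever carries a UNC path. certutil reads the literal \n as
# the separator of the multi-string value.
$cdp = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '65:file://\\dmzweb1.example.com\CertEnroll$\%3%8%9.crl',
    '65:file://\\dmzweb2.example.com\CertEnroll$\%3%8%9.crl',
    '2:http://pki.example.com/CertEnroll/%3%8%9.crl'
) -join '\n'
certutil -setreg CA\CRLPublicationURLs $cdp

# AIA flags: 1 = publish the CA certificate here, 2 = put the URL in the AIA
# extension, 32 = put the URL in the OCSP (id-ad-ocsp) entry of the AIA extension.
$aia = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '1:file://\\dmzweb1.example.com\CertEnroll$\%1_%3%4.crt',
    '1:file://\\dmzweb2.example.com\CertEnroll$\%1_%3%4.crt',
    '2:http://pki.example.com/CertEnroll/%1_%3%4.crt',
    '32:http://ocsp.example.com/ocsp'
) -join '\n'
certutil -setreg CA\CACertPublicationURLs $aia

Restart-Service certsvc   # the CA certificate is written to every flag-1 location at service start
certutil -CRL             # base (and delta, if enabled) CRLs are written to the flag-1/64 locations now

# ---------- Verify ----------
# Fetch every CDP/AIA/OCSP URL of an issued certificate the way a relying party would.
certutil -verify -urlfetch C:\temp\issued.cer
# Confirm the web server's only new inbound rule is 445 from the CA address.
netsh advfirewall firewall show rule name='CRL publish from CA' verbose
```

The connection is always initiated by the CA, so the web servers need no rule back toward the CA, and the Internet-facing side sees only HTTP. One caveat to test before relying on it: certsvc runs as Local System and authenticates to the share as the CA's computer account, which a workgroup server cannot validate, so the share must accept some credential the CA can actually present (that is what the PUBLISHER placeholder stands for). If it cannot, file:// publication fails with errors only in the CA's Application event log while the local copy keeps succeeding, which is exactly why the `certutil -verify -urlfetch` step against the external URL belongs in the procedure.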