We have a vendor that wants us to put an application server in our DMZ that is a web server for information kept internal in a database. They want the application server in the DMZ to be part of our AD domain, and they want a bunch of ports along with SQL ports open between it and the internal servers.
In my mind, given these requirements, wouldn't it be better to just put the application server on the inside, and use an ISA server in the DMZ to interface with the public side?
I just feel that if a server needs to be part of an AD domain and needs many ports open, there isn't much benefit at that point to having it in a DMZ.
Just looking for opinions.