Team, starting to reseach what it would take down the line to move out internal CF website to allow
public internet access. From previous work, I do understand this server itself would be locked down with no Internet access/FW rules would be needed for internal DB /share connections. etc Any external links/call from Web would also need to pinholed. We are going to CF 2018 this year. Looking for any documentation/gotchas need to consider this new DMZ server.Our SSL Cert also needs allow access ext/internal.
Well, this is a pretty broad question and doesn't have that much to do with CF itself.
In general, servers in a DMZ are typically set up as "bastion hosts", independent of your larger network. They're not part of your domain (if you're using Windows) and they're not going to have connections to anything they don't need to. They're not going to access any content in your LAN. This goes for your web servers and your databases - you'd want to move both to your DMZ as bastion hosts. Sometimes people will try to keep the database in the LAN and allow connections from the DMZ web server to the LAN database. This is a bad idea, don't do it. If your database is compromised, very bad things can happen.
As far as CF goes, you'll need to ensure that no admin endpoints are exposed to the outside world. This means testing your /CFIDE URLs and removing any specific connection points between your CF server and your web server other than that used to serve public files (this can be done using a variety of configuration options in your web server). Also, in general, you probably want to restrict CF from writing to your web server's file system by default, and only allow it in specific limited circumstances. (You should be doing this anyway but it's more important when things are public.)
Dave Watts, Eidolon LLC
txs for your response. Jose