Security configuration

08-28-2015 06:49 AM
MattiasEkström
Occasional Contributor III

Our ArcGIS Server is mainly for internal use, a single server deployment in our internal network. We have an IIS Web Adaptor and have set up Integrated Windows Authentication. Most of our services are not secured and available to all users inside our network, and some are secured and available to specific users with "single sign on" achieved by the Integrated Windows Authentication.
Recently our IT department set up a reverse proxy that made it possible for external users to connect to services in one specific folder. The services in that folder are not secured. We wanted to use some services in ArcGIS Online, which is possible through the reverse proxy.

So far so good.
Now I'm asked if we can provide secured services to external users through this reverse proxy. I can't figure out how to accomplish that with our current configuration. Any ideas?
I think that when we set up the reverse proxy we had to go past the Web Adaptor and go straight to ArcGIS Server...

Is it possible to somehow combine Integrated Windows Authentication for internal users and still provide some secured services (and non-secured services) to external users?

We have ArcGIS Server 10.22 installed, but could upgrade to the latest version if that will help...

10 Replies
StevenGraf1
Occasional Contributor III

You can install multiple web adaptors and control the security on each of those through IIS.

-Steven

0 Kudos
MattiasEkström
Occasional Contributor III

I have very limited experience with IIS, our current web adaptor was set up by using the tutorial for Securing web services with Integrated Windows Authentication.
How should I configure the second IIS for external users? Do we have to install that Web Adaptor in our perimeter network (DMZ)? Or would it be possible to install it on our internal network and use our existing reverse proxy?

0 Kudos
StevenGraf1
Occasional Contributor III

I don't have much experience with DMZ or reverse proxies. To allow non-secured services using Windows authentication you would install a 2nd web adaptor, disable Windows authentication and enable anonymous through the web adaptor in IIS.

I'm not sure how you would allow external users access to secured services without giving them a Windows account.

I'm not sure I was much help.

-Steven

0 Kudos
MattiasEkström
Occasional Contributor III

If we install a 2nd web adaptor, disable Windows authentication and enable anonymous through the web adaptor in IIS, wouldn't all services be fully available through that web adaptor?

"I'm not sure how you would allow external users access to secured services without giving them a Windows account."

This is what I'm afraid isn't possible... But even if we're limited to only allowing access to secured services for those with a Windows account, that will be useful for internal users who want to consume a secured service from outside our internal network using a smartphone or tablet in the field.

0 Kudos
StevenGraf1
Occasional Contributor III

You would have your services unsecured through ArcGIS Server with anonymous access in IIS. All the rest of your services would be secured.

-Steven

0 Kudos
MattiasEkström
Occasional Contributor III

Sorry, but I don't follow. Which services would be secured and unsecured when enabling anonymous access?
I thought that enabling anonymous access would kind of revoke the Windows authentication and therefore make all services open to everyone regardless of each service's security settings.
But do you mean that the secured ones would still be secured and require the user to log in with a Windows user?

0 Kudos
StevenGraf1
Occasional Contributor III

The way I have set it up in the past is as such:

Install 2 webadaptors, 1 called arcgis using windows authentication, 1 called public using anonymous authentication.

In ArcGIS Server Manager, you would secure all services that would be called through the arcgis webadaptor such as https://myurl/arcgis/rest/services/mapserver

In ArcGIS Server Manager, you would unsecure all services that would be called through the public webadaptor such as https://myurl/public/rest/services/mapserver

Does that help?

-Steven
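The IIS side of the two-adaptor setup described in the post above, as an added example (not code from the thread or from Esri): it sets Windows authentication on the `arcgis` application and anonymous authentication on the `public` application, then reads the settings back to confirm them. The site name `Default Web Site` is an assumption; the application names come from the post. Run it in an elevated PowerShell session on the IIS host.

```powershell
Import-Module WebAdministration

# Assumption: both Web Adaptors are applications under this IIS site.
$site = 'Default Web Site'

# Application names from the post, with the intended state of each authentication mode.
$expected = [ordered]@{
    'arcgis' = @{ windows = $true;  anonymous = $false }
    'public' = @{ windows = $false; anonymous = $true  }
}
$modes = 'windows', 'anonymous'

# Builds the configuration section path for windowsAuthentication / anonymousAuthentication.
function Get-AuthFilter([string]$Mode) {
    "/system.webServer/security/authentication/${Mode}Authentication"
}

# Apply the settings per application (written as location entries in applicationHost.config).
foreach ($app in $expected.Keys) {
    foreach ($mode in $modes) {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location "$site/$app" -Filter (Get-AuthFilter $mode) `
            -Name enabled -Value $expected[$app][$mode]
    }
}

# Read the effective values back and flag anything that differs from the intent.
$report = foreach ($app in $expected.Keys) {
    foreach ($mode in $modes) {
        $actual = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location "$site/$app" -Filter (Get-AuthFilter $mode) -Name enabled).Value
        [pscustomobject]@{
            Application = $app
            Mode        = $mode
            Enabled     = $actual
            AsExpected  = ($actual -eq $expected[$app][$mode])
        }
    }
}

$report | Format-Table -AutoSize
if ($report.AsExpected -contains $false) {
    Write-Warning 'At least one Web Adaptor application does not match the intended authentication settings.'
}
```

The read-back step is worth re-running after IIS or Web Adaptor changes, since anonymous access left enabled on the `arcgis` application would mean requests through it no longer carry a Windows identity.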

MattiasEkström
Occasional Contributor III

Yes, now I understand that setup, and what you meant in your previous post. I guess that is a little bit better setup than we have now, to let our reverse proxy point to a 2nd web adaptor instead of going directly to ArcGIS Server without the web adaptor. But the basic functionality is the same.
Would it be possible to also expose some secured services through the "public" web adaptor, that users could access from an external network and be prompted for their Windows username and password?

That's what we want but cannot do with our current configuration.

I realize that being able to use other users than our Windows users isn't possible while still using Integrated Windows Authentication internally, but allowing our Windows users to access services from outside our network would be great.

0 Kudos
StevenGraf1
Occasional Contributor III

I'm not 100% sure on this one. I would defer to ESRI.

I would guess that you would install a 3rd webadaptor and enable windows authentication and configure it so you can access it outside your network.

-Steven

0 Kudos