Web Adaptor in DMZ for use with ArcGIS Online

We haven't actually set the web adaptor up yet in the DMZ. They established one a couple years ago, although it is still behind our firewall completely and defeats the purpose of having one (I could just go to our ArcServer Manager page and grab the rest URL's from there). I've asked them to put a new web adaptor in our DMZ to eliminate VPN needs into our network, since I would be grabbing the URL from the new web machine and web adaptor in the DMZ (like you've noted). Our IT dept. is just skeptical as to when port 80 or 443  is open for web/IIS traffic, if anyone is capable of accessing it and entering our network. I don't believe they have either ports open currently, and were just looking for specifics of configuration. Their concern is port phishing if the ports are open to web/IIS traffic. Granted I am not a network/firewall expert, but this is the gist of what I've understood from their concerns. They have ports open for other applications, but those ports have been configured to specific IP addresses of the servers requesting information, so it is a singular end to end communication. It seems like the web adaptor is not that way?

I just included these links in another thread

Trust | ArcGIS

I would start looking thru this and seeing if you can make your IT folks a little more comfortable.  I know I have gone thru many of the same processes, but however they setup all our public IIS pages, works and they seem to be happy with.  BTW, our IIS and web adaptors are on a different server then the AGS which is behind our firewall.  

I have many of these other links under my "pinned" section, and rather than include them here again...

Web AppBuilder Developer Edition - Customization Resource List

Thanks Rebecca, I'll do some more digging in your provided links. Our IIS and Web Adaptor will also be on a different machine than our AGS. Our AGS is housed on a machine behind our firewall and our IIS and Web Adaptor Machine is currently in the process of being built in our DMZ.

I would not think that would be an issue, but can not answer for sure.  When using the <servername>:6080 you are accessing the server direct, and not thru the web adapter, from what I understand of it.    When using the 443 and web adapter, you are using something like IIS for web access.

We actually have two web adapters installed, one for public services, the other for secure.  Both web adapters will show the public (non-secure) services and will let you login for the secure services.  But when it comes into play for me is in my proxy file.  The public web adapter does not need a token so just passed the requests thru (and secure services will not pass). For the secure web adapter, the proxy has a token.

At the dev summit this year, there was a really good session on using proxies and getting things to work with AGS and AGOL.  Unfortunately, was not listed as one of the free sessions. I purchased the recordings and this is one of my "must watch again, a couple times" sessions. I probably won't be able to really let my brain soak in the info until June/July time frame myself.  If you have access to the recordings, or are going to the UC, look for a session called something like "Use Online Services without End-user Login with Resource-Proxy"  Not sure if it will work for us (I'm looking at OpenData access or secured data) but it had real potential.  Proxies are nothing new, but this got me thinking of them in a different way.

I hope some of the helps.  I find that sometimes you won't really know how things will work until you try them.