Replica directory nodes and management nodes in the DMZ?


As part of my training (IT specialist / system integration), or rather as my project work, I would like to set up a company server.

The virtualization host is to be Proxmox, with various UCS roles running on it. So far I have worked without a DMZ and would like to implement one in the project. So there are three bridges on the PVE:

  • vmbr0 (LAN) → NIC1 (
  • vmbr1 (WAN) → NIC2
  • vmbr2 (DMZ) → NIC3 (

The pfSense is “connected” to all three bridges with three virtual LAN adapters. The UCS5 Primary Directory Node (Samba ADS, shares, print services etc.) is “connected” to vmbr0.

The systems that should be accessible from external:

  • UCS5 Replica Directory Node (For Open-Xchange)
  • UCS5 Managed Node (for Nextcloud)

are to be “connected” to vmbr2. Of course I have to regulate access via pfSense.

So far I have had all UCS roles in one subnet, which was quite simple.

Is this concept OK? Are there any particularities I have to consider when the UCS roles Replica Directory Node and Managed Node are in a different subnet?

with best
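The three-bridge layout described in the post, written out as a Proxmox `/etc/network/interfaces` fragment. This is an added example, not a configuration from the original post or from Proxmox/Univention documentation. The physical NIC names (`enp1s0`, `enp2s0`, `enp3s0`) and the addresses (`192.168.10.0/24` for the LAN, pfSense at `192.168.10.1`, the PVE host at `192.168.10.2`) are assumptions; check `ip link` on the host and use the real ones. The security-relevant choice it shows: only vmbr0 (LAN) carries a host address, so the hypervisor's management interface (web UI, SSH) is never exposed on the WAN or DMZ segments; vmbr1 and vmbr2 are pure layer-2 bridges that exist solely so the pfSense VM and the DMZ VMs can attach to them.

```ini
auto lo
iface lo inet loopback

# Physical NICs (names are assumptions, verify with `ip link`).
# They are set to "manual": the bridges own them, the host gets no
# address on the raw interfaces.
auto enp1s0
iface enp1s0 inet manual

auto enp2s0
iface enp2s0 inet manual

auto enp3s0
iface enp3s0 inet manual

# vmbr0 (LAN) -> NIC1. The only bridge with a host address: Proxmox
# management is reachable from the LAN only. Gateway is pfSense's
# LAN address (assumed 192.168.10.1). Primary Directory Node attaches here.
auto vmbr0
iface vmbr0 inet static
    address 192.168.10.2/24
    gateway 192.168.10.1
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0

# vmbr1 (WAN) -> NIC2. No host address on purpose: only the pfSense VM
# attaches here, so the hypervisor has no foothold on the untrusted side.
auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp2s0
    bridge-stp off
    bridge-fd 0

# vmbr2 (DMZ) -> NIC3. No host address either. Replica Directory Node
# and Managed Node attach here; pfSense is the only path to the LAN
# and enforces which ports they may reach on the Primary.
auto vmbr2
iface vmbr2 inet manual
    bridge-ports enp3s0
    bridge-stp off
    bridge-fd 0
```

With this in place, the VMs are attached per bridge from the PVE shell, e.g. `qm set <pfsense-vmid> --net0 virtio,bridge=vmbr0 --net1 virtio,bridge=vmbr1 --net2 virtio,bridge=vmbr2` for the firewall, `--net0 virtio,bridge=vmbr0` for the Primary Directory Node and `--net0 virtio,bridge=vmbr2` for the Replica Directory Node and the Managed Node (VM IDs are placeholders). Because vmbr1 and vmbr2 have no host address, nothing on the DMZ or WAN can reach the hypervisor directly; every DMZ-to-LAN packet has to traverse pfSense, which is where the access rules the post mentions belong.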