06-18-2016 04:09 PM
I have a dilemma I've run into that I am hoping the community can help with...
I have a customer design I'm working on that requires some ISE PSNs in the public-facing DMZ. Specifically to serve up the CWA page to wireless guest users that are coming from another site. The ISE servers reside virtually in the customer's datacenter. The guest users will be accessing the network from a WLC local to the site. The WLC will send its RADIUS traffic back to PSN interfaces (let's say G0) via a L2L VPN tunnel to the datacenter server network.
For obvious reasons, we don't want the guest user traffic to traverse the L2L tunnel. The goal is to place some of the guest-serving ISE PSNs in a datacenter DMZ. They will have G0 in a DMZ VLAN that is accessible to the other ISE nodes for inter-ISE communication, while G1 interface will be placed in a DMZ VLAN accessible to the wifi guest users. The Wifi guest users will be coming over the internet and are source NATd.
Thus far everything seems to work except when I assign the CWA portal to G1 it sends the G1 private IP in the redirect URL. My question is this: Can the ISE PSNs/web portal be configured so it sends a custom FQDN for the guest portal? I would like to leverage public DNS and point the guests to the public IP of the ISE guest PSNs (which is then destination NATd for tcp/8443 to the guest G1 interface).
Or is there a way I can use a public IP on the G1 interface but still reside behind a F5 load balancer?
Or am I going about this all wrong and is this unsupported?
Huge TIA for any input/help!
06-18-2016 07:27 PM
If I understand your problem correctly this should resolve your issue: http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/cli_ref_guide/b_ise_CLIReferenceGuide_20/Cisco_ISE_CLI_Commands_in_Configuration_Mode.html#wp5773065010
ip host
To associate a host alias and fully qualified domain name (FQDN) string to an ethernet interface such as eth1, eth2, and eth3 other than eth0, use the ip host command in global configuration mode.
When Cisco ISE processes an authorization profile redirect URL, it replaces the IP address with the FQDN of the Cisco ISE node.
ip host ipv4-address host-alias
To remove the association of host alias and FQDN, use the no form of this command.
no ip host ipv4-address host-alias
You should be able to configure the hostname via the CLI for G1 and then CWA should redirect by providing the correct FQDN.
George
Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.
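As an added illustration of the ip host command George quotes above (this is not part of his reply or of Cisco's documentation), here is what the configuration and the resulting redirect look like. The addresses, node name, portal ID and session ID are hypothetical: it assumes the DMZ G1 (eth1) interface is 192.0.2.20, the public name the guests resolve is guest.example.com, and that name resolves on the internet to 203.0.113.20, which the firewall destination-NATs on tcp/8443 to 192.0.2.20 as described in the original post.

```text
! Added example, hypothetical values. ISE CLI on the guest-serving PSN.
ise-psn1/admin# configure terminal
ise-psn1/admin(config)# ip host 192.0.2.20 guest.example.com
ise-psn1/admin(config)# exit
ise-psn1/admin# show running-config
...
ip host 192.0.2.20 guest.example.com
...

! Public DNS record the guests resolve (hypothetical zone):
guest.example.com.   IN A   203.0.113.20

! Firewall/F5 destination NAT (hypothetical):
203.0.113.20:8443  ->  192.0.2.20:8443

! CWA redirect URL before the ip host entry (G1 private IP, unreachable from the internet):
https://192.0.2.20:8443/portal/gateway?sessionId=0a0a0a0a00000001ABCDEF12&portal=27041710-2e58-11e9-98fb-0050568775a3&action=cwa

! CWA redirect URL after the ip host entry (IP replaced with the eth1 host alias):
https://guest.example.com:8443/portal/gateway?sessionId=0a0a0a0a00000001ABCDEF12&portal=27041710-2e58-11e9-98fb-0050568775a3&action=cwa
```

Two checks worth doing once this is in place: resolve guest.example.com from a client on the guest SSID and confirm it returns the public address, and make sure the certificate bound to the guest portal on that PSN carries guest.example.com as a subject alternative name, since the browser now validates the certificate against that name rather than the IP.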
06-18-2016 07:33 PM
Yes, that was exactly the command/capability I was looking for.
Thank you very much George!
06-20-2016 08:05 AM
Not sure if this helps you out as well? ISE with Static Redirect for Isolated Guest Networks Configuration Example - Cisco
06-20-2016 09:54 AM
It does Jason, thank you.
Ultimately I was looking for host-alias command as it maintains a scalable/flexible architecture. But my fallback was/is to resort to the static settings you reference.