Hi,

One of the DMZ's function is to host servers that need to be accessed by outsiders and access normally comes from public network/Internet (via outside interface). This allows you to secure your internal network from being indirectly accessible too, eventhough you mapped internal server to a public IP.

But in your case, link between the 2 sites is via internal WAN, which is not passing the internet. Internal link is considered safer, but you still need to consider/justify why DMZ traffic need to pass through your internal network to reach the other side, if they can go via Internet.

There's nothing wrong with the setup/topology. What you really need is to have appropriate security measures to mitigate potential security threats, i.e viruses/worms passing through, misconfiguration that accidentally open up access to your internal network, escalation of attack from remote DMZ server (if hacked) to your DMZ and so on.

Also, consider how big the data to pass through, sensitivity, congestion or bandwidth size between your internal WAN and link to internet.

On Firewll, I believed you'll have a standard configuration like ACL, NAT and so on (depending on you to enable all possible features).

What you need is to weight the possibility risks, and what do you have to mitigate possible threats, i.e layered security layer model where you have IDS/IPS to inspect traffic exchanged between DMZs, AVirus, CSA installed in both servers, additional ACL in internal WAN router, using secure protocol between DMZ servers.

If both DMZ server(s) is accessible to public, maybe sending the data via internet gives you lesser risks as any tampered data/traffic (if servers compromised) will not pass through your internal network at all.

Cheers!

AK