We run a 5508 anchor in a DMZ, we don't use the Service-Port in this setup. So the management-interface has to be connected as a trunk port.
In order to correctly sync with internal controllers the following ports have to be opened up between them - UDP 1666-7, UDP 5246-7, icmp echo-request (type 8), Ethernet-over-IP protocol 96 and 97.
We also keep the anchor in a seperate mobility-domain but which is connected to the same mobility-group as the internal controller(s). It is important to mirror your guest wlan configuration through all your controllers, if you are using your anchor as the web-authentication route-point, I would recommend using a publically-routable IP address associated with a FQDN (fully qualified domain name) as your virtual-interface IP address; this will allow you to assign a valid publically signed SSL certificte down the track - this is best practice and stops the annoying security error pop-ups in most browsers on most devices.
SSL certification for Web-Auth is poorly documented on the Cisco website so - If you want to get a valid SSL certificate make sure you use version 0.9.8 of OpenSSL to generate your certificate request (there are too many bugs in the latest version of OpenSSL apparently, also most public certificate authorities will only sign a request with a bit depth of 2048 or more - the results you get back from your chosen public certification authority needs to be concatenated into a chained certificate file in PEM format - web-auth SSL supports chained certs on the 5508 so you'll be fine with this. (https management interface does NOT however support chained certs).
Hope this helps?
