Publishing Internet-facing Web Services and WCF Services
You can use two approaches for publishing BizTalk Server Web services and WCF services to the Internet:
Use reverse proxy rules in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).
Put the computers running BizTalk Server that publish the Web services or WCF services into the perimeter network domain.
We strongly recommend the reverse proxy approach for publishing BizTalk Server Web services and WCF services. Using reverse proxy rules in the perimeter network removes the need to place BizTalk servers in the perimeter network. The reverse proxy rules simply forward the HTTP and SOAP requests from the perimeter network to the computers running BizTalk Server in the intranet domain.
For more information about using a reverse proxy, see the following topics in BizTalk Server 2009 Help:
Putting the computers running BizTalk Server into the perimeter network domain is not the preferred approach for publishing BizTalk Server Web services or WCF services to the Internet, because it requires computers running BizTalk Server to be located in the perimeter network. However, when a reverse proxy is not available in the perimeter network, you can use this approach.
This approach requires the perimeter network domain to enlist in a one-way trust with the intranet domain: the perimeter network domain trusts the intranet domain, but the intranet domain does not trust the perimeter network domain. The IIS application pools that host the Web services or WCF services in the perimeter network domain must run under an intranet domain account that is in the "BizTalk Isolated Host Users" domain group. This gives the application pool the required rights to publish messages to the BizTalk Server MessageBox database.
You must open specific ports in the firewall to accommodate this. For more information about the required ports, see "Ports for the Receive and Send Servers" in BizTalk Server 2009 Help at http://go.microsoft.com/fwlink/?LinkId=153342.
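The following script is an added example, not part of the BizTalk Server documentation. It audits the application pool requirement described above by checking that each pool runs under an intranet domain account that is a member of "BizTalk Isolated Host Users". The function name, pool name and domain name are placeholders, and the script assumes it runs on the IIS server with the WebAdministration and ActiveDirectory modules installed, under credentials that can query an intranet domain controller.

```powershell
Import-Module WebAdministration   # provides the IIS:\ drive
Import-Module ActiveDirectory     # provides Get-ADDomain and Get-ADGroupMember

# Hypothetical helper: reports whether each application pool identity meets the requirement.
function Test-IsolatedHostPoolIdentity {
    param(
        [Parameter(Mandatory)] [string[]] $PoolName,        # pools hosting the published services
        [Parameter(Mandatory)] [string]   $IntranetDomain,  # DNS name of the intranet domain
        [string] $GroupName = 'BizTalk Isolated Host Users'
    )

    # NetBIOS name of the intranet domain, for comparing against DOMAIN\account identities
    $netbios = (Get-ADDomain -Server $IntranetDomain).NetBIOSName

    # Every user in the group, including members of nested groups
    $members = @(Get-ADGroupMember -Identity $GroupName -Server $IntranetDomain -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.SamAccountName })

    foreach ($name in $PoolName) {
        $pm = (Get-Item "IIS:\AppPools\$name").processModel
        $finding = 'OK'

        if ($pm.identityType -ne 'SpecificUser') {
            # NetworkService, ApplicationPoolIdentity, etc. are local to the perimeter server
            $finding = "Built-in identity ($($pm.identityType)); an intranet domain account is required"
        }
        elseif ($pm.userName -notmatch '^(?<dom>[^\\]+)\\(?<acct>.+)$') {
            $finding = 'Identity is not in DOMAIN\account form; verify manually'
        }
        elseif ($Matches.dom -ne $netbios) {
            $finding = "Account is in domain '$($Matches.dom)', not the intranet domain '$netbios'"
        }
        elseif ($members -notcontains $Matches.acct) {
            $finding = "Account is not a member of '$GroupName'"
        }

        [pscustomobject]@{ AppPool = $name; Identity = $pm.userName; Finding = $finding }
    }
}

# Placeholder values; replace with your own pool and domain names
Test-IsolatedHostPoolIdentity -PoolName 'BizTalkServicesPool' -IntranetDomain 'intranet.example.com'
```

Any row whose Finding is not OK identifies a pool that either cannot publish to the MessageBox database or is running under an account outside the intranet domain.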