We have a DMZ with an IIS Web Server, and BizTalk 2009 on a LAN.
I'd like to know what is the best way to deploy a BizTalk Web Service so that it is publicly accessible on the Internet, but inline with security best practices.
Should we deploy the BizTalk-generated Web Service to the IIS box?
Should we host the Web Service on the BizTalk box and expose BizTalk to the world (for specific ports and specific external IPs only)?
Should we use IIS as a reverse proxy and host the Web Service on BizTalk?
Any guidance much appreciated.
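For the reverse-proxy option raised in the question, an added illustration that is not part of this thread: a URL Rewrite / Application Request Routing (ARR) rule in the web.config of the DMZ IIS site that forwards only the one published service path to the internal BizTalk host, and rewrites the internal host name out of the returned WSDL. The host names, the service path and the public name are assumed.

```xml
<!-- web.config of the public site on the DMZ IIS server.
     Requires the URL Rewrite and ARR modules, with ARR's proxy
     feature enabled at the server level. Names below are assumed. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Only this one path is forwarded to the LAN; every other
             request is answered by IIS and never reaches BizTalk. -->
        <rule name="ForwardOrderServiceToBizTalk" stopProcessing="true">
          <match url="^services/OrderService\.svc$" />
          <conditions logicalGrouping="MatchAll">
            <!-- accept the call only over TLS on the public side -->
            <add input="{HTTPS}" pattern="^ON$" />
            <!-- SOAP calls are POST; GET is needed only for ?wsdl -->
            <add input="{REQUEST_METHOD}" pattern="^(POST|GET)$" />
          </conditions>
          <!-- the query string (e.g. ?wsdl) is appended by default -->
          <action type="Rewrite"
                  url="http://biztalk01.corp.local/OrderService/OrderService.svc" />
        </rule>
      </rules>
      <outboundRules>
        <!-- BizTalk writes its own host name into the WSDL; replace it
             with the public address so clients never learn the LAN name. -->
        <rule name="FixWsdlAddress" preCondition="IsXml">
          <match filterByTags="None"
                 pattern="http://biztalk01\.corp\.local/OrderService/" />
          <action type="Rewrite" value="https://api.example.com/services/" />
        </rule>
        <preConditions>
          <preCondition name="IsXml">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^(text|application)/xml" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

Outbound rewriting only works on uncompressed responses, so leave response compression off for this site. The firewall rule between the zones can then be limited to the DMZ host reaching the BizTalk host on that single port.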
I would seriously think about separating the web service from the BizTalk architecture and not use the built in published web service in a DMZ setting. Create a web service on its own and allow that to façade the actual BizTalk web service and just punch a hole in the firewall allowing the connection into the BizTalk web service. Take a look here.
One option is to deploy the services internally using BizTalk but connect them to the Azure Service Bus and use that to expose them to the outside world. BizTalk WCF supports the relay bindings used for communication with the service bus.
Once set up it should be less to worry about (except the Azure bill I guess ;)) but it also ties nicely in with the Access Control, giving you fine-grained access control over who can do what etc.
Adding to Bryan's comment,
This can be done in a very straightforward way using the WSO2 Cloud Services Gateway (CSG).
What needs to be done is: deploy a CSG outside the firewall (probably in a DMZ) and publish your service onto it, and that's it.
For more information check out:
http://wso2.com/cloud/connectors/services-gateway