I know this topic has been discussed to death already on here and the preferred approach is reverse invoke. However, we have setup where we have an IS server only in the DMZ for interface processing. Files are dropped on the WM IS server and is then processed. WM will read the files and update the database which is residing behind the internal firewall. All the login id and passwords can be encrypted in a config file on the WM IS server. This is similar to an web server that faces the internet and updates the application db behind the firewall. It does not appear that this is commonly done so I am interested in hearing what the problem would be with this approach.
An alternative approach we are also looking at is having WM IS behind the internal firewall and having an FTP server in the DMZ. Files will be dropped on this FTP server and WM will pick it up and process as usual.