The attached guide (PDF format) explains how to reduce connectivity risks by using a dual-DMZ topology and WebSphere DMZ Secure Proxy Server in your Sametime Gateway deployment.
WebSphere DMZ Secure Proxy Server
Unlike a traditional proxy server, the DMZ Secure Proxy is designed for use outside the corporate firewall and incorporates a higher level of security to protect your deployment. For example, the DMZ Secure Proxy Server does not include an application server or a web container; limiting the software on the server helps protect it from unauthorized access. This added security comes at a cost, in that the DMZ Secure Proxy Server requires some additional configuration during deployment.
To deploy the DMZ Secure Proxy Server, you will set up a dual DMZ deployment where the Sametime Gateway servers reside in the Application DMZ and the DMZ Secure Proxy Server resides in the Web DMZ. External users can access only the DMZ Secure Proxy Server, which in turn passes on requests for data to the Sametime Gateway servers, which in turn connect to the Sametime Community Servers on the corporate intranet before routing data back to the users.
Note: The IBM WebSphere DMZ SIP Proxy Server has been stabilized in the WebSphere Application Server 8.5.5.x stream -- this feature is supported, but no more new features or significant changes can be added. Beginning with WebSphere Application Server Version 9, the DMZ SIP Proxy Server is deprecated and will not be supported for use in Sametime Gateway deployments.