
Server setup in DMZ

Mikey John
Level 1

Hi,

I am setting up a DMZ environment to have external customers access my servers sitting in the DMZ. I have attached the diagram for reference.


Proposed Setup

1) 2x ISP links (redundant) - IPSEC connections from customer terminating on our Internet Facing FWs.
2) There are 2 DMZ FWs separating the Corporate (internal) and External environment.
3) The APP server and Jump server are placed behind the Server switches.


Requirement

1) External customer needs to access Jump server and APP server from over the Internet IPSEC VPN
2) Internal (Corporate) users need to access the Jump server and App server.
3) Any user accessing the Jump server would need to get authenticated from a Domain controller. The Domain controller would be on the Internal corporate segment.

Questions

1) With the current design, Internal users have to pass DMZ FW and Internet FW to access server. Is it recommended? Is it ok to connect the servers behind a separate pair of server switches? Or can they connect directly to DMZ switches? What is the best possible solution (standard) that is generally followed in this case?
2) If there are multiple customers with IPSEC VPNs coming in, can VLANs be defined and access given accordingly to the servers?

 

Appreciate your inputs.

 

Cheers

Mikey

1 Reply

Mikey John
Level 1

Hi,

 

Appreciate if someone could please reply to this.

 

Thanks in advance.

Mikey
