We are working on our PCI certification (fun times, right?) and I was wondering what other people do for server management in the DMZ. A few things we are looking at are listed below. We will be doing Cisco ZBFW for firewalling and using NAT.
Servers have 2 NICs, 2 IPs, gateways, etc. One of the networks would be considered a "management VLAN/network". The other network would be for all other traffic, including NATting to the internet and traffic to the "internal" zone, but locking down traffic at the source, destination, and protocol level.
On Windows you really only have 1 true default gateway, and because Windows doesn't just send traffic out the interface it came in on, but looks at the routing table, some network routing issues popped up.
Use only 1 NIC/VLAN/IP/gateway. Lock down traffic at the source, destination, and protocol level for DMZ-to-"internal" traffic and do an "inspect" statement to allow all necessary traffic back in and drop everything else. "Internal"-to-DMZ would just be an inspect-all, because this traffic wouldn't need to be firewalled, so management traffic would work just fine.
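For readers following the single-NIC option above, here is an added Cisco IOS ZBFW config sketch of that design; it is an illustration, not the original poster's config. Zone names (INSIDE, DMZ, OUTSIDE), interface numbers, the 10.0.0.0/24 inside and 10.10.10.0/24 DMZ subnets, the 203.0.113.0/29 public block, and the single permitted DMZ-to-inside flow (a web host to a database host on TCP/1433) are all assumptions chosen for the example.

```cisco
! Added example, not the poster's configuration. All names and addresses are assumed.
! Zones: inter-zone traffic is dropped unless a zone-pair with a policy exists.
zone security INSIDE
zone security DMZ
zone security OUTSIDE

interface GigabitEthernet0/0
 description Inside network (assumed)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
interface GigabitEthernet0/1
 description DMZ, single NIC per server, one gateway (assumed)
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 zone-member security DMZ
interface GigabitEthernet0/2
 description Internet uplink (assumed)
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 zone-member security OUTSIDE

! DMZ -> INSIDE: locked down to source, destination and protocol.
! Only the flows a DMZ host truly needs; everything else falls to class-default and is dropped.
ip access-list extended DMZ-TO-INSIDE
 permit tcp host 10.10.10.20 host 10.0.0.20 eq 1433
class-map type inspect match-all CM-DMZ-TO-INSIDE
 match access-group name DMZ-TO-INSIDE
policy-map type inspect PM-DMZ-TO-INSIDE
 class type inspect CM-DMZ-TO-INSIDE
  inspect
 class class-default
  drop log
zone-pair security ZP-DMZ-INSIDE source DMZ destination INSIDE
 service-policy type inspect PM-DMZ-TO-INSIDE

! INSIDE -> DMZ: inspect everything. Because "inspect" is stateful, the return
! packets of management sessions (RDP, SSH, WinRM, monitoring) are allowed back
! through the DMZ -> INSIDE zone-pair without any extra rule there.
class-map type inspect match-any CM-ANY
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-INSPECT-ALL
 class type inspect CM-ANY
  inspect
 class class-default
  drop
zone-pair security ZP-INSIDE-DMZ source INSIDE destination DMZ
 service-policy type inspect PM-INSPECT-ALL

! DMZ -> OUTSIDE: PAT the DMZ subnet behind the uplink address and inspect outbound.
! No OUTSIDE -> DMZ zone-pair is defined here, so nothing from the internet can
! initiate to the DMZ until a pair with an explicit policy is added.
ip access-list standard NAT-DMZ
 permit 10.10.10.0 0.0.0.255
ip nat inside source list NAT-DMZ interface GigabitEthernet0/2 overload
zone-pair security ZP-DMZ-OUTSIDE source DMZ destination OUTSIDE
 service-policy type inspect PM-INSPECT-ALL
```

The point the single-NIC design relies on is the middle block: with INSIDE-to-DMZ inspected statefully, a management session's replies ride the existing session entry, so the DMZ-to-INSIDE ACL can stay limited to the handful of flows the servers themselves must initiate. Verify with `show policy-map type inspect zone-pair sessions` that management connections appear as established sessions and that anything else from the DMZ toward the inside shows up as class-default drops.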