Hi,
It sounds like a valid plan, however there is no need to use a public certificate for the IBCM as all your clients will trust the internal one.
Here is some useful information as well if you haven't seen it already.
http://blogs.technet.com/b/configurationmgr/archive/2013/12/11/a-closer-look-at-internet-based-client-management-in-configmgr-2012.aspx
Regards,
Jrgen
SCCM doesn't work with NATs. If you are setting up a DMZ box then you would need to set the site server or Secondary to have a DP, WSUS and MP role depending on what you are trying to accomplish. Then set that box for Https mode. Also you would set the site system to be "site initiated" so the box on the inside of the network reaches into the DMZ and pulls back the data.
You only need a few ports from the inside to the perimeter network box that will be supporting https clients.
The others already touched on this, but you need more than just a DP to support Internet clients as they must also be able to communicate with an MP.
Also, using a cert from a public CA will get expensive real quick as you need more than just server auth certs for your site role. You also need a unique client auth cert for each and every client that you will be managing over the Internet -- buying these from a public CA will get expensive quick and be a nightmare to manage and deploy.
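The point above, that every Internet-managed client needs its own client authentication certificate chaining to the CA the site trusts, is easy to get wrong on individual machines. The following PowerShell is an added example, not code from the thread or from Microsoft: it lists the machine certificates in LocalMachine\My that carry the Client Authentication EKU and a private key, builds the chain for each, and reports whether the chain ends at the expected internal root CA. The root CA thumbprint is an assumption you must replace with your own; revocation checking is disabled here so the check runs offline.

```powershell
# Added example (not from the thread): verify a ConfigMgr client holds a certificate
# usable for HTTPS / Internet-based client management.
# Assumption: replace the placeholder with the thumbprint of your internal root CA.
$ExpectedRootThumbprint = 'REPLACE-WITH-INTERNAL-ROOT-CA-THUMBPRINT'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

function Test-IbcmClientCert {
    param([string]$RootThumbprint = $ExpectedRootThumbprint)

    # Candidates: machine certs with a private key and the Client Authentication EKU
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
    }

    foreach ($cert in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Offline check: skip CRL/OCSP so the result reflects trust, not reachability
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainValid = $chain.Build($cert)

        # Last element of the built chain is the root the machine actually trusts it to
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            NotAfter           = $cert.NotAfter
            ChainValid         = $chainValid
            RootSubject        = $root.Subject
            IssuedByInternalCA = ($root.Thumbprint -eq $RootThumbprint)
        }
    }
}

# A client is ready for IBCM only if at least one row shows ChainValid and
# IssuedByInternalCA both True and NotAfter in the future.
Test-IbcmClientCert | Format-Table -AutoSize
```

Run this on a client before pointing it at the Internet-facing MP; if no row comes back, the machine has no client auth certificate at all, and if a row chains to a different root, the site system will not accept it even though the certificate looks valid in the local store.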
I am going to make a MP as well, keep my current SUP that is for intranet.
If I use godaddy for my cert, the CA is already published with MS. This is not correct thinking?
Is it not like applying a cert to a web server? You cert that web server with a valid public cert that has a valid public CA?