IF: you have a DMZ, incoming FA must go through it, and you have a load balancer on the DMZ that can forward requests to the internal network where FA will be, then the FA and IDM web tier nodes must be placed in the DMZ.