Security zone configuration for Workspace ONE Assist depends upon whether your on-prem environment is composed of a single server or multiple servers.
The database component can be installed on a database server in the private zone while the rest of the components are installed on the all-in-one server in the public zone. You can deploy the all-in-one server either in the public or private zone but the all-in-one server MUST be accessible from the device network and the user network that uses the Workspace ONE Assist system.
Medium and Multiple Server Deployments
You can deploy Workspace ONE Assist servers across multiple security zones, such as DMZ/public and private. You can deploy all servers in a public zone or a private zone, depending on the network/security requirements. You can also deploy servers across any zone, provided the servers hosting Connection Proctor services and Portal Services are accessible from the device network and user network.
Typically, in multiple server deployments, components must be accessed by the device network and the user network. Because of this dependency, servers deployed in the Public zone include servers hosting Connection Proctor components and Portal services components. Servers deployed in private zones can include Application, Core, and Database components.
Based on hardware scaling, if the Core, Application, and Portal services components are deployed on the same server (CAP server), then this server must be deployed in a public zone. Connection Proctor servers are also deployed in the public zone. The database server is deployed in the private zone.