Using Enplug in the DMZ
Enplug devices are designed to work seamlessly with most network and firewall policies, requiring only port 443 outbound. However, there are some benefits to isolating the Enplug device from your protected network.
Application Layer Firewalls
If your layer 7 firewall is configured to block Java, it may prevent the Enplug device from functioning properly. Placing the device in the DMZ avoids that problem without requiring you to allow otherwise unwanted application traffic on your protected segment.
A DMZ placement also reduces the time and effort spent configuring device-specific policies. For example, many organizations block traffic to sites such as YouTube or Instagram internally, yet they frequently want to display their social media or video content to employees, creating a conflict that requires an exception.
Letting the device reach content that employees are blocked from browsing is most easily accomplished by bypassing web filtering for it altogether. This also avoids policy changes later: if the organization was not previously using Twitter but starts to, no changes need to be made to allow the traffic.
Endpoint security is enhanced when embedded devices are segregated from sensitive traffic, and they can operate worry-free without relying on updates and patches being applied immediately. Placing the devices on a dedicated VLAN alone is not a robust enough measure in many cases. When using the DMZ, you gain the benefit of stateful packet inspection and all the other security features that insulate the protected network from the rest of the world.
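As an added example (not part of Enplug's documentation), the following nftables forward policy implements the isolation described above: the device in the DMZ gets only TCP 443 outbound and can never initiate traffic toward the protected segment. It assumes the firewall interfaces are named lan0 (protected segment), dmz0 (DMZ) and wan0 (internet), and that the DMZ already has a local DNS resolver; if the device must reach an external resolver, add udp/53 beside the 443 rule.

```nft
# Added example: nftables forward policy for a three-legged firewall.
# Assumed interface names: lan0 = protected segment, dmz0 = DMZ, wan0 = internet.
table inet dmz_policy {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority filter; policy drop;

        # Stateful inspection: only reply traffic for flows already allowed.
        ct state established,related accept
        ct state invalid drop

        # DMZ -> internet: HTTPS only, the single outbound port the device needs.
        iifname "dmz0" oifname "wan0" tcp dport 443 ct state new accept

        # DMZ -> protected LAN is never allowed. Log the attempt so a
        # compromised or misbehaving device shows up in monitoring.
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan-denied: " drop

        # Protected LAN -> internet keeps its own web-filtering policy;
        # shown here only so the ruleset is complete and loadable.
        iifname "lan0" oifname "wan0" ct state new accept
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; the device's LAN-facing attempts will appear in the kernel log under the `dmz-to-lan-denied:` prefix.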