Although it’s not literally true, as a practical matter, an internet-facing web front end in a DMZ must be in a domain (i.e. not some standalone server in its own little workgroup). It doesn’t need to be in the same domain as the internal WFE(s) and other servers (and probably shouldn’t), but it needs to be a domain.
My colleagues and I spent an inordinate amount of time on a proposal which included SharePoint pre-requisites. This included a comprehensive list of firewall configurations that would enable the DMZ server to join the farm and so forth. Sadly, we failed to add a sentence somewhere that said, to the effect, "the whole bloody point of this configuration is to allow your DMZ WFE server, in a domain, to join the internal farm."
A perfect storm of events, where we basically looked left when we might have looked right, conspired to hide this problem from us until fairly late in the process, thus preventing me from invoking my "tell bad news early" rule.
Sigh.
