I tried to set up SCCM as securely as possible for our internet-facing clients. Here are two architecture diagrams, one using IBCM (Internet-Based Client Management) and one using Microsoft's new Cloud Management Gateway.
For IBCM, we need to open a few ports:
SCCM MP -> DMZ SCCM (TCP/UDP 135, TCP 49152-65535);
SCCM DP -> DMZ SCCM (TCP 445, SMB);
SCCM SQL -> DMZ SQL (TCP 1433);
and two-way for:
SCCM WSUS <-> DMZ WSUS (HTTPS 8531)
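To confirm the firewall enforces the IBCM port list above and nothing more, the following added example (not part of the original post) runs a TCP connect test for each rule from the server it names. All host names are placeholders, and the "Blocked" expectation for the reverse SQL direction is an assumption drawn from the one-way arrow in the list.

```powershell
# Constructed rule table based on the IBCM port list above.
# Host names are placeholders (assumptions); replace them with your own servers.
# Not covered: UDP 135 and the dynamic RPC range TCP 49152-65535, which a
# single TCP connect test cannot verify.
$IbcmRules = @(
    [pscustomobject]@{ RunFrom = 'SCCM MP';   Target = 'dmz-sccm.example.internal';  Port = 135;  Expect = 'Open' }
    [pscustomobject]@{ RunFrom = 'SCCM DP';   Target = 'dmz-sccm.example.internal';  Port = 445;  Expect = 'Open' }
    [pscustomobject]@{ RunFrom = 'SCCM SQL';  Target = 'dmz-sql.example.internal';   Port = 1433; Expect = 'Open' }
    # WSUS is listed as two-way, so both directions are expected to connect.
    [pscustomobject]@{ RunFrom = 'SCCM WSUS'; Target = 'dmz-wsus.example.internal';  Port = 8531; Expect = 'Open' }
    [pscustomobject]@{ RunFrom = 'DMZ WSUS';  Target = 'sccm-wsus.example.internal'; Port = 8531; Expect = 'Open' }
    # Assumption: the reverse of a one-way rule must not connect.
    [pscustomobject]@{ RunFrom = 'DMZ SQL';   Target = 'sccm-sql.example.internal';  Port = 1433; Expect = 'Blocked' }
)

function Test-IbcmRule {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        [Parameter(Mandatory)] [string]   $RunFrom   # role of the server this runs on
    )
    foreach ($r in ($Rules | Where-Object { $_.RunFrom -eq $RunFrom })) {
        $probe  = Test-NetConnection -ComputerName $r.Target -Port $r.Port -WarningAction SilentlyContinue
        # 'Blocked' also covers a stopped service or a DNS failure; check those on a FAIL.
        $actual = if ($probe.TcpTestSucceeded) { 'Open' } else { 'Blocked' }
        [pscustomobject]@{
            Target = $r.Target
            Port   = $r.Port
            Expect = $r.Expect
            Actual = $actual
            Result = if ($actual -eq $r.Expect) { 'PASS' } else { 'FAIL' }
        }
    }
}

# Example: run on the intranet management point.
Test-IbcmRule -Rules $IbcmRules -RunFrom 'SCCM MP' | Format-Table -AutoSize
```

Run it once on each server role, changing `-RunFrom` to match. A FAIL on a row expecting "Blocked" means the firewall allows DMZ-to-intranet traffic that the port list does not call for.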
For Cloud Management Gateway, it is a much nicer map:
SCCM MP -> Azure Cloud (HTTPS 443)
If you have more than one CMG, you also have to open ports 10140-10155 (one for each additional CMG).
Detailed steps on how to configure SCCM DMZ MP and DP:
One way network connection from intranet to DMZ
Ports needed in SCCM DMZ
Complete list of ports needed in SCCM