Our App server group is getting ready to roll out our OAS 10g upgrade which includes a total reworking of our server and network topology. At the same time our DBA group is getting ready to roll out our first EM server. Because EM can also manager AS10g, I would like to get our EM server deployed somewhere in our topology that will allow us to take advantage of this feature. Our topology comes right out of the 10gAS security guide, we have a dmz for our web servers, a dmz for our J2EE server and a DMZ inside the web DMZ for our infrastructure server. My gut is telling me to put the EM repository inside our intranet(one level past the J2EE dmz) and place the management server out in the j2ee dmz. The main issues is putting the OMS in a place where all of the app servers can talk to it, but not allowing anything in the web dmz to talk back into the intranet. Does putting the OMS in the j2ee dmz sounds like a reasonable idea? what are other people doing?