forward proxy (squid) placement: LAN or DMZ?

view story

http://serverfault.com – some HOWTOs and manuals suggest to install a forward proxy in DMZ and some advice to place it in LAN. The forward proxy doesn't offer anything to the internet users, it could not be directly attacked from the WAN. We put http or smpt servers in DMZ to protect our LAN if they compromised. It is a risk to place the proxy together with them. Another point against the placement in DMZ is the access to a corporate domain controller via the port 445 (microsoft-ds) which required for the user authentication and authorization. From the other side, if we place the proxy in LAN we lose the control (HowTos)