We used to have our moodle server in a DMZ, and the firewall had mappings from a DMZ IP address to 2 LDAP servers within our internal network. And that was fine.
We did have HTTPS on the login page, as it was dealing with network passwords.
(the only reason we changed, was to get SSO internally we had to move the server into our AD domain - so now moodle is accessed externally via Forefront TMG)