Channel: Forum Microsoft Identity Manager

Load Balancing the Password Portal


All,

We are planning to load balance three password registration and reset portals that will be used by network and non-network users. I haven’t found an official guide from Microsoft on how to do this so I wanted to run the scenario by the group to see if anyone could suggest best practices. I used this document for part of my design solution.

Business Case:

Allow end users on the internal network, as well as external remote users not on the network, to register for and reset their network passwords without calling the company help desk.

Standard Set Up:

  1. We already have connectivity to FIMService so all needed ports are open between portal machines, FIM Service and FIM Sync.
  2. There are three VMs: server1.acme.com, server2.acme.com, server3.acme.com
  3. These machines are available for internal users on the company network as well as external non-network users via reverse proxy
  4. IIS 7.5 installed on the password portal servers and SharePoint is not present
  5. Password and registration portal installed on each machine
  6. Single network adapter and IP per machine
  7. Single password service account (FIMPassword)
  8. There are three DNS entries for password registration that point to each server: passwordregistration1.acme.com, passwordregistration2.acme.com, passwordregistration3.acme.com
  9. There are three DNS entries for password reset that point to each server: passwordreset1.acme.com, passwordreset2.acme.com, passwordreset3.acme.com
  10. We will have an NLB with the main addresses as passwordreset.acme.com and passwordregistration.acme.com in front of the DNS entries
  11. We will set SPNs on FIMPassword for passwordregistration1-3 and passwordreset1-3 along with the main passwordreset.acme.com and passwordregistration.acme.com addresses
  12. We plan to set up IIS to use the appPool per the document instructions

Questions:

  1. Based on the game plan above, is this a valid approach to load balance three servers available to both internal and external users?
  2. Are there any other settings that we need to update to make the sites accessible to both network and non-network users?
  3. Any other recommendations for items we might have missed?

Cheers!

