JAMF will be hosted from the DMZ, which will help users outside the organisation's network to communicate with the JAMF server, but not with the internal users, and vice versa if they are hosting it on the internal network. The customer is certain about not opening the ports, as it will tarnish the purpose of having a DMZ.
Do a cluster and put a second Tomcat instance in the DMZ. The main database and Tomcat would be internal, the second Tomcat instance external, and the only thing he would have to open in the DMZ is port 3306 from the DMZ server to the internal.
Check out this article: https://www.jamf.com/jamf-nation/articles/174/installing-a-jss-web-application-in-the-dmz
This technique will also require the use of split DNS.
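An added example, not part of the thread or of Jamf's documentation: a small audit that checks a firewall allow-list against the layout described above, where the only DMZ-to-internal opening is TCP 3306 from the DMZ Tomcat server to the internal database. All addresses, rule names and the rule tuple format are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing (assumptions, not taken from the thread).
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")
DMZ_TOMCAT = ipaddress.ip_network("192.0.2.10/32")
INTERNAL_DB = ipaddress.ip_network("10.10.5.20/32")
MYSQL_PORT = 3306

# Constructed allow rules: (name, source, destination, protocol, first port, last port)
SAMPLE_RULES = [
    ("dmz-jss-to-db", "192.0.2.10/32", "10.10.5.20/32", "tcp", 3306, 3306),
    ("legacy-any-db", "192.0.2.0/24", "10.10.5.20/32", "tcp", 3306, 3306),
    ("dmz-to-internal-web", "192.0.2.10/32", "10.10.0.0/16", "tcp", 8443, 8443),
    ("dmz-db-wide-ports", "192.0.2.10/32", "10.10.5.20/32", "tcp", 3000, 4000),
    ("internet-to-dmz-jss", "0.0.0.0/0", "192.0.2.10/32", "tcp", 8443, 8443),
]


def audit(rules):
    """Return (rule name, reason) for each allow rule that opens more than
    TCP 3306 from the DMZ Tomcat host to the internal database host."""
    findings = []
    for name, src, dst, proto, lo, hi in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # Only rules that let DMZ sources reach internal destinations matter here.
        if not (src_net.overlaps(DMZ_NET) and dst_net.overlaps(INTERNAL_NET)):
            continue
        if not src_net.subnet_of(DMZ_TOMCAT):
            findings.append((name, "source is wider than the DMZ Tomcat host"))
        if not dst_net.subnet_of(INTERNAL_DB):
            findings.append((name, "destination is wider than the database host"))
        if proto != "tcp" or (lo, hi) != (MYSQL_PORT, MYSQL_PORT):
            findings.append((name, "opens more than tcp/3306"))
    return findings


if __name__ == "__main__":
    for rule_name, reason in audit(SAMPLE_RULES):
        print(f"{rule_name}: {reason}")
```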