Security concerns opening 8443 from Casper server to outside for iOS devices?

dan_westby
New Contributor

I'm looking at how to help track down iPads and thought if we had 8443 open from the outside and Casper logs the IP from a user's home or another business (which will be obviously different from our own), is this standard practice, advisable and/or a security concern?

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

You could do it, but it's not best practice, nor advisable. There are better options. Talk to your JAMF buddy about setting up a limited-access JSS in the DMZ that talks to your internal protected JSS over port 3306 (MySQL). This kind of setup is considered a cluster of sorts, since technically the externally facing JSS is writing back to the same database as your internal server. The Casper Suite, starting with I think version 8.2 or thereabouts, began to include some functions directly in the web interface for helping get this kind of setup off the ground. The external box or VM can be locked down so it can't be "logged into"; it only accepts communication from external Macs and/or iOS devices.

This is much more secure, though not completely bulletproof. You can take extra steps from that point to protect your internal server even further though.

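As an added illustration of the DMZ layout mm2270 describes (not code from the original thread or from JAMF), the following shell script generates host-firewall rule sets in iptables-restore format for the two machines involved: the DMZ-facing JSS, which should accept only TCP 8443 from the Internet and be allowed to open only MySQL (3306) towards the internal database host, and the internal host, which should accept 3306 only from the DMZ box. The addresses (10.0.10.5 for the internal database, 10.0.50.0/24 as an admin management subnet, 192.0.2.10 as the DMZ JSS) are constructed placeholders, as is the hypothetical `--print` invocation at the bottom; nothing here is applied to a live firewall, the script only emits rules for review and for loading with `iptables-restore`.

```shell
#!/bin/sh
# Generate iptables-restore rule sets for a DMZ-facing JSS and its
# internal MySQL host. Added example, not part of the original post.
# Placeholder addresses are constructed for illustration.

# dmz_jss_rules DB_HOST ADMIN_NET
#   Rules for the externally reachable JSS in the DMZ:
#   - default DROP on INPUT, FORWARD and OUTPUT
#   - inbound: only new TCP 8443 (device enrollment/check-in) from anywhere,
#     plus SSH from the admin subnet so the box is otherwise not "loginable"
#   - outbound: only new TCP 3306 to the one internal database host
#     (the externally facing JSS writes to the same DB as the internal one)
#   - DNS to a resolver is deliberately omitted; add it only if the host needs it
dmz_jss_rules() {
    db_host="$1"
    admin_net="$2"
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p tcp --dport 8443 -m conntrack --ctstate NEW -j ACCEPT' \
        "-A INPUT -s ${admin_net} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT" \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A OUTPUT -d ${db_host} -p tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT" \
        'COMMIT'
}

# internal_db_rules DMZ_HOST ADMIN_NET
#   Rules for the internal JSS/MySQL host: MySQL is reachable only from the
#   single DMZ address; the web UI on 8443 and SSH only from the admin subnet.
internal_db_rules() {
    dmz_host="$1"
    admin_net="$2"
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A INPUT -s ${dmz_host} -p tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT" \
        "-A INPUT -s ${admin_net} -p tcp --dport 8443 -m conntrack --ctstate NEW -j ACCEPT" \
        "-A INPUT -s ${admin_net} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT" \
        'COMMIT'
}

# count_new_accepts RULESET PORT
#   Sanity check: how many rules admit NEW connections to PORT. Used to confirm
#   that 3306 is never opened inbound on the DMZ host and 8443 is opened once.
count_new_accepts() {
    printf '%s\n' "$1" | grep -c -- "--dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# Hypothetical usage:  sh dmz_rules.sh --print > /etc/iptables/rules.v4
if [ "${1:-}" = "--print" ]; then
    dmz_jss_rules 10.0.10.5 10.0.50.0/24
fi
```

Review the generated text before loading it with `iptables-restore`; the external perimeter firewall still has to forward only TCP 8443 to the DMZ address, and the internal firewall between the DMZ and the protected network only TCP 3306 from that one address, for the host rules above to mean anything.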