Scenario D can be split into two main sub-scenarios, depending on the number of Internet gateways between the intranet/demilitarized zone (DMZ) and the extranet. In terms of security, D1 and D2 are identical.
The security problem in this scenario (D1 and D2) is caused by placing the internal content/cache servers in the intranet. Instead of doing this, you might consider the configuration shown for location two in the figures above.
If you have a DMZ at a location, this does not necessarily mean that you also have an Internet gateway. In general, DMZ only implies that you cannot reach intranet addresses from DMZ servers, but the other way around (Intranet → DMZ) does not cause any problems.
If you really need to put the content server inside the intranet, make sure that you introduce subnets and control the IP routing by using the appropriate proxies. For information on configuring proxies, see SAP Note 216419.