Hi Dale
The best resources for architecture / design is the paper:
Let me know if you have any problems accessing it and I can send it to you.
Although we don't have such security restrictions on our machines, some approaches to consider are:
1) Having two separate FW dbs, one for LCF jobs and one for outside jobs. Of course, this assumes that you can separate the workflows neatly into two piles. Some users are currently taking this approach.
2) You can try the "offline" mode (see documentation), but that requires being able to access the database from a login node or similar. e.g. if the LCF login node can access an outside MongoDB service (even if the compute nodes cannot). It might not be the case for your situation.
3) Set up an ssh tunnel, although I am not sure how secure this is.
Other than that, I don't have any great advice forward, but am happy to take a stab at any specific questions you might have.