In some environments, setting up a reverse proxy is preferred over putting a Mobile Management Site Server and SCEP Server in the DMZ, for increased security.  There are different programs that can offer this functionality, on multiple operating systems.  The general way to do this would be:

1. Set up a rule on the proxy server to forward requests for servername.fqdn/certsrv/* to the SCEP Server.
2. Set up a default/catch-all rule to forward any other request to the Mobile Management Site Server

If the reverse proxy is also handling other (non-MMS) related traffic, step 2 can be refined down to the specific sub-folders in IIS on the Mobile Management Site Server, such as /MobileEnrollment, /MobileManagement, and so forth.