Jack,
Because the architecture that we used is now in production with our hosted AC servers, I won't lay it out in detail here, as that makes it easier for would-be bad actors.
For the Providers out there that have the interest and inclination, I am thinking about writing up a How-To that they can use on commodity equipment, and that doesn't require a Cisco firewall and a matching Cisco engineer.
The design approach comes from poring over firewall logs, and knowing how most edge attacks are mounted.
In the near term, I can give you the essentials; you'll just need to map those to the capabilities of your existing equipment.
If you are so inclined, just drop me a Private Message (PM), and I'll get back to you later this week. Right now I am a bit under the production gun, as we have several other instances to spin up.