The following diagram shows a good example setup of a secured CA with external OCSP responders and an external RA server that receives certificate requests. The request are periodically pulled by the CA and responses returned to the External RA. No network traffic flows from the right the left across FW2.
The following diagram is a very rough schema of the current architecture of EJBCA.
All the web modules are packaged as Web Archives (WAR) and packaged inside an Enterprise Archive (EAR) together with EJB modules for business logic, code for mapping Java objects to database rows and additional libraries need by the application that isn't provided by the application server.