Backing up a server on the DMZ
Use RSync over SSH, or another appropriate and secure method of file transfer, to get the files from the production DMZ machine to your internal network. Then back that up.
Depending on your security stance, you'll need to determine if you can open up the port(s) for the transfer in both directions. If it's only one, your security stance will determine which direction. Is it more secure for the DMZ machine (your production website) to initiate and push these files into your internal network? Or, would it be more secure for your internal network to initiate and pull the files from the DMZ machine?
Either way, the account being used should have the least privileges necessary to perform the transfer, so that if the account is compromised, it can't do much more damage than just delete the files, and maybe fill a disk.
-With all that said, how different is this from allowing the BE protocol and data to move this data anyway?