Ideas On How To Access A Plant Perspective Project From Segmented Business Network

Looking for ideas on how to give users on our business network view-only access to Perspective projects running on a SCADA network. We have ideas for how this could work, but how to do it at scale, for over 100 plants, is the question.

Our infra layout is:
Business Network (Users) || DMZ || SCADA
Users cannot talk to SCADA directly; all traffic has to hop through the DMZ.
We do have “corp” Ignition servers in the DMZ (distributor gateways) and in the business network (backend/frontend gateway), so we have a viable gateway area network from the business network to SCADA.

So, options:
1st option we thought about was copying the local plant project up to the business frontend gateway. It got kind of ugly, with the project looking for the local database from the plant, and it requires lots of scripting to change things like the DB, tag historian, etc.

2nd option: use a web reverse proxy in the DMZ. Users browse to the proxy and the proxy calls the projects from the plant SCADA. Viable, but it opens the whole gateway UI to users when we only want to show the project. There are also concerns about security, as a user could log into the project as an admin and make changes outside of the plant.

Looking for other thoughts, options.

Reverse proxy with rules that prevent access to the gateway UI (or only allow access to Perspective projects) is what I’d be looking into.

Maybe someone else with more experience deploying setups like this can chime in.
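
One way to express the allow-only-Perspective rule suggested in the reply above, as an added example that is not part of the thread and not Ignition's own code: a default-deny routing decision that a DMZ proxy could apply per request, keyed by plant so one rule set covers every site. The URL prefixes, plant ids and upstream hostnames are assumptions made for illustration.

```python
from urllib.parse import quote, unquote

# Assumed URL prefixes a Perspective session needs (not stated in the thread);
# confirm them against your own gateway's access logs.
ALLOWED_PREFIXES = (
    "/data/perspective/",  # project client pages
    "/res/perspective/",   # static client resources
    "/system/pws/",        # session websocket
)

# Constructed inventory: plant id -> SCADA gateway as reached from the DMZ.
PLANTS = {
    "plant001": "https://scada-plant001.example.internal:8043",
    "plant002": "https://scada-plant002.example.internal:8043",
}


def route(raw_target):
    """Return the upstream URL for an allowed request, or None to deny it."""
    raw_path, sep, query = raw_target.partition("?")
    path = unquote(raw_path)  # decode exactly once, then judge the result
    # Leftover '%' means double encoding; backslashes and control characters
    # are treated differently by different servers, so refuse all of them.
    if "%" in path or "\\" in path or any(ord(c) < 0x20 for c in path):
        return None
    segments = path.split("/")
    if segments[0] != "" or len(segments) < 3:
        return None
    # Refuse instead of normalizing: no empty, "." or ".." segments
    # (one trailing slash is tolerated).
    if any(s in ("", ".", "..") for s in segments[1:-1]) or segments[-1] in (".", ".."):
        return None
    upstream = PLANTS.get(segments[1])
    rest = "/" + "/".join(segments[2:])
    if upstream is None or not rest.startswith(ALLOWED_PREFIXES):
        return None  # unknown plant, gateway UI, or anything else: default deny
    # Forward the path that was checked, re-encoded, not the raw input.
    return upstream + quote(rest) + sep + query
```

This only narrows which URLs reach the plant gateway; the view-only requirement from the question still has to be enforced by the project's own authentication and roles.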