It's not mandatory! You can set-up in a one-leg setup. However it's common to "by-pass" the DMZ to internall segments of a firewall. Externall port in DMZ zone on firewall allowing only HTTPS to it and connecting internall port to trusted network. One-leg in DMZ has the disadvantage of allowing many protocols through the firewall from DMZ to internall.