We've been using TeamCity successfully as our build and deployment engine, with several builds (projects) on a single instance, restricting who does what through the built-in user permissions. But our security guys are concerned (as they always are) that the TeamCity VM can be vulnerable, as it has access to both dev and production environments, and the only difference between who can build for testing and who can deploy a new version to the live production server is the 'simple' username/password control that we have for the TeamCity users.
We are thinking about splitting the project between two TC installations, so that the two machines can be in separate subnets etc., but the question is what the best way is to move artifacts from the build instance to the deployment instance: use a shared drive available to both machines and come up with some kind of storage protocol (the build puts files in a folder with the build number as its name, or something like that), or access artifacts over REST/direct HTTP(S) address... or anything else.
Does anybody have experience doing something similar? Any advice would be appreciated!
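
The shared-folder handoff described in the question, written out as an added example (not part of the original post and not TeamCity functionality): the build side drops artifacts into a folder named after the build number together with a signed manifest, and the deploy side refuses anything that does not match it. The function names, the manifest file names, the flat artifact directory and the shared HMAC key are all assumptions made for illustration.

```python
import hashlib, hmac, json, os

MANIFEST, SIGNATURE = "manifest.json", "manifest.sig"  # hypothetical names

def _mac(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def publish(drop_root, build_no, artifact_dir, key):
    """Build side: copy a flat artifact directory to <drop_root>/<build_no>, sign it."""
    dest = os.path.join(drop_root, str(int(build_no)))
    os.makedirs(dest)  # raises if this build number was already published
    hashes = {}
    for name in sorted(os.listdir(artifact_dir)):
        with open(os.path.join(artifact_dir, name), "rb") as f:
            data = f.read()
        with open(os.path.join(dest, name), "wb") as f:
            f.write(data)
        hashes[name] = hashlib.sha256(data).hexdigest()
    body = json.dumps({"build": int(build_no), "files": hashes}, sort_keys=True).encode()
    with open(os.path.join(dest, MANIFEST), "wb") as f:
        f.write(body)
    with open(os.path.join(dest, SIGNATURE), "wb") as f:
        f.write(_mac(key, body))
    return dest

def verify(drop_root, build_no, key):
    """Deploy side: return the verified artifact paths, or raise ValueError."""
    src = os.path.join(drop_root, str(int(build_no)))
    with open(os.path.join(src, MANIFEST), "rb") as f:
        body = f.read()
    with open(os.path.join(src, SIGNATURE), "rb") as f:
        sig = f.read().strip()
    if not hmac.compare_digest(sig, _mac(key, body)):
        raise ValueError("manifest signature mismatch")
    manifest = json.loads(body)
    if manifest["build"] != int(build_no):
        raise ValueError("manifest belongs to a different build")
    present = set(os.listdir(src)) - {MANIFEST, SIGNATURE}
    if present != set(manifest["files"]):
        raise ValueError("drop folder contents differ from manifest")
    for name, digest in manifest["files"].items():
        with open(os.path.join(src, name), "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                raise ValueError("hash mismatch: " + name)
    return [os.path.join(src, n) for n in sorted(manifest["files"])]
```

With a shared HMAC key, either machine can produce a valid manifest, so the key needs the same protection on both sides of the handoff.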