June 17th, 2002, 11:33 PM
#11
Well, the VPN server SHOULD NOT sit parallel to the firewall - that gives you two hosts to worry about people attacking in order to get in to your LAN.
Ideally, you'd want the VPN server off in an isolated corner of your DMZ, on a switch. At the very least, you'd want to limit the places where authenticated VPN users could then bounce off that server and through your firewall (i.e. they wouldn't have full access to your internal LAN, but just to the stuff they might need - things that would probably require further sorts of authentication to get to, actually).
You should think of the VPN server as simply a "secure pipe" that allows your corporate information to traverse the Internet without being susceptible to real-time snooping. However, the traffic from the VPN server is still somewhat untrusted and needs to be suitably screened. Placing it inside or alongside the firewall implies that it would have unrestricted access internal to your LAN and, I'd guess, that's not what you'd want (especially considering that there's at least one port that's going to have to be pretty wide-open to the Internet).
Also, I'd give thought to backend'ing the VPN server to come through a separate port on the firewall, across a private link (so someone couldn't spoof the "semi-trusted IP" to get through your firewall without going through the VPN server).
Hope that helps...
"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"
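One way to express the design in that reply as firewall rules, added here as an example and not part of the poster's message: the VPN server is backended to the firewall over its own private link, traffic claiming a VPN-client address on any other interface is dropped (the spoofing case mentioned above), and VPN users only reach the few internal services they need. Interface names, address ranges and the chosen services are assumptions, and the rule set is Linux iptables syntax.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed layout:
#   eth2 = dedicated port cabled privately to the VPN server
#   eth1 = internal LAN
# Set IPT=echo to preview the rules instead of applying them.
IPT="${IPT:-iptables}"
VPN_IF="eth2"             # private link to the VPN server (assumed)
LAN_IF="eth1"             # internal LAN interface (assumed)
VPN_POOL="10.200.0.0/24"  # addresses handed to authenticated VPN clients (assumed)
MAIL_SRV="10.10.0.5"      # internal hosts remote users may reach (assumed)
FILE_SRV="10.10.0.6"

vpn_rules() {
    # Anti-spoofing: a VPN-pool source address is only legitimate when it arrives
    # over the private link. The same address seen on any other interface is dropped,
    # so nobody can forge the "semi-trusted" source to bypass the VPN server.
    "$IPT" -A FORWARD ! -i "$VPN_IF" -s "$VPN_POOL" -j DROP

    # Replies to sessions opened from the VPN side may flow back out.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only the handful of services remote users need; each host still does its own
    # authentication, so the VPN is just the pipe, not the trust decision.
    "$IPT" -A FORWARD -i "$VPN_IF" -s "$VPN_POOL" -d "$MAIL_SRV" -p tcp --dport 143 -j ACCEPT
    "$IPT" -A FORWARD -i "$VPN_IF" -s "$VPN_POOL" -d "$FILE_SRV" -p tcp --dport 445 -j ACCEPT

    # Everything else from the VPN link into the LAN is logged, then dropped.
    "$IPT" -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -j LOG --log-prefix "VPN-DENY: "
    "$IPT" -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -j DROP
}

# Apply only when explicitly asked, e.g. "sh vpn-policy.sh apply" as root.
case "${1:-}" in
    apply) vpn_rules ;;
esac
```

Run `IPT=echo sh vpn-policy.sh apply` first to review the generated rules; the LOG line is what you would watch to spot VPN users probing hosts they were never meant to reach.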