The best way that you are going to get it is if you use IPSec tunneling between the VPN and the internal network so that it can properly route requests. If you put it on the firewall, then you'll have the same problem and one more "zone" to worry about. If you put it on the internal network you get people trying to compromise it all the time, not to mention that you are basically giving anyone a free ticket to bypassing the firewall.
At one place, they actually used SOAP and XML to pass requests from VPN users to the internal network. There are lots of messed up ways you can do it, but the bottom line is putting the VPN in the DMZ is probably your best bet.
Regards,
Wizeman