Originally posted here by os1
Let me redefine my answer. The VPN Server can sit anywhere on your network with regards to your Firewall. In front, behind, on, or in parallel. It all depends on the way your network is designed and how you would like to add the vpn server into your network.
Yes... and I sit in any seat in a plane, too... depending on whether I'm flying it from the pilot's seat, assisting from the copilot's seat, or just going along for the ride. Point is, yeah, there are a few places to put it, but only a few of them are advised if I want the thing to fly. Likewise, with a VPN server, there are only a few places to put it on the network if you want your network to be secure.

Similarly, there are a few different places for a firewall or a network-based IDS box... it depends on what you want to accomplish, how things are set up and, well, how much you know (or how paranoid you are, etc.).

So, for things like VPN servers and the like, people tend to get in a bit of a holy war. To me, it all comes down to "how much do you trust it" and how much risk you think is involved... if it's risky to have it inside your firewall or open up the hole for it, you can be darned sure it's going to at least be on a DMZ, preferably on its own network segment... perhaps even on its own network with a few screens and/or firewalls sitting around it (and yes, I've firewalled a SINGLE box before).

It also depends on how many simultaneous users you will have on the VPN server. If your DMZ has multiple high-traffic servers and then you decide that you want 1000 people to connect to your VPN, you are going to cause problems with collisions or response times. If you're only going to have 100 or so VPN users then the DMZ would be a good place to add your VPN server. If you don't have a DMZ and don't want your server sitting outside the firewall, then you will need to add it behind the firewall, yet you will have to open the appropriate ports on the firewall for IPSec to negotiate. Some VPN servers have slots into which you can add T1 cards and place them directly next to the core router; that way you aren't consuming Internet/DMZ traffic on your core Internet connection.
Ummm... this is a completely separate issue and I'll leave it at the idea that it doesn't have much to do with placement, though it might have a bit to do with how you want to segregate your network segments.

So again, it all depends on how your current network is laid out and where it would fit most appropriately, and it would also be recommended to check with the VPN server manufacturer as to where they recommend placing their VPN server on your network. Your only main concern should be that you do not want your internal network and the outside interface network on the VPN server to be on the same VLAN.
With my experience adding a Cisco VPN Concentrator parallel to the Firewall, I have never encountered a problem.
My experience seems to be that most VPN vendors don't have much of a clue as to placement of the server - as I've said, it tends to be a bit of a holy war, to a point.

And, if you don't want the "outside" interface to be on the same network as your internal net, then... wouldn't that be outside the firewall?

Really, I'm imagining this all as "fairly simple."

Assuming a common network topology consisting of a 3-legged firewall with internal network and DMZ, where would a VPN server be commonly placed? (VPN for remote users, not site-to-site)
To me, that says "small network with a couple of hosts on the DMZ (www, ftp, ns, etc.) and a firewall that segregates the Internet from both the DMZ and LAN, and the LAN and DMZ from each other." I'm not imagining some hugely complicated network with multiple VLANs, a load-balanced or clustered firewall system with fully redundant links to the Internet, or anything even that simple.

So, to directly answer the question: the best and safest/most secure location for your VPN server is probably going to be on the DMZ, behind the firewall - that would be where I'd put pretty much any server that has any sort of connectivity inbound from the Internet... one of the old basics/premises of network security: "Thou shalt host no direct connections from the Internet in to the corporate LAN." (or something like that, anyhow)
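To make the "VPN server on the DMZ, behind a three-legged firewall" layout concrete, here is an added example; it is not part of the original thread and not anyone's production config. It assumes a Linux firewall using iptables, interface names eth0 (Internet), eth1 (DMZ) and eth2 (LAN), a VPN server at 192.0.2.10 on the DMZ, a client address pool of 10.0.100.0/24 handed out by the VPN server, and a LAN of 10.0.0.0/24; all of these are illustrative assumptions. It opens only what IKE/IPsec needs from the Internet to the VPN box, lets decapsulated client traffic from the pool into the LAN, and logs and drops everything else the DMZ tries to send to the LAN.

```shell
#!/bin/sh
# Added example (not from the original thread): iptables forwarding rules for
# a three-legged firewall with a remote-access IPsec VPN server on the DMZ.
# Interface names and addresses below are assumptions for illustration:
#   eth0  Internet
#   eth1  DMZ      192.0.2.0/24, VPN server at 192.0.2.10
#   eth2  LAN      10.0.0.0/24
# IPT defaults to "echo iptables" so the script only prints the commands and
# can be reviewed without root; run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

WAN_IF=eth0
DMZ_IF=eth1
LAN_IF=eth2
VPN_DMZ=192.0.2.10
VPN_POOL=10.0.100.0/24   # addresses the VPN server hands to remote clients (assumed)
LAN_NET=10.0.0.0/24

gen_rules() {
    # Default deny on the forwarding path; every permitted flow is explicit.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 1. Internet -> DMZ VPN server: only what IKE/IPsec needs.
    #    UDP/500 (IKE), UDP/4500 (NAT traversal), IP protocol 50 (ESP).
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$VPN_DMZ" -p udp --dport 500 -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$VPN_DMZ" -p udp --dport 4500 -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$VPN_DMZ" -p esp -j ACCEPT

    # 2. Decapsulated client traffic -> LAN: only from the client pool, and
    #    only arriving on the DMZ leg where the VPN server lives.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$VPN_POOL" -d "$LAN_NET" -j ACCEPT

    # 3. Anything else the DMZ sends toward the LAN is logged and dropped, so a
    #    compromised DMZ host (the VPN box included) cannot pivot silently.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix "DMZ>LAN drop: "
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
}

gen_rules
```

Rule 2 trusts the source address in the pool, so any DMZ host that spoofs a pool address could reach the LAN; in practice pair it with a static route for the pool pointing at the VPN server plus reverse-path filtering on the firewall, or give the VPN server's inside leg its own firewall interface. That second option is the concrete form of the "outside interface and internal network must not share a VLAN" point raised earlier in the thread.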