Double NAT with a VPN Server?


Hi everyone,

I'm researching the setup of a Microsoft VPN server, RRAS, etc. In TechNet, I see the following topology (taken from TechNet) listed as being pretty normal.

So in this setup, you have a firewall before the Microsoft VPN server with 2 NICs. I'm trying to figure out how this works. In the preferred environment:

1. Is NAT enabled on the firewall and on the VPN server? If so, isn't double NAT a bad thing? Example:
ISP equipment ------> [wanip]firewall[172.16.y.z] ---------> [172.16.y.z]Microsoft VPN server with NAT, 2 NICs[192.168.1.z] --------> internal network

2. Or is NAT enabled on the MS VPN server, like this?
ISP equipment ------> [wanip]firewall[wanip] ---------> [wanip]Microsoft VPN server with NAT, 2 NICs[192.168.1.z] --------> internal network

3. In the picture above, does the web server have a WAN IP or a private IP (172.16.y.z)?

Or maybe both methods are acceptable?

Thank you for your thoughts!

   Some firewalls NAT, some don't. If the firewall is doing NAT, the firewall needs to forward the required protocols to the VPN server, and clients need to connect to the firewall's public IP (and ditto for the web server and HTTP clients). If it is not doing NAT, the VPN and web servers have public IPs.

   I have run double NAT configurations in test systems, and the delay was not detectable. I'm not sure I would use it in a heavy-traffic live setup.


bill


