A trip to Birmingham was on the cards today, but I'm going in blind!
I didn't manage to speak to the end user before this proof of concept, but I was pretty confident that I could deal with most situations.
Luckily we were deploying OWA, Citrix, Sharepoint and RDP sessions.
It all went swimmingly, and the only difference was that we were using an external IP address directly on the appliance instead of using a DMZ. This was fine until...
We tried to deploy an additional trunk for third parties/contractors, and this was where we came unstuck, using two external IP addresses on the NIC (one as an alias).
The box would only hold one external IP address, and would not release it correctly to allow access for the other trunk.
Previously when I have deployed a similar solution, we were using DMZ addresses, so that seemed like the logical solution.
Once the firewall was configured correctly within the DMZ with the correct NAT rules, it worked perfectly!