This is a very problematic configuration, from what I've read. The problem is that if you terminate the VPN at the external server, you will only be able to access resources on the DMZ segment, except for those resources that you publish on the internal ISA Server. The reason for this is that you can't publish the VPN server because publishing rules don't work for GRE. Now, you could use a public address DMZ, but there is a problem with the packet filtering mechanism that appears to break passing GRE packets through to the external interface of the internal ISA Server. You *should* be able to do this, but people report to me that they have a hard time making this work. I haven't tested this out yet, but will in the near future for the 2nd edition of our book.
One solution that I think should work is to tunnel a PPTP connection inside another PPTP connection. For example, you establish a PPTP connection to the external interface of the external ISA/VPN server. Then after establishing this connection, establish a PPTP tunnel inside of the one that you already created so that you can connect to the ISA/VPN server on the inside of the DMZ. This should work, and I hope to demonstrate that soon.
I don't even want to think about how to make this work with L2TP/IPSec. However, if I did think about it, the same tunnel-inside-a-tunnel approach should work. You may be able to use packet filters, but you wouldn't be able to publish the internal L2TP/IPSec VPN server because the IP protocols could not be published.