That is exactly why TMG comes with UAG, to make it "edge-ready". UAG is designed so that it can sit behind a firewall, or directly on the internet. Most of the time the decision on where to place it comes down to your standards (you may have written standards
dictating that nothing goes directly on the internet), or firewall capabilities. To utilize DirectAccess on a UAG box, there must be actual public IP addresses on the external NIC. This means that if you are placing it in a DMZ behind a firewall, that firewall
must be capable of passing through (routing) the true public IP addresses; it cannot do a NAT. DA will not work if the UAG is behind a NAT. Some firewalls are able to route public IPs, and some are not.
Disclaimer: Shameless plug coming up :) Many network and security admins will not allow a general purpose Windows server to sit directly on the edge of the network, even if it has TMG running. That is one of the purposes behind the specialty appliances on
the market, such as the IVO Networks DirectAccess Concentrator hardened appliances that I install every day.