Setting up a DMZ (Internet-ASA-DMZ-ASA-LAN) as we are looking allow external access. (The DMZ will only host an SMTP relay server and some mail content inspection boxes at this point.)
Usres will use SSL VPN (Cisic ASA) to access some web based apps on the LAN and probabaly ACS radius (or TACACS+) for AAA against a W2003 AD.
I belive the ACS is installed on a windows server but I believe the server must be a member of the AD.
So in that respect, in terms of device placement, I believe that the internt connects to external ASA interface, the ACS box sits in the internal lan as a domain member (?), so the ASA must communicate some how with the ACS box over a particular port (?).
On the right track here? Thanks