@elmer: Yeah, but by and large it's much, much cheaper to just put an off-the-shelf hardware firewall device in place than to go with TMG. Especially once you go with DirectAccess, since most of the complexity that usually goes along with authentication and access control just becomes a non-issue (plus you get the benefits of remote management of client devices without having to have them connect to a VPN).