This has come up on TechNet countless times. I’ve seen it in deployments large and small. I’ve seen it so often that I feel it needs a large font.
TECHNET DOES NOT SUGGEST YOU PUT YOUR EDGE ON THE INTERNAL LAN. PLEASE DON’T DO THIS.
Every Edge server should have two interfaces, one internal facing and one external facing. I realize that the TechNet documentation doesn’t always use the clearest language, and we see articles like this that state “On your internal interface, configure one static IP on the internal perimeter network subnet”.
However, that does not mean your internal network. A perimeter network is also often called a DMZ: a separate network, firewalled off from all other networks, including your internal LAN.
PUTTING YOUR EDGE SERVER WITH ONE LEG IN A DMZ AND ANOTHER ON YOUR INTERNAL LAN BYPASSES YOUR FIREWALL AND IS BAD SECURITY PRACTICE.
Instead, TechNet is describing two separate perimeter networks (or DMZs): an external facing one that communicates with the Internet through a firewall or other access control, and a separate internal facing one that communicates with internal servers and workstations through a firewall. These two networks should not be able to route to each other, and only the necessary ports should be opened through each firewall.
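A quick way to catch the mistake before it ships is to audit the Edge server’s interfaces against your inventory of internal LAN subnets. The script below is an example added here, not code from the original post or from TechNet: the `EdgeServer`/`EdgeInterface` inventory format, the hostnames and the sample addresses are all made up for illustration. It flags an Edge leg that lands on an internal LAN subnet (the firewall bypass described above), a single-legged Edge whose two interfaces share one subnet, and, following the usual Edge deployment guidance rather than anything stated in this post, a default gateway on the internal leg or a missing or off-subnet default gateway on the external leg.

```python
"""Audit Edge server interface placement against the two-DMZ topology.

Added example, not code from the original post. The inventory classes,
hostnames, addresses and the internal LAN list below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EdgeInterface:
    name: str
    address: str            # CIDR notation, e.g. "172.16.50.10/24"
    gateway: Optional[str]  # default gateway configured on this leg, if any


@dataclass
class EdgeServer:
    hostname: str
    internal: EdgeInterface  # leg on the internal perimeter network
    external: EdgeInterface  # leg on the external perimeter network


def audit_edge_placement(edge: EdgeServer, internal_lan_subnets: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the placement is acceptable."""
    findings: List[str] = []
    int_net = ipaddress.ip_interface(edge.internal.address).network
    ext_net = ipaddress.ip_interface(edge.external.address).network
    lans = [ipaddress.ip_network(s, strict=False) for s in internal_lan_subnets]

    # Any Edge leg on an internal LAN subnet puts the server inside the
    # firewall: Internet-sourced traffic reaches the LAN without traversing it.
    for leg, net in ((edge.internal, int_net), (edge.external, ext_net)):
        for lan in lans:
            if net.overlaps(lan):
                findings.append(
                    f"{edge.hostname}: {leg.name} ({leg.address}) is on internal LAN "
                    f"{lan}; Edge traffic bypasses the internal firewall"
                )

    # Both legs in one subnet is a single-legged Edge; the two perimeter
    # networks must be separate and not routable to each other.
    if int_net.overlaps(ext_net):
        findings.append(
            f"{edge.hostname}: internal and external legs share subnet {int_net}; "
            "use two separate perimeter networks"
        )

    # Edge deployment guidance (assumption, not from the post): the default
    # gateway belongs on the external leg and must be inside that leg's subnet;
    # internal subnets are reached via static routes, so the internal leg
    # carries no default gateway.
    if edge.internal.gateway:
        findings.append(
            f"{edge.hostname}: internal leg has default gateway {edge.internal.gateway}; "
            "reach internal subnets via static routes instead"
        )
    if not edge.external.gateway:
        findings.append(f"{edge.hostname}: external leg has no default gateway")
    elif ipaddress.ip_address(edge.external.gateway) not in ext_net:
        findings.append(
            f"{edge.hostname}: external gateway {edge.external.gateway} "
            f"is not inside {ext_net}"
        )
    return findings


# Constructed sample inventory.
INTERNAL_LANS = ["10.0.0.0/8", "192.168.0.0/16"]

GOOD_EDGE = EdgeServer(
    "edge01",
    EdgeInterface("Internal", "172.16.50.10/24", None),          # internal DMZ
    EdgeInterface("External", "203.0.113.10/24", "203.0.113.1"),  # external DMZ
)
BAD_EDGE = EdgeServer(
    "edge02",
    EdgeInterface("Internal", "10.0.5.10/24", "10.0.5.1"),        # on the LAN!
    EdgeInterface("External", "203.0.113.11/24", "203.0.113.1"),
)

if __name__ == "__main__":
    for edge in (GOOD_EDGE, BAD_EDGE):
        result = audit_edge_placement(edge, INTERNAL_LANS)
        print(edge.hostname, "OK" if not result else "")
        for line in result:
            print("  -", line)
```

Run it against the address plan before the Edge is built; `edge02` above is exactly the misplacement the post warns about, and it is reported as a firewall bypass plus a stray default gateway on the internal leg.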