It is fairly common when starting work with the new Remote Access role for administrators to choose the Deploy DirectAccess only option. Maybe you initially thought this box was only going to be used for DA, or that all of your client connections would be handled by only the DA role. While this is true for some organizations, it is pretty common to get some benefit from having both DirectAccess and VPN configured on your remote access entry point. Maybe you have some mobile phones or personal tablets that you want connected to the corporate network. Or perhaps you want to give the ability for home computers, or even Macs, to connect remotely. These are scenarios that are outside the scope of Direct Access and require some other form of VPN connectivity.

Making significant changes on a production server can be intimidating, and you want to make sure that you select the right options. Also, IP addressing remote access servers isn't always a cakewalk...