http://blogs.msdn.com/brad_hughes/archive/2008/05/05/how-not-to-deploy-client-access-servers.aspx