I have a dual NBM3.7 DMZ built like this:

Public--NBM1(NAT)--DMZ--NBM2(NAT)--Private

I am planning on upgrading to NBM3.8 and implementing site-to-site
VPN.
Should I configure the VPN Master on NBM1 or NBM2? Which server
should I
upgrade first? If I make NBM2 the master, how to configure the packet

filters?

TIA,
--
Chad