Personally I recommend starting with the sensor behind the Firewall.
This way you can find out what kind of attacks are making it through your Firewall.
Many users find that the attacks getting through the Firewall take up most of their time, and don't have to time to spend on attacks already being blocked by the Firewall.
If you've monitored inside your Firewall, and determined that very little is getting past, then it can be worthwhile to move the sensor to outside your Firewall. This way you will see the scans, dos attacks etc.. that already being blocked by your Firewall.
BUT I only recommend doing this if you have the time to sort through the extra alarms that will now be firing. If you start getting too many alarms, consider moving it back behind the Firewall.
In your case though, I am guessing that you may wind up leaving the sensor monitoring outside the Firewall.
Several of our advanced users have begun placing IDS Sensor both inside and outside the Firewall. They mostly monitor the inside sensor. When an attack ocurrs they compare the inside sensor logs with the outside sensor logs to see what other type of activity the user may have been doing that was blocked by the Firewall.