I did both. I bridged the VM-Ware directly over my main OS and a second time over my router and disabled all FW's. Further, I set up a test which i could exploit, when the XP firewall was down. So unfortunately remote exploitation even with old OS is not that easy than client sided attacks.
The book Penetration Tester's Guide only gives some good tips finding vulnerabilities on not updated system. But not on a certain System you want to exploit, since most computers do not run telnet, ssh, sql, http etc. I have been using the auxiliary scanners of msf and Nessus, which also provides a lot of informations about possible attack vectors. So I am now looking in arp poisoning and sniffing of traffic to find an entry point.