Regarding internal trusted computers and external untrusted computers:

You may be able to use DNS to help if your internal DNS is separate from your Internet-facing DNS.

Have two gateways with different IPs. One is prelogon (.1 for this example) and the other on-demand (.2). Use one name in the client (ex. connect.xyz.com).

Internal users: Internal DNS resolves connect.xyz.com to the .1 IP and users connect prelogon.

External untrusted users: External DNS resolves connect.xyz.com to the .2 IP and users connect on demand. (Assuming this doesn't use certificates for authentication.)

Or, have a totally separate name and IP for external users to connect to.