Restricting users' 2X access from LAN vs. WAN (SSL)

I've got a single 2X terminal server inside the LAN, and I have it set up to use SSL. It works fine both internally and across the 'net (I have a DNS record set up, port 443 NATted on the firewall, etc)...however, I have a business need to only let certain users access the 2X server from oustide our LAN. I've been giving those users VPN logins, but I'm starting to get more and more requests to connect from users' personal computers...and I don't really want their personal muck-machines on the LAN, even by VPN. I also have some users who have trouble establishing VPN's from behind firewalls at remote sites...so 2X/SSL is brilliant...except, how do I set up something to only allow that sub-group to access the 2X apps remotely, but still allow all my users to get to stuff from here?

I've also set up a DNS domain that mirrors my outside domain, except it points at LAN addresses as appropriate rather than WAN addresses..this is useful for portable clients and the like to get to Exchange...and 2X....

..I'm open to about anything. I have a DMZ, and wouldn't mind putting another server in there if it will help with this.

Any suggestions?

EDIT -- DETAILS:

2X is 5.1-275
Windows Server is 2003 R2 Standard in Application Server Mode