The way to do this is to leverage UAGs for the use cases. Personally, I would enforce 2FA for all external users. UAG does support multiple different types of auth, including RADIUS. The caveat is you need to decide whether you wish to split your connection brokers between, in your case, internal users and external, or keep them the same. Personally, I always keep them the same. I have yet to find a use case where I couldn't use the same connection servers for both. However, I believe as best practice, mostly unwritten, VMware would suggest segregating the brokers between internal and external within the same pod. The downside of using the same brokers for both internal and external use means you can no longer enable tunneling on the connection brokers. The gain is less management overhead.
Thanks for the reply, appreciate it!
The 2FA for all external users may come later, but since it involves contractors and contracts, it isn't something I can just enforce immediately. I agree, 2FA for all external access would be best. I will move ahead with segregating the brokers and seeing how that works out!