I have a basic setup Security Server in the DMZ and the CS in our back end network
I notice that in order to set the IP URL on our security server, you have to have the Gateway option checked on the Connection Server
Ideally I wanted it so my external users had to use the Gateway and my internal users could use direct connect, is this not an option since I have to have the Gateway checked in order to have it accessible for external users?
You can pair 1 connection server and security server I dont think you would need 2 of them.
Check the Dns and Cname Entries and have a look at this
The problem with only having 1 CS is that internal users would then have their PCoIP sessions gateway'd and this is not as efficient as direct. Just install a replica Connection Server for internal users as has been previously suggested. This gives further benefits such as being able to add 2-factor authentication for external users and using tagging for different external/internal entitlements.