With Security Server and Horizon Connection Servers then the recommendation to dedicate Connection Servers for either internal or external still applies with Horizon 7.
If you are using Access Point instead of Security Server then all Connection Servers can be configured the same, just for password authentication. RADIUS authentication can then be done in the DMZ with Access Point. That way you still get internal users who go direct to Connection Server getting just password authentication, but remote access users connecting via Access Point can get RADIUS 2-FA as well. Same applies for RSA SecurID with Access Point.
See Using PowerShell to Deploy VMware Access Point and Technical Introduction to Access Point for Secure Remote Access - VMware End-User Computing Blog - V...
Mark
