Hi there,
It's pretty straight forward, the access points authenticate directly with the RSA Securid servers so the 2FA takes place exclusively in the DMZ (assuming that's where you site the access points). There is no longer a requirement to configure the Connection servers to handle the RSA authentication so you can use the same Connection servers for both internal and external connectivity.
I would strongly recommend you take a read of Mark Bensons deployment guide as currently the Powershell method of deployment is the only supported method of deploying the access points with the RSA options you will require.
Using PowerShell to Deploy VMware Access Point
Best of luck
Andrew
