Generally speaking, you're going to want to set up another server, though this isn't a hard requirement. While you can run the security server against the existing connection server [CS], some settings are defined at the CS level, one example being turning the PSG on or off. If you use the same server for both internal and external connections, you'll invariably need to enable the tunnel and PSG in order to connect externally, but that means internal connections are being unnecessarily routed through the CS instead of going directly to the desktop. Therefore, most customers have alternate CSs configured that enable the secure tunnel, PSG, etc. for the security servers to pair with, and have internal-only CSs that turn off those unneeded features.