Hi Gordon,
I think what Seb is trying to say here is have 2 Tomcats. One for external users and one for internal users.
You could install an additional Tomcat instance on a separate drive.
You could then bring over the .war files from your BO Tomcat to the 2nd one and deploy them.
The "Web Application Deployment Guide" would contain additional information on how to deploy: http://help.sap.com/boall_en
Note: A unique port on each Tomcat would be needed to ensure isolation on the network.
The NAT option is also valid and saves adding a 2nd instance.
Regards,
Sid