As mougT said, you need to use different connection servers for your internal and external users - the tunnel setting is per connection server, so you must pair your security servers with a connection server that has the option enabled and point internal clients to one without. See the "security server topologies" section of the admin guide: http://pubs.vmware.com/view-51/topic/com.vmware.view.planning.doc/GUID-955BC8CA-B662-43ED-BE39-50C96DF5B282.html
Mike