At some sites, ThinLinc should be available for all users on the internal network, but only some users should get access from the internet. This can be accomplished by running two different SSH daemons with different configuration files, listening on different interfaces. The SSH daemon listening on the external interface is then configured with the AllowGroups directive, and will allow only users that are members of one or several specific groups.

As usual, the hostname(s) reported by the VSM agent(s) must be available in DNS on both the outside and the inside, and the VSM agent(s) must be reachable from both the outside and the inside.