That scenario will work. It is a very common way to set up internal and external access so that just external users coming in via the Security Server get RSA SecurID authentication. We know this works in other environments. Is it possible that the Security Server is paired to the wrong Connection Server? Do a test from an external client and verify from the logs that you are seeing log activity for that session on the Security Server and SecurID configured Connection Server.
If you're still having problems, contact VMware support and they should be able to help you. They may ask you to generate a DCT log set so that your setup can be investigated.
Mark