As Linjo says, the simplest solution is to set up an additional security server to point these clients to (no need for another connection server, you can pair it with the existing one). You are required today to provide an IP address for the PSG, so you will need a second server if you need to route them through a different one.
Of course, if they are completely untrusted clients then you may want to force them to go through the external access point anyway but it sounds like you need to avoid the extra traffic cost of that approach.
Mike