Tivoli Access Manager design decisions

I'm sure that lots of articles have been written on this subject. When you are given the task of designing the security infrastructure around a Portal website that has both internal and external facing applications, the rule of thumb is to NOT mix internal and external applications on the same server.

The situation becomes even more complex when you have a mix of products such as WebSphere Portal, Tivoli Access Manager and an LDAP server, each with its own notion of where the internal/external boundary lies.

The questions on my mind are:

1) Would you have two Portal servers with security enabled, using a single Tivoli Access Manager policy server (one secure domain, one protected object space) with two WebSEAL servers handling internal and external traffic, and rely on ACLs alone to keep the two populations apart?

or

2) Would you create separate secure domains, each with its own policy server, object space and WebSEAL, giving a complete demarcation between internal and external users?

Personally, I feel (and this is confirmed by best practices in IBM documentation) that security cannot be controlled using Access Control Lists alone. There is every chance that ACLs could overlap, that administrators could create wrong ACL entries that either allow full access or no access at all, and that other types of security nastiness could creep in. It's best to keep internal and external policies, ACLs etc. completely separate using secure domains, and to use different WebSEAL servers to route traffic for internal and external users.
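To make the "ACLs alone" risk concrete, here is a small model of how Tivoli Access Manager resolves the ACL in force for an object in a shared protected object space, run against option 1 above (one policy server, two WebSEAL instances). This is an added illustration written for this post, not IBM code: the instance names ws-int and ws-ext, the ACL names, the junctions and the users alice and bob are all invented, and the evaluation rules are a reduced version of TAM's (nearest attached ACL wins; a user entry beats group entries beats any-other; unauthenticated is masked by any-other; T is needed on every ancestor and r on the object). Two single-line administrator mistakes are then replayed: a wrong any-other entry on the internal ACL, which lets every authenticated external customer read the intranet, and the internal ACL attached one level too high, which takes the whole external site down.

```python
"""
Simplified model of Tivoli Access Manager ACL resolution on a shared
protected object space.  Added example, not IBM code; names and rules are
assumptions described in the lead-in.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Acl:
    name: str
    users: dict = field(default_factory=dict)    # user name  -> permission letters
    groups: dict = field(default_factory=dict)   # group name -> permission letters
    any_other: str = ""                          # authenticated, no other match
    unauthenticated: str = ""                    # ANDed with any_other


@dataclass(frozen=True)
class Principal:
    name: Optional[str]                 # None means an unauthenticated request
    groups: frozenset = frozenset()


def permissions(acl: Acl, who: Principal) -> set:
    """Permission letters this ACL grants to the principal."""
    if who.name is None:
        return set(acl.unauthenticated) & set(acl.any_other)
    if who.name in acl.users:
        return set(acl.users[who.name])
    granted, matched = set(), False
    for g in who.groups:
        if g in acl.groups:
            matched = True
            granted |= set(acl.groups[g])
    return granted if matched else set(acl.any_other)


def lineage(path: str) -> list:
    """Root down to the object: '/a/b' -> ['/', '/a', '/a/b']."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def effective_acl(attachments: dict, path: str) -> Acl:
    """The ACL attached to the nearest ancestor (or the object) is in force."""
    for node in reversed(lineage(path)):
        if node in attachments:
            return attachments[node]
    raise LookupError("no ACL attached at or above " + path)


def can_read(attachments: dict, who: Principal, path: str) -> bool:
    """T on every ancestor, then r on the object itself."""
    nodes = lineage(path)
    for node in nodes[:-1]:
        if "T" not in permissions(effective_acl(attachments, node), who):
            return False
    return "r" in permissions(effective_acl(attachments, path), who)


def baseline() -> dict:
    """One policy server, two WebSEAL instances (assumed names ws-int / ws-ext)."""
    return {
        "/": Acl("default-root", any_other="T", unauthenticated="T"),
        "/WebSEAL/ws-int": Acl("int-employees", groups={"employees": "Tr"}),
        "/WebSEAL/ws-ext": Acl("ext-public", any_other="Tr", unauthenticated="Tr"),
        "/WebSEAL/ws-ext/account": Acl("ext-customers", groups={"customers": "Tr"},
                                       any_other="T"),
    }


def wrong_entry() -> dict:
    """Mistake 1: any-other 'Tr' typed into the internal ACL instead of ext-customers."""
    att = baseline()
    att["/WebSEAL/ws-int"].any_other = "Tr"
    return att


def wrong_attachment() -> dict:
    """Mistake 2: the internal ACL attached one level too high, at /WebSEAL."""
    att = baseline()
    att["/WebSEAL"] = att["/WebSEAL/ws-int"]
    return att


# Constructed principals: an employee, an external customer, an anonymous browser.
ALICE = Principal("alice", frozenset({"employees"}))
BOB = Principal("bob", frozenset({"customers"}))
ANON = Principal(None)

CASES = [
    (ALICE, "/WebSEAL/ws-int/payroll"),
    (BOB, "/WebSEAL/ws-int/payroll"),
    (ANON, "/WebSEAL/ws-ext/landing"),
    (BOB, "/WebSEAL/ws-ext/account/balance"),
]


def report(attachments: dict) -> dict:
    """(principal, object) -> allowed?  for every case in CASES."""
    return {(who.name or "anon", path): can_read(attachments, who, path)
            for who, path in CASES}


if __name__ == "__main__":
    for label, att in [("baseline", baseline()), ("wrong entry", wrong_entry()),
                       ("wrong attachment", wrong_attachment())]:
        print(label)
        for (who, path), ok in report(att).items():
            print(f"  {who:6} {path:36} {'ALLOW' if ok else 'DENY'}")
```

The point of the two mistake scenarios is that each is a single edit in a single shared domain, and neither produces an error: the policy server accepts both, and only the effective access on the other population's WebSEAL changes. With separate secure domains (option 2) the internal ACL simply does not exist in the external object space, so neither edit can reach it.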