Sorry for the delayed response here. One possible approach you can take here is to use Connect's ability to delegate to multiple LDAP identity providers. You could build an LDAP directory for only external users, and then let Connect delegate to both that "external" LDAP directory and the internal LDAP directory. Just ensure that usernames are unique, and both should be able to access!
As @rstub mentioned, you will still need to mark content as accessible to these external users.
Another solution would be to have separate Connect servers - one which is internet accessible and another which is "internal only." You can use some manner of "staging" / programmatic deployment / etc. to keep content in sync across the servers, if this is a desirable approach. We have seen customers take this approach on occasion, since the internet accessible server has more restrictive firewall and security requirements.
We're definitely happy to chat through it with you either here or elsewhere, if you have any more specific questions! Always feel free to ping firstname.lastname@example.org, and we can set up a call!