The truly paranoid may elect to use the 2.4 kernels' Netfilter4 facility (adding stateful packet filtering) or a commercial application-level proxygateway.
Once a mobile user is authenticated through the Workspace and Gateway, the proxy runs as an authenticated user sitting at a desk inside the corporate network would run.