I'm not sure if I've understand your problem. But if you need to allow some of your AD users to access from outside (e.g. Public network) so you want to use a different access for them through a new virtual proxy.
This new proxy need to use a custom authentication solution (http://help.qlik.com/en-US/sense/3.2/Subsystems/PlanningQlikSenseDeployments/Content/Server/Server-Security-Authentication-Solutions.htm)
If you want to allow just some AD group to use an external access you can do that in diffeent way using the Security Rule (eg. in the Virtual Proxy configuration you can Extend Security environment and track the source IP on what of which build the Security Rule or using the coming Virtual Proxy for that).
If the access come from teh Public Network you can also consider to put a new proxy in DMZ.
Thanks for the response, The second option that you suggested seems more viable.
The requirement is to grant the access to the external users (outside the domain) access to certain streams and the access should be governed only for specific AD group users.
You made a great suggestion to use the source IP and tieing it to the Virtual Proxy.
Now my concern is to grant certain stream OR new stream access only for those users who access through the new Virtual Proxy. Not sure if using Custom Properties I can achieve this process.
Here (Available resource conditions ‒ Qlik Sense) you can find some attribute on which you can build your security rules. You can achieve it in different ways, for example you can use the the source ip Address (Security rules example: Access to stream by IP address ‒ Qlik Sense) supposing those coming from outside have a different sub-net or TAG the proxys and build some rule on that.