But does the server then know that the connections are less-trusted "external" ones, or does it think they are coming from semi-trusted internal machines?

Can it tell the difference?
That's where all of the solutions I've found thus far fall down.