Currently the Small Business Server wants to do RRAS authentication of the user before completing the VPN tunnel. Have you configured RRAS fully? Are mobile users allowed remote access by account and RRAS policies? What authentication methods are set in RRAS? When you say you opened port 1723, what do you mean — port forwarding?
My bet is on mobile user IPs. How are you doing that in a way that is compatible with your internal network firewalls and filters?
Since you have a VPN firewall, you should use your Small Business Server simply for RRAS services to approve logon (allowed remote access on account). Point the firewall to the SBS machines for RRAS services. Configure RRAS and the user account to allow Remote Access.
To complete VPN tunnels you might need to set certificates or shared secrets on the firewall to pair with mobile users — capabilities vary with firewall. Certificates are superior, but distribution mechanics vary. Ultimately mobile users need access to certificates generated for the firewall, and the firewall needs access to certificates for mobile users.
This will end the VPN tunnel at the firewall. The firewall will decrypt and route IP wherever it needs to go in your network. Those users will be able to communicate anywhere in your network AD allows them without passing through and taxing your SBS machine.
If you want to go across a firewall, L2TP is supposed to be easier to get to work, especially if any NAT is in play.