There are multiple ways of doing this. Usually, an elegant solution does not exist.
1. You could create a standard customer access DMZ segment separated from the corporate network by a firewall. That segment would include a virtual farm of virtual machines used as jump-off boxes. So you could have site-to-site tunnels terminating in that environment and manage the VPN clients on the VMs.
To gain access to that segment from the corporate network, users would RDP from their PCs to the VMs in the DMZ. It can be set up so that VMs are allocated to new sessions on a rotational basis, allocating the next available VM for each new session.
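
The segmentation described above, sketched as an nftables forward policy on the firewall between the two segments. This is an added example, not part of the original answer; the table name, the interface names (`corp0`, `dmz0`, `wan0`) and the address ranges are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Constructed example: interface names and subnets are assumptions.

define CORP_NET = 10.10.0.0/16      # corporate user PCs (assumed range)
define JUMP_NET = 172.16.50.0/24    # jump-off VMs in the customer access DMZ (assumed range)

table inet jumpdmz {
    chain forward {
        # Default deny: only the flows listed below cross the firewall.
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions that were allowed below.
        ct state established,related accept
        ct state invalid drop

        # Corporate users reach the jump-off VMs over RDP and nothing else.
        iifname "corp0" oifname "dmz0" ip saddr $CORP_NET ip daddr $JUMP_NET tcp dport 3389 ct state new accept

        # Jump-off VMs open the customer VPN connections outward.
        # In a real deployment, narrow this to the customer gateways' addresses and ports.
        iifname "dmz0" oifname "wan0" ip saddr $JUMP_NET ct state new accept

        # Nothing in the DMZ may initiate a connection into the corporate network.
        # Logged so that an attempt from a jump-off VM is visible to monitoring.
        iifname "dmz0" oifname "corp0" log prefix "dmz-to-corp drop: " drop
    }
}
```

The one-way rule set is what makes the DMZ a containment boundary: a customer network reachable from a jump-off VM has no path back to corporate hosts, because only sessions started from the corporate side are tracked and allowed to return.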