is the following setup possible with BM3.8:

-BM 3.8 is installed in the DMZ with its own tree on a NW 6.5 SP 1.1a

Authentication for VPN Users:

-1. Check UserName and Password via LDAP over a Group in the Productive Tree in the LAN (not the same tree as the vpn Server)
-2. Check UserName and RSA SecureID Token on a RSA ACE Server

Which LoginPolicy and Security Objects do i need to modify ?
Is there a good documentation for this scenario ?