That's simple enough to do via child domain, or simple VLAN specification at the switch, no (once the host is setup\published, of course)?
For external access to/from your 'detached' server, the VLAN specs will allow incoming/outgoing traffic. Installing the IIS role +/- RD Web Access, or Direct Access (Windows Server in your DC?) provides any web/enhanced VPN tunneling (for domain-joined client) access you'd need.