Channel: SCN : All Content - Security

Single URL for internal (SSO) and external (no SSO) access?


Hello,

 

Environment

 

# Client:

O/S: Windows 7

Browsers: IE11 + Firefox 44

 

# Server

O/S: Windows Server 2012 R2

BO BI 4.1 SP7

Web Server: Tomcat 7 + JRE 8_66

 

# Authentication

Windows AD : 2012

Kerberos + SSO

 

# URLs to access the BILP web portal (HTTPS/TLSv1.2): 2 existing FQDNs

- public FQDN: xyz.corp.fr (reachable from web)

- internal FQDN: a-b-xyz.corp.fr + a-b-xyz.corp.local (reachable from LAN)

 

AIM

 

Laptops need to access BILP from LAN or from the web (roaming users).

Whatever the type of network used (LAN or web), a single public URL is wanted to access BILP: https://xyz.corp.fr/BOE/BI

 

 

 

Symptoms

On the LAN, to get SSO under IE11, https://xyz.corp.fr has to be added to the "Local intranet" security zone.
But if the laptop is connected from the web, https://xyz.corp.fr/BOE/BI is KO: "This page cannot be displayed".
To make it work, https://xyz.corp.fr has to be deleted from the "Local intranet" security zone.
Then, if the laptop is connected from the LAN again, SSO does not work anymore since https://xyz.corp.fr is no longer in the "Local intranet" security zone.


!!! NB: there is no problem with Firefox, which does not use the concept of "security zones".

Questions

Is it possible to use a single URL for external (web) and internal (LAN) access?

How ?

A simple and cheap solution is wanted by the client (very small IT team, little time, little money, few skills).


I did some "do it yourself" work to get a quick and dirty solution, but I'll give it later so as not to bias your answers.


Thanks in advance for your suggestions.


Regards,


Stéphane

