As far as I know, in this configuration, TFS Server uses the same SQL Server (databases), so you can use the Team Project Collection as in the normal configuration, whether accessing team projects or work items.
I would just install TFS in the standard fashion, and just create a domain user or local user on the TFS server for the external users. The rest is standard user access permission configuration for the external users.
I don't think you can easily share WIT between collections, only within the same collection. One collection can be seen as one single TFS server, and must be configured separately.