Server 1: DB2, SSC, Meetings, Proxy, Media
Server 2: Community (Proxy could go on this server instead of Server 1 if desired)
Server 3: VMGR (low spec box)
Server 4: VMCU (4 CPU cores, 8GB ram)
You can create a "Limited" policy and assign them to specific users or groups in the LDAP directory so that users that aren't entitled to everything such as screen capture and file transfer don't get those capabilities, but everyone else gets the full suite of functionality. I hope this helps, thanks!
I would only add... Plan for clustering if there is any chance this company expects significant growth in the life cycle of the product. Clustering allows expansion without reinstalling