SSL VPN policy and host groups

why?

I would define the destination subnet within VPN-definition and allow access to selected destination-hosts via Firewall-rule.

why?

I would define the destination subnet within VPN-definition and allow access to selected destination-hosts via Firewall-rule.

There are several groups with access to multiple servers (group1 has access to srv1,2,3 while group2 has access to srv4,5,6,7 and so on)

So we cannot use subnets

Limit them in the Firewall after connection. 

You can use the groups/users in a firewall rule as source (match user based) and use the destination as you like. 

Hmmm....Interesting, so SSLVPN user are considered to be from VPN zone or LAN zone?

VPN-Users should come from VPN-Zone.

Use AD-Gruops to allow access via FW-Rule. You can only see one group per user ... but the other are loaded in the background too, so you can combine multiple rules for a single user with membership to multiple groups.