Thank you for the response, but I don't have issues with rules, but with injected routes on client machines 🙂
As usual it is more complicated than it sounds 🙂
On the first two gw, the VPN domain is: all internet without Zoom/Webex services (I saw this configuration here somewhere). So clients receive a huge routing table that points to the gateway, except for Zoom/Webex.
On the third gw, we want clients to receive only routes to allowed destinations and use their internet services directly, not through the gw. But in fact, they get the same routing table as members of the first two gw.
All remote access VPN domains are defined properly for each gw.
So I was wondering if there is some OS-level configuration file that could help with this.