hi man.. sorry my english..
I created an ldap group, on the right of the smartconsole in user - ldap group. I informed the full path of the OU that has the users who will be able to "authenticate in vpn"
example:
dn-prefix set box
CN=AUTH_VPN - ,OU=Client_vpn,OU=Group,OU=test,DC=testlocal,DC=com,DC=br which is the path you can take in active director via adsi editor
After that I created the rules on the blade firewall/app access rules with the access that each user can have after authenticating, and set vpn ( remote access).
Some accessing remote desktop, others ssh , all under different rules and stating .
Remember to inform the group in the VPN domain of the internal servers in the gateway or cluster properties,