New Fortigate User: Need help with Watchguard Migration
Hello all, first-time Fortigate user here, and I need a little help. I'm upgrading from a Watchguard firewall; the feature set on the 300D is impressive, to say the least.
Here is an example of a problem I am having trouble solving, and I think it's because I just don't understand how things are done on the Fortigate side:
I have 4 AWS servers (don't have contiguous IPs) that I need to allow authentication over LDAP-SSL to a server inside my network. Here is how I have it set up in Watchguard:
1) I create a 1-1 NAT for the server in question mapping an external IP to the internal IP of the server on my network.
2) I create a rule with those 4 servers mapping to the external IP created in step 1 for TCP port 636.
3) I create a rule outgoing from the internal IP of my server, going to those 4 servers over the same ports. (reverse of step 2)
4) All other traffic is implicitly denied.
Now, attempting to recreate that in Fortigate:
1) I create an LDAP-SSL Service that is TCP on port 636.
2) I create each server as a destination, and I leave them as not listed.
3) I create a destination group, choose the 4 servers, and leave that as listed. This allows me to quickly select them all at once (they are always referenced together).
4) Here I get stuck... I am not sure how to do 1:1 NAT or if that is even the best way to do it. For the purposes of this discussion, let's call my internal server IP 192.168.1.125.
I thought I had it working with VIPs, but when I turned the rule on, DNS stopped working. And I honestly couldn't figure out why.
Any help would be greatly appreciated, thanks so much!
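Added here as a worked example (not the poster's configuration, and not a vendor-supplied answer): a FortiOS CLI fragment that reproduces the four Watchguard steps with a port-forwarding VIP and an inbound policy restricted to the four AWS source addresses. The interface names "wan1" and "internal", the external address 203.0.113.10, the AWS addresses 198.51.100.11-14, and all object names are placeholders and must be replaced with your own. The one caveat a practitioner would want to check first: a VIP with port forwarding disabled ("static NAT") translates every port and protocol sent to extip, and if extip is the WAN interface's own address that includes traffic meant for the FortiGate itself, so enabling portforward and pinning the VIP to TCP 636 keeps the translation from catching anything else.

```text
# Custom service object for LDAP over SSL (step 1 on the Fortigate side).
config firewall service custom
    edit "LDAPS"
        set tcp-portrange 636
    next
end

# One address object per AWS server (step 2). Placeholder IPs, /32 each,
# because the servers are not in a contiguous range.
config firewall address
    edit "AWS_LDAP_1"
        set subnet 198.51.100.11 255.255.255.255
    next
    edit "AWS_LDAP_2"
        set subnet 198.51.100.12 255.255.255.255
    next
    edit "AWS_LDAP_3"
        set subnet 198.51.100.13 255.255.255.255
    next
    edit "AWS_LDAP_4"
        set subnet 198.51.100.14 255.255.255.255
    next
end

# Address group so the four servers can be referenced together (step 3).
config firewall addrgrp
    edit "AWS_LDAP_Servers"
        set member "AWS_LDAP_1" "AWS_LDAP_2" "AWS_LDAP_3" "AWS_LDAP_4"
    next
end

# The VIP (step 4). Port forwarding is enabled so that ONLY TCP 636 sent to
# the external address is translated to the internal LDAP server; every other
# port and protocol destined for 203.0.113.10 is left untouched.
# 203.0.113.10 is an assumed external address; "wan1" is an assumed interface.
config firewall vip
    edit "VIP_LDAPS_192.168.1.125"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.125"
        set protocol tcp
        set extport 636
        set mappedport 636
    next
end

# Inbound policy: the destination is the VIP object itself, the source is the
# AWS group, and the service is pinned to LDAPS. Anything not matched by a
# policy is dropped by the implicit deny at the bottom of the policy table.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "Inbound_AWS_LDAPS"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "AWS_LDAP_Servers"
        set dstaddr "VIP_LDAPS_192.168.1.125"
        set action accept
        set schedule "always"
        set service "LDAPS"
        set logtraffic all
    next
end

# Outbound policy (the reverse of the rule above). Only needed if the internal
# server itself opens TCP 636 connections toward the AWS hosts; replies to the
# inbound sessions are already allowed by the stateful session table.
# The address object for the internal server is assumed to exist as
# "LDAP_Server_192.168.1.125".
config firewall policy
    edit 0
        set name "Outbound_LDAPS_to_AWS"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LDAP_Server_192.168.1.125"
        set dstaddr "AWS_LDAP_Servers"
        set action accept
        set schedule "always"
        set service "LDAPS"
        set nat enable
        set logtraffic all
    next
end
```

Before turning the inbound policy on, a quick sanity check from the CLI is to run `diagnose sniffer packet any 'port 636' 4` while one of the AWS hosts attempts a bind, and confirm the packet is seen arriving on wan1 and leaving toward 192.168.1.125; if DNS or anything else stops working once the policy is enabled, the first thing to confirm is that the VIP really has `set portforward enable` and `set protocol tcp` applied rather than a full static NAT of the external address.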