amrobx
New Member
January 20, 2021
Question

Port Forwarding to remote site from Azure via Tunnel

  • 0 replies
  • 1390 views

So, our domain infrastructure looks like the following:

Public --> External Azure --> Fortigate VM (SSL VPN / Tunnel concentrator) --> Internal Azure --> Tunnel --> Remote site Fortigate --> LAN Subnet server with http interface

I am trying to get to the server interface from Azure (and our SSL VPN subnet via a specific group). I have configured the groups, users and policy objects -- I am completely stuck on VIPs. Currently have a VIP from Tunnel interface/0.0.0.0 to my server at port 8088. No joy. Keep in mind that the site is accessible, I can ping the tunnel and SSL interface of the remote Fortigate as well as from the public interface. If I allow a VIP from the public IP, it works fine--publicly, which is something that we are wanting to avoid. I'm beating my head against the wall. Any ideas?