SSL VPN User Group - restrict access to 1 specific IP on LAN
I already have an SSL VPN configured on a FortiGate 80E (v5.6) that is functional. Those users have full access to the LAN. The portal they are assigned to is the default "tunnel-access" with IP range 10.212.134.200-210.
I now need to create a connection for a group of people who will only have access to a single IP on the LAN. To accomplish that, I have done the following:
- created user (bob)
- created group (GroupBob)
- created SSL Portal (Bob-Tunnel) that has a different IP range than the "tunnel-access" portal. This range is 10.213.134.200-210.
- assigned GroupBob to the Bob-Tunnel portal
I then created a new IPv4 Policy with full access to the LAN just for testing.
Incoming Interface: SSL-VPN Tunnel Interface
Outgoing Interface: LAN
Source: Bob-Tunnel-SSL-Address-Range, BobGroup
Destination: LAN
Schedule: Always
Service: All
Action: ACCEPT
Unfortunately, after bob authenticates, he can't see anything on the LAN.
What am I missing? I feel like it is something easy that I am just overlooking...
Thanks in advance!
