I resolved my issue with the source IP address being wrong on traffic from internet users to the windows web server by indicating a source IP range on the port-forwarders of the internal interface (eth1).
In order to do this, I had to create a networking object under the Networking > Objects menu that represented the entire range of IPs that any computer would ever be assigned on my LAN (192.168.0.1-254).
In summary, I've added 3 virtual interfaces to Zentyal's external interface, so that Zentyal can handle traffic for 3 additional public IP Addresses: 55.55.55.55, 55.55.55.56, 55.55.55.57.
I have a windows webserver inside the Zentyal network assigned these private IPs: 192.168.0.5, 192.168.0.6, and 192.168.0.7.
I essentially need the following mappings:
55.55.55.55:80 gets served by 192.168.0.5:80
55.55.55.56:80 gets served by 192.168.0.6:80
55.55.55.57:443 gets served by 192.168.0.7:443
This webserver serves over 40 websites. One website has a dedicated IP 55.55.55.55 (for SEO considerations) , and the other websites are mainly on 55.55.55.56, and the other IP is dedicated to a SSL website.
So that internet users can access the windows webserver via 55.55.55.55, I have this port-forwarder:
interface: eth0
Orginal Destination: 55.55.55.55/32
Protocol: 80
Source: Any
Destination IP: 192.168.0.5
Replace Source Address: No
So that internet users, will see 55.55.55.55 as the source address on replies by the windows webserver, I have this SNAT entry:
SNAT address: 55.55.55.55
Outgoing interface: eth0 eth0:object1, eth0:object2, etc
Source: 192.168.0.5
Destination: Any
Service: Any
So that LAN users may also access all websites served by 55.55.55.55, I added this port-forwarder to eth1 (not eth0). Also notice that I had to check the box for "Replace Source Address", which I didn't do this for my port-forwarders on eth0. Also notice that the source is a network object that represents the internal IP range, so that this rule is not applied to any internet sourced traffic:
interface: eth1
Orginal Destination: 55.55.55.55/32
Protocol: 80
Source: source object 192.168.0.1-254
Destination IP: 192.168.0.5
Replace Source Address: Yes
Here's the port-forwarder allowing internet users to access this same windows webserver via 55.55.55.56:
interface: eth0
Orginal Destination: 55.55.55.56/32
Protocol: 80
Source: Any
Destination IP: 192.168.0.6
Replace Source Address: No
So that those internet users will see 55.55.55.56 as the source address on all replies by the windows webserver I have this SNAT entry:
SNAT address: 55.55.55.56
Outgoing interface: eth0 eht0:object1, eht0:object2, etc
Source: 192.168.0.6
Destination: Any
Service: Any
So that LAN users may also access all websites served by 55.55.55.56, I added this port-forwarder to eth1 (not eth0). Also notice that I had to check the box for "Replace Source Address", which I didn't do this for my port-forwarders on eth0. Also notice that the source is a network object that represents the internal IP range, so that this rule is not applied to any internet sourced traffic:
interface: eth1
Orginal Destination: 55.55.55.56/32
Protocol: 80
Source: source object: 192.168.0.1-254
Destination IP: 192.168.0.6
Replace Source Address: Yes
Here's the port-forwarder allowing internet users to access this same windows webserver via 55.55.55.57:
interface: eth0
Orginal Destination: 55.55.55.57/32
Protocol: 443
Source: Any
Destination IP: 192.168.0.7
Replace Source Address: No
So that those internet users will see 55.55.55.57 as the source address on all replies by the windows webserver I have this SNAT entry:
SNAT address: 55.55.55.57
Outgoing interface: eth0 eht0:object1, eht0:object2, etc
Source: 192.168.0.7
Destination: Any
Service: Any
So that LAN users may also access all websites served by 55.55.55.57, I added this port-forwarder to eth1 (not eth0). Also notice that I had to check the box for "Replace Source Address", which I didn't do this for my port-forwarders on eth0. Also notice that the source is a network object that represents the internal IP range, so that this rule is not applied to any internet sourced traffic:
interface: eth1
Orginal Destination: 55.55.55.56/32
Protocol: 443
Source: source object 192.168.0.1-254
Destination IP: 192.168.0.6
Replace Source Address: Yes
Before, I was using "ANY" instead of the source object 192.168.0.1-254 for the source on the internal interface port-forwarders. This had the unforeseen ramification of also applying this rule for traffic coming in from the internet and it changed the source to 192.168.0.1 for internet sourced traffic . . . making the windows web server think that all its traffic was coming from 192.168.0.1 (which isn't too helpful for web site traffic analytics). By narrowing the source scope from ANY to just the internal IP range, internet traffic was no longer affected by my internal interface port-forwarders.
I'd like to thank Christian, Half-Life, and jbahillo for teaching me the fundamentals that led to this solution.