So having a firewall rule 'deny 192.168.160.2 all to 10.0.0.4' does not work... If you really need to block access to a VPNed system but not another on the same network, that sounds like an inefficient way to do things. Maybe you should have 2 VPN servers running on the Zentyal. One can have access to your terminal server and the other does not.