One way to solve this is to put vBond on a public IP in the DMZ with 1:1 NAT from outside and the other controllers in the inside zone. When they try accessing the public vBond IP, they also get NATed from inside to DMZ using public so vBond will look at both publi...
vBond needs to be public or behind 1:1 NAT, with no tunnel interface configured; all the rest of the controllers can be behind NAT. (Try avoiding symmetric NAT.)
vBond will help with NAT traversal for NATed devices.
Keep in mind to open the list of Firewall...
You cannot do custom applications as of now, but there is a list of applications which NBAR2 and Qosmos mutually support, which can be detected and policies can be applied.