It is not that hard. If you have static IPs on the 2 ZS it is more easy. On the 220.127.116.11 interface of ZS2 add only one static route for the ZS1 WAN interface. On the 18.104.22.168 interface assign the default gateway. On the virtual servers section add the ports to be forwarded on the 22.214.171.124 only! NAT only on the 126.96.36.199 interface, the other one works with the tunnel. Regarding the http administration you may block the interfaces that you don’t want to listen to. There is the https menu on the administration page.