It is not that hard. If you have static IPs on the 2 ZS, it is easier. On the 22.214.171.124 interface of ZS2, add only one static route for the ZS1 WAN interface. On the 126.96.36.199 interface, assign the default gateway. In the virtual servers section, add the ports to be forwarded on the 188.8.131.52 only! NAT only on the 184.108.40.206 interface; the other one works with the tunnel. Regarding the HTTP administration, you may block the interfaces that you don't want to listen to. There is the HTTPS menu on the administration page.