Forum Discussion
Understanding SSL VPN group configuration and virtual servers
Hello, I'm new to the f5 and the f5 SSL VPN configuration and have some conceptual questions around how to configure SSL VPN groups. I'm coming from a Juniper SSL appliance background and am migrating to the f5. For the scenario, let's say we have a company with sales, marketing, IT, and HR security groups in their Active Directory. To give each group on the Juniper its departmental VPN config we could set it up with one IP/departmentname. For instance it would look like: 123.456.789.10/sales, 123.456.789.10/marketing, 123.456.789.10/hr etc. We'd actually give them a URL but the point is it all resolved to the same IP with the /department appended. So I'm trying to translate how I configure a similar scenario on the f5. So far I have a single VPN profile working successfully going to a single virtual server/IP - let's say that's IT. So now when I want to go add sales do I need to create a new virtual server with a new IP? Do I need a separate virtual server/public IP for each department?
The only other way I could figure out to do this was in my AD Query to check group membership: I could chain them, having the first check for IT, then fall back to another query for sales, then that fall back to marketing, etc. So there would be a chain of AD queries. Is that how it's done?
Thank you,
Ben
Hi,
You can configure a new VS for each department but it can be hard to maintain. I would recommend using the AD resource Group Assign block in the Visual Policy Editor. This way, you can assign different resources (Network Access, RDP, Portal, ACL, webtops, etc.) based on the group membership of the user.
You can also split your policy to behave differently if the starting landing URI is /sales or /it, ...
- Yann_Desmarest_Nacreous
- benderstine_258 Nimbostratus
That answered my question, thank you. I hadn't registered the existence of the AD resource Group Assign block.