Do other users also use client VPN? If so, the above approach probably wont work (it affects all client VPN users).
What you can do though is create a group policy (perhaps called client-vpn-hvac). In that add the firewall rules to say what they can access (don't forget to put a deny all at the end). Then go to the Network-Wide/Clients list, and find their VPN connection (add in the username column if you haven't got it already turned on). Then assign the group policy to that connection. It will stick for all future connections as well.
Then the restriction will only apply to that one VPN user.