Don’t get scared
This is going to be a long response because you’ve asked an excellent question. But as with most things - there’s a lot of nuance in this response so hopefully this big wall of text doesn’t scare you off…
At the bottom of the post is a diagram that I made. If it’s wrong please correct it. This is my understanding of what you’re looking to do ‘roughly’.
Custom SDK App?
The first big question from me is about what is connecting to these sites on the ‘left side’ shown. Are you expecting to author code and make a custom ziti app that knows how to do these things? I expect “no” but thought I’d ask… Same is true for the far side. When you’re writing code on both sides - well… you can do ANYTHING you want!!! and you could absolutely do what you want to do.
I expect that writing code is not what you want, since that’s “more effort” (and hey, I don’t blame you). With a tunneller on the left side your options do start to narrow since you’ll be reliant on the tech we’ve implemented to date. Assuming you’re using a tunneller on the left, at this time, I don’t see how you can really get away from declaring “a bunch of services”, a block of them for each site. Yah, I agree it’s more cumbersome but with APIs/ziti cli it can all be scripted out. It might not be “that bad” but I do understand the point you’re making - certainly not ideal.
ZSSH might be for you
One option that came to me talking this over with a couple of fellas and reading your post. If you want “Johnny Admin” to be able to SSH to the iot gateway (shown in green on the image), well zssh is literally all you would need. zssh is a ‘zitification’ - an app that allows you to ssh to a machine over ziti. It supports this feature you would make use of called “addressable terminators”. Let’s explore zssh for a moment. With zssh you could make ONE service - called “zssh-to-gateway”. That ONE service would then allow people to ‘zssh’ to the ‘identity name’… for example you would run this command:
zssh remoteUserName@site1
and presto - you are now on that top green box inside that subnet.
zssh remoteUserName@site2
and now you’re in the middle box… If that’s all you want then you CAN do this today. The difference is that you’ll be using an ssh implementation we made from go on the ‘left side’. You can watch this short (under 4 minutes) video of me doing that. I’m happy to talk more about that if you like that approach…
You’ll also notice I put orange ‘ziti’ bubbles ON the iot devices. It sounded to me like this isn’t an option. If that is an option do let me know, but I assume it’s not.
In Summary
Right now with a tunneler on the left and on the right (green bubbles) what you want is not currently available. If you were to use a custom ziti app on both sides, well you can do anything you want, and if you are only looking to “ssh” from the admin box to the “iot gateway” (in green), well zssh might be all you really want and need, already there for you to use!
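The “block of services for each site” that the reply above says can be scripted with the ziti CLI, written out as an added example that is not part of the original post or of OpenZiti’s own tooling. Site names, gateway identity names, device addresses and the #admins role are constructed placeholders, and the `ziti edge create` subcommands and config types (intercept.v1, host.v1) are assumed to match the current CLI syntax. Each device behind a site gets its own service: the admin-side tunneler intercepts the device address on port 22, the site gateway’s identity is the only one allowed to Bind (host) it, and only identities carrying the #admins role may Dial it.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenZiti project: script
# the per-site block of services an admin-side tunneler needs. Site names,
# gateway identity names, device addresses and the #admins role are
# constructed placeholders. Commands are printed by default; set ZITI_RUN=1
# to execute them with a ziti CLI that is already logged in to a controller.

# Print or execute one ziti command, depending on ZITI_RUN.
run() {
  if [ "${ZITI_RUN:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Stable service name for one device behind one site: site1-10-1-0-10-ssh
service_name() {
  printf '%s-%s-ssh' "$1" "$(printf '%s' "$2" | tr . -)"
}

# Emit the five objects one device needs: an intercept config (what the
# admin-side tunneler captures), a host config (where the gateway-side
# tunneler forwards to), the service tying them together, a Bind policy
# limited to the gateway identity and a Dial policy limited to #admins.
# Usage: emit_device <site> <gateway-identity> <device-address>
emit_device() {
  site=$1 gw=$2 addr=$3
  svc=$(service_name "$site" "$addr")
  run ziti edge create config "$svc-intercept" intercept.v1 \
    "{\"protocols\":[\"tcp\"],\"addresses\":[\"$addr\"],\"portRanges\":[{\"low\":22,\"high\":22}]}"
  run ziti edge create config "$svc-host" host.v1 \
    "{\"protocol\":\"tcp\",\"address\":\"$addr\",\"port\":22}"
  run ziti edge create service "$svc" --configs "$svc-intercept,$svc-host"
  run ziti edge create service-policy "$svc-bind" Bind \
    --service-roles "@$svc" --identity-roles "@$gw"
  run ziti edge create service-policy "$svc-dial" Dial \
    --service-roles "@$svc" --identity-roles "#admins"
}

# Emit the whole block for one site.
# Usage: emit_site <site> <gateway-identity> <device-address>...
emit_site() {
  site=$1 gw=$2; shift 2
  for addr in "$@"; do emit_device "$site" "$gw" "$addr"; done
}

# Number of commands a site block produces (5 per device), for sanity checks.
site_command_count() {
  emit_site "$@" | wc -l | tr -d ' '
}

# Constructed site table, one line per site:
# <site> <gateway-identity> <device addresses...>
SITES='site1 site1-gateway 10.1.0.10 10.1.0.11
site2 site2-gateway 10.2.0.10'

printf '%s\n' "$SITES" | while read -r site gw addrs; do
  # shellcheck disable=SC2086  # addrs is intentionally word-split
  emit_site "$site" "$gw" $addrs
done
```

Run it once without ZITI_RUN to review the generated commands (the printed JSON is shown unquoted, so copy from the script rather than the output if you paste by hand), then with ZITI_RUN=1 to create the objects. Adding a site means adding one line to the table; the contrast with the single addressable-terminator zssh service described above is that this approach multiplies services by the number of devices, which is exactly the cumbersome part the reply acknowledges.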