You're on the right track; here is a copy and paste from the admin guide:
"1. Create a new Network Connect resource policy where you specify the three servers to which you want to grant remote users access following the instructions described in “Defining Network Connect Access Control Policies” on page 655:

   a. In the Resources section, specify the IP address ranges necessary to allow access to the three servers (“outlook.acme.com,” “oracle.financial.acme.com,” and “case.remedy.acme.com”) separated by carriage returns.

      udp://10.2.3.64-127:80,443
      udp://10.2.3.192-255:80,443

   b. In the Roles section, select the Policy applies to SELECTED roles option and ensure that only the “user_role_remote” role appears in the Selected roles list.

   c. In the Action section, select the Allow access option."
The next section talks about defining the rest of the NC policy, which is different from the ACL.
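
To check what the two Resources entries quoted above actually cover, here is an added example (not part of the post or the admin guide). It assumes the syntax is protocol://a.b.c.lo-hi:port,port as inferred only from those two entries, and that anything not matched is denied; the function names are hypothetical.

```python
import ipaddress
import re

# The two resource entries exactly as quoted from the admin guide.
RESOURCES = ["udp://10.2.3.64-127:80,443", "udp://10.2.3.192-255:80,443"]

# Assumed grammar: proto://a.b.c.lo[-hi]:port[,port...] (inferred from the quote).
_ENTRY = re.compile(r"^([a-z]+)://(\d+\.\d+\.\d+)\.(\d+)(?:-(\d+))?:(\d+(?:,\d+)*)$")


def parse_resource(entry):
    """Return (protocol, first_ip, last_ip, ports) for one resource line."""
    m = _ENTRY.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised resource entry: {entry!r}")
    proto, prefix, lo, hi, ports = m.groups()
    lo = int(lo)
    hi = int(hi) if hi is not None else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad last-octet range in {entry!r}")
    first = ipaddress.IPv4Address(f"{prefix}.{lo}")
    last = ipaddress.IPv4Address(f"{prefix}.{hi}")
    port_set = frozenset(int(p) for p in ports.split(","))
    if any(not 0 < p < 65536 for p in port_set):
        raise ValueError(f"bad port in {entry!r}")
    return proto, first, last, port_set


def allowed(resources, proto, ip, port):
    """True if any entry matches protocol, address and port (default deny)."""
    addr = ipaddress.IPv4Address(ip)
    for entry in resources:
        p, first, last, ports = parse_resource(entry)
        if p == proto and first <= addr <= last and port in ports:
            return True
    return False


def as_cidrs(entry):
    """Express the entry's address range as CIDR blocks for review."""
    _, first, last, _ = parse_resource(entry)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


if __name__ == "__main__":
    for e in RESOURCES:
        print(e, "->", as_cidrs(e))
```

Each entry spans a 64-address block, so comparing the CIDR output with the real addresses of the three servers shows how much wider the grant is than the hosts it is meant for.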