You're referencing the SSH server with the name "prismweb5" - that name will likely only work if you have "search domains" setup for the network interface that you're using. The search domain would be appended to the hostname that you're referencing above, so if your search domain is "example.com", the FQDN would be prismweb5.example.com.
It's also possible that the DNS name "prismweb5" cannot be resolved from outside of the network. This setup may be referred to as "split-DNS", and the private name "prismweb5" may not be something that can be looked up on your 'normal' DNS servers (those provided by your home ISP).
A workaround for this would potentially be to set the DNS server that is at the remote office as the primary DNS server for the network interface (Ethernet, Wi-Fi) that you're using to connect. This will allow your machine to perform lookups of 'internal' names. I'm not sure about Shrewsoft, but many VPN clients allow DNS server settings to be changed to specific servers when the VPN connects.
Alternately, you can avoid using DNS names to connect to the server, and simply use the IP address to connect. However, this would require that you know what the IP address of the server "prismweb5" is (or be able to perform a lookup to retrieve that address).
If you are still not able to connect to the server using the IP address, see if your machine can ping that IP address (assuming prismweb5's IP is 192.168.1.5):
ping 192.168.1.5
If the machine is responding to pings, you should be able to connect to it...However, if you're not seeing IMCP (ping) responses, it's possible that your machine doesn't know the route to that computer (i.e., the VPN interface.) See what 'route' reports for that IP:
route get 192.168.1.5
The route should report an interface that is being used to connect to that device. Often, you'll see something like "ppp0" or "gif0" (or some other interface, other than en0/en1)
If the route for that device is not showing the correct interface, it may help to show all routes on the machine using netstat:
netstat -nr
The output of netstat may include an IP range/Destination for your remote network (e.g., 192.168/16), and may show the interface that should be used (Netif) on the right.
Best Answer
You can find the DesignatedRequirement and SigningIdentifier like this:
Start by installing the app on a device. On your Mac make sure you have the app downloaded in iTunes as well. In the folder "~/Music/Itunes/Mobile Applications/" you'll now find an .ipa file for you app.
Assuming that the app you want to target is "SomeApp" then copy SomeApp.ipa from that folder to a temporary folder. Rename the file and change the file extension from .ipa to .zip. Double-click to unzip the file. When unzipped you'll find that you have a folder named "Payload" in which a "SomeApp.app" folder exists.
Open a Terminal window and cd to the temporary folder. Run the following command:
This command will output the designated requirement ("anchor apple generic...").
Then run the following command:
This command will output a line starting with "Identifier=". The rest of the line is the SigningIdentifier.
Note that you mention the "App to Per App VPN" section of the linked manual - this specific payload is only supported on macOS. On iOS you do the same thing by sending the Settings command with an ApplicationAttributes entry over the MDM protocol.