## Purpose
This document outlines the general process of configuring remote access on a Sophos XGS Firewall to allow a VPN user to RDP into a workstation.

*Setting up Remote SSL VPN Access is not covered in this document.*

### Create MAC Host for Destination Device
The first step in the process is to create a MAC address host for the device being RDP'd into, so that if its IP rotates, the firewall rule continues to work correctly.

- Navigate to **Sophos XGS Firewall > [System] Hosts and Services**
- Click on the **Mac Host** tab > "**Add**"
    - Name: ``
    - Description: ``
    - Type: `Mac Address`
    - MAC Address: ``

Click **Save**

### Configure Firewall Rule
- Navigate to **[Protect] Rules and Policies > Add Firewall Rule (New Firewall Rule)**
    - Rule Name: `Remote Workstation Access for (username)`
    - Source Zone: `VPN`
    - Source Networks and Devices: `Any`
    - Destination Zone: `LAN`
    - Destination Networks: ``
    - Services > Add New Item > `RDP`
        - If `RDP` does not exist, click "Add", `Services`
            - Name: `RDP`
            - Description: `Remote Desktop Protocol`
            - Type: `TCP/UDP`
            - Protocol: `TCP`
            - Source Port: `1:65535`
            - Destination Port: `3389`
            - Click **Save**
    - Check **Match Known Users**
    - Under "Users or Groups" click "Add New Item"
        - Search for the username of the person using the VPN that needs to access the workstation (e.g. `nicole.rappe@bunny-lab.io`)
- Click the **Save** button and have the user try to connect to the VPN, then RDP into their workstation.
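
One way to confirm the rule's scope from a connected VPN client, as an added example that is not part of the original document: the script checks that TCP 3389 on the workstation answers and that a few other Windows service ports do not. The host name `workstation.example.internal`, the timeout, and the list of extra ports are assumptions.

```powershell
# Added example, not from the original document. Run on the VPN client
# after connecting. The host name and the "blocked" port list are assumptions.
param(
    [string]$Workstation = 'workstation.example.internal',  # placeholder name
    [int]$TimeoutMs = 3000
)

# The rule allows only the RDP service (TCP 3389) from VPN to the MAC host.
$checks = @(
    @{ Port = 3389; ShouldBeOpen = $true;  Service = 'RDP' }
    @{ Port = 445;  ShouldBeOpen = $false; Service = 'SMB' }
    @{ Port = 135;  ShouldBeOpen = $false; Service = 'RPC endpoint mapper' }
    @{ Port = 5985; ShouldBeOpen = $false; Service = 'WinRM (HTTP)' }
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        # Wait() returns $false on timeout; a refused connection throws.
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($check in $checks) {
    $open = Test-TcpPort -HostName $Workstation -Port $check.Port -TimeoutMs $TimeoutMs
    [pscustomobject]@{
        Port     = $check.Port
        Service  = $check.Service
        Expected = if ($check.ShouldBeOpen) { 'open' } else { 'blocked' }
        Actual   = if ($open) { 'open' } else { 'blocked' }
        Pass     = ($open -eq $check.ShouldBeOpen)
    }
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'Reachability does not match the documented rule (RDP only).'
    exit 1
}
```

A `blocked` result for the extra ports can also come from the workstation's own host firewall, so an `open` result on any of them is the meaningful signal that some firewall rule is broader than intended.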