docs/Networking/Sophos/VPN/Configuring Remote VPN RDP Access.md
Nicole Rappe 7d41d79191
Update Networking/Sophos/VPN/Configuring Remote VPN RDP Access.md
2025-10-17 17:57:51 -06:00

Purpose

This document outlines the general process for configuring remote access on a Sophos XGS Firewall so that a VPN user can RDP into a workstation. Setting up Remote SSL VPN Access is not covered in this document.

Create MAC Host for Destination Device

The first step in the process is to create a MAC address host for the device being RDP'd into. That way, if its IP address changes, the firewall rule will continue to work correctly.

  • Navigate to Sophos XGS Firewall > [System] Hosts and Services
  • Click on the Mac Host tab > "Add"
    • Name: <Device-Hostname>
    • Description: <Workstation Remote Access for (username)>
    • Type: Mac Address
    • MAC Address: <mac address of device>
    • Click Save

Configure Firewall Rule

  • Navigate to [Protect] Rules and Policies > Add Firewall Rule (New Firewall Rule)
    • Rule Name: Remote Workstation Access for (username)
    • Source Zone: VPN
    • Source Networks and Devices: Any
    • Destination Zone: LAN
    • Destination Networks: <MAC Host We Previously Made>
    • Services > Add New Item > RDP
      • If RDP does not exist, click "Add", Services
        • Name: RDP
        • Description: Remote Desktop Protocol
        • Type: TCP/UDP
          • Protocol: TCP
          • Source Port: 1:65535
          • Destination Port: 3389
          • Click Save

Configure Specific VPN User(s)

- Check **Match Known Users**
    - Under "Users or Groups" click "Add New Item"
    - Search for the username of the person using the VPN that needs to access the workstation (e.g. `nicole.rappe@bunny-lab.io`)
- Click the **Save** button and have the user try to connect to the VPN, then RDP into their workstation.
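
A pre-check for the destination workstation, added here as an example and not part of the original document: it collects the MAC address needed for the MAC Host entry and confirms that RDP is enabled, listening on the port the firewall service allows (3389), and protected by Network Level Authentication. It assumes an elevated PowerShell session on an English-language Windows install (the `Remote Desktop` firewall group name is localized).

```powershell
# Added example: run elevated on the workstation that will be RDP'd into.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# MAC address of each connected physical adapter, shown colon-separated
# (Get-NetAdapter prints dashes). Use the adapter that is on the LAN zone.
$adapters = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | ForEach-Object {
    [pscustomobject]@{
        Adapter    = $_.Name
        MacAddress = $_.MacAddress -replace '-', ':'
    }
}

# fDenyTSConnections = 0 means Remote Desktop is enabled.
$rdpEnabled  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
# Port the RDP listener is configured for; must match the firewall service (3389).
$rdpPort     = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
# UserAuthentication = 1 means Network Level Authentication is required.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

# Is anything actually listening on that port right now?
$listening = [bool](Get-NetTCPConnection -LocalPort $rdpPort -State Listen -ErrorAction SilentlyContinue)

# Enabled inbound Windows Firewall rules in the built-in Remote Desktop group.
$fwRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

$adapters | Format-Table -AutoSize

[pscustomobject]@{
    RdpEnabled          = $rdpEnabled
    RdpPort             = $rdpPort
    PortMatchesRule     = ($rdpPort -eq 3389)
    ListeningOnPort     = $listening
    NlaRequired         = $nlaRequired
    HostFirewallAllowed = ($fwRules.Count -gt 0)
} | Format-List
```

Any `False` value in the summary points to a workstation-side setting to fix before troubleshooting the Sophos rule itself.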