docs/Networking/Sophos/Configuring Remote VPN RDP Access.md
Nicole Rappe 8a15572964
Add Networking/Sophos/Configuring Remote VPN RDP Access.md
2025-10-17 17:56:27 -06:00

Purpose

This document outlines the general process for configuring remote access on a Sophos XGS Firewall so that a VPN user can RDP into a workstation. Setting up Remote SSL VPN Access is not covered in this document.

Create MAC Host for Destination Device

The first step in the process is to create a MAC address host for the device being RDP'd into. That way, if its IP address changes, the firewall rule will continue to work correctly.

  • Navigate to Sophos XGS Firewall > [System] Hosts and Services
  • Click on the Mac Host tab > "Add"
    • Name: <Device-Hostname>
    • Description: <Workstation Remote Access for (username)>
    • Type: Mac Address
    • MAC Address: <mac address of device>
    • Click Save
  • Navigate to [Protect] Rules and Policies > Add Firewall Rule (New Firewall Rule)
    • Rule Name: Remote Workstation Access for (username)
    • Source Zone: VPN
    • Source Networks and Devices: Any
    • Destination Zone: LAN
    • Destination Networks: <MAC Host We Previously Made>
    • Services > Add New Item > RDP
      • If RDP does not exist, click "Add", Services
        • Name: RDP
        • Description: Remote Desktop Protocol
        • Type: TCP/UDP
          • Protocol: TCP
          • Source Port: 1:65535
          • Destination Port: 3389
        • Click Save
    • Check Match Known Users
      • Under "Users or Groups" click "Add New Item"
      • Search for the username of the person using the VPN that needs to access the workstation (e.g. nicole.rappe@bunny-lab.io)
    • Click the Save button and have the user try to connect to the VPN, then RDP into their workstation.