====== Sophos XG Firewall: How to configure a Business Application Rule for RDP ======

===== Overview =====

Sophos XG Firewall allows internal resources located in the LAN or DMZ to be published over the Internet. This article explains how to use a Business Application Rule to forward Remote Desktop requests to the protected server.

The following sections are covered:

  * Configure a Business Application Rule for RDP
  * Feedback and contact

Applies to the following Sophos products and versions: Sophos Firewall

==== Configure a Business Application Rule for RDP ====

In this example the protected server (a database server) is hosted in the DMZ zone of the network. Sophos Firewall is deployed in Gateway Mode to protect the internal network.

{{ :sophos:sophosxg_rdp1.png |}}

  - Click Firewall, click +Add Firewall Rule and select Business Application Rule.
  - Select DNAT/FULL NAT/Load Balancing as the Application Template. Using this policy, an administrator can define the access rights to the protected server for users who require access over the WAN. Define the other parameters as shown in the images below.

{{ :sophos:sophosxg_rdp2.png |}}

{{ :sophos:sophosxg_rdp2_2.png |}}

  - In the Source section, select the Source Zone and the Allowed Client Networks to which the policy applies. We have set the Source Zone to WAN and the Allowed Client Networks to Any.
  - In the Destination & Service section, specify the external interface or IP address under Destination Host/Network.
  - Define the service for RDP as shown below; in this case we are using the default port, 3389.

{{ :sophos:sophosxg_rdp3.png |}}

  - Only the specified ports are forwarded to the protected server. If the protected server is running on a non-standard port, port forwarding can be defined to map it. In our example, we forward port 3389 (RDP).
  - In the Forward To section, configure port forwarding with these settings:
    * **Protected Servers:** Select the protected server you want to forward the traffic to.
    * **Protected Zone:** Select the zone the server is located in.
    * **Mapped Port:** This can only be used if the Change Destination Port(s) box is ticked. An administrator may, for example, change a non-standard port to the standard port.
  - In the Routing section under Advanced, enable Rewrite source address (Masquerading) and specify the NAT policy under Use Outbound Address. Traffic matching this policy passes according to the NAT policy for all gateways. Here we used the default NAT policy, MASQ, which replaces the private IP address of the source with the public IP address of the WAN interface.
  - Click Save to complete the settings.

===== Test Configuration =====

  - Use any remote desktop client, such as Remote Desktop Connection (included with Windows), to verify the configuration.
  - On a Windows system, open the Run box by pressing the Windows logo key + R.
  - Type the command mstsc and click OK.

{{ :sophos:sophosxg_rdp4.png |}}

  - In the Remote Desktop Connection window, enter the hosted address (in our example, 1.1.1.2) as shown in the image below, then click Connect.

{{ :sophos:sophosxg_rdp5.png |}}

  - A Windows Security dialog box prompts for credentials. This indicates that the connection to the internal server is successful.
  - Enter the credentials to log in to the server.
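To make the behaviour of the rule configured above concrete, here is an added Python model of the DNAT rule (example code written for this article, not part of Sophos XG or its API). It applies the Source, Destination & Service, Forward To (including the Mapped Port / Change Destination Port(s) interaction) and masquerading settings to a connection, and flags RDP published to Any source network; the protected server address 10.0.0.10 and the masquerade address 10.0.0.1 are constructed placeholders for values the article does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DnatRule:
    """Fields of the Business Application Rule (DNAT) from the steps above."""
    source_zone: str                       # e.g. "WAN"
    allowed_client_networks: List[str]     # CIDR strings, or ["Any"]
    destination_host: str                  # external address the rule listens on
    service_port: int                      # 3389 for RDP
    protected_server: str                  # internal host traffic is forwarded to
    change_destination_port: bool = False  # the "Change Destination Port(s)" box
    mapped_port: Optional[int] = None      # only honoured when that box is ticked
    masquerade: bool = False               # "Rewrite source address (Masquerading)"
    masq_address: Optional[str] = None     # assumed: address the rewrite uses


def client_allowed(rule: DnatRule, src_ip: str) -> bool:
    """Allowed Client Networks check: 'Any' matches everything, else CIDR membership."""
    if rule.allowed_client_networks == ["Any"]:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n, strict=False)
               for n in rule.allowed_client_networks)


def apply_rule(rule: DnatRule, src_zone: str, src_ip: str,
               dst_ip: str, dst_port: int) -> Optional[Tuple[str, str, int]]:
    """Return (src_ip, dst_ip, dst_port) after DNAT, or None if the rule does not match."""
    if src_zone != rule.source_zone or not client_allowed(rule, src_ip):
        return None
    if dst_ip != rule.destination_host or dst_port != rule.service_port:
        return None
    # Mapped Port applies only when Change Destination Port(s) is ticked.
    port = rule.mapped_port if rule.change_destination_port and rule.mapped_port else dst_port
    # Masquerading replaces the packet's source address with the outbound address.
    src = rule.masq_address if rule.masquerade and rule.masq_address else src_ip
    return (src, rule.protected_server, port)


def exposure_warnings(rule: DnatRule) -> List[str]:
    """Defender's check: RDP reachable from Any source network deserves a second look."""
    if rule.service_port == 3389 and rule.allowed_client_networks == ["Any"]:
        return ["RDP is published to Any source network; restrict Allowed Client Networks"]
    return []


# The rule from this article; 10.0.0.10 and 10.0.0.1 are constructed placeholders.
RDP_RULE = DnatRule("WAN", ["Any"], "1.1.1.2", 3389, "10.0.0.10",
                    masquerade=True, masq_address="10.0.0.1")
```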