RDP (Remote Desktop Protocol) allows remote access to Windows systems using port 3389. To enable secure RDP access through Sophos Firewall (SFOS), you must create a firewall rule and NAT rule (if accessing from WAN). Below are the complete steps for both internal and external RDP setups.
Open: https://<firewall-ip>:4444
Login as admin.
Go to System → Hosts and Services → Services → Add
Name: RDP
Type: TCP
Destination Port: 3389
Source Port: 1:65535
Click Save.
If you want RDP between internal systems:
Go to Rules and Policies → Firewall Rules → Add Rule
Source Zone: LAN
Destination Zone: LAN
Source Network: PC/Network needing access
Destination Network: Target server (e.g., 192.168.1.10)
Service: RDP
Action: Allow
Click Save → Enable Rule
You can now RDP directly within your LAN.
If you need to access RDP from the Internet, you must create DNAT and a WAN-to-LAN rule.
Go to Rules and Policies → NAT Rules → Add NAT Rule
Original Source: Any
Original Destination: WAN IP
Translated Destination: Internal Server IP (e.g. 192.168.1.10)
Service: RDP (TCP 3389)
Save.
Go to Rules and Policies → Add Rule
Source Zone: WAN
Destination Zone: LAN
Source Network: Any (or specific IP for safety)
Destination Network: Internal Server IP
Service: RDP
Action: Allow
Save, then move the rule to the top of the rule list so it is evaluated before any broader rule.
From outside:
mstsc → your_public_IP
From inside:
If connection succeeds, your RDP port (3389) is open and allowed.
Restrict RDP access by IP address.
Use VPN (SSL/IPSec) instead of exposing port 3389.
Change RDP port to a non-default number.
Keep the Windows firewall enabled and use strong passwords for RDP accounts.
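Added example, not Sophos code or part of the original guide: a small model of the ordered rule set built above, used to check the two points the guide makes before exposing TCP 3389: that the WAN-to-LAN rule actually sits above any broader rule (first match wins), and that its source is a trusted range rather than Any. The rule dictionaries and the 203.0.113.x addresses are constructed for the example.

```python
import ipaddress

RDP_PORT = 3389  # TCP port of the RDP service object created above

def _net_matches(field, ip):
    # "Any" matches every address; otherwise the field is a host IP or CIDR network
    if field == "Any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)

def first_match(rules, src_zone, dst_zone, src_ip, dst_ip, port):
    """Top-down, first-match evaluation as the firewall does it.
    Returns (rule name, action), or (None, "Drop") for the implicit drop."""
    for r in rules:
        if (r["src_zone"] == src_zone and r["dst_zone"] == dst_zone
                and _net_matches(r["src_net"], src_ip)
                and _net_matches(r["dst_net"], dst_ip)
                and r["port"] in ("Any", port)):
            return r["name"], r["action"]
    return None, "Drop"

def rdp_exposure_warnings(rules):
    """Flag WAN->LAN allow rules for TCP 3389 whose source network is Any."""
    return [f'{r["name"]}: allows RDP from any Internet address to {r["dst_net"]}'
            for r in rules
            if r["src_zone"] == "WAN" and r["dst_zone"] == "LAN"
            and r["action"] == "Allow" and r["port"] == RDP_PORT
            and r["src_net"] == "Any"]

# Constructed rule set: the two rules from this guide plus a hypothetical
# catch-all drop, listed in the order the firewall evaluates them.
LAN_RDP = {"name": "LAN-RDP", "src_zone": "LAN", "dst_zone": "LAN",
           "src_net": "192.168.1.0/24", "dst_net": "192.168.1.10",
           "port": RDP_PORT, "action": "Allow"}
WAN_RDP = {"name": "WAN-RDP", "src_zone": "WAN", "dst_zone": "LAN",
           "src_net": "Any", "dst_net": "192.168.1.10",
           "port": RDP_PORT, "action": "Allow"}
DROP_ALL = {"name": "Drop-WAN", "src_zone": "WAN", "dst_zone": "LAN",
            "src_net": "Any", "dst_net": "Any", "port": "Any", "action": "Drop"}

def check_order(rules):
    """Which rule handles an Internet client's RDP attempt to the server?
    203.0.113.5 is a constructed documentation address."""
    return first_match(rules, "WAN", "LAN", "203.0.113.5", "192.168.1.10", RDP_PORT)

if __name__ == "__main__":
    print(check_order([LAN_RDP, DROP_ALL, WAN_RDP]))  # below the drop: never reached
    print(check_order([WAN_RDP, LAN_RDP, DROP_ALL]))  # moved to top: Allow
    print(rdp_exposure_warnings([WAN_RDP]))  # source Any is flagged
    restricted = dict(WAN_RDP, src_net="203.0.113.0/24")  # trusted range instead of Any
    print(rdp_exposure_warnings([restricted]))  # no warning
```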
Sophos Firewall makes it easy to enable and control RDP connections using simple firewall and NAT rules. For best security, always limit access to trusted IPs or route through a VPN.