How to set up Remote Desktop (RDP) on Sophos UTM9

I'm creating this because I didn't find a good guide online and the way Sophos does this was confusing to me at first.

For demo purposes, my custom port will be 54321 (don't use this number)
The server I'm trying to connect to is 10.10.10.4

Open Network Protection --> NAT




Click the NAT tab --> New NAT Rule...



Group: Up to you
Position: Up to you (choose Bottom)
Rule Type: DNAT

For traffic from: Any IPv4 (alternatively, if you want to trust only a specific outside network or host IP, you can add it here instead.)

Using service: In this spot, you can choose Microsoft Remote Desktop or if you have changed the port on your server, click the green Plus Button.



Follow these steps to create a custom port:

Name: Up to you
Type of definition: TCP
Destination port: 54321 (again, don't use this number)
Source Port: 1024:65535 (this is the range of client source ports that you will accept connections from)
Comment: Explain what you did for the next poor schmuck.





Going to: External WAN Address 
Change the destination to: Click the green Plus Button and add your server.



Name: You choose
Type: Host
IPV4 address: 10.10.10.4
DNS Settings: Sure why not




And the service to: Use the same service that you created earlier with port 54321.

Automatic Firewall Rule: Tick the box. Later you can customize the automatically created rule by going to Firewall Rules, All Rules, Display All.

Comment: Explain what you did for the next poor schmuck.  

Lastly, Enable It



Below is the automatically created Firewall rule.
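
A server-side check to go with the rule above, as an added example that is not part of the original guide: it confirms that the RDP listener on 10.10.10.4 matches the forwarded port and, because the rule accepts traffic from Any, summarises failed logons by source address. The function name and the 24-hour window are assumptions; DNAT rewrites only the destination address, so the Security log still records the real client addresses.

```powershell
# Run in an elevated PowerShell session on the RDP server (10.10.10.4 in this guide).
$ExpectedPort = 54321   # demo port from this guide; substitute your own

function Test-RdpExposure {   # hypothetical helper name
    param([int]$ExpectedPort, [int]$Hours = 24)

    # RDP listener settings: PortNumber is the TCP port, UserAuthentication = 1 means NLA is required
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $cfg = Get-ItemProperty -Path $rdpTcp

    # Is anything actually listening on the port the DNAT rule forwards to?
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $ExpectedPort -ErrorAction SilentlyContinue)

    # Failed logons (event 4625) in the window, grouped by source address
    $since = (Get-Date).AddHours(-$Hours)
    $failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        } |
        Where-Object { $_ -and $_ -ne '-' } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name

    [pscustomobject]@{
        ConfiguredPort   = $cfg.PortNumber
        PortMatchesRule  = ($cfg.PortNumber -eq $ExpectedPort)
        Listening        = $listening
        NlaRequired      = ($cfg.UserAuthentication -eq 1)
        TopFailedSources = $failures
    }
}

Test-RdpExposure -ExpectedPort $ExpectedPort | Format-List
```

A long list of unfamiliar addresses under TopFailedSources is the signal to replace Any in "For traffic from" with a trusted network or host definition.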


How to Master Key a Schlage Knob

Insert the key into the business end of the knob and turn it one way or the other, doesn’t matter which way.

https://drive.google.com/uc?export=view&id=1qA7C2le-W_PNPnAdk9jNw_UDPV16bnPA

Use something hard like a flathead screwdriver (or assuming you have a kit, use the included tool) to push this pin in.

https://drive.google.com/uc?export=view&id=18qmyoS7cpECxOP3T9dQ1HvMzjEjzbahU

Once pressed, remove the knob.

https://drive.google.com/uc?export=view&id=1DVXUX-M_wjsaIuE5Ub5tHM5EyDiWi0xJ

This next part can be kind of tricky. The cylinder in there has a clip that retains all of the springs for the pins. (Skip ahead to see what it looks like.) In order to slide it out of the knob, these springs must be compressed so you have to simultaneously compress them while you slide the entire assembly out.

https://drive.google.com/uc?export=view&id=1TXzury5-8u5qcshBRHiWagkEl9lV_roK
https://drive.google.com/uc?export=view&id=1CfEcxgK3xjXPdeDQaaov5L5PCS87o7a2
https://drive.google.com/uc?export=view&id=16iIjtoOk_nKYqfvInnF2NstowQ2B4eNp
https://drive.google.com/uc?export=view&id=1fOiFhwW-bzDmaQFklnbaguXP9q1hmlbi

Now it’s time to remove the Jesus clip.

https://drive.google.com/uc?export=view&id=1HgdYi9AMa767uj8M30YyJJN9HXtrr74R

Slide in your key that unlocks it.

https://drive.google.com/uc?export=view&id=1_rtqS03v2QX7kxfOnW66lCczwLPJ0X8u

Line your cylinder up with your follower bar and slide your cylinder over and onto it. Be careful not to lose any of those springs or top pins in there because if you do this wrong, they will go flying everywhere.

https://drive.google.com/uc?export=view&id=1diBr2VFlqbFX1UeuiFbKh64lRlIadc6p
https://drive.google.com/uc?export=view&id=1wFPOgfEjqNbwbN8zQ3W72vCaPiCL5zxP

Dump those old pins like you’re leaving for college.

https://drive.google.com/uc?export=view&id=1Qtik0k-314UdMM4r1MeoOfEjq4ltnH_R

Now we need to set up your keying. Below I’ve written down the two keys I’m keying this lock to. There’s a master key and a tenant key. In this case, our lock doesn’t know the difference between the two. They are just two different keys that need to work with one lock. Notice I’ve lined up the numbers for each.

https://drive.google.com/uc?export=view&id=1iC9gBSvU4idQo47tPIIgsikC-IZE6kPq

The first pin to be dropped into each hole will be the smaller of the two numbers in each stack. I underlined those in red.

https://drive.google.com/uc?export=view&id=1rEUqhjsgLfPE-A3PPNaZPl1ZAAfhczEs

The second pin to be dropped in will be the master pin. This will be the pin that makes up the difference of the two numbers in each stack. I wrote each of these numbers on the very bottom.

https://drive.google.com/uc?export=view&id=1IBwEBrLLJ-Kzw-tZyb6EePRvzHdKGaAQ

My cylinder with the bottom pins installed.

https://drive.google.com/uc?export=view&id=1CI7rhdFGUWM9v9TTQ_BukuOHvlxps3KL

Here I test one of the keys to make sure the correct pins are lining up flush with the top. In this case, 1, 2, 4 & 5 are flush.

https://drive.google.com/uc?export=view&id=1Balt-jvokWBGsp4JN_AgwPJxGu1eyHLW

Here I add a master pin #2 to hole 3 to make that flush as well.

https://drive.google.com/uc?export=view&id=1Ec7d89GaDJnMp_CPjkYj0x1mWH7oDDpa

Now I’m testing with the tenant key. Hole 3 is flush (and has a master pin #2 on top) but holes 1, 2, 4 & 5 will need their master pins to make them flush as well.

https://drive.google.com/uc?export=view&id=1GUtvL7pdKh4VFtSZGvH8mPfSwbUgEb7U

Here I’m adding pins #4, #3, #0 (nada) and #2 to holes 1, 2, 4 & 5.

https://drive.google.com/uc?export=view&id=115tCHJVyHM9-SYak5ccKvtK534EIsEBz
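
The pin arithmetic from the steps above, as an added example that is not part of the original post. The two bittings are constructed (the real ones are only in the photos) so that the master pins come out as the ones named in the text, and the function names and the 0-9 depth range are assumptions. It also counts how many different bittings the finished cylinder will accept, which is the security cost of every master pin you add.

```powershell
# Constructed sample bittings, hole 1 to hole 5 (not the keys pictured in the post).
$masterKey = 2, 3, 6, 5, 4
$tenantKey = 6, 6, 4, 5, 6

function Get-PinningChart {   # hypothetical helper name
    param([int[]]$KeyA, [int[]]$KeyB)
    if ($KeyA.Count -ne $KeyB.Count) { throw 'Both keys need the same number of cuts.' }
    for ($i = 0; $i -lt $KeyA.Count; $i++) {
        foreach ($d in $KeyA[$i], $KeyB[$i]) {
            # Assumed depth range 0-9; adjust for your keyway
            if ($d -lt 0 -or $d -gt 9) { throw "Hole $($i + 1): depth $d is outside 0-9." }
        }
        [pscustomobject]@{
            Hole      = $i + 1
            BottomPin = [Math]::Min($KeyA[$i], $KeyB[$i])    # smaller number of the stack
            MasterPin = [Math]::Abs($KeyA[$i] - $KeyB[$i])   # the difference; 0 means no master pin
        }
    }
}

function Get-OperatingBittingCount {   # hypothetical helper name
    param($Chart)
    # A chamber with a master pin has two shear lines, so it accepts two depths.
    $split = @($Chart | Where-Object { $_.MasterPin -gt 0 }).Count
    [int][Math]::Pow(2, $split)
}

$chart = Get-PinningChart -KeyA $masterKey -KeyB $tenantKey
$chart | Format-Table
"Bittings that operate this cylinder: $(Get-OperatingBittingCount $chart)"
```

With four master-pinned chambers the cylinder accepts 16 bittings, only two of which are the keys you intended, so keep the number of differing cuts as low as the key system allows.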

After testing both of those keys, I’m ready to put my springs back on. Be careful with this part because if you didn’t properly test that your keys work, you will lock yourself out of opening this again so unless you know how to pick, you’ll be screwed. You might also notice I’m sliding it on from the side. If you don’t do this, your springs will start falling into the holes prematurely and you will have another mess on your hands.

https://drive.google.com/uc?export=view&id=1JAaP-tsaCta7EPowU34GsFwzRIWDJzq8
https://drive.google.com/uc?export=view&id=16GGaRPyMSLTdJY6OBo_-MBdSAQ3pVw3-
https://drive.google.com/uc?export=view&id=1uiLnM4V5a1re_mErZx-F0WLjjvAai0gw

Turn the cylinder back into place and make sure all of the springs and top pins properly fall into their holes.

https://drive.google.com/uc?export=view&id=1ZkPBsrI2FxnsI4bauG62vQTj7n0YAQ3K

Put your Jesus clip back on. Test with both sets of keys.

https://drive.google.com/uc?export=view&id=19cZ9QLhTeyhsKmn6w5YjN1B6hvOBGTEq

Find the spot in the knob where you can slide the assembly back in.

https://drive.google.com/uc?export=view&id=1UOszzBq_VthTDf0OiW0dD6tBOY125WVW

Compress the springs and slide it in.

https://drive.google.com/uc?export=view&id=1XMl41W3pszDI3aKYprnZb2QeX5c-o60l

Line it up with the retaining pin and slide it back on.

https://drive.google.com/uc?export=view&id=18H0hvjUTmAc1xvYwuuBVDljTQsN07EnT

Get it on there as far as you can. Finally, insert the key and turn it to lock it into place.

https://drive.google.com/uc?export=view&id=1yozn6NLIeUeIOVaYm_5Nmj2CAbYCC83W

How to enable WinRM via Group Policy

In order to remotely manage computers via PowerShell, you must enable Windows Remote Management.

Open Group Policy management.

Create a new GPO.



Right-click your newly created GPO and click Edit...

First we need to allow it on each computer's firewall. Open Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Windows Firewall with Advanced Security --> Windows Firewall with Advanced Security --> Inbound Rules

Create a New Rule

Microsoft was nice enough to include it as a predefined rule.

I unchecked Public as I will only be connecting locally.

Click Allow the connection

The new rule should now be listed. 

That's it for the firewall. Now you need to go to Computer Configuration --> Policies --> Administrative Templates --> Windows Components --> Windows Remote Management (WinRM) --> WinRM Service --> Allow remote server management through WinRM

Syntax:

Type "*" to allow messages from any IP address, or leave the field empty to listen on no IP address. You can specify one or more ranges of IP addresses.

Link your newly created GPO. This is going to be a computer policy so connect it to an OU of the computers you would like to enable this for.  

It's also necessary to make sure the WinRM service starts on startup. To do this via GPO, go to Computer Configuration --> Preferences --> Control Panel Settings --> Services

Right-click and click New --> Service


Choose Automatic (Delayed Start) as the startup type, pick WinRM as the Service name, set Start service as the Service action.



Once all of your domain computers have updated their policies and had a chance to start that system service, you should be able to remotely manage them using PowerShell.
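
To confirm that each piece of the GPO actually landed on a client, here is an added check that is not part of the original guide: it reads the policy values, the service start mode, the firewall rule profiles and the WinRM listener in one pass. The function name is an assumption; run it elevated on a computer in the linked OU after a policy refresh.

```powershell
function Test-WinRmPolicy {   # hypothetical helper name
    # Values written by "Allow remote server management through WinRM"
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Service startup as set by the Services preference item
    # (DelayedAutoStart is populated on Windows 10 / Server 2016 and later)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"

    # Enabled inbound rules from the predefined "Windows Remote Management" group
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

    # Does the local WinRM listener answer?
    $responds = $false
    try { $null = Test-WSMan -ErrorAction Stop; $responds = $true } catch { }

    [pscustomobject]@{
        PolicyApplied  = ($policy.AllowAutoConfig -eq 1)
        IPv4Filter     = $policy.IPv4Filter
        FilterIsAnyIP  = ($policy.IPv4Filter -eq '*')   # "*" listens on every address
        ServiceState   = $svc.State
        StartMode      = $svc.StartMode
        DelayedStart   = $svc.DelayedAutoStart
        RuleProfiles   = ($rules | ForEach-Object { "$($_.Profile)" } | Sort-Object -Unique) -join '; '
        PublicAllowed  = [bool]($rules | Where-Object { "$($_.Profile)" -match 'Public|Any' })
        WsManResponds  = $responds
    }
}

Test-WinRmPolicy | Format-List
```

If PublicAllowed is True the Public box was left ticked in the firewall rule, and if FilterIsAnyIP is True you can tighten the IPv4 filter to the range your management hosts connect from.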
