Strategy for RDP to server behind firewall?

I have a Sophos XG behind which is a server which I'd like to access via RDP. I have DNAT set up to forward the port to the server, but I don't want to leave it turned on all the time. I could turn on remote HTTPS to the FW, and turn the DNAT rule on and off as needed. Any other reasonably secure strategies?


Edited TAGs
[edited by: emmosophos at 6:56 PM (GMT -7) on 5 Aug 2022]