Hi Paul,

what is the goal you want to accomplish?

For sure you have to create firewall rules for any communication you want to allow.
All what is not defined ist blocked by default.

The log strip you put in here show a connection to port 4444.
This is the default webadmin port für any interface.
Try another port for your network service host. By the way did you created a DNAT rule.

Or try to check the Rulz No.3 by Bob

Best Regards
DKKDG

Typo on the port number.. 

The steps I when through is outline here - https://fortwayneits.zendesk.com/hc/en-us/articles/235945188-How-to-do-Port-Forward-Translation-for-RDP-in-a-Sophos-UTM-9

Copied from the link. In a default installation should this work. My goal is have a RDP session incoming on port 1223 and connecting on the internal host on port 3389.

How to do Port Forward Translation for RDP in a Sophos UTM 9

Are you sure you would like to have a RDP session open on the internet for everyone to (ab)use?

Also in step 3 it is recommended to set the interface to internal, while that will work, it might give you a lot of headache later on. It's best to leave the interface blank as default.

It is NOT RECOMMENDED to NAT to an RDP server from the internet, period! It's just not safe enough when you let everyone in the entire world connect to your RDP machine. Using a different port won't add much security (security through obscurity).

If you do need to RDP session then make the extra step and secure it behind a VPN or at the very least restrict the source IP's that are allowed to connect (but prefer the VPN).

Read thus discussion snnd KB article.

port substitution may.help, but tbere are absolutely a lot of bad guys doing password guessong attacks on RDP.

Hi Paul and welcome to the UTM Community!

Instead of looking elsewhere to get good advice, start in this community.  If there's a better explanation of something elsewhere, you will find links here.  In this case, not only is Richards' piece painfully long, it's wrong.

In the DNAT definition itself, you can use the green + icon to define any new item needed - no need to traipse all around WebAdmin.

See #5 in Rulz to understand that Richards himself was new to UTM when he created that piece.

Finally - the error causing your packets to be tossed overboard by the firewall...  Your RDP definition is incorrect - the Source Port should be 1:65535, not 5000.  The packet in your firewall log line didn't qualify because its source port was 47439.  The standard RDP definition should have been used in a NAT rule like:

Internet -> {1:65535->1243} -> External (Address) : to {network service host} using RDP

In any case, I think the advice to use remote access is spot on.  If you will have more than one person at a time using RDP remotely, I would use the SSL VPN.  If it will never be more than one, the HTML5 method might be more to your liking.

Cheers - Bob