the way it's set up at the moment is the FW forwards the port to the internal IP of each machine.....
i.e xxx.xxx.xxx.xxx:3889 > 192.168.0.100
xxx.xxx.xxx.xxx:3890 > 192.168.0.101
however, this is not tidy, opens 10 ports up = less safe.
I have 15 ip's, 13 spare, but don't want to go down that route.
using the ports like this, means that each machine's registry has been hacked, to change the listening port.
Terminal services lol, not for this guys,.
VPN , thought about it, but not done that before......
I have 81 users, 10 in one department don't use Citrix..... so they use their own server, otherwise this would be easy.
Sirius is what everyone else uses. (citrix over HTTPS basically)