Thanks Travis it worked.
Here is what I did:
Used Custom Service to Set up RDC
FROM WEBUI
Objects --> Services --> Custom --> NEW
Service Name: RDC
Service Timeout: use protocol default
1 | TCP | Source Port Low 1024 / High 65535 | Destination Port Low 3389 / High 3389 | ICMP left blank
2 | TCP | Source Port Low 1024 / high 65535 | Destination Port Low 80 / High 80 | ICMP left blank
OK
FROM CLI
Telnet to Firewall
ns5gt-adsl--> set interface untrust vip 66.666.xx.xx 3389 "RDC" 192.168.xx.xx
ns5gt-adsl--> set policy id x from "untrust" to "trust" "any" "VIP(untrust)" "RDC" permit log
66.666.xx.xx is the same IP as your untrusted interface (assigned by your ISP), I have a dynamic IP so I am going to have to modify my policy and VIP when the IP changes.
192.168.xx.xx is the IP of the PC or Server you are wanting to Remote Desktop to.
id x - x is the policy number, ensure that it is unique and does not share a number with an existing policy
I think the thing that was tripping me up was that the interface list on my firewall was different to what was being described in many of the knowledgebase articles, thanks to Hans for clearing that up for me. Also it seemed to me that I was telling the firewall the same thing at least twice, but I have now come to realise that the NS Devices has the VIP layer then the Policy Layer and the service you are forwarding needs to be referred to in both layers. It all makes sense now but coming from a NAT Device it took some head scratching to realise this.
Thanks for the help.
Lance