No. It should work. I just tried it and it works for me.
PC----bgroup0[SSG]eth0/1-------RDP server
      Trust       DMZ
Here's my config. I tested from Trust -> DMZ zones, but the config is the same.
set service "rdp3525" protocol tcp src-port 0-65535 dst-port 3525-3525
set service "rdp3389" protocol tcp src-port 0-65535 dst-port 3389-3389
set interface bgroup0 ip 192.168.1.1/24
set interface ethernet0/1 ip 192.168.80.70/27
set interface bgroup0 vip interface-ip 3525 "rdp3389" 192.168.80.71 manual
set policy id 8 from "Trust" to "DMZ" "Any" "VIP(bgroup0)" "rdp3525" permit log
My debug/snoop output: notice the packet is sent to TCP port 3525, but leaves the firewall with dst-port 3389.
1978650.0: bgroup0(i) len=66:e4115b3e7181->0017cb898b4b/0800
192.168.1.33 -> 192.168.1.1/6
vhl=45, tos=00, id=3051, frag=4000, ttl=128 tlen=52
tcp:ports 36734->3525, seq=1018173189, ack=0, flag=8002/SYN
****** 1978650.0: <Trust/bgroup0> packet received [52]******
ipid = 3051(0beb), @03a3fa90
packet passed sanity check.
flow_decap_vector IPv4 process
bgroup0:192.168.1.33/36734->192.168.1.1/3525,6<Root>
no session found
flow_first_sanity_check: in <bgroup0>, out <N/A>
self check, not for us
chose interface bgroup0 as incoming nat if.
flow_first_routing: in <bgroup0>, out <N/A>
search route to (bgroup0, 192.168.1.33->192.168.80.71) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 3.route 192.168.80.71->192.168.80.71, to ethernet0/1
routed (x_dst_ip 192.168.80.71) from bgroup0 (bgroup0 in 0) to ethernet0/1
policy search from zone 2-> zone 3
policy_flow_search policy search nat_crt from zone 2-> zone 10
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.1.1, port 3525, proto 6)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 8/0/0x9
Permitted by policy 8
No src xlate choose interface ethernet0/1 as outgoing phy if
no loop on ifp ethernet0/1.
session application type 0, name None, nas_id 0, timeout 1800sec
service lookup identified service 0.
flow_first_final_check: in <bgroup0>, out <ethernet0/1>
existing vector list 103-43d959c.
Session (id:7958) created for first pak 103
flow_first_install_session======>
route to 192.168.80.71
arp entry found for 192.168.80.71
ifp2 ethernet0/1, out_ifp ethernet0/1, flag 00800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/1, 192.168.80.71->192.168.1.33) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
[ Dest] 7.route 192.168.1.33->192.168.1.33, to bgroup0
route to 192.168.1.33
arp entry found for 192.168.1.33
ifp2 bgroup0, out_ifp bgroup0, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 7958
flow_main_body_vector in ifp bgroup0 out ifp ethernet0/1
flow vector index 0x103, vector addr 0x43d959c, orig vector 0x43d959c
adjust tcp mss.
tcp seq check.
Got syn, 192.168.1.33(36734)->192.168.1.1(3525), nspflag 0x801801, 0x800800
post addr xlation: 192.168.1.33->192.168.80.71.
packet send out to 001122334455 through ethernet0/1
1978650.0: ethernet0/1(o) len=66:0017cb898b45->001122334455/0800
192.168.1.33 -> 192.168.80.71/6
vhl=45, tos=00, id=3051, frag=4000, ttl=127 tlen=52
tcp:ports 36734->3389, seq=1018173189, ack=0, flag=8002/SYN
Regards,
Sam
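
An added example, not part of the post above: a small Python parser that reads snoop output in the format shown and reports how the VIP rewrote the destination, which makes it easy to confirm a forwarded port maps only to the intended internal service. The function names are hypothetical, the sample lines are copied from the post with most flow-debug lines trimmed, and matching ingress to egress by IP id plus TCP sequence number is an assumption of this example.

```python
import re

# Snoop lines copied from the post above; one flow-debug line kept to show it is skipped.
SNOOP = """\
1978650.0: bgroup0(i) len=66:e4115b3e7181->0017cb898b4b/0800
192.168.1.33 -> 192.168.1.1/6
vhl=45, tos=00, id=3051, frag=4000, ttl=128 tlen=52
tcp:ports 36734->3525, seq=1018173189, ack=0, flag=8002/SYN
****** 1978650.0: <Trust/bgroup0> packet received [52]******
1978650.0: ethernet0/1(o) len=66:0017cb898b45->001122334455/0800
192.168.1.33 -> 192.168.80.71/6
vhl=45, tos=00, id=3051, frag=4000, ttl=127 tlen=52
tcp:ports 36734->3389, seq=1018173189, ack=0, flag=8002/SYN
"""

HDR = re.compile(r"^\d+\.\d+: (\S+)\((i|o)\) len=")      # interface and direction
IPS = re.compile(r"^(\d+(?:\.\d+){3}) -> (\d+(?:\.\d+){3})/(\d+)$")
IPID = re.compile(r"\bid=(\d+),")
TCP = re.compile(r"^tcp:ports (\d+)->(\d+), seq=(\d+)")

def parse_snoop(text):
    """Return one dict per snooped TCP packet, ignoring flow-debug lines."""
    packets, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := HDR.match(line):
            cur = {"ifname": m[1], "dir": m[2]}
        elif cur is None:
            continue                      # outside a packet record
        elif m := IPS.match(line):
            cur.update(src=m[1], dst=m[2], proto=int(m[3]))
        elif line.startswith("vhl=") and (m := IPID.search(line)):
            cur["ipid"] = int(m[1])
        elif m := TCP.match(line):
            cur.update(sport=int(m[1]), dport=int(m[2]), seq=int(m[3]))
            packets.append(cur)
            cur = None
    return packets

def vip_translations(packets):
    """Pair ingress and egress packets by (IP id, TCP seq); return dst rewrites."""
    key = lambda p: (p.get("ipid"), p["seq"])
    ingress = {key(p): p for p in packets if p["dir"] == "i"}
    out = []
    for p in (p for p in packets if p["dir"] == "o"):
        if (i := ingress.get(key(p))) is not None:
            out.append(((i["dst"], i["dport"]), (p["dst"], p["dport"])))
    return out

if __name__ == "__main__":
    print(vip_translations(parse_snoop(SNOOP)))
```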