@EricWenger I've used two approaches in the past.
1. Use a jump host. A jump host is a Windows/Linux based machine that has two NICs. One NIC plugs into the "outside" segment which you can get to via VPN (via the MX in this case), and the inside goes to the machinery. You then VPN in, RDP/SSH to the jump host, and then RDP/SSH from there to the final machine. This approach means that no piece of machinery has Internet access, yet you can still get to it for maintenance. It also means nothing on the outside has direct access to it.
For my more sensitive clients - this jump host is actually left powered off, guaranteeing no access. The jump host is then powered on when remote access is requested and permission is given, and then I usually configure it to shut down automatically after 60 minutes so it "buttons itself up" automatically without relying on a human. "Secure by default".
2. Create a group policy. Create a rule to override firewall policies and create a layer 3 firewall rule to deny all traffic by default. Apply that policy to a VLAN interface, and put all the machines into that VLAN. Then add a layer 3 rule that permits only the management traffic to get onto that VLAN (this could be the IP address pool used by the VPN, or it could be an internal workstation segment, etc). You could take it one step further, and leave the physical port shut down except when access is needed, or I guess you could even get someone to physically plug it in/unplug it if you want to take it a step further.
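As an added illustration of the second approach (example code, not from the post above and not the MX rule engine): a small first-match model of the "deny all by default, permit only management sources" layer 3 policy, with an audit that flags permits shadowed by a catch-all deny placed ahead of them. The VPN pool, workstation segment and machinery VLAN addresses are constructed, and first-match-wins ordering is an assumption of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source CIDR, or "any"
    dst: str           # destination CIDR, or "any"
    comment: str = ""

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        def within(cidr: str, ip: str) -> bool:
            return cidr == "any" or ip_address(ip) in ip_network(cidr)
        return within(self.src, src_ip) and within(self.dst, dst_ip)


# Constructed addresses: VPN client pool, on-site workstations, machinery VLAN.
VPN_POOL = "10.200.0.0/24"
WORKSTATIONS = "10.10.0.0/24"
MACHINERY_VLAN = "10.50.0.0/24"

# First match wins, so the management permits sit above the catch-all deny.
MACHINERY_POLICY = [
    Rule("allow", VPN_POOL, MACHINERY_VLAN, "remote maintenance via VPN"),
    Rule("allow", WORKSTATIONS, MACHINERY_VLAN, "on-site workstations"),
    Rule("deny", "any", "any", "deny all by default"),
]


def evaluate(rules, src_ip: str, dst_ip: str) -> str:
    """Return the action of the first matching rule; implicit deny otherwise."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "deny"


def shadowed_permits(rules) -> list:
    """Comments of allow rules that can never match because an any/any deny precedes them."""
    for i, rule in enumerate(rules):
        if rule.action == "deny" and rule.src == "any" and rule.dst == "any":
            return [r.comment for r in rules[i + 1:] if r.action == "allow"]
    return []
```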