Resolved with the following:

https://wiki.untangle.com/index.php/1:1_NAT​

Thanks for using a search! And yes that article is a great place to start.

I'd further add some wisdom here to help you wrap your brain around this. NGFW doesn't do 1:1 NAT.

Let me say that again... NGFW doesn't do 1:1 NAT! And this is a wonderful thing!

You have TWO features to worry about.

Port Forwards, and NAT Policy.

The former determines how ingress traffic is handled. So if you slap aliases on your External interface, and then setup port forward rules as such:

Destination Address
Protocol
Destination Port

You'll be able to direct traffic by inputting the correct public address in the destination address field. DO NOT USE Destined Local, as that's a place holder for all IP addresses on the server. Source address and source interface could be used too, but generally these are used incorrectly. If you're trying to limit what devices can use the forward, knock yourself out. But typically speaking the above 3 flags are what you use on any port forward rule for a public service.

The latter feature NAT Policy configures what IP address Untangle will use for a device leaving the network. Web servers won't need this or care, and use of it has impact on multi-wan scenarios. So generally speaking you want to avoid configuring NAT policy where possible. Mail server operators however, will need this feature as the egress traffic must be on a specific IP address or bad things happen in SPAM land.