We would like users to be able to connect remotely over the Internet from their personal devices to their primary Windows 7 workstation (a physical box on their desk) by using the Microsoft RDP client for Windows, Mac, iOS and Android. There is no plan to use RDWeb, RemoteApp, or VDI. Just plain remote access to their desktop PC without a VPN, plus a third-party second-factor authentication product that can text them back a code to enter along with their AD credentials (AuthAnvil or Duo Security).
We do not have TMG or ISA.
We would like to get all of these services running on a single server and keep it as simple as possible while still being very secure.
The recommendations I see seem to suggest putting the RDG in a DMZ with either a domain controller for a new domain with a one-way trust to your internal domain, or else a read-only domain controller for your domain, and then an RD Session Host and License Server located on different servers on your internal LAN.
That sounds like a lot of separate servers and cost for not a lot of users in our environment.
Do we even need a separate Session Host server if no RDP sessions are being hosted directly on the servers, since the users are only being redirected to connect to their workstations and will never be using terminal sessions on the server?
Can the RODC, or the domain controller on the new domain with the one-way trust, be the same server as the Remote Desktop Gateway server rather than a separate server?
What is the most minimalist way to set this up with good security, given that opening all the ports needed to authenticate with the internal DC is not secure enough?