Forum Discussion
RDS in Azure - Alternate Gateway solution
I don't think it's necessary for you to use the Azure AD App proxy, but I do see it could have some advantages and disadvantages. But I believe it was intended for applications not hosted in an RDS environment.
My suggestion to you would be not to involve Azure AD App proxy.
What I would do is the following:
1. I would configure my RDS farm so that only the RDP GW is available from port 443 and perhaps the UDP port you specified in the deployment. This will ensure you cannot RDP to the GW server externally.
A second measure here could be to set a default collection on the RDP GW; this will ensure that if someone internally tries to connect to the gateway, they are forwarded to the collection.
2. I would install the Azure MFA on-prem solution and configure the RDP GW to use this during user validation. This would allow any client that has a Microsoft Remote Desktop client to connect, and then MFA would happen when someone tries to launch the application.
The Mac version of Remote Desktop has a wonderful feature where you can add the RDS URL and it will list all available applications, so no browser is required.
I hope this helps.
There could be new features in 2016 I'm unaware of at the moment.
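Added example, not part of the post above: a small audit that checks inbound filter rules against the exposure described in step 1 (only TCP 443 and the gateway's UDP port reachable from outside). It assumes the filtering is done with an Azure network security group, which the post does not name; the `rule` helper, the sample rules and the UDP port value are constructed for illustration.

```python
# Added example: audits inbound NSG-style rules against a "gateway ports only" policy.
GATEWAY_UDP_PORT = 3391  # assumption: RD Gateway's default UDP port; use the one from your deployment
ALLOWED = {("tcp", 443), ("udp", GATEWAY_UDP_PORT)}
EXTERNAL_SOURCES = {"*", "internet", "0.0.0.0/0"}

def rule(name, priority, access, protocol, source, ports):
    """Build a rule dict with the field names used in `az network nsg rule list` output."""
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": protocol, "sourceAddressPrefix": source, "destinationPortRange": ports}

SAMPLE_RULES = [  # constructed for illustration
    rule("allow-https", 100, "Allow", "Tcp", "Internet", "443"),
    rule("allow-gw-udp", 110, "Allow", "Udp", "Internet", "3391"),
    rule("allow-rdp-any", 120, "Allow", "Tcp", "*", "3389"),
    rule("allow-rdp-mgmt", 130, "Allow", "Tcp", "10.0.0.0/24", "3389"),
    rule("allow-wide", 140, "Allow", "*", "Internet", "443-445"),
    rule("deny-all", 4096, "Deny", "*", "*", "*"),
]

def port_ranges(r):
    """Yield (low, high) for each destination port spec on the rule."""
    specs = list(r.get("destinationPortRanges") or [])
    if r.get("destinationPortRange"):
        specs.append(r["destinationPortRange"])
    for spec in specs:
        if spec == "*":
            yield 0, 65535
        else:
            low, _, high = spec.partition("-")
            yield int(low), int(high or low)

def exposed_beyond_policy(rules):
    """Names of inbound Allow rules that open more than ALLOWED to external sources.
    Conservative: every Allow rule is judged on its own, ignoring higher-priority Deny rules."""
    findings = []
    for r in sorted(rules, key=lambda x: x["priority"]):
        if r["direction"].lower() != "inbound" or r["access"].lower() != "allow":
            continue
        if r["sourceAddressPrefix"].lower() not in EXTERNAL_SOURCES:
            continue
        protos = ["tcp", "udp"] if r["protocol"] == "*" else [r["protocol"].lower()]
        if not all(lo == hi and (p, lo) in ALLOWED for p in protos for lo, hi in port_ranges(r)):
            findings.append(r["name"])
    return findings

if __name__ == "__main__":
    for name in exposed_beyond_policy(SAMPLE_RULES):
        print("exposes more than the gateway ports:", name)
```

Rules limited to an internal source prefix, such as the constructed management subnet, are not reported, since the policy only concerns external reachability.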