I have a question about RDS in Azure. I've setup RDS using the Azure AD Application Proxy, and it does work ok, but, its a bit limiting with supported platforms (Only supports Windows and IE).
Two things i'm having issues with are:
1. I can lock down access with conditional access and 2FA when accessing RDS via the web page, but this can be by-passed if you connect to the Gateway directly with the RDP Shorcut. I cannot lock down access so you cannot connect directly via RDP.
2. Connectivity from non-windows devices isn't supported, or doesn't work (mobile platforms etc). IE works nice, but chrome/safari etc only work by getting the end user to download the client and running directly to RDS Gateway services.
I was therefore wondering if there are alternate ways to present the connection, that keeps the security features, but allows greater support for alternate platforms.
I dont think its necassary for you to use the Azure AD App proxy, but i do see it could have some advantages and disadvantages. but i believe it was intended for application not hosted in a RDS enviroment.
My suggestion to you would be not to involve Azure AD App proxy.
What i would do is the following:
1. i would configure my RDS farm so that only the RDP GW is available from port 443 and perhaps the UDP port you specifed in the deployment. this will insure you cannot RDP to the GW server externally.
A second measure here could be to set a default collection on the RDP GW, this will insure if some one internally tries to connect to the gateway they are forwarded to the collection.
2. i would install the Azure MFA on-prem solution and configure the RDP GW to use this during user validation. this would allow any client that has a Microsoft Remote desktop client to connect and then MFA would happen when someone tries to launch the application.
The Mac version of remote desktop has a wonderful feature where you can add the RDS url and it will list all available application, so no browser is required.
i hope this helps
there could be new features in 2016 im unaware of at the moment.