>>Not quite true. I'm impressed with Remote Desktop Gateway, which is basically implemented as a site on IIS. This lets remote RDP clients tunnel to the host using SSL. It's supported directly in the Windows RDP client. You can set it up to have the same user name/password for RD Gateway as for a user's RDS session, so it's in effect single sign-on. If a remote user chooses to save credentials, they can access an RDS desktop session just by double-clicking on a .rdp file.
>>
>>I'd consider using IIS as a front-end to be public Internet-grade, from a security POV comparable to typical VPN servers.
>>
>>I don't know if typical non-Windows RDP clients have support for RD Gateway.
>
>I'm using Remmina client on Ubuntu for several years now. It had its glitches in the beginning, the toolbar wouldn't pop up exactly each time I'd want it, clipboard synchronization didn't always work etc, but since about two years ago it's come to the point that I have to set up special color schemes on each machine I visit, so I'd know I'm not at home :). It just works.
>
>And whether it's a straight RDP or SSL tunelling - I wouldn't know now. It's something that's set up early on and forgotten.

Using straight RDP across the public Internet is a bad idea. It usually means the host has been set up with some firewall port being forwarded. In the worst case the host port is left at the default 3389 and crackers continually attack it so even though the host is nominally behind a firewall it's still continually attacked. Some antivirus is adaptive, and if it sees too many incoming attacks/probes it will shut off the network connection - so now the host can't even connect to resources on its own LAN.

Some people use a custom firewall port such as 54321 but that only slows down crackers slightly; once they find the open port they'll try various protocols until they find the one that responds (RDP).

These days it pays to be defensive, and to know how you're connecting. If it's been a few years since you set it up, it might be worth revisiting in case you can use improved technologies. Or to check you're not still using technology that's been cracked, such as PPTP VPN.