VM Remote Access
Message
From
16/06/2021 19:08:03
 
General information
Forum:
Windows
Category:
Remote access
Miscellaneous
Thread ID:
01681248
Message ID:
01681263
Views:
25
>You mentioned RDP; this is what I am used to. I will see if I can ask the customer to allow me to connect via RDP. But I think, if I am not mistaken, the VPN has to be connected. Although I remember I had one customer where I was connecting with the RDP without VPN; directly.

These days, connecting to a private VPN and then using RDP is the most common way to gain RDP access and functionality.

A Windows server configured as an RDS host can also have the separate RD Gateway feature installed. RDG is basically an IIS web site to which remote users can authenticate. RDG is also configured with a list of local (to it) computers which authenticated remote users can access, and to which it can forward traffic. Often that's just the RD host server itself but other machines on that LAN can be configured for access as well. If RDG is set up then you can get into a remote host directly in Remote Desktop Connection; you fill in the Options...Advanced...Connect from anywhere...Connection settings...specify the "Use these RD Gateway server settings" before you connect.

RD Gateway is becoming used less often because the RD Gateway computer (which is often the RD Host as well) still needs to be exposed directly to the public internet. Although for somewhat better security you can use a custom port, often it's left at the default 443 for HTTPS. These days anything exposing 443 gets hammered by hackers so even if they can't break in you still see high traffic and could potentially get DoS'd. Using a VPN instead for the initial connection step means the VPN server is the first line of defense and the server computer doesn't have to be directly exposed to the public internet.

Unfortunately I have seen cases where RDP traffic from the public internet was port-forwarded directly to an internal computer (server or workstation). Even if a custom port is used, hackers will eventually find it as an open port and then test protocols and will quickly find it's RDP on an internal computer. I've even seen cases where the default port 3389 was forwarded internally, which is just asking for trouble. Exposing RDP directly to the public internet is an awful idea.

Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up
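
An added example, not part of the original post: one way to check from the host's own Security log whether RDP is reachable without the VPN, by flagging successful RemoteInteractive logons (event 4624, logon type 10) and failed logons (event 4625, types 3 and 10) whose source address is outside the LAN and VPN ranges. The CSV layout, the sample rows and the `INTERNAL_NETS` list are assumptions made for the example.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumption: ranges counted as "inside" (LAN, VPN pool, loopback); adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample: a Security-log export with one column per event field.
SAMPLE_CSV = """EventID,LogonType,IpAddress,TargetUserName
4624,10,10.8.0.14,alice
4625,3,203.0.113.7,administrator
4625,3,203.0.113.7,admin
4625,10,198.51.100.23,test
4624,10,198.51.100.23,bob
4624,2,-,carol
4624,3,192.168.1.20,svc_backup
"""

def is_external(addr):
    """True if addr is an IP outside INTERNAL_NETS; '-' or blank is not external."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS if net.version == ip.version)

def audit_logons(csv_text):
    """Return (successful RDP logons from outside, failed-logon count per outside IP)."""
    successes, failures = [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_external(row["IpAddress"]):
            continue
        event, ltype = row["EventID"], row["LogonType"]
        if event == "4624" and ltype == "10":        # RemoteInteractive logon
            successes.append((row["IpAddress"], row["TargetUserName"]))
        elif event == "4625" and ltype in ("3", "10"):  # failed network or RDP logon
            failures[row["IpAddress"]] += 1
    return successes, failures

if __name__ == "__main__":
    ok, failed = audit_logons(SAMPLE_CSV)
    for ip, user in ok:
        print(f"RDP logon from public address {ip} as {user}: reachable without the VPN")
    for ip, count in failed.most_common():
        print(f"{count} failed logon(s) from public address {ip}")
```

Behind a VPN the source address of an RDP logon falls inside the VPN pool, so any hit from this check points to a port forward or other direct exposure worth tracing at the edge device.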