I'm looking at implementing a clientless VPN solution that would allow my users to access specific internal resources through a secure web portal. One of the possibilities that really intrigues me is hosting an RDP session for my users to be able to access one of our application servers. The idea being I don't have to worry as much about the state of their client machine when off premises, and don't have to provide a full VPN solution and all its headaches for one service.
However, of the two solutions I've looked at, both require a pre-configured username and password to authenticate to the server. This would essentially allow any of the accounts I grant access to this service the same rights as whatever account I assign, and I'd lose any sort of accountability.
I've tried some Google-fu but can't seem to find any best practices or use cases for this type of setup. I was hoping someone here could provide me some resources on how to properly secure RDP over a clientless VPN.
Look for SAML (M$ calls this ADFS) or RADIUS support. That is the key for being able to leverage a more capable service (e.g. one that supports MFA) and for minimizing the number of password databases in your life.