Hi andf,
Welcome to the Duo community.

In replacing the CAP and RAP, that will remove the restriction for non-remote users connecting through the gateway won’t it?

• Yes you will no longer be able to restrict who can access using CAP RAP, however you can still restrict who can log on to the terminal server on the terminal server itself.
• Or indeed you can do so at the Duo level using group policies (Duo Administration - Policy & Control | Duo Security) or permitted groups (Duo Administration - Using Groups | Duo Security).

How can I block non-authorised users from connecting remotely, whilst allowing non-enrolled users to connect and test 2FA for a handful of users?

• Given CAP and RAP will not be an option, and given you wish to allow unenrolled users to be able to authenticate, then your only option would be to use log on restrictions on the session host itself rather than on the RDG.

It is possible to use RDGateway to protect your systems.

However it is recommended to use the RDP client instead if this is an option.

Please see the article below for further details:
https://help.duo.com/s/article/6701

The benefits are:

• Passcode support: Knowledge Base | Duo Security
• GUI interface: Duo Authentication for Windows Logon & RDP | Duo Security
• Endpoint protection can not be bypassed by bypassing the gateway: Duo Authentication for Microsoft Remote Desktop Services | Duo Security
• CAP/RAP policies are not locked down: Knowledge Base | Duo Security
• The RDP client can also protect the RDGateway / RDweb / DC server itself.
• Offline access support: Duo Authentication for Windows Logon & RDP | Duo Security
• Deployment and configuration by GPO: Duo Authentication for Windows Logon (RDP) - Active Directory Group Policy | Duo Security
• UAC Elevation protections: (Step 6) Duo Authentication for Windows Logon & RDP | Duo Security