Hi @krknopp,
I’m sorry to see that no one has replied to this yet with some suggestions for you. Hoping that by bumping the thread, we may be able to get a response here.
Thank you for sharing this question with the community, and welcome! We love to see these types of best practice questions or calls for recommendations and ideas.
You may have come across this article already, and it’s possible the solution won’t work for you, but what we usually recommend to folks is to install Duo only on the endpoint where users are forced to connect during each authentication. See “How often will I be prompted for 2FA when Duo for RD Gateway and Duo for RD Web are both installed?” for more details. Depending on which integration you use, you could then further reduce this so users are not prompted on subsequent remote desktop connections by using Remembered Devices to generate a persisting cookie following an initial authentication.
Since you specifically mention that using one or the other won’t work in your scenario, I take it there’s something I am missing here, but just thought I’d reply and attempt to help anyway!