We currently use DUO for our RDP connections, directly and without VPN (Port open on firewall). Have never had an issue.
We purposefully don’t want VPN because we don’t need network level access and we don’t want people’s potentially infected remote computers on our networks. Then there’s the added inconvenience of managing muti-platform VPN clients and potentially additional credentials.
However, most traditional IT people suggest that adding VPN would be safer.
It’s definitely an extra layer but given the issues I mention above, the minuses seem to outweigh the pluses.
How are people doing this? Anyone care to comment?