Great question. There are quite a few options for protecting RDS with Duo, and due to limitations of RDS, a caveat comes with each.
If you’d like to continue to use RemoteApp, installing Duo on RD Web is not a great option. Installation of Duo Authentication for RD Web effectively disables the use of RemoteApp because there is not a method for two-factor authentication when the RemoteApp and Desktop Connections client accesses the “/rdweb/pages/webfeed.aspx” or “rdweb/feed/webfeed.aspx” URLs.
If you opt to instead install Duo on the RD Gateway, your authentication factors are limited to Duo auto-mode (automatically receiving a push or a phone call on your default device).
How many session hosts do you have? Unless it’s an unmanageable amount, due to the use cases you’re trying to support, I’d actually recommend looking at our RDP/Winlogon integration route: installing Duo for Windows Logon and RDP (duo.com/docs/rdp) on each of your session hosts. In this instance, regardless of how an end-user connects to the host, they will be challenged for 2FA.
Interested to hear your thoughts on this suggestion!