I would like to hear your feedback on an idea. We are building up our RDS environment and would like to deploy an RDS Gateway in our DMZ. I was reading that in order for the Gateway to authenticate our users, I would need to NAT/PAT pretty much every AD DS port from the Gateway in the DMZ into our production LAN. This seems pretty crazy to me because if the Gateway were to become compromised, it would have free rein on our domain servers along the well-known AD DS ports. Why not just NAT from the WAN (port 443 only) into our Gateway already in our LAN?
So, I was thinking....
What if I were to virtualize our Gateway and put in two NICs, one in the DMZ and the other in our LAN. The traffic coming from the WAN to the DMZ over 443 would go to NIC1, and the traffic on NIC2 would be connected to our LAN. Being as the Gateway would be limited...
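One way to measure the exposure the post is worried about, as an added example that is not part of the original post: run this from the DMZ gateway host against a domain controller and see which of the well-known AD DS TCP ports are actually reachable through the firewall. The DC hostname is an assumption; replace it with a real one.

```powershell
# Added example (not from the original post). Checks which well-known AD DS
# TCP ports a host in the DMZ can reach on a domain controller.
# Assumption: run on the gateway host; replace the DC name with a real one.
$DomainController = 'dc01.corp.example'

# Well-known AD DS TCP ports a domain member normally needs.
$AdDsPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog over SSL' }
)

# Test-NetConnection -InformationLevel Quiet returns $true if a TCP connect succeeds.
$results = foreach ($entry in $AdDsPorts) {
    $reachable = Test-NetConnection -ComputerName $DomainController `
                                    -Port $entry.Port `
                                    -InformationLevel Quiet `
                                    -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = $entry.Port
        Service   = $entry.Service
        Reachable = $reachable
    }
}

$results | Format-Table -AutoSize

# Anything reachable here is a port a compromised gateway could use against the DC.
$exposed = $results | Where-Object { $_.Reachable }
Write-Host ("{0} of {1} well-known AD DS TCP ports are reachable from this host." -f $exposed.Count, $results.Count)
```

Two caveats: Test-NetConnection only exercises TCP, so UDP paths (DNS, Kerberos, LDAP ping) are not covered, and the dynamic RPC range (TCP 49152-65535 on current Windows versions) that domain membership also needs is not in the list, since scanning it port by port this way is slow; if your firewall permits that whole range, count it as exposed too.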