(SoHo) Multi-Factor Authentication for Remote Desktop Gateway

We're running a TSG with client certificates configured to allow users to connect to their desktops. As long as you allow port 443 and properly configure the resource access policy, it works. There's a tutorial on technet on how to achieve this.

However, we're only using it for a small number of people, and we've not run into any of the licensing issues that I think sdnelson mentions. I would check this out before progressing any further.

I would use Terminal Services Web Access with client certificates. With the scale you are talking about I think it is going to be the least cost.