RDP is a long-standing protocol which has gone through a lot of versions. Recent versions of the protocol encapsulate an SSL/TLS tunnel through which the actual exchanges take place (RDP has its own format for sending packets, and, within that format, SSL records are sent). This should be secure as long as the authentication layer (i.e. the password-based logon) is secure (which means "a random enough password") and the Remote Desktop Service on the machine does not have remotely exploitable holes. Unfortunately, the RDS code can have, like any other software, buffer overflows and similar weaknesses, as was demonstrated.
Microsoft has its own "solution" for that, called Terminal Services Gateway. It is an extra server which listens on port 443 for incoming SSL/TLS connections; the TSG authenticates the client (with a password or a certificate), and then forwards the RDP-style packets to the server which runs Remote Desktop Services. There are quite a few layers here:
- SSL/TLS connection from the client to the TSG.
- In that SSL/TLS tunnel, some RDP-style packets, sent to the server which runs RDS.
- In these packets, SSL/TLS records for the SSL/TLS tunnel from the client to the RDS server.
- In that SSL/TLS tunnel, the actual RDP packets which encode the keyboard strokes, mouse clicks and display updates.
What are the benefits of the TSG? Mostly, this is a new server which is supposedly simpler and with a shorter implementation history, then theoretically with fewer bugs; chances are that the outer SSL/TLS code (the one run by the TSG) is the same code as the one used by IIS to serve HTTPS Web sites, and that implementation must be reasonably robust since it has wide Internet exposure and is still alive. Also, TSG listens on port 443, which makes it easier for clients in environments with restrictive firewalls (port 443 is one of the ports which are most likely to be authorized for outgoing connections).
From the point of view of Microsoft, TSG has the additional benefit of being yet another server and specific software, so that's extra licenses. I am not sure you can put TSG and the target RDS on the same machine (Remote Desktop Service tends to disallow connections from "localhost").
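The layering described in the answer starts with one exchange that happens in RDP's own packet format before any SSL/TLS tunnel exists: the X.224 Connection Request / Connection Confirm pair on port 3389, in which client and server negotiate whether the rest of the session will run over TLS (or CredSSP/NLA on top of TLS) or over legacy "standard RDP security". The following is an added example, not code from the answer's author, that builds that first client packet and parses the server's confirm so an administrator can check what a given listener actually negotiates. The field layout and constants (TPKT header, X.224 CR/CC TPDUs, the `RDP_NEG_REQ` / `RDP_NEG_RSP` / `RDP_NEG_FAILURE` structures, and the `PROTOCOL_*` and failure-code values) follow the public MS-RDPBCGR specification; the three server responses at the bottom are constructed sample bytes, not captures.

```python
import struct

# rdpNegData structure types (MS-RDPBCGR)
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR)
PROTOCOL_RDP = 0x00000000        # legacy "standard RDP security", no TLS at all
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP (NLA) carried over TLS
PROTOCOL_RDSTLS = 0x00000004
PROTOCOL_HYBRID_EX = 0x00000008

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int = PROTOCOL_SSL | PROTOCOL_HYBRID) -> bytes:
    """First packet a client sends on 3389: TPKT + X.224 CR-TPDU + RDP_NEG_REQ.
    It is sent in the clear; the TLS handshake only starts after the confirm."""
    # RDP_NEG_REQ is little-endian: type, flags, length (always 8), requestedProtocols
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR-TPDU: length indicator, code 0xE0 (CR), dst-ref, src-ref, class 0
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0)
    body = x224 + neg_req
    # TPKT header: version 3, reserved, total length (big-endian)
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body


def classify(selected_protocol: int) -> str:
    """Map the server's selectedProtocol to the security level the session will use."""
    if selected_protocol & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
        return "nla"          # CredSSP authentication before the session, over TLS
    if selected_protocol & (PROTOCOL_SSL | PROTOCOL_RDSTLS):
        return "tls"          # TLS tunnel, logon happens inside it
    return "plain_rdp"        # legacy RDP security: no TLS tunnel at all


def parse_connection_confirm(data: bytes) -> dict:
    """Parse the server's TPKT + X.224 CC-TPDU (+ optional rdpNegData)."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length does not match packet size")
    length_indicator, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if length_indicator == 6:
        # No rdpNegData at all: a server too old to negotiate, legacy security only.
        return {"outcome": "no_negotiation", "security": "plain_rdp"}
    if length_indicator != 14 or len(data) < 19:
        raise ValueError("unexpected X.224 length indicator")
    neg_type, flags, neg_len, payload = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("bad rdpNegData length")
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"outcome": "negotiated", "selected_protocol": payload,
                "flags": flags, "security": classify(payload)}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"outcome": "failure",
                "failure": FAILURE_CODES.get(payload, f"UNKNOWN({payload})")}
    raise ValueError(f"unexpected rdpNegData type {neg_type:#x}")


def _constructed_confirm(neg_data: bytes) -> bytes:
    """Helper to build constructed sample server responses for the demo below."""
    x224 = struct.pack(">BBHHB", 6 + len(neg_data), 0xD0, 0, 0x1234, 0)
    body = x224 + neg_data
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body


# Constructed sample responses (not real captures):
SAMPLE_NLA = _constructed_confirm(struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_HYBRID))
SAMPLE_LEGACY = _constructed_confirm(struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP))
SAMPLE_FAILURE = _constructed_confirm(struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 5))

if __name__ == "__main__":
    print("request:", build_connection_request().hex())
    for name, sample in (("nla", SAMPLE_NLA), ("legacy", SAMPLE_LEGACY), ("failure", SAMPLE_FAILURE)):
        print(name, parse_connection_confirm(sample))
```

The useful audit outcome is the `security` key: a listener that negotiates `plain_rdp`, or that answers with no `rdpNegData` at all, runs the whole session without the SSL/TLS tunnel the answer relies on, while `HYBRID_REQUIRED_BY_SERVER` in a failure response is the expected behaviour of a host configured to demand NLA.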