Agree with reducing the attack surface. Go one better and configure a random high port and port forward that internally to 3389. You have then greatly reduced the brute force attacks that machine will see.
To add to this: the above step would only be necessary if you're using Remote Desktop directly. In your router (i.e. D-Link, Linksys, etc.), in the port forwarding table, there will be an option for a Public Port and a Private Port. The public port would, as Indy pointed out, be a high number like 11000-62000 (I can't remember the exact range, but you've got a lot of choices). The private port would be 3389. If a person were to remote in, you would have to tell them to specify the port number when remoting in. Assume your IP address is 67.67.67.67, the public port is 32000 and the private port is 3389. You'd tell the person who's remoting in to put 67.67.67.67:32000 as the computer name in Remote Desktop.
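As an added illustration of the public/private port mapping described above (example code written for this page, not from the thread's posters or any router vendor): a small model of a port-forwarding entry that checks the rule looks the way the post recommends, flags public-port clashes across a forwarding table, and derives the `host:port` string a remote user types into the Remote Desktop client. The address 67.67.67.67 and ports 32000/3389 are taken from the post; the LAN address 192.168.1.10 and the 11000-62000 range check are constructed assumptions.

```python
"""Model a router port-forwarding entry for Remote Desktop.

Added example, not from the original thread. The IP 67.67.67.67 and ports
32000/3389 come from the post; the LAN host and the port range used for the
check are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass

RDP_PORT = 3389
# Candidate public ports; the bounds follow the post's rough recollection.
HIGH_PORT_RANGE = range(11000, 62001)


@dataclass(frozen=True)
class ForwardRule:
    public_port: int   # port exposed on the router's WAN side
    private_port: int  # port on the LAN host the traffic is delivered to
    lan_host: str      # internal address of the Remote Desktop machine


def validate_rule(rule: ForwardRule) -> list[str]:
    """Return the problems found with one rule; an empty list means it is OK."""
    problems = []
    if rule.private_port != RDP_PORT:
        problems.append(f"private port should be {RDP_PORT} for Remote Desktop")
    if rule.public_port == RDP_PORT:
        problems.append("public port 3389 exposes the default RDP port; pick a high port")
    elif rule.public_port not in HIGH_PORT_RANGE:
        problems.append(
            f"public port {rule.public_port} is outside "
            f"{HIGH_PORT_RANGE.start}-{HIGH_PORT_RANGE.stop - 1}"
        )
    return problems


def find_conflicts(rules: list[ForwardRule]) -> list[int]:
    """Public ports that appear in more than one rule (a router can only map each once)."""
    counts = Counter(rule.public_port for rule in rules)
    return sorted(port for port, n in counts.items() if n > 1)


def connect_target(wan_ip: str, rule: ForwardRule) -> str:
    """The 'computer name' the remote user types: public IP plus the PUBLIC port."""
    return f"{wan_ip}:{rule.public_port}"


def parse_target(target: str) -> tuple[str, int]:
    """Split an IPv4 'host:port' string as typed into the client.

    Without an explicit port the client falls back to 3389, which is exactly
    why the remote user must be told the public port. (IPv6 literals are not
    handled here.)
    """
    host, sep, port = target.rpartition(":")
    if not sep:
        return target, RDP_PORT
    return host, int(port)


if __name__ == "__main__":
    rule = ForwardRule(public_port=32000, private_port=RDP_PORT, lan_host="192.168.1.10")
    print("problems:", validate_rule(rule) or "none")
    print("tell the user to connect to:", connect_target("67.67.67.67", rule))
    print("client resolves that to:", parse_target("67.67.67.67:32000"))
```

Running it shows the rule from the post passes the checks and that the connect string is built from the public port, not the private one; a rule with public port 3389 is flagged so the default port is never the one exposed.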
With the gateway, it's sort of like Remote Desktop VPN. Once you authenticate against the gateway, it's like you're on the LAN there. No ports need to be opened/forwarded externally besides 443 for SSL. This uses an encrypted SSL connection to authenticate (the same kind used for credit card transactions online). You can use a $50 GoDaddy SSL Certificate.