By default, when you have set up a form of Two Factor Authentication (2FA) on your RD WebAccess page and want your users to always use this 2FA, you can’t enforce it out of the box. Here’s how to force 2FA.
Consider the following scenario:
You have one or more RD Session Host servers on which you installed and configured applications and settings. You want to publish the full desktop of these servers to your end-users using RD WebAccess, and via RD WebAccess only.
When you publish the full desktop via RD WebAccess (whether through an RD Gateway or not), users will be able to contact the RD Session Host directly (or via the RD Gateway) using their local Remote Desktop Client (mstsc.exe). Why? Because RD WebAccess does nothing more than provide you with the RDP settings to use after you have authenticated. When you start a full desktop session via RD WebAccess, mstsc.exe is launched under the hood. Therefore, anyone who knows the name of the RDS farm (and the FQDN of the RD Gateway) will be able to bypass RD WebAccess and just launch mstsc.exe directly.
There are multiple scenarios however, in which being able to connect directly is not the desired functionality.
For example, when you have heavily customized your RD WebAccess page and use it to inform users about updates on the availability of your environment, you want your users to actually go through the RD WebAccess page so they take note of those updates.
Another scenario is where you have set up a form of Two Factor Authentication (2FA) on your RD WebAccess page and want your users to always use this 2FA. By accessing the environment without going through RD WebAccess, they can actually bypass the 2FA.
A solution for this scenario can be achieved by making use of ISA (or TMG). My colleague explains thoroughly the way we successfully set this up in a blog post here: http://www.forefrontblog.nl/2011/05/06/publishing-rds-web-rsa-and-preventing-direct-logon/