We use RDP, but they have to connect with the VPN first. When I first got here they had RDP wide open; I caught a hacker on one of the servers sending spam with a bunch of scripts. Since then I'm really paranoid about letting any connections without a VPN tunnel.
I suppose Remote App would open that possibility back up too. Or I could assign RDP to a peculiar port, but wouldn't a port scan just make it possible to figure out which one I've used?
SSL VPN tunnels are a little more processor intensive than the traditional IPsec tunnels, but in practice I've not noticed much difference from a user perspective apart from reduced 'my VPN isn't working' calls. You just need to be a bit more generous when speccing up the VPN server.
Opening RDP on a high port isn't a good idea; as you say, all they need to do is run a port scan and they've found it and you're back to square one.
You might want to look at using a 'portal' model where the user visits an SSL-protected website and then there's an HTML5 or similar 'RDP session in a browser'.
A couple of the products I've used are Sophos UTM (formerly Astaro Security Gateway) and Juniper Netscreen SA series. The Sophos boxes are slightly cheaper than the SA, but the SA is definitely better.
Or you could buy a server, run up your favourite distro and fire up an OpenVPN server: slightly more work but essentially free and secure (it's OpenVPN inside the Sophos box anyway :-D).
That's what Remote App does. I had it working at one point but was trying to make it only use a specific WAN and broke it. I need to make time to look at it again.
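
As an added example (not posted by anyone in this thread), the sketch below shows why moving RDP to another port does not hide it, and how to check that the "VPN first" rule actually holds: it recognises the RDP handshake by its first packet rather than by port number and flags any such session whose source is outside the VPN address pool. The session record fields (`src`, `dport`, `first_bytes`), the pool `10.8.0.0/24` and the sample data are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: VPN clients are handed addresses from this pool (constructed value).
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")

def is_rdp_connection_request(payload: bytes) -> bool:
    """True if payload is a TPKT-framed X.224 Connection Request (an RDP client's first packet)."""
    if len(payload) < 11 or payload[0] != 0x03 or payload[1] != 0x00:
        return False
    tpkt_len = int.from_bytes(payload[2:4], "big")
    if tpkt_len < 11 or tpkt_len > len(payload):
        return False
    # The length indicator counts the rest of the X.224 TPDU after itself; 0xE0 = Connection Request.
    return payload[4] == tpkt_len - 5 and (payload[5] & 0xF0) == 0xE0

def flag_rdp_outside_vpn(sessions):
    """Return (src, dport) for RDP handshakes from outside the VPN pool, whatever the port."""
    findings = []
    for s in sessions:
        if not is_rdp_connection_request(s["first_bytes"]):
            continue
        if ipaddress.ip_address(s["src"]) in VPN_POOL:
            continue
        findings.append((s["src"], s["dport"]))
    return findings

def build_cr(cookie: bytes = b"") -> bytes:
    """Build a constructed sample Connection Request for the test data below."""
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + cookie + bytes.fromhex("0100080003000000")
    return bytes([3, 0]) + (len(x224) + 5).to_bytes(2, "big") + bytes([len(x224)]) + x224

# Constructed sample records, e.g. as exported from a firewall or IDS with payload capture.
SAMPLE_SESSIONS = [
    {"src": "203.0.113.45", "dport": 3389, "first_bytes": build_cr()},
    {"src": "198.51.100.7", "dport": 53389,
     "first_bytes": build_cr(b"Cookie: mstshash=user\r\n")},
    {"src": "10.8.0.12", "dport": 3389, "first_bytes": build_cr()},       # via VPN: allowed
    {"src": "203.0.113.9", "dport": 443,
     "first_bytes": bytes.fromhex("16030100c8010000c40303")},             # TLS, not RDP
]

if __name__ == "__main__":
    for src, dport in flag_rdp_outside_vpn(SAMPLE_SESSIONS):
        print(f"RDP handshake from non-VPN source {src} on port {dport}")
```
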