Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. There are five Windows Server 2003 SP2 servers that have the Terminal Server component installed. A firewall server runs Microsoft Internet Security and Acceleration (ISA) Server 2006. You need to create a remote access strategy for the Remote Desktop Services servers that meets the following requirements:

Restricts access to specific users
Minimizes the number of open ports on the firewall
Encrypts all remote connections to the Remote Desktop Services servers

What should you do?

A.
Implement SSL bridging on the ISA Server. Require authentication on all inbound connections to the ISA Server.

B.
Implement port forwarding on the ISA Server. Require authentication on all inbound connections to the ISA Server.

C.
Upgrade a Windows Server 2003 SP2 server to Windows Server 2008 R2. On the Windows Server 2008 R2 server, implement the Remote Desktop Gateway (RD Gateway) role service, and configure a Remote Desktop resource authorization policy (RD RAP).

D.
Upgrade a Windows Server 2003 SP2 server to Windows Server 2008 R2. On the Windows Server 2008 R2 server, implement the Remote Desktop Gateway (RD Gateway) role service, and configure a Remote Desktop connection authorization policy (RD CAP).

Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:

Terminal Services Gateway
TS Gateway allows Internet clients secure, encrypted access to Terminal Servers behind your organizations firewall without having to deploy a Virtual Private Network (VPN) solution. This means that you can have users interacting with their corporate desktop or applications from the comfort of their homes without the problems that occur when VPNs are configured to run over multiple Network Address Translation (NAT) gateways and the firewalls of multiple vendors.
TS Gateway works using RDP over Secure Hypertext Transfer Protocol (HTTPS), which is the same protocol used by Microsoft Office Outlook 2007 to access corporate Exchange Server 2007 Client Access Servers over the Internet. TS Gateway Servers can be configured with connection authorization policies and resource authorization policies as a way of differentiating access to Terminal Servers and network resources. Connection authorization policies allow access based on a set of conditions specified by the administrator; resource authorization policies grant access to specific Terminal Server resources based on user account properties.

Connection Authorization Policies
Terminal Services connection authorization policies (TS-CAPs) specify which users are allowed to connect through the TS Gateway Server to resources located on your organizations internal network. This is usually done by specifying a local group on the TS Gateway Server or a group within Active Directory. Groups can include user or computer accounts. You can also use TS-CAPs to specify whether remote clients use password or smart-card authentication to access internal network resources through the TS Gateway Server. You can use TS-CAPs in conjunction with NAP; this scenario is covered in more detail by the next lesson.