We recently resolved an issue with RemoteApp delivered via Remote Desktop Gateway on Windows Server 2008 R2 to an external client on a different, untrusted Windows domain.
The issue was tracked down by packet tracing both ends of the network.
We narrowed it down to their domain controllers' response to an LDAP query being answered on the public internet. If this query was blocked, the connection worked fine; if it was allowed to resolve, the connection timed out while connecting.
What I suspect is happening is that RD Gateway is attempting to determine if the client machine is on a local network by discovering domain controllers and querying them for information on the machine.
In every other connection we've attempted, the query is blocked at the customer's firewall, so the connection works. In this case it went through, so we believe RD Gateway mistakenly thought the client was local.
We've blocked outbound LDAP requests to the internet on our firewall now to resolve this issue.
We wanted to confirm, however, whether our assumption about the behaviour is correct.