Overview: we've been down the multitenant TMG / VLAN / RD Web / RD Gateway path a fair distance and have run into (what I believe to be) a fairly intractable stumbling block. That is, there is only one port 443 available at the edge for redirection of RDP traffic to _one_ of the RD Gateway machines on _one_ of the VLANs that we were thinking about creating, each representing an isolated "customer" of our remote desktop infrastructure. Actually, the HTTPS host header 3rd level domain redirect (customer1.hosteddesktop.org, customer2.hosteddesktop.org, etc.) part would theoretically work fine to redirect to multiple RD Web instances, each isolated on a separate VLAN. The problem arises once the user has authenticated to the RD Web box and is initiating an RDP session by clicking one of the available RDP initiation icons; AFAIK, that triggers an RD Gateway inbound request to port 443 from the MSTSC client, which cannot be redirected on the basis of host headers through TMG (although this I haven't totally convinced myself of).
I'd really like to get to the bottom of this before I abandon the multiple VLAN / multiple RD Web / Gateway approach with TMG, which held tremendous promise when we first started investigating it. Really looking forward to any thoughts that may emerge here on the forum.
It's worth noting that if VLAN (essentially Layer 2) isolation is not in the cards, we may be forced up the network stack to achieve our goal. One option _may_ be domain and policy based isolation; however, I want to avoid a front end which involves showing essentially a single instance of an RD Web to all infrastructure tenants (with links to all of their desktops visible, unless we use policy to intelligently restrict?). In other words, even if we can adequately isolate and secure the resources associated with each tenant, I would prefer they don't perceive that they are sharing the same "front door" (even though they are in reality sharing the same public IP / edge gateway). (It occurs to me as I write this that one clunky solution would be to offer each tenant a unique SSL port for their instance of RD Web, but I'm not sure how much better that really is than using a pile of non-standard RDP port ranges, besides the opportunity to require stronger authentication?)
If anyone has any thoughts on this architecture, I'd appreciate it. We're pretty invested in this infrastructure, but are struggling to finalize the design such that it meets our requirements.
Multiple RDWeb / RDGateway / Domains behind single public IP / edge gateway device (e.g. TMG)
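As an added illustration (not part of the original post, and not a description of what TMG itself can do), the following Python sketch shows the one piece of per-tenant information that a single-IP, single-port 443 edge does see before anything is authenticated: the TLS Server Name Indication in the client's ClientHello. The RD Gateway connection from MSTSC is a TLS session to the gateway FQDN the client was handed, so an edge component that demultiplexes on SNI could hand each tenant's connection to the RD Gateway on that tenant's VLAN without ever looking at HTTP host headers. Whether TMG can be made to act on SNI is exactly the question the post leaves open; this code assumes a generic TLS front end. The tenant names reuse the post's customer1/customer2.hosteddesktop.org example, while the 10.x gateway addresses, the `TENANT_GATEWAYS` table and `build_client_hello` (which constructs a minimal ClientHello for testing rather than using a captured one) are hypothetical.

```python
import struct

# Hypothetical tenant map: the gateway FQDN the RDP client was told to use ->
# the RD Gateway sitting on that tenant's isolated VLAN (addresses invented).
TENANT_GATEWAYS = {
    "customer1.hosteddesktop.org": ("10.1.0.10", 443),
    "customer2.hosteddesktop.org": ("10.2.0.10", 443),
}

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def parse_sni(record: bytes):
    """Extract the SNI host_name from a TLS ClientHello record.

    Returns None when the bytes are not a ClientHello, are truncated, or
    carry no server_name extension; the caller treats that as unroutable.
    """
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        pos = 4 + 2 + 32                  # handshake header, version, random
        pos += 1 + hs[pos]                # session id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2 + cs_len                 # cipher suites
        pos += 1 + hs[pos]                # compression methods
        if pos >= len(hs):
            return None                   # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SERVER_NAME:
                # server_name_list: 2-byte list length, 1-byte name type
                # (0 = host_name), 2-byte name length, then the name itself
                name_type = hs[pos + 2]
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                if name_type != 0:
                    return None
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_size
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def route(record: bytes):
    """Choose the tenant gateway for a ClientHello; None means reject/drop.

    Unknown names and hellos without SNI are deliberately not sent to a
    default gateway, so one tenant's client can never land on another's.
    """
    name = parse_sni(record)
    if name is None:
        return None
    return TENANT_GATEWAYS.get(name.lower())


def build_client_hello(server_name=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello for testing (not a real capture)."""
    body = b"\x03\x03" + bytes(32)              # client version, random
    body += b"\x00"                              # empty session id
    body += struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
    body += b"\x01\x00"                          # null compression only
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        sni = b"\x00" + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(sni)) + sni
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for name in ("customer1.hosteddesktop.org", "customer2.hosteddesktop.org", None):
        print(name, "->", route(build_client_hello(name)))
```

The point of the sketch is the split between the two hops the post describes: the RD Web hop is plain HTTPS and can be published per host header, while the RD Gateway hop is a TLS session whose only pre-authentication tenant selector is the SNI name (or, failing that, a distinct IP or port). A front end that peeks at SNI and forwards the raw TCP stream leaves TLS termination, certificates and user authentication on the per-tenant gateway itself, which is what keeps the tenants' "front doors" separate even though they share one public IP and port.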