My advice is not to do that. RDP is a very common attack vector to get yourself hacked and your data held for ransom. Please use VPN or other more secure methods and use two factor authentication wherever possible for this type of access. If you absolutely must open RDP on the public internet lock it down to only allow the specific IP addresses of users that need access.
@GlennGrossman Sorry for the slow reply. Yes, if you configure and then establish a client VPN connection to your MX the users can RDP to the internal IP address of their desktop. I have no first hand experience with RDP gateway, but there exists such a thing as enforced two factor authentication for RDP that might be good too. https://duo.com/docs/rdgateway