HAProxy or Port NAT?

Started by Julien, October 27, 2025, 05:30:37 PM

Hey OPNsense and RDP wizards,
Quick question: What's the best way to configure high-availability Remote Desktop Gateways (RDG) behind OPNsense for seamless failover and load balancing? I'm building this out on Windows Server 2025 and hitting a decision point—need your real-world takes to avoid headaches.
Setup Overview:

Firewall: OPNsense as the perimeter (running latest stable 24.7.x).
RD Gateways: Two redundant RDG servers in the DMZ (aiming for active/passive failover, maybe via Windows clustering).
Objective: Single entry point for external RDP over HTTPS (port 443) to a VIP/DNS (e.g., rdg.mycompany.com). Users hit it via RD client, with Duo MFA, and it routes to the healthy RDG. No internal access needed.

The Dilemma: For routing traffic to the pair, should I go with:

HAProxy in OPNsense: L7 balancing with health checks, sticky sessions, and SSL passthrough? (I like the plugin's ease, but worried about RDP quirks like UDP transport or NLA compatibility.)
Port NAT + CARP/VIP: Basic NAT on 443 to a shared CARP IP, with firewall rules for redundancy? (Simple and light, but does it handle failover gracefully without drops?)

Specific Questions:

Which approach wins in production for RDG—HAProxy or NAT/CARP? Why (e.g., performance, reliability)?
Any gotchas? Like cert pinning issues, Duo MFA interference, or RDP session persistence during failover?
Better alternatives? (E.g., Keepalived on OPNsense, external LB like F5, or a hybrid?)
Config tips? Snippets for HAProxy ACLs, CARP setup, or diagrams would be gold!

Full deets: External-only access, no LAN exposure. Saving me from weekend tinkering—appreciate any insights!
DEC4240 – OPNsense Owner
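As an added illustration (not part of the original post, and not OPNsense's or the HAProxy plugin's own output), this is what the HAProxy option from the post looks like as a raw haproxy.cfg: TCP mode with TLS passthrough to two RD Gateway hosts, source-IP stickiness, and an active/passive pair using a backup server. The WAN VIP 203.0.113.10 and the DMZ addresses 10.10.20.11/12 are assumed placeholders.

```haproxy
# Added example (not from the post): HAProxy in front of two RD Gateways.
# TLS is passed through untouched, so the RDG certificate is served by the
# gateway itself and HAProxy never needs the private key.
# Addresses and names below are assumptions for illustration only.
global
    log /dev/log local0
    maxconn 4096

defaults
    log     global
    mode    tcp
    option  tcplog
    option  dontlognull
    timeout connect 5s
    # RDP-over-HTTPS sessions stay open for hours; keep idle timeouts generous
    timeout client  1h
    timeout server  1h

frontend rdg_https_in
    # WAN-facing VIP (placeholder); no "ssl" keyword, so no termination here
    bind 203.0.113.10:443
    # Drop anything that does not start with a TLS ClientHello
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    default_backend rdg_pool

backend rdg_pool
    # Keep a client on the gateway that already holds its session
    stick-table type ip size 10k expire 2h
    stick on src
    # Health check = full TLS handshake against each gateway; a host that
    # fails two checks in a row is pulled, and needs three passes to return
    default-server inter 5s fall 2 rise 3
    # Active/passive: rdg2 only receives traffic while rdg1 is marked DOWN
    server rdg1 10.10.20.11:443 check check-ssl verify none
    server rdg2 10.10.20.12:443 check check-ssl verify none backup
```

For active/active instead, drop the `backup` keyword and add `balance source` (or `balance roundrobin` together with the stick table). Two caveats worth knowing before choosing this over plain NAT: the source-IP stick table keeps all clients behind one NAT address on the same gateway, which is harmless for an active/passive pair but skews distribution in active/active; and this only carries TCP 443, so the RD Gateway UDP transport (UDP 3391) is not proxied here and would need its own NAT or firewall rule if it is to be exposed at all.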