When a client initiates a connection, RD Gateway first establishes SSL tunnels between itself and the external client. Next, RD Gateway vets the client's user (and optionally the computer) credentials to make sure that the user / computer are authorized to connect to RD Gateway. Then RD Gateway makes sure the client is allowed to connect to the requested resource. If the request is authorized then RD Gateway sets up an RDP connection between itself and the internal resource. All communication between the external client and the internal endpoint goes through RD Gateway. So, the RD Gateway can enforce device redirection between itself and the external client, and then enforce device redirection between itself and the internal resource.
If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.