I may be getting a little out of my league here, but if I'm understanding you correctly, then yes, I think you'd either have to open whatever port the MS RDP protocol uses, or tunnel over SSH (port 22?) and port-forward or whatever from there (I'm speaking from the context of using TSMobiles on the BB as the client). I thought that the RDP protocol was secure (well, as secure as anything can be), so I didn't think there was a need to use SSH. I know that it's very wise to use an SSH tunnel if you're using the VNC protocol.
I don't know if this answered your question, it might be best to contact Shape Services and Idokorro directly if you're concerned about security.