Is this possible?

Here's my current dilemma. I want to make an RDP or SSH connection from a Server 2003 machine to a Windows 7 workstation. I want the RDP or SSH connection to be tunneled through some sort of virtual private connection (whether that be a VPN or a VPS), preferably with an AES-256 cipher, but I don't want all of the traffic to be tunneled. I would also like 2 forms of authentication to be able to access the connection, such as username/pass and RSA key or something else that would work along the same lines. Also, I'll need everything to be able to pass a vulnerability test, and any open port will result in failure.

I'm in the brainstorming stages, so I figured I'd ask the community here before I really dig into it. Is this possible, and is there any way I could make this more secure? Also, should I use SSH or RDP? I know SSH is more secure; I was just wondering if there were pros and cons to both.

How to Use Remote Desktop over a Secure Connection.

http://m.desy.de/sites2009/site_m/content/e262/e96318/RDPusage.pdf

Yes, I'm fully aware of how to use PuTTY. As far as I know, PuTTY doesn't support 2-factor authentication, and PuTTY would require a TCP port to be open and listening, so PuTTY itself isn't going to work.

 

I was thinking of maybe going from workstation >>> PuTTY >>> VPS >>> PuTTY >>> server to be able to implement multiple types of authentication; however, now my question is: "Is it possible to set up some sort of authentication such as a biometric device or an RSA key fob or something like that with PuTTY?"

Basically I need this to be fully PCI compliant and I can't risk any chance of failing a full pentest.