I have multiple Local users trying to connect Windows Terminal Server at remote site from Local Windows Terminal Server running Windows 2016 Server. For security reason I wish to encrypt session end to end (hence tunnel inside tunnel) as it crosses multiple untrusted domains. I want to ensure each users get authenticated 1st by Local AD followed by SSL or TLS based tunnel authentication.  

Question 1 - Can I terminate SSL or TLS tunnel on same firewall I am terminating IPSec tunnel? 

Question 2 - Dose Windows Terminal Server needs multiple SSL or TLS Cisco VPN client instances per user to ensure each user session is authenticated?

Question 3 - Any special license apart from Security Plus License required on ASA5512-FPWR-K9 to terminate multiple SSL or TLS tunnels?

Scenario 1

Thanks

RT