You can do this with separate RDP-Tcp listeners, one for internal users and the other one for VPN users. For example, say your server has two network cards, you can have the default RDP-Tcp set to the first NIC and then create a new listener called RDP-Tcp-VPN and set it to the second NIC. In the properties of RDP-Tcp-VPN you limit it to 16-bit color depth. This is done in RD Session Host Configuration (tsconfig.msc).
To make this seamless you will need to configure your DNS records so that your VPN users are directed to the IP address of the RDP-Tcp-VPN network interface, and your internal users are directed to the IP address of the RDP-Tcp network interface.
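One way to check the result of the setup described above, as an added example that is not part of the original post: this PowerShell script reads each RDP-Tcp* listener from the registry and reports its adapter binding and color depth. It assumes the listener names RDP-Tcp and RDP-Tcp-VPN from the post and the standard `WinStations` values `LanAdapter`, `ColorDepth` and `PortNumber`; the function names are hypothetical.

```powershell
# Added example (not from the original thread). Run elevated on the RD Session Host.
$WinStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
# ColorDepth codes as stored per listener
$DepthNames  = @{ 1 = '8-bit'; 2 = '15-bit'; 3 = '16-bit'; 4 = '24-bit'; 5 = '32-bit' }

function Get-RdpListenerSummary {
    param([string]$BasePath = $WinStations)
    Get-ChildItem -Path $BasePath |
        Where-Object { $_.PSChildName -like 'RDP-Tcp*' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Listener   = $_.PSChildName
                Port       = $p.PortNumber
                LanAdapter = $p.LanAdapter   # 0 means "all network adapters"
                ColorDepth = $DepthNames[[int]$p.ColorDepth]
            }
        }
}

function Test-RdpListenerSplit {
    param([object[]]$Listeners)
    $problems = @()
    $vpn = $Listeners | Where-Object Listener -eq 'RDP-Tcp-VPN'
    if (-not $vpn) {
        $problems += 'Listener RDP-Tcp-VPN not found.'
    } elseif ($vpn.ColorDepth -ne '16-bit') {
        $problems += "RDP-Tcp-VPN color depth is $($vpn.ColorDepth), expected 16-bit."
    }
    # A listener bound to all adapters also answers on the other listener's NIC.
    $Listeners | Where-Object LanAdapter -eq 0 | ForEach-Object {
        $problems += "$($_.Listener) is bound to all adapters."
    }
    # Two listeners on the same adapter and port cannot be told apart by DNS.
    $Listeners | Group-Object LanAdapter, Port | Where-Object Count -gt 1 | ForEach-Object {
        $problems += "Listeners share adapter/port: $($_.Group.Listener -join ', ')."
    }
    $problems
}

$summary = @(Get-RdpListenerSummary)
$summary | Format-Table -AutoSize
$issues = @(Test-RdpListenerSplit -Listeners $summary)
if ($issues.Count -eq 0) { 'Listener split looks consistent.' } else { $issues }
```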
Thank you for the great idea. There's just one problem. We have 3 terminal servers grouped in a farm-like fashion with NLB. They each have 2 NICs - one for NLB and one for data. Is it still possible to do this then?