RDP
vitalb, 2011-11-02 11:02:17

RDP ban for certain users from certain IPs?

There is a server with Win2003 Server, Kerio Winroute Firewall, Terminal Server. There is a Windows user group Remote Desktop Users. It is necessary that certain users from this group can connect (RDP) both from local IP addresses (internal subnet) and from the Internet, and other users can connect (RDP) only (!!) from local IP addresses.
That is, so that the director, for example, can connect to the server both from home and from work directly, and Vasya Ivanov only from work.
How can this be implemented? Maybe Kerio rules or some Windows mechanisms?


9 answer(s)
korvindest, 2011-11-02
@korvindest

It is very bad to expose a direct RDP connection to the outside, so I recommend putting a VPN on the outside; through it the connection will already be the same as from the LAN. Thus, having permission for a VPN connection will be a natural restriction on connecting from outside the local network.
I think setting up a VPN for the director should not cause very big difficulties. Especially if you explain to him that this is a safer option.

Sergey, 2011-11-02
@bondbig

Impossible.

Gregory, 2011-11-02
@gvas_ru

As the boss said: "With infinite time and infinite payment, everything is possible."
So:
RDP is exposed to the outside and no one wants to change that yet. (If there is a VPN, the problem disappears.)
I.e. RDP always responds from outside, but if the correct user and the correct password are entered while the client is from outside, the connection must be refused.
Make a logon script. Check the client's RDP address. And don't let the extra ones in)))

4dmonster, 2011-11-02
@4dmonster

I only know the option to install a VPN server

thunderquack, 2011-11-02
@thunderquack

In order to forbid Vasya Ivanov to connect from home, and to allow the director, an order from the director will be enough.
There is no need to multiply entities unnecessarily.

Puma Thailand, 2011-11-02
@opium

Forward port 63000 to RDP port 3389 in Kerio and give the boss an address to connect to like myip:63000 instead of what he currently uses, myip (aka myip:3389).

Fanat, 2015-04-03
@sst_fanat

I made a PowerShell permission to log in via RDP only for certain users from the correct IP.
The situation is similar, only I did it for 1C7 RDP.
Also, for reliability, I disabled the account if the user logged in from the wrong IP, followed by manual activation upon request.
The script is executed on the RDP logon event and checks the user and IP; if everything matches, it does nothing, and if it does not match, the event is logged (username, IP) and the user account is disabled.
I did not use a logon script because it would be executed for all users, but I needed it only for certain ones.
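The event-triggered check that Gregory sketched and Fanat describes, as an added example that is not the script from either answer: a per-user allow-list of source networks, the latest RDP logon read from the Security log, and a mismatch logged and the account disabled. It assumes the script is attached to a Scheduled Task triggered on Security event 4624, that the event source RdpSourceCheck has been registered once, and that the RSAT ActiveDirectory module is present; the user names and networks are constructed sample values.

```powershell
# Allow-list of source networks per restricted user (constructed sample values).
# Users absent from the table, e.g. the director, are not restricted at all.
$Policy = @{
    'vivanov' = @('192.168.1.0/24')
    'buh'     = @('192.168.1.0/24', '10.0.0.5/32')
}

function Test-IPInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $ipObj = [IPAddress]$Ip
    # IPv6 or otherwise non-IPv4 sources never match an IPv4 range.
    if ($ipObj.AddressFamily -ne 'InterNetwork') { return $false }
    $ipInt  = [BitConverter]::ToUInt32([byte[]]($ipObj.GetAddressBytes()[3..0]), 0)
    $netInt = [BitConverter]::ToUInt32([byte[]](([IPAddress]$net).GetAddressBytes()[3..0]), 0)
    $mask   = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

function Get-LastRdpLogon {
    # Security event 4624 with LogonType 10 (RemoteInteractive) is an RDP logon.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"
    $ev = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{ User = $data['TargetUserName']; Ip = $data['IpAddress'] }
}

function Invoke-RdpSourceCheck {
    param($Logon, $Policy)
    $allowed = $Policy[$Logon.User]
    if (-not $allowed) { return 'unrestricted' }
    foreach ($cidr in $allowed) {
        if (Test-IPInCidr -Ip $Logon.Ip -Cidr $cidr) { return 'allowed' }
    }
    # Mismatch: record who and from where, then disable the account until an
    # admin re-enables it by hand (the policy the answer describes).
    $msg = "RDP logon by $($Logon.User) from $($Logon.Ip) is outside its allowed ranges; account disabled"
    # Register the source once beforehand: New-EventLog -LogName Application -Source RdpSourceCheck
    Write-EventLog -LogName Application -Source 'RdpSourceCheck' -EventId 1001 -EntryType Warning -Message $msg
    Disable-ADAccount -Identity $Logon.User   # assumes the RSAT ActiveDirectory module
    return 'disabled'
}

Invoke-RdpSourceCheck -Logon (Get-LastRdpLogon) -Policy $Policy
```

Because the check runs after the logon succeeded, the session itself is not cut; the disabled account only blocks the next attempt, which is why the VPN answers above remain the stronger control.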

vitalb, 2011-11-02
@vitalb

Thanks everyone. The idea with a VPN was spinning in my head, but I wanted to do it with the means already available. There is one thought, but the advice of people who have worked with Kerio is needed:

  • Kerio supports the creation of its "own" Kerio users. In the properties of these users there is a type of identification. I usually use IP authentication, for example, if the IP is 192.168.1.6, then this is the Kerio user director, etc. But there is also another option, which I assume is the Windows identification type.
    I.e. if the director logged in via RDP under the Windows account Director with his password, and there is an account in Kerio with the same name Director, then the current session will be considered to be on behalf of the Kerio account Director.
  • If the previous point really works as I guess, then all that remains is to make Kerio users with the same names as the Windows users and create a rule in Kerio:
    Name: Deny rdp users
    Source: Internet //interface to the internet
    Destination: Prohibited //this group of Kerio users who should be denied RDP access from the internet. (Yes, Kerio allows you to specify user groups in this field)
    Service: RDP //determine which service to close access to (the definition goes by port)
    Action: Deny //actually, the rule is to refuse.

    Thus, the rule will NOT allow RDP from the Internet for users who have passed Windows authorization on the server under their own account, have been automatically mapped to the Kerio account based on the username, and are assigned to the Prohibited group.

  • It remains to wait for the opinion of a person who has worked with Kerio on the first point: does it really work this way? I hope there is such a person :)

dollar, 2011-11-02
@dollar

You can do a preliminary authorization through Kerio (using a browser), and that Kerio user is then allowed access to the RDP port:

This is authorization by IP.
PS Paranoids need not criticize, because all the advantages and disadvantages are obvious.
