Now I have thought up only one solution:
I can make a small site with https autorization where users can press button which run script (rule for iptables), that open 3389 port only for user IP. And this script make cron job that delete this rule after "X" hours.
It is not smart solution
But it have to work.