If VPN has been configured as your only way in, then that wil be your only way in.
AIUI, if you have a standard NAT router, then the only way in from the outside will be
1) Via any open ports (and then there has to be a machine on the internal LAN, on the port-forwarded IP, which does something with the packets, e.g. a web server on port 80)
2) Via a VPN (comment as above - e.g. an RDP server)
3) Via some way which hacks NAT. I don't know of any such method, but possibly one might get in via a port which was previously opened by some internal machine accessing some external resource.
That seems to be the default position, anyway.
With PC/Anywhere, some people opened up the two PC/A ports in their routers, and relied on the PC/A authentication etc for security. I have always thought that was a stupid idea, because a hacker could just forget PC/A and feed all kinds of malformed packets to that machine; all kinds of such hacks have been developed.
The iPad (or any other device) can only connect to what you have opened up on your network perimiter. Don't open up the VPN port and it can't connect to that either.
I think you know far more about this than I do...
What I was getting at is the example I gave, where a VPN failure will result in the app trying to do plaintext logins (pop3, ftp, htaccess, etc) over an open network.
There is no easy way to stop that, because of the usually indeterminate way in which different apps fall back onto whatever network connection happens to be available.
If the RDP client on the Ipad can be forced to use only a VPN, that is OK, but what if not? VPNs are notoriously unreliable, especially on a GPRS/3G connection. The ither week I was in Greece, on a Cosmote 3G SIM card (2GB for 7 days), which disconnected you every few minutes. So the VPN will bomb after a few mins, and whatever app you are running over it may retry the login...