So these users who are going to access the server are untrusted users? Are they not a part of your company? This is a big security issue. Do you have an existing domain with a domain controller?
Remote Desktop Gateway is easy to set up, it's just a roll that a server provides. It's considered unsafe to have the RDP port open to the internet and the RDP gateway is a safe way for public access. RDP Gateway is only available on server 2008.
You will need virtualization if you want to run three instances of server. Hyper-v 2012 is free or you could run Hyper-v inside 2008 standard.
Does this file share that the vendor application needs to access also need to be accessed by users inside your work? If not you could set up the RDP server and RDP Gateway on a separate network or DMZ.
As far as pricing, I'm not sure, I do not purchase our software or hardware.