the connection must be initiated from C's side to A. This simply cannot work simultaneously, so I tried to make use of my public server B which can be used as a "bridge" between A and C. So, A connects to B, C connects to B, and then A and C communicate. Roughly speaking...
That was my initial idea, but seems too complicated to work out, so I asked for a possible easier alternative. :-)
Easy. John R Pierce's idea works no problem. Just do it the other way round for A.
A will run ssh (or putty) and connect to B with a ssh key and do port forwarding.
So instead of ssh -L as suggested by John, do the equivalent of ssh -R on A.
Then your problem will become: how do I secure B:3389 against unauthorized connections. Again, ssh (or putty) on C -> B to the rescue.
Back to John's suggestion. C will do ssh -L and B will firewall all access to port 3389 except from localhost.
A ssh -R3389(or whateverA):localhost:3389 | | |/
B
/|\ | | C -L3389(or whateverB):localhost:3389(or whateverA)
rdesktop or Remote Desktop on C connections to localhost port 3389 (or whateverB)