Channels:

Microsoft-Windows-TerminalServices-Gateway/Operational.
Events: 200, 300, 302, 303, 308, 312, 313.

Overview

Remote Desktop Gateway is a Windows server role that implements the Remote Desktop Protocol (RDP) over HTTPS to establish an encrypted connection. The gateway can be Internet facing to allow remote users to access internal network resources through RDP.

Channel: Microsoft-Windows-TerminalServices-Gateway/Operational
Conditions: Default configuration (applies to every event listed below)

Event 200: <DOMAIN>\<USERNAME> on client computer <SOURCE_IP> met resource authorization policy requirements and was therefore authorized to access the TS Gateway server.

Information of interest: domain, username, and source IP of the user connecting to the Remote Desktop Gateway host, and the authentication protocol used (such as NTLM).

Event 300: <DOMAIN>\<USERNAME> on client computer <SOURCE_IP> met resource authorization policy requirements and was therefore authorized to connect to <REMOTE_HOST_FQDN>.

Information of interest: domain, username, and source IP of the user connecting to the Remote Desktop Gateway host, and the remote host the user is connecting to through the Remote Desktop Gateway.

Event 302: <DOMAIN>\<USERNAME> on client computer <SOURCE_IP> connected to <REMOTE_HOST_FQDN>.

Information of interest: domain, username, and source IP of the user connecting to the Remote Desktop Gateway host, and the remote host the user is connecting to through the Remote Desktop Gateway.

Event 303: <DOMAIN>\<USERNAME> on client computer <SOURCE_IP> disconnected from <REMOTE_HOST_FQDN>.

Additional payloads: Before <DOMAIN>\<USERNAME> disconnected, the client transferred <BYTES_SENT> bytes and received <BYTES_RECEIVED> bytes. The client session duration was <SESSION_DURATION> seconds.

Information of interest: domain, username, and source IP of the user connecting to the Remote Desktop Gateway host, and the remote host the user is connecting to through the Remote Desktop Gateway. Metrics about the Remote Desktop session: bytes sent and received, and duration in seconds.

Event 312: <USERNAME>@<DOMAIN> on client computer <SOURCE_IP>:<SOURCE_PORT> has initiated an outbound connection that has yet to be authenticated.

Information of interest: domain, username, and source IP of the user connecting to the Remote Desktop Gateway host.

Event 313: <DOMAIN>\<USERNAME> on client computer <SOURCE_IP> has initiated an inbound connection that has yet to be authenticated.

Information of interest: domain, username, and source IP of the user connecting to the Remote Desktop Gateway host.
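As an added example (not part of the original page), the Python code below parses messages shaped like the templates above and pairs Event 302 with Event 303 to rebuild gateway sessions with their byte counts and duration. The function names, the sample records, and the assumption that the Event 303 payload follows the first sentence in the same message are constructed for illustration.

```python
import re

# Patterns follow the message templates listed on this page. Assumption: the
# rendered message matches them; real logs may quote or localize the fields.
HEAD = re.compile(r"^(?P<ident>\S+) on client computer (?P<src>\S+) ")
HOST = re.compile(r"(?:connect to|connected to|disconnected from) (?P<host>[\w.-]+?)\.(?:\s|$)")
STATS = re.compile(r"transferred (?P<sent>\d+) bytes and received (?P<recv>\d+) bytes\.\s+The client session duration was (?P<secs>\d+) seconds")

def parse_event(event_id, message):
    """Extract the fields of interest from one RD Gateway event message."""
    head = HEAD.match(message)
    if head is None:
        return None  # not one of the templates handled here
    ident, src = head["ident"], head["src"]
    if "\\" in ident:                      # DOMAIN\USERNAME (200, 300, 302, 303, 313)
        domain, user = ident.split("\\", 1)
    else:                                  # USERNAME@DOMAIN (312)
        user, _, domain = ident.partition("@")
    rec = {"id": event_id, "domain": domain, "user": user, "src_ip": src}
    if event_id == 312:                    # template carries <SOURCE_IP>:<SOURCE_PORT>
        rec["src_ip"], _, rec["src_port"] = src.rpartition(":")
    host = HOST.search(message)
    rec["remote_host"] = host["host"] if host else None
    stats = STATS.search(message)
    if stats:                              # only Event 303 carries session metrics
        rec.update({k: int(v) for k, v in stats.groupdict().items()})
    return rec

def closed_sessions(events):
    """Pair each 302 (connected) with the next matching 303 (disconnected)."""
    open_by_key, sessions = {}, []
    for ts, event_id, message in events:   # events must be in chronological order
        rec = parse_event(event_id, message)
        if rec is None or event_id not in (302, 303):
            continue
        key = (rec["domain"].lower(), rec["user"].lower(), rec["src_ip"], rec["remote_host"])
        if event_id == 302:
            open_by_key[key] = ts
        elif key in open_by_key:
            sessions.append({**rec, "start": open_by_key.pop(key), "end": ts})
    return sessions

# Constructed sample records (timestamp, event ID, message); not real log data.
SAMPLE = [
    ("2024-01-01T09:00:00", 312, "alice@CORP on client computer 203.0.113.7:50123 has initiated an outbound connection that has yet to be authenticated."),
    ("2024-01-01T09:00:01", 200, r"CORP\alice on client computer 203.0.113.7 met resource authorization policy requirements and was therefore authorized to access the TS Gateway server."),
    ("2024-01-01T09:00:02", 302, r"CORP\alice on client computer 203.0.113.7 connected to srv01.corp.example."),
    ("2024-01-01T09:10:02", 303, r"CORP\alice on client computer 203.0.113.7 disconnected from srv01.corp.example. Before CORP\alice disconnected, the client transferred 1200 bytes and received 884000 bytes. The client session duration was 600 seconds."),
]
```

A 302 left without a matching 303 stays out of the result, so sessions still open at collection time, or whose disconnect record is missing from the log, need to be reviewed separately.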
