How to Audit RD Gateway Connections

This blog post focuses on RD Gateway auditing. We discuss what Remote Desktop Gateway is, why you should be monitoring it, and the best ways to audit RD Gateway connections.

Let’s start with the definition.

What is RD Gateway?

Remote Desktop Gateway (RDG or RD Gateway) is a role service that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. It encrypts the RDC traffic into an HTTPS tunnel which creates a secure connection.

In layman’s lingo, RD Gateway is basically a funnel into your corporate environment. However, before you can use RD Gateway in your environment, clients must meet the conditions specified in at least one Remote Desktop connection authorization policy (RD CAP) and one Remote Desktop resource authorization policy (RD RAP). RD CAPs specify who can connect to an RD Gateway server and the authentication method that must be used; RD RAPs specify which internal resources those users may reach through it.

Now, because RD Gateway acts as a proxy between the external user and the Remote Desktop infrastructure, system administrators monitor those connections for security reasons.

The management also wants this info to track people’s remote logins and see who’s remoting into their desktops using RD Gateway to check who’s really working remotely from home and who’s just fooling around.

Why should I monitor RD Gateway connections?

For system admins, knowing who’s connecting through RD Gateway is an absolute must. By monitoring active and inactive RD Gateway connections, you can tell if there’s anything strange going on.

For example, you might have an unknown user trying to connect to the corporate network in the dead of night from an unknown IP address.

How can you tell if that’s a colleague working late hours once they have put their kids to sleep? If you don’t monitor RD Gateway connections, how will you be able to spot a potential hacker who tried to log in with the wrong user ID and password?

How to audit RD Gateway connections

Auditing user logons through the RD Gateway is demanding. You have three ways to do this. First, you can log onto each server to check for failed and successful logins (if you have enabled this feature). Second, you can deploy a custom PowerShell script to extract this kind of information automatically from the Event Log.

The first option takes time and it’s a hassle because you have to dig your way through all those logs. You’d go bananas before you have any real records. For the second one, you need a good PowerShell script or have enough skills to write your own.

The third option is to use a third-party tool to put all the information you need on one central console.

What do I need to measure?

Well, apart from knowing WHO is using the RD Gateway to access the corporate network from the outside, you need the following:

  • Connection log for each user
  • User activities by connection state (active, idle, disconnected, and remote control)
  • Client IP address and target workstation for each user who connected via RD Gateway
  • How long the sessions lasted (log on and log off times).
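The following script is an added example for the PowerShell option described above and for the measures just listed (per-user connection log, client IP and target computer, session duration); it is not code from the original post or from SysKit. It reads the RD Gateway operational log with Get-WinEvent, pairs connect and disconnect events into sessions with log-on and log-off times, and lists failed RD CAP / RD RAP attempts with their source IP. The channel name, event IDs (200/201 RD CAP pass/fail, 300/301 RD RAP pass/fail, 302 connected, 303 disconnected) and the message wording the regex expects are the ones normally found on an RD Gateway server, but confirm them in Event Viewer on your own gateway before relying on the output. The `$SampleEvents` objects are constructed so the parsing and pairing logic can be tried offline.

```powershell
# Added example: summarize RD Gateway connections from the gateway's operational log.
# Assumed channel name and event IDs; verify against your own gateway in Event Viewer.
$GatewayLog = 'Microsoft-Windows-TerminalServices-Gateway/Operational'

function Get-RdgEvents {
    param([int]$Days = 7, [object[]]$Sample)
    if ($Sample) { return $Sample }   # constructed events for offline testing
    # -ErrorAction Stop so a missing channel (not an RD Gateway) is reported, not hidden
    Get-WinEvent -FilterHashtable @{
        LogName   = $GatewayLog
        Id        = 200, 201, 300, 301, 302, 303
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction Stop
}

# Pull user / client IP / resource out of the message text. Assumed message shape:
#   The user "CORP\alice", on client computer "203.0.113.5", connected to resource "PC01" ...
function ConvertFrom-RdgMessage {
    param([string]$Message)
    $pattern = 'user "(?<user>[^"]+)", on client computer "(?<ip>[^"]+)"' +
               '(?:.*?resource:? "(?<res>[^"]+)")?'
    $m = [regex]::Match($Message, $pattern,
        [System.Text.RegularExpressions.RegexOptions]::Singleline)
    [pscustomobject]@{
        User     = $m.Groups['user'].Value
        ClientIP = $m.Groups['ip'].Value
        Resource = $m.Groups['res'].Value
    }
}

function Get-RdgSessionReport {
    param([int]$Days = 7, [object[]]$Sample)
    $open     = @{}                                        # key -> log-on time of sessions without a 303 yet
    $sessions = [System.Collections.Generic.List[object]]::new()
    $failures = [System.Collections.Generic.List[object]]::new()

    foreach ($e in (Get-RdgEvents -Days $Days -Sample $Sample | Sort-Object TimeCreated)) {
        $p        = ConvertFrom-RdgMessage $e.Message
        $key      = '{0}|{1}|{2}' -f $p.User, $p.ClientIP, $p.Resource
        $offHours = ($e.TimeCreated.Hour -lt 6) -or ($e.TimeCreated.Hour -ge 22)   # "dead of night" flag
        switch ($e.Id) {
            { $_ -in 201, 301 } {
                $failures.Add([pscustomobject]@{
                    Time = $e.TimeCreated; User = $p.User; ClientIP = $p.ClientIP
                    Policy = $(if ($_ -eq 201) { 'RD CAP' } else { 'RD RAP' }); OffHours = $offHours })
            }
            302 { $open[$key] = $e.TimeCreated }           # connected to the target computer
            303 {                                          # disconnected: close the matching session
                if ($open.ContainsKey($key)) {
                    $sessions.Add([pscustomobject]@{
                        User = $p.User; ClientIP = $p.ClientIP; Resource = $p.Resource
                        LogOn = $open[$key]; LogOff = $e.TimeCreated
                        Minutes = [math]::Round(($e.TimeCreated - $open[$key]).TotalMinutes, 1)
                        OffHours = $offHours })
                    $open.Remove($key)
                }
            }
        }
    }
    # Anything still open is an active connection (302 seen, no 303 yet)
    $active = foreach ($k in $open.Keys) {
        $u, $ip, $r = $k -split '\|'
        [pscustomobject]@{ User = $u; ClientIP = $ip; Resource = $r; LogOn = $open[$k] }
    }
    [pscustomobject]@{ Sessions = $sessions; Active = @($active); Failures = $failures }
}

# Constructed sample events (not real log data) so the script can be tried offline.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-15 02:13:00'; Id = 201
        Message = 'The user "CORP\jdoe", on client computer "198.51.100.7", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server.' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-15 08:30:00'; Id = 302
        Message = 'The user "CORP\alice", on client computer "203.0.113.5", connected to resource "PC01".' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-15 10:05:30'; Id = 303
        Message = 'The user "CORP\alice", on client computer "203.0.113.5", disconnected from the following network resource: "PC01". The client session duration was 5730 seconds.' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-15 11:00:00'; Id = 302
        Message = 'The user "CORP\bob", on client computer "192.0.2.44", connected to resource "PC02".' }
)

$report = Get-RdgSessionReport -Sample $SampleEvents     # use -Days 7 (no -Sample) on a real gateway
$report.Sessions | Format-Table User, ClientIP, Resource, LogOn, LogOff, Minutes, OffHours
$report.Active   | Format-Table User, ClientIP, Resource, LogOn
$report.Failures | Format-Table Time, User, ClientIP, Policy, OffHours
```

With the sample input the report shows one completed session for CORP\alice (95.5 minutes on PC01), one still-active connection for CORP\bob, and one off-hours RD CAP failure from 198.51.100.7, which is the kind of entry the section above says you should be able to spot. Sessions are paired on user, client IP and target computer, so a user holding two targets at once is still reported correctly; a 303 with no preceding 302 in the window is ignored rather than guessed at.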

SysKit Monitor

As I’ve already mentioned, you can audit RD Gateway connections with a third-party tool. One such server monitoring tool is SysKit Monitor, a monitoring and administration tool that tracks server performance, licenses, applications, and user activities to make your life as a system admin more enjoyable.

But how do I know SysKit Monitor is the right tool for me?

Consider this:

SysKit Monitor automatically gathers real-time and historical data to give a complete logon history through the RD Gateway. This data is collected and available within a single interface. Also, all RD Gateway reports are presented as professional-looking documentation and can be saved and exported as Word or Excel files.

SysKit Monitor offers RD Gateway monitoring and gathers the following:

  • Current user connections to the computers made via RD Gateway.
  • Detailed connection log for a selected user which shows the start, end, and total times for the connections made via RD Gateway in a specific session state.
  • User activity over time, showing the first logon and last logoff times, total time connected via RD Gateway, and the time spent in different session states.
  • Source IP address and target computer for each user who connected via RD Gateway. When combined with a computer filter, you can pinpoint the exact computer a user connected to.

You can start with a 30-day trial version today and test out the other features that SysKit Monitor has to offer, like diagnosing server performance problems, tracking system inventory, and monitoring application usage.