I'm thinking that you might try to monitor it before it gets to the DA server. There should be a way to map the user public IP address to their user-id, e.g. if there are logs somewhere in either: DA server, AD, some other security tool, or similar, you could push that into user-id. Not simple or elegant though. I wouldn't try to monitor the traffic within the tunnel directly, but anything traversing your firewall going to the IP address of the DA server.
... View more