Just to follow up on this. I did get this working ... Applied the filter to the RVI for outbound. Inbound did nothing.
Thanks all..
Just one more piece to this ... I added a counter to the block-rdp term to see things were working, but I am seeing the counter increment slowly even when I am not trying to connect which tells me something else is hitting this on tcp-3389. I tried to add the then log statement but it tells me this is not supported on egress traffic. Any thoughts on how i can identify what IP is hitting this counter?