# Secure Gateway tunneling policies

Tunneling policies can be used to load balance connections by assigning a group of RD Session Hosts to a specific RAS Secure Gateway or RAS Secure Gateway IP address.

To configure tunneling policies, navigate to **Farm** > \<Site> > **Secure Gateways** and then click the **Tunneling Policies** tab in the right pane.

The **\<Default>** policy is a preconfigured rule that is always evaluated last: it catches connections arriving on any Secure Gateway IP address that has no policy of its own and load balances those sessions across all servers in the Farm. You can configure the **\<Default>** policy by right-clicking it and then clicking **Properties** in the context menu.

## **Adding a new Tunneling Policy**

To add a new policy:

1. Click **Tasks** > **Add**.
2. Select a Secure Gateway IP address.
3. Specify to which RD Session Host(s) the users connecting to that specific Secure Gateway should be forwarded. If you select **None** (no forwarding), read the **Restricting RDP access** section below.

## **Managing a Tunneling Policy**

To modify an existing Tunneling Policy, right-click it and then click **Properties** in the context menu.

## **Restricting RDP access**

You can use tunneling policies to restrict RDP access through the RAS Secure Gateway port. To do so, on the **Tunneling Policies** tab, select the **None** option at the bottom of the tab (this is the default setting in a new Parallels RAS installation). This blocks native MSTSC connections through the gateway port (the default port is 80): when someone points MSTSC at IP-address:80, the connection is denied. The same applies to a native RDP connection made from a Parallels Client; connections that use the Parallels RAS protocol are not affected.
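To confirm from the outside that the **None** setting took effect, the following Python script, added here and not part of the Parallels documentation or product, opens a TCP connection to the gateway port and sends the first packet MSTSC would send: a TPKT-framed X.224 Connection Request carrying a routing cookie and an RDP negotiation request, as specified in MS-RDPBCGR. If the gateway answers with an X.224 Connection Confirm, native RDP is still being tunnelled; if it closes the connection or answers with anything that is not RDP, the native RDP path is blocked. The host name, the cookie user name and the `probe` verdict strings are placeholders chosen for this example.

```python
import socket
import struct

PROBE_COOKIE = b"Cookie: mstshash=probe\r\n"   # routing cookie MSTSC sends; the user name is arbitrary


def build_x224_connection_request(requested_protocols=0):
    """Build the TPKT-framed X.224 Connection Request that opens a native RDP session
    (MS-RDPBCGR 2.2.1.1). requested_protocols=0 asks for standard RDP security."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)        # RDP_NEG_REQ: type, flags, length, protocols
    variable = b"\x00\x00" + b"\x00\x00" + b"\x00" + PROBE_COOKIE + neg_req  # dst-ref, src-ref, class option, user data
    x224 = struct.pack(">BB", len(variable) + 1, 0xE0) + variable            # LI counts the bytes after it; 0xE0 = CR TPDU
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224             # TPKT: version 3, reserved, total length


def classify_reply(data):
    """Map the gateway's first reply bytes to a verdict. Only an X.224 Connection Confirm
    (TPDU code 0xD0 inside a TPKT frame) proves the native RDP handshake was accepted."""
    if not data:
        return "closed"          # peer closed without speaking RDP: native RDP is not tunnelled
    if len(data) < 7 or data[0] != 0x03:
        return "not_rdp"         # something other than a TPKT/X.224 reply
    if data[5] & 0xF0 == 0xD0:
        return "rdp_confirm"     # gateway completed the X.224 handshake: native RDP gets through
    return "not_rdp"


def probe_native_rdp(host, port=80, timeout=5.0):
    """Connect to host:port (80 is the default Secure Gateway port), send the Connection
    Request and classify the reply. Needs network access; the verdicts are this example's own."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_x224_connection_request())
            try:
                data = s.recv(1024)
            except ConnectionResetError:
                return "closed"
            except socket.timeout:
                return "no_reply"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    return classify_reply(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "gateway.example.com"   # placeholder host
    print(f"{target}:80 -> {probe_native_rdp(target)}")
```

Run it against the gateway address before and after selecting **None**: the verdict should change from `rdp_confirm` to `closed` or `not_rdp`. Anything other than `rdp_confirm` means the gateway did not complete a native RDP handshake on that port.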

There are two reasons to restrict RDP access. The first is that you want your users to connect to the RAS Farm through Parallels RAS connections only, not through native RDP. The second is to mitigate a DDoS attack that floods the gateway port with native RDP connections.

A common indication of such an attack is that your users cannot log in to the RAS Farm for no apparent reason. If that happens, look at the Controller.log file on the RAS Connection Broker server (path C:\ProgramData\Parallels\RASLogs). During an attack it is full of messages similar to the following:

```text
[I 06/0000003E] Mon May 22 10:37:00 2018 - Native RDP LB Connection from Public IP x.x.x.x, Private IP xxx.xxx.xx.xx, on Secure Gateway xxx.xxx.xx.xx, Using Default Rule
[I 06/00000372] Mon May 22 10:37:00 2018 - CLIENT_IDLESERVER_REPLY UserName hello@DOMAIN, ClientName , AppName , PeerIP xxx.xxx.xx.xx, Secure GatewayIP xxx.xx.x.xx, Server , Direct , desktop 0
[I 05/0000000E] Mon May 22 10:37:00 2018 - Maximum amount of sessions reached.
[I 06/00000034] Mon May 22 10:37:00 2018 - Resource LB User 'hello' No Servers Available!
[W 06/00000002] Mon May 22 10:37:00 2018 - Request for "" by User hello, Client , Address xxx.xxx.xx.xx, was not served error code 14.
```

These messages show the pattern: native RDP connections from a public IP address are reaching the gateway and being load balanced under the Default rule until the session limit is reached, after which every further request fails with "No Servers Available" and error code 14. Restricting RDP access through Secure Gateway tunneling policies closes the native RDP path through the gateway, so such connections are denied instead of consuming sessions.
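The detection logic for that pattern, as an added example that is not part of the Parallels documentation: it parses Controller.log lines of the shapes quoted above, counts native RDP connections per public IP in a sliding time window, and tallies the session-cap and error-code-14 messages that follow once the farm is exhausted. The log line format is taken from the quoted messages; the window and threshold values are hypothetical tuning knobs, and the sample log is constructed for the example rather than captured from a real server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of a Controller.log line: "[<level> <src>/<id>] <weekday> <Mon DD HH:MM:SS YYYY> - <message>".
# The weekday is skipped on purpose so parsing does not depend on it.
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z]) (?P<src>[0-9A-Fa-f]{2})/(?P<id>[0-9A-Fa-f]{8})\] "
    r"[A-Za-z]{3} (?P<ts>[A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) - (?P<msg>.*)$"
)
NATIVE_RDP_RE = re.compile(
    r"Native RDP LB Connection from Public IP (?P<public_ip>[\d.]+), "
    r"Private IP (?P<private_ip>[\d.]+), on Secure Gateway (?P<gateway>[\d.]+), "
    r"Using (?P<rule>.+)$"
)
SESSION_CAP_MSG = "Maximum amount of sessions reached."
NOT_SERVED_RE = re.compile(r"was not served error code (?P<code>\d+)")


def parse_line(line):
    """Return {level, src, id, ts, msg} for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S %Y")
    return rec


def detect_native_rdp_flood(lines, window=timedelta(seconds=60), threshold=20):
    """Flag public IPs that open >= `threshold` native RDP connections through a gateway
    within `window`, and count the session-cap and 'not served' messages that follow.
    `window` and `threshold` are hypothetical defaults; tune them to the farm's normal load."""
    connects = defaultdict(list)      # public IP -> timestamps of its native RDP connects
    by_gateway = defaultdict(int)     # gateway IP -> native RDP connects it accepted
    session_cap_hits = 0
    not_served = defaultdict(int)     # error code -> count
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        m = NATIVE_RDP_RE.search(rec["msg"])
        if m:
            connects[m.group("public_ip")].append(rec["ts"])
            by_gateway[m.group("gateway")] += 1
            continue
        if rec["msg"] == SESSION_CAP_MSG:
            session_cap_hits += 1
            continue
        m = NOT_SERVED_RE.search(rec["msg"])
        if m:
            not_served[int(m.group("code"))] += 1
    flagged = {}
    for ip, stamps in connects.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):          # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak                    # peak number of connects seen inside one window
    return {
        "flagged": flagged,
        "native_rdp_by_gateway": dict(by_gateway),
        "session_cap_hits": session_cap_hits,
        "not_served_by_code": dict(not_served),
    }


def build_sample_log():
    """Constructed sample (not a real capture), modelled on the Controller.log messages quoted
    above: one public IP opens 25 native RDP connections in 25 seconds, the farm runs out of
    sessions after the tenth, and a single legitimate connection arrives five minutes later."""
    base = datetime(2018, 5, 22, 10, 37, 0)
    stamp = lambda t: t.strftime("%a %b %d %H:%M:%S %Y")
    lines = []
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f"[I 06/0000003E] {stamp(t)} - Native RDP LB Connection from Public IP 203.0.113.10, "
                     f"Private IP 10.0.0.5, on Secure Gateway 10.0.0.2, Using Default Rule")
        if i >= 10:
            lines.append(f"[I 05/0000000E] {stamp(t)} - Maximum amount of sessions reached.")
            lines.append(f"[I 06/00000034] {stamp(t)} - Resource LB User 'hello' No Servers Available!")
            lines.append(f'[W 06/00000002] {stamp(t)} - Request for "" by User hello, Client , '
                         f'Address 10.0.0.5, was not served error code 14.')
    lines.append(f"[I 06/0000003E] {stamp(base + timedelta(minutes=5))} - Native RDP LB Connection from "
                 f"Public IP 198.51.100.7, Private IP 10.0.0.9, on Secure Gateway 10.0.0.2, Using Default Rule")
    return lines


if __name__ == "__main__":
    # On the Connection Broker, pass the real file instead:
    # detect_native_rdp_flood(open(r"C:\ProgramData\Parallels\RASLogs\Controller.log", errors="replace"))
    print(detect_native_rdp_flood(build_sample_log()))
```

A flagged public IP together with a non-zero `session_cap_hits` count is the signature described above; the per-gateway counts show which Secure Gateway is still forwarding native RDP and therefore still needs its tunneling policy set to **None**.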
