# Secure Setup with Double-hop DMZ and Second-Level Authentication

Second-level authentication provides a high level of protection via different types of security tokens for two-factor authentication. Users have to authenticate through two successive stages to get the remote application list. In addition to a standard user name and password, or a smart card authentication, second-level authentication uses a one-time password generated by a token. The second level of authentication can be provided by DualShield, Safenet, RADIUS, or Google authenticator.

A RADIUS server is recommended to be placed in the Intranet together with the RAS Connection Broker and Active Directory domain controller to speed up application enumeration.

It is recommended to specify Access Control Lists to only allow the IP addresses and protocols/ports necessary for the Wireless Access Points and other devices to communicate with the RADIUS server. No other devices should have a pathway to the RADIUS server.

<figure><img src="/files/ODJRYrQh6cLgXKWUs8ca" alt=""><figcaption></figcaption></figure>

In a configuration of this type, the second-level authentication via a RADIUS server is performed first. If the authentication procedure is successful, the next authentication takes place at the Active Directory level using either the username and password or a smart card.

## **Installation Notes**

Primary RAS Connection Broker is installed using the Parallels RAS installer (standard installation). Secondary RAS Connection Broker is push-installed from the RAS Console.

HALB is installed as a ready-to-use virtual appliance and configured in HALB VS properties.

All other components are push-installed from the RAS console.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.parallels.com/landing/ras-reference-architecture/v19/deployment-scenarios/parallels-ras-deployment-scenarios/mixed-scenarios/secure-setup-with-double-hop-dmz-and-second-level-authentication.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.