1 of 100

English

Parallels RAS 19 Administrator’s Guide

Introduction

Welcome to Parallels® Remote Application Server (Parallels RAS), an integrated solution to virtualize your applications, desktops and data. Parallels RAS publishes applications and delivers remote and virtual desktops to any device on your network, anywhere.

Parallels RAS 19 release history

The following table lists the Parallels RAS 19 release history. Parallels RAS documentation is updated for every release. This guide refers to the latest Parallels RAS 19 release from the table below. If you are using a newer Parallels RAS release or version, please download the current version of the guide from .

About Parallels RAS

Parallels RAS provides vendor independent virtual desktop and application delivery from a single platform. Accessible from anywhere with platform-specific clients and web enabled solutions, like the built-in Parallels Web Client, Parallels RAS allows you to publish remote desktops, applications and documents, improving desktop manageability, security and performance.

Parallels RAS extends Windows Remote Desktop Services by using a customized shell and virtual channel extensions over the Microsoft RDP protocol. Parallels RAS supports all major hypervisors from Microsoft, VMware, and other vendors including Hyperconverged solutions such as Nutanix AHV (AOS) and Scale Computing and Cloud platforms and services such as Microsoft Azure and Azure Virtual Desktop (formerly known as Windows Virtual Desktop), enabling the publishing of virtual desktops and applications to Parallels Client.

The product includes powerful universal printing and scanning functionality, as well as resource-based load balancing and management features.

With Parallels Device Manager Module for Parallels RAS you can also centrally manage user connections and PCs converted into thin clients using the free Parallels Client.

How does it work?

When a user requests an application or a desktop, Parallels RAS finds a least loaded RD Session Host or a guest VM on one of the least loaded Providers and establishes an RDP connection with it. Using Microsoft RDP protocol, the requested application or desktop is presented to the user. Note that in addition to RD Sessions Hosts and VDI, Parallels RAS can also be used to configure, manage and publish Azure Virtual Desktop resources.

Users can connect to Parallels RAS using Parallels Client (available at no charge), which can run on Windows, Linux, macOS, Android, Chrome, iOS and iPadOS. Users can also connect via an HTML5 browser or Chromebook.

As newer versions of Windows keep on being developed as time goes by, you need to defend the migration cost to your business. Parallels RAS can help. Desktop replacement allows you to extend the lifespan of your hardware and delay migration to the latest OSs to a time that suits you best. The Parallels RAS solution allows you to be very flexible: you can lock machine configurations on the user side, placing your corporate data in an extremely secure position; or you can opt to allow users to run some local and remote applications. Parallels Client Desktop Replacement is able to reduce the operability of the local machine by disabling the most common local configuration options, while guaranteeing the same level of service and security afforded by thin clients, directly from your existing PCs.

About this guide

This guide is intended for system administrators responsible for installing, configuring, and administering Parallels RAS. This guide assumes that the reader is familiar with Microsoft Remote Desktop Services and has an intermediate networking knowledge.

What's new

Parallels RAS 19.4.2

The following new features were added in Parallels RAS 19.4.2:

Ability to redirect local disk drives as read-only.
Ability to limit clipboard to plain text.
Ability to use SAML SSO together with credentials for user authentication.
Ability to add a custom background for User Portal.
Ability to select whether unenrolled users can see the The user name or password is incorrect error when they enter incorrect credentials for TOTP, Google Authenticator, and email OTP.
Ability to automatically connect to an alternative Connection Broker.

Parallels RAS 19.4.1

The following new features were added in Parallels RAS 19.4.1:

Ability to select if Parallels Client detection is triggered on sign-in to User Portal or after the user confirms it via a prompt
Ability to configure a Service URL through which User Portal will detect the IP of the browser it is running on
Added an option to map the Windows key to a key combination when running User Portal on Chrome OS

Parallels RAS 19.4

The following new features were added in Parallels RAS 19.4:

Ability to send OTP via email.
Ability to automatically upgrade Agents on RD Session Hosts, VDI, and Azure Virtual Desktop.
Support for IGEL 11 and 12.
Extended image management for Nutanix AHV (AOS).
Support for Scale Computing SC//HyperCore 9.2.
Ability to enable tunneling for the <Default> Theme.
Ability to edit the message that will be shown by Parallels Client when users sign in using MFA for Radius and TOTP.
Active Directory (AD) based permissions for session management.
Ability to add a customizable URL that points to internal support from RAS Console and Management Portal.
Administrator permissions to view license information.
Ability to configure the minimum key size of certificate authority templates.
Validation of HTTP host headers to protect against host header injections.
New predefined reports:
- Sessions disconnections for host pools
- Transport protocol for host pools
- Bandwidth availability for host pools
- Latency for host pool
- Connection quality for host pool
- UX Evaluator for host pool
- Logon duration for host pool
Azure Virtual Desktop improvements.

Parallels RAS 19.3.1

Important: Do not update to Parallels RAS 19.3 if you assigned multiple templates to a single VDI host pool.

Important: If you are using Azure Virtual Desktop in Parallels RAS 19.3, you need to update Parallels Client to version 19.3.

The following new features were added in Parallels RAS 19.3.1:

Ability to automatically reset sessions on user logoff.
Azure Virtual Desktop improvements.

For the complete list of new features and improvements, see Release notes: https://kb.parallels.com/en/129018.

Parallels RAS 19.3

single VDI host pool.

Important: If you are using Azure Virtual Desktop in Parallels RAS 19.3, you need to update Parallels Client to version 19.3.

The following new features were added in Parallels RAS 19.3:

Template versioning for RD Session Hosts, VDI, and Azure Virtual Desktop. This feature includes the following:
- Version management
- Version tags
- The ability to assign template versions to host pools for RD Session Hosts, VDI, and Azure Virtual Desktop.
- Scheduled template recreation for RD Session Hosts, VDI, and Azure Virtual Desktop.
Ability to configure user profiles and other settings on the host pool level.
Ability to change user passwords via third-party IdPs.
New policy for configuring drive redirection cache.
New policy for prohibiting saving username.
Ability to drain and power off hosts based on the workload.
FSLogix Office Containers support and enhanced management for FSLogix.
Dynamic printer mapping.
Azure Virtual Desktop improvements.
Add multiple provider addresses for the SC//HyperCore provider.
Ability to hide billing information on Tenants.
Ability to recreate hosts keeping the existing MAC addresses on the SC//HyperCore provider.
TLS 1.3 support.
FIPS 140-2 compliance.
Terminology updates:
- References to Pools/Groups have been standardized as "Host Pools".
- Reference to Desktop/Guests have been standardized as "Hosts".
New predefined reports:
- Session activity
- Disconnection reasons

For the complete list of new features and improvements, see Release notes: https://kb.parallels.com/en/129018.

Parallels RAS 19.2.3

The following new features were added in Parallels RAS 19.2.f3:

For the complete list of new features and improvements, see Release notes: https://kb.parallels.com/en/129018.

Parallels RAS 19.2.2

The following new features were added in Parallels RAS 19.2.2:

For the complete list of new features and improvements, see Release notes: https://kb.parallels.com/en/129018.

Parallels RAS 19.2

The following new features were added in Parallels RAS 19.2:

Integration with MSIX app attach for AVD.
Disk storage cost optimization for VDI and AVD.
Ability to choose the transport protocol for connections between Parallels Client and a server on RDSH, VDI, and Remote PC.
Ability to use RDP Shortpath for single-session and multi-session AVD hosts.
Ability to connect to AVD resources using Parallels Web Client.
New policy for selecting the display configuration.
Ability to assign persistent hosts by the client device hostname.
Ability to recreate RD Session Hosts and hosts with their original BIOS UUID on ESXi and vCenter (works automatically).
Added Microsoft Authenticator as a TOTP provider.

Deprecations and updated system requirements:

See Software Requirements for updated system requirements for components and clients.

For the complete list of new features and improvements, see Release notes: https://kb.parallels.com/en/129018.

Parallels RAS 19.1

The following new features were added in Parallels RAS 19.1:

Integration with MSIX app attach for VDI.
Search for client policies.
Ability to update all agents in an AVD host pool simultaneously.
New policy for configuring dynamic desktop resizing for published applications.
New policy for configuring multimedia redirection on Azure Virtual Desktop.
Ability to register public domain addresses when using a secret key for joining a RAS Tenant Broker.
Ability to supply public domain addresses when joining a tenant to a RAS Tenant Broker using a secret key.
Ability to easily view the details of a failure to create a hosts.
New predefined reports:
- Transport protocol (TCP/UDP)
- Network latency
- Connection quality
- Bandwidth availability

Deprecations and updated system requirements:

See Software Requirements for updated system requirements for components and clients.

For the complete list of new features and improvements, see Release notes: https://kb.parallels.com/en/129018.

Parallels RAS 19.0

The following new features were added in Parallels RAS 19.0:

Support for Amazon Web Services as a cloud provider and ability to use EC2 instances.
Integration with MSIX app attach.
Let's Encrypt certificate management.
New Parallels Client for Windows for ARM64.
Expression-based client policies, filtering for published resources and MFA configuration.
Power management: starting up and shutting down servers on schedule. Schedules can be created for RD Session Hosts, VDI, and AVD hosts.
Email-based account discovery that gives users quick access to the RAS resources when using the Parallels Client.
Logon hours restrictions that allow to restrict user access to published resources during specified time frames.
Ability to assign different MFA providers to different Themes.
Ability to specify URLs to be redirected to local end user device or to be launched in the remote session.
Ability to delegate to Custom administrators permissions for working with specific publishing folders.

Deprecations and updated system requirements:

See Software Requirements for updated system requirements for components and clients.

For the complete list of new features and improvements, see Release notes: https://kb.parallels.com/en/129018.

Terms and abbreviations used in this guide

Note: Starting with Parallels RAS 19, all products and documentation, including this section, use updated terminology. To see what terms were changed, go to https://kb.parallels.com/en/128943.

Term/Abbreviation

Description

RAS Console

Parallels RAS Console.

The RAS console is the primary interface you use to configure, manage, and run Parallels RAS. As an administrator, you use the RAS console to manage Farms, Sites, RD Session Hosts, published resources, client connections, etc.

Category

In the RAS console, categories are displayed in the left pane of the main window. Each category consists of a number of settings related to a specific task or operation.

The categories include Start, Farm, Load Balancing, Publishing, Universal Printing, Universal Scanning, Connection, Device Manager, and others.

Farm

A Parallels RAS Farm is a logical grouping of objects for the purpose of centralized management. A Farm configuration is stored in a single database which contains information about all objects comprising the Farm. A Farm consists of at least one Site but may have as many sites as necessary (see Site below).

Site

A Site consists of at least one RAS Connection Broker, RAS Secure Gateway (or multiple gateways), and RAS agents installed on RD Session Hosts, Providers, and Windows PCs. Note that a given RD Session Host, Provider, or PC can be a member of only one Site at any given time.

Licensing Site

The Site that manages Parallels RAS licenses in a Parallels RAS Farm. By default, the server on which you install Parallels RAS becomes the Licensing Site. If you create additional sites later, you can designate any one of them as the Licensing Site.

There can be only one Licensing Site in a given Farm. All other sites are called secondary sites.

Note: Parallels RAS updates or upgrades must be applied to the Licensing Site first.

RAS Secure Gateway

RAS Secure Gateway tunnels all traffic needed by applications on a single port and provides secure connections.

Web Client

Web Client allows users to view and launch remote applications and desktops in a web browser. The Web Client functionality is a part of RAS Secure Gateway.

Publishing

The act of making items installed on a Remote Desktop Server, Provider or Remote PC available to the users via Parallels RAS.

RAS Connection Broker

RAS Connection Broker provides load balancing of published applications and desktops.

RAS RD Session Host Agent

RAS RD Session Host Agent collects information from Microsoft RDS hosts required by the Connection Broker and transmits to it when required.

Remote PC Agent

Remote PC Agent collects information from Remote PC hosts required by the Connection Broker and transmits to it when required.

RAS Guest Agent

RAS Guest Agent collects information from the VDI desktop required by RAS Connection Broker and transmits to it when required.

RAS Provider Agent / RAS Provider Agent

RAS Provider Agent collects information from the Parallels RAS Infrastructure and is responsible for controlling VDI through its native API. RAS Provider Agent is built into the RAS Connection Broker and is available by default. It can be used to control multiple Providers in a Parallels RAS Farm.

RAS Provider Agent is the same as RAS Provider Agent, but the term is used in the context of Azure Virtual Desktop (described at the end of this table).

RAS Provider Agent dedicated

RAS Provider Agent dedicated is similar to the RAS Provider Agent described above with one important difference — it is a separate component that must be installed from the Parallels RAS installer and can only control a single Provider.

RDSH or RD Session Host

RDSH makes applications and a full desktop accessible to a remote client that supports Remote Desktop Protocol (RDP). RDSH replaced Terminal Servicer beginning with Windows 2008 R2.

HALB

High Availability Load Balancing (HALB) is an appliance that provides load balancing for RAS Secure Gateways. Parallels HALB virtual appliance is available for the following hypervisors: Hyper-V, VMware. Multiple HALB Virtual Servers representing different HALB devices can be deployed in a single Site. Multiple HALB deployments can run simultaneously, one acting as the primary and others as secondaries. The more HALB deployments a Site has, the lower the probability that end users will experience downtime. Primary and secondary HALB deployments share a common or virtual IP address (VIP). Should the primary HALB deployment fail, a secondary is promoted to primary and takes its place.

Tenant Broker

Tenant Broker is a special RAS installation that hosts shared RAS Secure Gateways. It is an essential part of the RAS multi-tenant architecture.

Tenant

Tenants are RAS farms that join Tenant Broker (see above) and use shared RAS Secure Gateways and HALB thus eliminating the need to have their own Gateways and HALB deployed.

RAS Enrollment Server

RAS Enrollment Server is an essential component of the SAML SSO Authentication functionality. It communicates with Microsoft Certificate Authority (CA) to request, enroll, and manage digital certificates on behalf of the user for SSO authentication in the Parallels RAS environment.

RAS PowerShell

Parallels RAS PowerShell allows you to perform Parallels RAS administrative tasks using PowerShell cmdlets. You can execute cmdlets in the Windows PowerShell console or you can write scripts to perform common Parallels RAS administrative tasks. A complete guide to Parallels RAS PowerShell is available on the Parallels website together with other Parallels RAS documentation.

RAS REST API

Parallels RAS comes with various APIs to help you develop custom applications that integrate with it. The RAS REST API is one of them.

RAS Management Portal

Parallels RAS Management Portal is an HTML5 browser-based application that lets you manage Parallels RAS.

RAS Web Administration Service

A Web service that provides the user interface for RAS Management Portal and implements RESTful Web services for the RAS REST API (see above).

Azure Virtual Desktop

Azure Virtual Desktop is a desktop and app virtualization service running on Microsoft Azure, providing access to RD Session Hosts and VDI. Parallels RAS 18 provides the ability to integrate, configure, maintain, support and access Azure Virtual Desktop workloads on top of the existing technical capabilities of Parallels RAS.

FSLogix

FSLogix Profile Container is a remote profile solution for non-persistent environments. Parallels RAS supports FSLogix on RD Session Hosts, VDI, and Azure Virtual Desktop.

Installing Parallels RAS

This chapter describes how to install and activate Parallels RAS.

System requirements

Before installing Parallels RAS, please verify that your hardware and software meet or exceed the hardware and software requirements described below. Please note that although Parallels RAS can be used in Workgroup environment, Parallels recommends using Active Directory to manage users, groups, and machine accounts via group policies.

Hardware requirements

Parallels RAS is extensively tested on both physical and virtual platforms. The minimum hardware requirements approved to run Parallels RAS are outlined below.

Physical Machines – Dual Core Processor and a minimum of 4GB RAM.
Virtual Machines – Two Virtual Processors and a minimum of 4GB of RAM.

The server hardware requirements to install and configure Parallels RAS can vary according to end-user requirements.

Typically for an installation of 30 users or under, Parallels RAS can be installed on one high specification server and the resources published directly from it. For more than 30 users, multiple servers may be required.

The below should be considered during the planning stage of a Parallels RAS deployment:

High specification servers should be used, consisting of multiple CPU cores, a high specification disk transfer rate and plenty of RAM.
A hypervisor-based virtual machine can be used as long as the resources needed to serve end-users are calculated accordingly.
It is recommended that RAS Secure Gateway does not exceed 1200 users per server for incoming connections using the Gateway SSL mode.
HALB usage should not exceed 2000 user sessions per HALB appliance. See .
When planning VDI Hypervisor resource requirements, extra requirements such as RAM usage per virtual machine and disk space should be taken into account.

When configuring RD Session Hosts, VDI, or Azure Virtual Desktop, please keep in mind that different types of workloads require different session host configurations. For the best possible experience, scale your deployment depending on your users' needs. The following table gives you an idea of how different workload types affect session host configurations.

Note: Sizing guidelines are based on Microsoft recommendations on RDS or Azure Virtual Desktop multi-session hosts.

For port requirements, please see the Port Reference section.

Software requirements

RAS Connection Broker and RAS Secure Gateway (64-bit versions only)

RAS Connection Broker and RAS Secure Gateway are supported on the following operating systems:

Windows Server 2012 R2 up to Windows Server 2022
On Windows Server 2016, 2019, and 2022 both Server Core and Desktop Experience installations are supported

Note: RAS Connection Broker and RAS Secure Gateway should not be installed on a domain controller or any other machine where a DHCP server is running. This in general applies to any of the RAS components.

RAS Web Administration Service

Same OS requirements as for RAS Connection Broker (see above). Note that for larger environments (2000 or more concurrent connections), it is recommended to install the component on a dedicated server. For details, please see https://kb.parallels.com/en/124988.

Please also note that Windows Server 2012 R2 must have the following updates installed:

Windows Server 2012 R2 — KB2999226

Newer versions of Windows Server do not require any specific updates.

RAS RD Session Host Agent

RAS RD Session Host Agent is supported on the following operating systems:

Windows Server 2008 R2 up to Windows Server 2022
Windows Server 2016 and newer must be installed using the "Desktop Experience" installation option.
Windows Server 2012 R2 — Server Core installation option is not supported.

RAS Provider Agent

Windows Server 2012 R2 up to Windows Server 2022

For the list of supported Providers, see RAS Provider Agent Installation Options.

RAS Guest Agent

Windows Server 2008 R2 up to Windows Server 2022
Windows 7 up to Windows 11

Remote PC Agent

Windows Server 2008 R2 up to Windows Server 2022
Windows 7 up to Windows 11

Parallels RAS PowerShell

Windows Server 2012 R2 up to Windows Server 2022
Windows 7 up to Windows 11
Windows Management Framework 3.0 and .NET Framework 4.5.2 must be installed

Parallels RAS Console

Windows Server 2012 R2 up to Windows Server 2022
Windows 7 up to Windows 11

RAS Enrollment Server

Windows Server 2012 R2 up to Windows Server 2022

Parallels Client

Parallels Client is approved for the following operating systems (both 32-bit and 64-bit systems are supported, where applicable):

Windows 7, 8.x, 10, 11
Windows Server 2008 R2 up to Windows Server 2022
macOS 12 Monterey to macOS 14 Sonoma. Parallels Client runs natively on Intel and Apple silicon processors.
iOS 15 and later, iPadOS 15 and later
Android 7 up to 12
Chrome OS

Note: Parallels Client for Chrome is deprecated. We recommend using Parallels Web Client instead.

Parallels Client for Linux supports the following Linux distributions (x64 versions only):

Ubuntu 18.04 LTS, 20.04 LTS, 22.04 LTS
Debian 11 (Bullseye), Debian 12 (Bookworm)
Fedora 37, 38
Linux Mint 20, 21
IGEL 11, 12
ThinOS/ Dell Wyse Thin Clients 2303

Parallels Client supports all default window managers of the distributions listed above. If you use a different window manager, your experience may vary from the intended.

For a list of supported thin clients and supported hardware from Technology Partners such as Igel, HP, 10Zig, and more, please see the following KB article: https://kb.parallels.com/124606.

Microsoft license requirements

For information about Microsoft license requirements, such as Remote Desktop Services Client Access Licenses (RDS CALs) and Virtual Desktop Access (VDA) licenses, please see Appendix: Microsoft license requirements in Parallels RAS.

Install Parallels RAS

To install Parallels RAS:

Make sure you have administrative privileges on the computer where you are installing Parallels RAS.
Double click the RASInstaller.msi file to launch the Parallels RAS installation wizard. If you see a message that begins with "This version of Parallels RAS is only for testing purposes.", it means that it's not an official build and should not be used in a production environment.
Follow the onscreen instructions.

Note: Please ensure that the presented terms in the license agreement are read and accepted to complete installation and/or upgrade. For programmatic deployment, it is understood that the terms in the license agreement have been read and accepted.

Note: If you are upgrading from one of the major versions (for example, from Parallels RAS 18 to Parallels RAS 19), you will see a message that lists system requirements for every component of the new version. Please read them carefully to make sure that all components can be upgraded in your environment. Note that if you install a component on a system that does not meet its system requirements, the component will not work.

Help us improve our products!

When you install Parallels RAS, you can choose to join Parallels Customer Experience Program. For more information about Parallels Customer Experience Program, see .

Proceed to the Select Installation Type page and select from the following:
- Parallels Remote Application Server. The default installation that will install RAS Console, RAS Management Portal, RAS Connection Broker, RAS Secure Gateway, RAS RD Session Host Agent, RAS PowerShell, and RAS Web Administration Service on the same machine. This is ideal for testing or small production environments.
- Parallels RAS Tenant Broker. This option installs Tenant Broker. Please note that Tenant Broker must be installed on a server separate from the existing RAS farms. For more information about Tenant Broker, please see the chapter.
- Custom. Select and install only the components that you require. You can select individual components after you click Next. Note that if a component cannot be installed on the current server, it will not be available for installation. See Software Requirements.
Click Next.
Review the notice on the Important Notice wizard page. If there's a port conflict on your computer, the information will be displayed here. You can resolve the conflict later.
Click Next.
On the Firewall Settings page, select Automatically add firewall rules to configure the firewall on this computer for Parallels RAS to work properly. See Port Reference for details.
Click Next and then click Install. Wait for the installation to finish and click Finish.
If you are upgrading your RAS installation, it is recommend to reboot all servers where components are upgraded.

When you need to install a particular Parallels RAS component on a different server, run the installation wizard again, select Custom and choose the component(s) you wish to install.

Log in and activate Parallels RAS

After you've installed Parallels RAS, run the RAS Console and activate your new Parallels RAS Farm.

Start the Parallels RAS Console

By default, the Parallels RAS Console is launched automatically after you click Finish on the last page of the installation wizard. To launch the console manually, navigate to Start > Apps > Parallels and click on Parallels Remote Application Server Console.

When the Parallels RAS Console is launched for the first time, you are presented with the login dialog. In the dialog, specify the following:

Farm: A Parallels RAS Farm to connect to. Enter the FQDN or IP address of the server where you have RAS Connection Broker installed.
If you've installed the Parallels Single Sign-On component when installing the RAS Console, you will see the Authentication type field from which you can select whether to log on using your credentials or SSO. If you reboot after the installation and select SSO, select Single Sign-On and then click Connect. Your Windows credentials will be used to log in to the RAS Farm. If you select Credentials, enter your credentials as described below.
Username: A user account with administrative privileges on the server where Parallels RAS is installed (usually a domain or local administrator). The account name must be specified using the UPN format (e.g. administrator@domain.local). The specified user will be automatically configured as the Parallels RAS administrator with full access rights.
Password: The specified user account password.
If you select the Remember credentials option, this dialog will not be shown the next time you launch the Parallels RAS Console.

The Edit Connections button opens a dialog where you can manage your RAS connection. This dialog becomes useful if this is not the first time you are connecting to one or more of your RAS Farms. The left pane of the dialog displays RAS Farms to which previously connected (you can remove a Farm from the list by clicking the [-] icon if you no longer need it). The right pane displays at least the primary Connection Broker for the selected Farm. If you've added a secondary Connection Brokers to a Farm, you can add it to this list by clicking the [+] icon and typing its hostname or IP address (click the "recycle" icon to verify the agent status). This way the RAS Console will try to connect to the primary Connection Broker first and if it fails (e.g. the agent is offline or cannot be reached), it will try to connect to the secondary Connection Broker. For more information about secondary Connection Brokers, please see chapter.

When you are done entering the connection information, click the Connect button to connect to the Parallels RAS Farm.

To activate Parallels RAS, you must register for a Parallels business account. After you logged in to Parallels RAS, you'll see the Sign In to Parallels My Account dialog. If you already have an account, type the email address and password you used to register the account and click Sign In.

Note: If you use an HTTP proxy server on your network, you will see a dialog asking you to configure the proxy server connection settings. Click the Configure Proxy button. In the dialog that opens, select one of the following: Use system proxy settings (the default proxy settings from the Internet Explorer will be used) or Manual HTTP proxy configuration (specify the settings manually). If your proxy configuration changes, you can re-configure it later by navigating to Administration > Settings and clicking the Configure Proxy button.

If you don't have a Parallels business account, you can register for one as follows:

In the Sign In to Parallels My Account dialog, click Register. The Register Parallels My Account dialog opens.
Enter your name and email address, choose and type a password, and enter your company info (all fields are required).
Follow the links to Parallels Privacy Policy and Terms of Use. After reading them (and if you agree) select the I have read and agree to the Parallels Privacy Policy and Terms of Use checkbox.
Click Register to register an account. This will create a personal account for yourself and a business account for your organization to which you will be assigned as administrator.

Activate Parallels RAS

After you sign in to Parallels My Account, the Activate Product dialog opens asking you to activate the Parallels RAS Farm.

If you already have a Parallels RAS license key, select the Activate using license key option and enter the key in the field provided. You can click the button next to the field to see the list of subscriptions and/or permanent license keys you have registered in Parallels My Account. If the list is empty, it means that you don't have any subscriptions or license keys and need to purchase one first.

If you don't have a Parallels RAS license key, you have the following options:

Purchase a subscription online by clicking the Purchase a license link.
Activate Parallels RAS as a trial by selecting the Activate trial version option.

After entering a license key (or selecting to activate a trial version), click Activate. You should see a message that the Parallels RAS Farm was activated successfully. Click OK to close the message box.

The first dialog that you see informs you that you have no servers configured that can be used to host published resources. This means that to begin using Parallels RAS, you need at least one RD Session Host, Provider, or a Remote PC configured. We'll talk about configuring a Parallels RAS Farm in the next chapter. For now, click OK to close the message box. You will then see the Applying Settings dialog. Wait for the initial configuration of Parallels RAS to complete and click OK. You will now see the main Parallels RAS Console window where you can begin configuring the Parallels RAS Farm.

Read on to learn how to quickly add an RD Session Host, publish resources, and invite your users to Parallels RAS.

Getting Started with Parallels RAS

This chapter will help you get started with Parallels RAS. Read it to learn how to use the Parallels RAS Console and how to set up a simple RAS environment.

The Parallels RAS Console

The Parallels RAS Console is a Windows application used to configure and administer a Parallels RAS Farm.

To open the Parallels RAS Console, navigate to Apps > Parallels and click Parallels Remote Application Server Console. Note that you can open multiple instances of the Parallels RAS Console on the same computer if you want to manage more than one Farm or Site simultaneously without switching between them inside the console. This works with a locally installed Parallels RAS Console and when you run it as a remote application from Parallels Client.

Information: In addition to Parallels RAS Console, Parallels RAS 18 introduced Parallels RAS Management Portal, an HTML5 browser-based console that lets you manage Parallels RAS. Note that at the time of this writing, Parallels RAS Management Portal does not completely replace the desktop RAS Console as some management features are still in development. More features will be added in the upcoming releases. For more information, please refer to Parallels RAS Management Portal Guide, which is available on the Parallels website: https://www.parallels.com/products/ras/resources/.

The following screenshot and the description below it give you an overview of the Parallels RAS Console.

The Parallels RAS Console consists of the following sections:

This section lists categories. Selecting a category will populate the right pane with elements relevant to that category.

This section (the middle pane) is available only for the Farm and the Publishing categories. The navigation tree allows you to browse through objects related to that category.

This section displays the selected object or category properties, such as servers in a Farm or published application properties, etc.

The information bar at the top of the RAS Console displays the name of the Site you are currently logged in to on the left side (the Location field). If you have more than one Site, you can switch between them by clicking the drop-down list (the Site name) and choosing a desired Site. If you used the RAS Console to connect to more than one Farm, the drop-down list will also display the other Farm name(s), clicking on which will connect the console to that Farm.

Your administrator account name is displayed on the right side. Clicking on the name opens a drop-down list from which you can initiate a chat with other administrators, show current sessions, and log off from the RAS Console.

The Press 'Apply' to commit the new settings message in the middle (in red) appears after you make any changes to any of the components or objects. It reminds you that you need to apply these changes to Parallels RAS for them to become effective. The following describes how it works.

When you make changes in the RAS Console, they are saved in the database as soon as you click OK in a dialog. If you close the console at this point, the changes will remain in the database and will not be lost. The changes, however, are not yet applied to running instances of the Parallels RAS processes, so they have no effect in the running RAS Farm. When you click the Apply button (at the bottom of the screen) the changes are applied to the runtime and become effective immediately.

When modifying anything in the RAS Console, follow these rules. When you make a small change, you can click Apply as soon as you are done with it. If you are working on something that requires many modifications in many places, you can wait until you are done with all changes and only then press Apply to apply all of them at the same time.

The information bar at the bottom of the screen is used to display the most recent console notification (if one is available).

Set up a basic Parallels RAS Farm

In this section, we'll set up a basic Parallels RAS Farm where all required components run on a single server.

To set up a Parallels RAS Farm:

Log in to the Parallels RAS Console.
In the console, select the Start category. This category gives you access to three wizards that you can use to easily perform essential tasks, such as adding RD Session Hosts, publishing applications, and inviting users to Parallels RAS.

Add an RD Session Host

First, you need to add an RD Session Host to the Farm. In this tutorial, we'll add the local server on which Parallels RAS is installed.

To add an RD Session Host to the Farm:

Click Add RD Session Hosts. The Add RD Session Hosts wizard opens.
Click the Tasks menu (or click the [+] icon) and select one of the following:
- Add from Active Directory: Adds an RD Session Host from Active directory.
- Add Manually: Adds RD Session Host by entering its FQDN or IP address.
Note that if you enter the server FQDN, it will be used as the primary method of connecting to this server from other Parallels RAS components and clients. If you enter the IP address, it will be automatically resolved to FQDN, but only if the global option to resolve to FQDN is enabled. To see the current setting of this global option, click Tools > Options on the main menu. In the Options dialog, examine the Always attempt to resolve to fully qualified domain name (FQDN) when adding hosts option. When the option is selected, the IP address of every server/component in the RAS Farm is always resolved to FQDN. When the option is cleared, whatever is specified for a server (IP address or name) is used to communicate with a server. This makes a difference in deployments where an IP address cannot be used to access a server, such as when a server is hosted in the cloud. For more information, see Host Name Resolution.
Click Next.
The page with general settings opens:
Specify the following settings:
- Add firewall rules. Add firewall rules required by Parallels RAS in Windows running on the server. See Port Reference for details.
- Install RDS role. Install the RDS role on the server if it's not installed. You should always select this option.
- Enable Desktop Experience. Enable the Desktop Experience feature in Windows running on the server. This option is enabled only if the Install RDS role option (above) is selected. The option applies to Windows Server 2008 R2 and Windows 2012 R1/R2 on which the Desktop Experience feature is not enabled by default.
- Restart server if required. Automatically restart the server if necessary. You can restart the server manually if you wish.
Click Next.
Add the server (or servers) to a host pool. Select the desired host pool or create a new host pool. If you are not sure what host pool to choose, select Default Host pool. Host pools are described in detail in the Manage host pools (RD Session Hosts) section.
Click Next.
In order for end users to access published resources on the RD Session Host, they must be added to the Remote Desktop Users group in Windows running on the server. This can be done one of the following ways:
- Adding each user or group directly on the server using standard Windows administrative tools.
- Adding users or groups through Active Directory.
- Using the wizard page described below, which is provided for your convenience.
If you already added your users to the Remote Desktop Users group on the given server (or if for any reason you want to use one of the other methods listed above), you can simply click Next and skip this page.
To add users to the Remote Desktop Users group using the wizard, select the Specify users or groups to be added to the Remote Desktop Users group option and then click the [+] icon. In the Select Users or Groups dialog, specify a user or group and click OK. The selected user/group will be added to the list on the wizard page.
Click Next.
The User profile page allows you to select a technology to manage user profiles.
You can select from User profile disk or FSlogix. User Profile Disks are virtual hard disks that store user application data on a dedicated file share. Microsoft FSLogix Profile Container is the preferred Profile Management solution as the successor of Roaming Profiles and User Profile Disks (UPDs). It is set to maintain user context in non-persistent environments, minimize sign-in times and provide native profile experience eliminating compatibility issues. You can keep the default settings for now. We will talk in detail about user profiles later in this guide.
The Optimization page allows you to specify settings that will be used to optimize Windows on the RD Session Host for best performance in a Parallels RAS environment.
You can select Windows components, services, and other options that will be disabled, removed, or optimized to ensure a more efficient, streamlined, and improved delivery of virtual apps and desktops. You can keep the default settings or you can modify (or disable if not sure) optimization for now. Optimization is described in detail later in this guide.
On the next page, review the settings and click Next.
The Install RAS RD Session Host Agent dialog opens. Follow the instructions and install the agent. When the installation is finished, click Done to close the dialog.
Back in the wizard, click Finish to exit.

If you would like to verify that the RD Session Host has been added to the Farm, click the Farm category (below the Start category in the left pane of the Parallels RAS Console window) and then click RD Session Hosts in the navigation tree (the middle pane). The server should be included in the RD Session Hosts list. The Status column may display a warning message. If it does, reboot the server. The Status column should now say, "OK", which means that your RD Session Host is functioning properly.

Read on to learn how to publish an application from an RD Session Host.

Publish applications

After you added an RD Session Host, you can publish applications from it.

To publish an application:

In the Parallels RAS Console, select the Start category and click the Publish Applications item in the right pane.
The Publish Applications wizard opens. On the first page, select one or more servers from which the application should be published. You can select all servers, server host pools, or individual servers.
Click Next.
On the next page, select one or more applications you want to publish.
If you've selected more than one server on the previous screen, the Show applications not available on all target servers option becomes enabled. If the option is cleared (default), the folder tree will contain applications that are available on each and every server that you selected. If the option is enabled, the tree will contain applications that may be available on some server(s), but not on the others.
Click Next. Review the summary information and click Next again.
Click Finish when ready.

To verify that an application has been successfully published, select the Publishing category in the RAS Console. The application should be included in the Published Resources list (the middle pane).

Invite users

Your Parallels RAS Farm is now fully operational. You have an RD Session Host and published application(s). All you need to do now is invite your users to install the Parallels Client software on their devices and connect to the Parallels RAS Farm.

Note: Consider allowing users to access the published resources by using their email instead of Secure Gateway IP address or hostname. For information on how to do it, see .

To invite users:

In the Parallels RAS Console, select the Start category and click the Invite Users item.
The Invite Users wizard opens. On the first page, specify the mailbox information that should be used to send invitation emails to users.
Specify the following options:
- Mailbox Server: Enter the mailbox server name. For example, mail.company.com:500
- Sender Address: Enter the email address.
- TLS / SSL: Choose whether to use the TLS/SSL protocol.
- SMTP server requires authentication: Select this option if your SMTP server requires authentication. If it does, also type the username and password in the fields provided.
In the Test Email section, type one or more email addresses to which a test email should be sent (separate multiple address with a semicolon). Click the Send Test Email button to send the email.
Click Next.
On the next page of the wizard, specify target platforms and connection options:
- In the target devices list, select the types of devices to send an invitation to. Each target device of a particular type will receive an email with instructions on how to download, install, and configure the Parallels Client software on that device type.
- In the Public address field, specify a public FQDN or IP address. This setting is used by the Preferred routing functionality to redirect client connections. Please see .
- In the Connection Mode drop-down list, select the RAS Secure Gateway connection mode. Please note that SSL modes require the gateway to have SSL configured. More information can be found in the section.
- In the Authentication mode drop-down list, select the authentication mode for your users. For the list of authentication modes, see subsection Primary connection in the section.
- Optionally, click the Advanced button to open the Advanced Settings dialog. This dialog allows you to specify a third-party credential provider component. If you use such a component to authenticate your users, specify its GUID in this dialog. For more information, see .
Click Next.
On the next page, specify the email recipients. Click the [...] button to select users or groups.
Review the invitation email template displayed in the Review the invitation e-mail box. You can modify the template text as needed. The template also uses variables, which are explained below.
- %RECIPIENT% — Specifies the name of a recipient to whom the email message is addressed.
- %SENDER% — The sender's email address that you specified in the first step of this wizard when you configured the outgoing email server settings.
- %INSTRUCTIONS% — Includes a custom URL hyperlink for automatic configuration of Parallels Client. The URL uses the Parallels Client URL scheme. For more info, see .
- %MANUALINSTRUCTIONS% — Includes instructions for manual configuration of Parallels Client.
The variables are defined dynamically depending on the type(s) of the target devices and other settings. Normally, you should always include them in the message, so your users will receive all the necessary instructions and links. If you don't include any of the variables, you will see a warning message, but including all of them is not a requirement. To preview the message, click the Preview button. This will open the HTML version of the message in a separate window. This is the email message that your users will receive.
Click Next, review the summary and click Next again to send the invitation email to users.

When users receive the invitation email, they will follow the instructions that it contains to install and configure Parallels Client on their devices. Once that's done, the users will be able to connect to Parallels RAS and launch published resources.

Azure Virtual Desktop

The Deploy Azure Virtual Desktop section in the Start category is an optional feature, which allows you to deploy Azure Virtual Desktop in Parallels RAS. The feature is described in detail in the chapter.

Conclusion

In this tutorial, we have configured a simple Parallels RAS Farm with a single RD Session Host and one published application. We then configured a mailbox for outgoing emails and sent an invitation email to end users with instructions on how to install Parallels Client, connect to the Parallels RAS Farm, and run the published application. Essentially, we've created a fully functional Parallels RAS Farm serving remote applications to end users.

If you wish, you can repeat the tutorial and add more RD Session Hosts, publish more applications, or send an invitation email to users who use different types of devices. The instructions remain essentially the same.

The rest of this guide explains in detail how to configure and use various features of Parallels RAS.

Farm and Sites

Parallels RAS Farm is a logical grouping of objects for the purpose of centralized management. A Farm configuration is stored in a single database which contains information about all objects comprising the Farm. A Site is the next level grouping in the Farm hierarchy which contains servers and other objects providing connection and remote application services.

Connecting to a Parallels RAS Farm

If you have more than one Parallels RAS Farm in your organization, you can use the same Parallels RAS Console instance to manage any of them. By default, the Parallels RAS Console is installed on the same server where you install other Parallels RAS components, but you can install the console on any computer on your network.

Connecting to a Parallels RAS Farm for the first time

When you open the Parallels RAS Console for the first time, it displays the logon dialog on which you need to specify the following:

Farm: A Parallels RAS Farm to connect to. Enter the FQDN or IP address of the server where you have RAS Connection Broker installed.
If you've installed the Parallels Single Sign-On component when installing the RAS Console, you will see the Authentication type field from which you can select whether to log on using your credentials or SSO. If you reboot after the installation and select SSO, select Single Sign-On and then click Connect. Your Windows credentials will be used to log in to the RAS Farm. If you select Credentials, enter your credentials as described below.
Username: A user account with administrative privileges on the server where Parallels RAS is installed (usually a domain or local administrator). The account name must be specified using the UPN format (e.g. administrator@domain.com). The specified user will be automatically configured as the Parallels RAS administrator with full access rights.
Password: The specified user account password.
If you select the Remember credentials option, this dialog will not be shown the next time you launch the Parallels RAS Console.

After entering the connection properties, click Connect to connect to the Farm and open the RAS Console.

Note that the Edit Connections button will not display any information on first connect (it is used to edit Farm connections that already exist), so you can ignore it at this point. We will talk about using this button closer to the end of this section.

Connecting to a different Parallels RAS Farm

When you need to connect to a different Parallels RAS Farm, you first need to log off from the Parallels RAS Console in order to see the logon dialog again. To do so:

In the Parallels RAS Console, click on the arrow icon next to your user name in the upper right-hand corner and then choose Log Off in the context menu.
The console will close and the RAS logon dialog will open. The dialog will be populated with the current Farm connection properties.
To connect to a different Farm, type the FQDN or IP address of the server where the other Farm is located. Once again, this should be the server where you have the RAS Connection Broker installed.
Specify a username and password and click Connect. The Parallels RAS Console will connect to the Farm using the connection properties that you specified.

Switching between Parallels RAS Farms

After you connect to more than one Farm from the same Parallels RAS Console instance, you can easily switch between them as follows:

In the Parallels RAS Console, click the Location drop-down list in the upper left-hand corner (right below the main application menu, where the current Site name is displayed).
The lower portion of the drop-down list will contain names of the Farms to which you connected at least once in the past (the upper portion contains one or more Site names for the current Farm). Click a desired Farm name to connect to it.
When you click the Farm name, the console will close momentarily and will re-open connected to the Farm that you selected.

Note that you can also switch between Farms by logging off from the console and choosing a desired Farm from the Farm drop-down list in the RAS logon dialog. The method described above is more convenient, so this one is just another way to do it.

Editing Parallels RAS Farm connections

As was mentioned in the beginning of this section, the RAS logon dialog has the Edit Connections button. When you click it, the Manage Parallels RAS Farm Connections dialog opens.

On the left side of the dialog, the Farm Connections pane lists Parallels RAS Farms to which you connected at least once in the past. If a connection is no longer relevant, you can remove it by selecting it and clicking the "minus sign" icon at the top. Once a connection is removed, it will no longer appear in the RAS logon dialog and in the Parallels RAS Console (the Location drop-down list).

On the right side of the dialog, the Connection Brokers pane lists RAS Connection Brokers for the selected Farm connection. By default, the primary Connection Broker is included in the list, but you can add more Connection Brokers if needed. When connecting to a Farm, the Parallels RAS Console will try the primary Connection Broker first. If a connection cannot be established, it will try other Connection Brokers in the order they are listed in the Connection Brokers pane. To add a Connection Broker to the list, click the "plus sign" icon and then specify the server FQDN or IP address.

About Sites

A Parallels RAS Farm consists of at least one Site, but may have as many sites as necessary.

Sites are often used to separate management and/or location functions. For example, by creating a Site, you can delegate permissions to a Site administrator without granting them full Farm permissions. Or you can have separate sites for different physical locations with the ability to copy the same settings to each Site while using RD Session Hosts, Providers, or PCs that are closer to end users or (depending on your needs) to back-end servers. For instance, it would make sense for a client/server application querying a database to be published from an RD Session Host which is located closer to the database server.

Each Site is completely isolated from other sites within the same Farm. The Farm simply groups sites logically and stores configuration properties of each Site (and the objects that comprise it) in a single database. sites don't communicate with each other and don't share any objects or data. The only exception to this rule is the RAS Licensing Site which periodically communicates with other sites to obtain statistics.

Individual object settings in a given Site can be replicated to all other sites. This does not mean that settings will be shared between sites. The settings that you choose will simply be applied to other sites. For more information, see the Replicating Site Settings section.

When you install Parallels RAS, a Farm with a single Site is created automatically. This first Site becomes the RAS Licensing Site and the host for the main Parallels RAS configuration database. When you add more sites to the Farm, the data in this database is automatically synchronized with every Site that you add. When changes are applied to a particular Site, the main configuration database is automatically updated to reflect the changes.

Each Site must have at least the following components installed in order to publish remote applications and desktops for end users:

Primary RAS Connection Broker
RAS Secure Gateway. Note that if a Site is joined as Tenant to RAS Tenant Broker, RAS Secure Gateway is not needed. For details, see RAS Multi-Tenant Architecture.
RD Session Host, VDI, or PC

When you install Parallels RAS using default installation options, the primary RAS Connection Broker and the RAS Secure Gateway are automatically installed on the server on which you perform the installation. You can then add one or more RD Session Hosts to the Site to host published resources. You can also add more sites to the Farm if needed and configure individual components for each Site as you desire.

Sites in the RAS Console

To view existing sites in the Parallels RAS Console, select the Farm category in the left pane. Existing sites are listed in the right pane.

Note: The Farm node will only be visible to an administrator who has full permissions to manage the Farm. For more information about Farm/Site permissions, please refer to Managing Administrator Accounts.

The Farm category displays the configuration of only one Site at a time. If you log in as the Farm administrator, the configuration of the RAS Licensing Site will be displayed. If you log in as an administrator who has access to a specific Site (but not the Farm), the configuration of that Site will be displayed.

Current Site

Click on the Farm item in the middle pane to view the list of available sites. The Site which configuration is currently loaded in the console is marked as "Current Site" in the Type column. The column also displays other Site attributes. For example, "Licensing Site / Local Site / Current Site".

Switching between sites

To switch to a particular Site, select Farm in the middle pane, then right-click the Site in the right pane and choose Switch to this Site. The Site configuration will be loaded into the RAS Console.

The other way of switching between sites is to click the Location drop-down list in the upper left-hand side of the RAS Console. The menu lists sites for the current Farm and may also list other Farms if you used this RAS Console to connect to them. For more info, see Connecting to a Parallels RAS Farm.

Renaming a Site

To rename a Site, right-click it and choose Rename Site.

Site configuration and health view

When you select the Site node in the middle pane, the Site Info tab in the right pane displays the list of Parallels RAS components that have been configured for the Site with interactive performance monitoring metrics for each component. Depending on the Site configuration, the list may include RD Sessions Hosts, VDI, Remote PCs, Secure Gateways, Connection Brokers, Azure Virtual Desktop, HALB Virtual Servers and devices, Tenant Broker, Host pools, and Enrollment Server.

To collapse or expand a component group, click an "arrow up" or "arrow down" icon on the right side of the list. Note that if no servers of a particular type have been added to the Site, the group name will not be displayed in the list.

The following information is displayed for each component (the information is updated at an interval of approximately 2 minutes):

Address: Server FQDN or IP address.
Status: Indicates whether the agent software is installed on the server and is functioning properly.
CPU: Current CPU utilization.
RAM: Current RAM utilization.
Disk Read Time: Disk read time.
Disk Write Time: Disk write time.
Sessions: The number of currently active user sessions.
Preferred PA: The name of the RAS Connection Broker designated as preferred for this server.
Operating System: Operating system version installed on the server.
Agent Version: The agent version installed on the server.
Hypervisor: The hypervisor the server is running on.

You can customize this view by clicking Tasks > Monitoring Settings. This opens a dialog where you can specify which colors should be used to display different performance counters and their values.

Performing tasks on a component

You can perform a number of tasks on a component displayed in the Site Info tab. These tasks are described below.

To configure a component, do one of the following:

While the Site node is selected in the middle pane, right-click a component in the right pane and choose Show in the editor.
Select a component category in the middle pane (e.g. RD Session Hosts, Providers, etc.).

To use server management tools, right-click a component (server), click Tools and choose a desired tool. For the complete description of tools, see Computer Management Tools.

Using the Site Designer

Select the Site node in the middle and then click the Designer tab in the right pane. The tab displays a visual representation of the Site infrastructure. Use the icons at the top to add more components to the diagram as desired. Note that adding a component to the diagram will actually add it to the Site. Double-click a component to view and configure it in a corresponding editor.

Adding a Site to the Farm

To add a Site to the Farm:

In the RAS Console, select the Farm category in the left pane and then select the Farm in the middle pane.
In the Tasks drop-down list (the right pane, above the Site list), click Add (or click the + icon).
In the Add Site dialog:
- In the Site field, specify a Site name.
- In the Server field, specify the IP address or FQDN of the server where the Primary Connection Broker and Secure Gateway should be installed.
- Select the Enable HTML5 Gateway option to automatically create a self-signed certificate, enable SSL, and enable HTML5 support. For more info, please see Configure User Portal.
Click Next.
The Site Properties dialog opens. First, it verifies if RAS Connection Broker is installed on the specified Site server. If it isn't, it will indicate this in the Status field.
Click the Install button to install the agent.
In the Install RAS Connection Broker dialog, highlight the server name on which the RAS Connection Broker is to be installed.
(Optional) Select the option Override system credentials to specify and use different credentials to connect to the server and install the agent.
Click Install to install the Connection Broker and Secure Gateway. Click Done once it has been successfully installed.

Once a new Site is created, you can view and manage its configuration by right-clicking the Site in the RAS Console and choosing Switch to this Site.

Replicating Site settings

Site-specific settings configured for a given Site can be replicated to all other sites in a Farm. Refer to the table below for the information about which settings can be replicated to other sites.

Overriding Site Replicated Settings

If an administrator who has permissions to enable or disable replication settings makes a change to a specific setting, such setting is replicated to all other sites. If an administrator has access to a particular Site only, upon modifying Site settings which have been replicated, the replicated settings are overridden and the option Replicate Settings is automatically cleared, therefore such settings will no longer be replicated to other sites.

Managing Licensing Site

The Licensing Site should always be online even if you have other sites in your Farm. If your Licensing Site goes offline, your other sites can still use the maximum number of individual licenses included in your subscription but only for a period of 72 hours. During this time, you need to do one of the following:

Restore your Licensing Site.
Promote a different Site to be the Licensing Site in the Farm (see below for instructions).

Please note that if the Licensing Site is offline from 48 to 72 hours and back online three times per month, you will be required to re-activate it using your Parallels RAS licensing key after the third time.

To promote a secondary Site to be the Licensing Site in the Farm:

In the RAS Console, navigate to Farm > Farm.
In the right pane select a Site and then click Tasks > Set as licensing Site.
You will be asked to activate the new Licensing Site using your Parallels RAS license. Follow the instructions and activate the Site.

Managing administrator accounts

You can have more than one administrator in Parallels RAS. At least one administrator (called the root administrator) must be present at all times. Other administrators can be given the following roles:

Root administrator. Has full permissions to manage a Parallels RAS Farm.
Power administrator. Has most permissions granted by default, but can be configured to have limited permissions to manage certain sites or categories.
Custom administrator. Has no permission by default and can be granted specific permission to view or modify very specific areas or objects in the Parallels RAS Farm.

Read on to learn how to create and manage administrator accounts.

Adding an administrator account

To add an administrator account to the Parallels RAS Farm:

In the RAS Console, navigate to Administration> Accounts.
Click the Tasks drop-down list and choose Add (or click the [+] icon).
The Account Properties dialog opens.
Click the [...] button next to the Name field. In the Select User or Group dialog, select a user or a group.
Specify an email address and mobile phone number. Both fields are optional and are disabled if the account specified in the Name field is a group.
In the Permissions drop-down list select a role to assign to the administrator:
- Root administrator. Grants the administrator full permissions to manage the Farm.
- Power administrator. Grants the administrator full permissions by default but allows you to limit them if needed. To grant or deny specific permissions, click the Change Permissions button. For additional info, see .
- Custom administrator. This role doesn't have any permissions by default and allows you grant very specific permissions for a particular category, area, or object in the RAS Console. See for details.
In the Receive system notifications via drop-down list, select Email to send all system notifications to the specified email address, or select None to disable email system notifications for this account.
Click OK to add the new administrator account to the Farm.

Modifying an administrator account

To modify an account, select it in the list and click Tasks > Properties. This opens the Account Properties dialog where you can modify the account information.

To enable or disable an account, select or clear the Enable account option at the top of the Account Properties dialog.

Administrator account permissions

To set permissions for a RAS administrator, do the following:

In the RAS Console, navigate to Administration > Accounts.
Select an administrator in the list and click Tasks > Properties.
Click the Change Permissions button in the Administrator Properties dialog. The following happens depending on what is selected in the Permissions field:
- Root administrator. The Change Permission button is disabled because the root administrator always has full permissions.
- Power administrator. The Account Permissions dialog opens. In the left pane, select one or more sites for which to grant permissions to the administrator. In the right pane, select specific permissions. See the Power administrator permissions subsection below for details.
- Custom administrator. A different Account Permissions dialog opens where you can set custom permissions. Compared to the Power administrator role (see above), this option allows you to grant any permission (view, modify, add, etc.) for entire categories or specific areas or objects in the RAS Console. If a Custom administrator doesn't have permissions to even view a category or tab page, they will not even appear in the RAS Console. Using the Custom administrator role, you can limit permissions to one or more very specific tasks. For details, see Custom administrator permissions below.

Power administrator permissions

The following permissions can be set for a Power administrator:

Allow viewing of site information. Whether the administrator can view the Site information.
Allow site changes. Permissions to modify the following categories: Site, Load Balancing, Universal Printing, Universal Scanning. This option is disabled if the Allow viewing of Site information option is cleared.
Allow session management. Permission to manage running sessions. This option is disabled if the Allow viewing of site information option is cleared.
Allow publishing changes. Permission to modify the Publishing category.
Allow connection changes. Permission to modify the Connection category.
Allow viewing of RAS reporting. Permission to view reports generated by RAS Reporting.
Allow client management changes. Permission to modify the Device Manager category.

In the Global permission area, set the following:

Allow viewing of policies. Whether to allow the administrator to view the Policies category.
Allow policies changes. Whether to allow the administrator to modify the Policies category.

Custom administrator permissions

To set custom administrator permissions, you must be either a root administrator or a power administrator with the "Allow site changes" permission granted.

When you first create an administrator of this type, they will have no permissions. To add permissions, select a Site in the left pane and then click the Change permissions button. The Account Permissions dialog opens. In the dialog, select a permission type in the left pane.

The permission types are:

RD Session hosts groups. The Groups tab in Farm > RD Session hosts.

Note: Starting from Parallels RAS 19, per-server RDSH permissions have been deprecated and must be manually replaced with per-group permissions. If you upgrade to Parallels RAS 19 or later from one of the previous versions, during the upgrade you will see a dialog that helps you with the process.

Manage Sessions by AD Groups. Permission for managing user sessions for users that belong to the same AD group as the custom administrator.

Note: Parallels RAS checks all available AD groups to find the ones that include the custom administrator. If you don't want to check certain AD groups, you can exclude them from the search by clicking the Exclude AD groups button in the bottom-left corner of the Account Permissions window.

Remote PCs. The Farm > Remote PCs view.
Secure Gateways. The Farm > Secure Gateways view.
Connection Brokers. The Farm > Connection Brokers.
HALB. The Farm > HALB view.
Themes. The Farm > Themes view.
Publishing. Permissions for individual folders in the Publishing category.
Connection. The entire Connection category.
Device Manager. The entire Device manager category.
Certificates. The Farm > Certificates view.
Application Packages. The Farm > Application Packages view.

To change global permissions, instead of a specific Site select Global in the left pane and then click the Change permissions button.

The global permission types are:

Monitoring. The Monitoring category.
Reporting. The Reporting category.
License. The License category.

After you select a permission type, you can set the actual permissions in the right pane. Different permission types may have different sets of permissions. The following list describes all available permissions:

View. View only.
Modify. View and modify.
Add. View, modify, and add new objects (e.g. servers).
Delete. View, modify, and delete an object.
Control. View and control an object. This permission enables the Tasks > Control menu (where available), which includes enable and disable logons, cancel pending reboot, install RDS role, reboot, and some other options. Also enables power operations (start, stop, etc., where available).
Manage sessions. View and manage sessions.

The lower portion of the right pane lists individual objects (e.g. servers) if the selected permission type has them. Here, you can set individual permissions for a specific object (not the entire tab, for instance, which otherwise would include all available objects).

The Global permissions options at the top of the right pane enables all permissions for all objects for the selected permission type.

Clone permissions

As a root administrator (or a power administrator with sufficient privileges), you can apply (clone) permissions of an existing administrator account to another existing account. This way, you can configure permissions for one account and then quickly apply the same configuration to all other accounts that require them.

To clone permissions, select a source administrator account and click Tasks > Clone permissions. In the dialog that opens, select a destination account (or multiple accounts) and click OK.

Delegate permissions

There could be a situation when a power administrator needs to grant some permissions to a custom administrator. This cannot be done by modifying permissions because power administrators cannot manage administrator accounts directly. Instead, they can delegate some of their own permissions in a given Site to a custom administrator of their choice.

For example, if a power administrator wants the custom administrator to be able to manage a particular RD Session Host, he/she selects that host in the RAS Console and click Tasks > Delegate permissions. This opens a dialog where the administrator can select a custom administrator and specify which permissions (view, modify, etc.) that administrator should have. The Tasks > Delegate permissions menu option is available for many objects, such as Providers, host pools (desktops), and some others. If the menu is not available for an object, it means that this functionality is not available for objects of this type.

Managing administrator accounts

To view existing administrator accounts, select the Administration category in the RAS Console. The Accounts tab lists existing accounts and their properties, including:

Group or user name. Account name, which can be a user or group name.
Type. Account type. Can be one of the following: User, Group, Group User. The User and Group are self-explanatory. The Group User is a user who receives Parallels RAS administrative permissions via a group membership. When you initially add a group to the list of Parallels RAS administrators, its members are not displayed on the Accounts tab. As soon as a member of the group logs in to Parallels RAS, the account name is added to the list of administrators as a Group User and remains there. Note that you cannot change Parallels RAS permissions for such an account individually outside the group permissions.
Permissions. A security role assigned to an administrator.
Email. Email address.
Mobile. Mobile phone number.
Group. Group name. This column has a value for Group Users only (see the Type column description above).
Last Modification By. The name of the user who modified this account in Parallels RAS the last time.
Changed On. The last account modification date.
Created By. The name of the user who created this account in Parallels RAS.
Created On. The date when this account was added to Parallels RAS.
ID. Internal Parallels RAS ID.

Modifying an account

To modify an account:

Right-click an account and choose Properties in the context menu.
Use the Administrator Properties dialog to modify the necessary information. For more info, see .

Handling locked objects

When an administrator is working with an object (e.g. a tab in the RD Session Host properties dialog), the object is locked for all other administrators. Therefore, upon trying to access a locked object, an administrator will be alerted with an error that the object is locked and will be denied access to it.

A root administrator (but not power or custom administrator) can release a locked object as follows:

On the Administration > Accounts tab, click the Tasks drop-down list and choose Show Sessions.
In the Sessions dialog, select the administrator who is locking an object and then click the Send Message icon (at the top).
If the administrator doesn't reply and doesn't release the object, you have an option to click Log Off, which will log them off and will unlock the category.

Configure RAS Console idle sessions

If you have a number of administrators using the RAS Console to manage the same Farm, you can configure when an idle RAS Console session should be disconnected. By default, when an administrator opens the console and connects to a Farm but then forgets to log off and goes away, the session will stay active indefinitely possibly locking some of the categories for other administrators. You can change that by specifying the time period after which an idle session will be disconnected (thus unlocking the categories).

To configure idle sessions:

In the RAS Console, navigate to Administration > Settings.
Locate the Miscellaneous section (at the bottom) and choose a desired time period in the Reset idle RAS Console session after drop-down list.

When a session stays idle for close to the specified time period, the administrator (session owner) will be notified a few minutes in advance that the session is about to be disconnected. If the administrator chooses to stay connected, the time period is reset. If the administrator does nothing, the session will be disconnected when the time expires.

Using instant messaging

Parallels RAS administrators logged on to the same Farm can communicate with each other using a built-in instant messenger.

To use the instant messenger:

In the RAS Console, select the Administration category.
Expand the drop-down list next to your name (top-right corner of the console screen) and click Chat.
The Parallels Remote Application Server Chat window opens.

To send a message:

Type the message text in the lower input panel.
In the Logged on administrators list box, select a specific administrator or All to send the message to an individual or all logged on administrators.
Click Send.

Your message history is displayed in the Messages panel. To clear the history, click Clear All.

You can also view the chat history listing all messages between all administrators (not just your own messages). To do so, select the Administration node in the console and then select the Chat History tab.

Joining Customer Experience Program

Parallels Customer Experience Program helps us to improve the quality and reliability of Parallels RAS. If you accept to join the program, we will collect information about the way you use Parallels RAS. We will not collect any personal data, like your name, address, phone number, or keyboard input.

To join the program:

In the RAS Console, select the Administration category.
In the right pane, click the Settings tab.
Select the Participate in the Customer Experience Program option.

After you join the program, CEP will automatically start to collect information about how you use Parallels RAS. Data collected from you and other participants is combined and thoroughly analyzed to help us improve Parallels RAS.

RAS Connection Broker

RAS Connection Broker provides load balancing of published applications and desktops. A RAS Connection Broker is automatically installed on a server on which you install Parallels RAS and is designated as the primary Connection Broker. Each Site must have a primary RAS Connection Broker but can also have secondary Connection Brokers added to it. The purpose of a secondary Connection Broker is to ensure that users do not experience any interruption of the service due to possible failure of the primary RAS Connection Broker. This chapter describes how to add RAS Connection Brokers to a Site and how to configure them.

Configuring RAS Connection Brokers

To view RAS Connection Brokers installed in a Site, navigate to Farm > <Site> > Connection Brokers in the RAS Console. The installed Connection Brokers are listed on the Connection Brokers tab in the right pane.

A Site must have at least the primary Connection Broker installed, which is marked so in the Priority column. You can also add secondary agents to a Site for redundancy (described in the section that follows this one).

To modify the configuration of a Connection Broker, select it and then click Tasks > Properties (or right-click > Properties). The Properties dialog opens where you can modify the following:

Enable Server in site: Enables or disables the Connection Broker. The option is enabled for secondary Connection Brokers only. It is disabled for the primary Connection Broker.
Server: Specifies the FDQN or IP address of the server that hosts the Connection Broker. To automatically resolve IP address to FQDN, enable the global Name Resolution option. For details, see Host Name Resolution.
IP: Specifies the server IP address. Click the Resolve button to obtain the IP address automatically using the FQDN specified in the Server field. This IP address is used so that multiple Connection Brokers share information in real time.
Alternate IPs: Specifies one or more alternate IP addresses separated by a semicolon. These addresses will be used if RAS Secure Gateways fail to connect to the RAS Connection Broker using its FQDN or the address specified in the IP field. This can happen, for example, if Secure Gateways are connecting from a network which is not joined to Active Directory.
Description: A user-defined description.
Standby: If selected, puts a secondary Connection Broker into a standby mode. This means that no agent will connect to this Connection Broker until another Connection Broker goes offline. This option is enabled automatically for any new secondary Connection Broker in excess of the three agents that already exist. It is not recommended to have more than three active Connection Brokers because it may degrade system performance. Using this option you can have more than three agents, but have them in standby mode until they are needed. For more information, see Secondary Connection Brokers.

When done making the changes, click OK and then click Apply in the main RAS Console window.

The Tasks drop-down list on the Connection Brokers tab has the following items:

Add. Adds a RAS Connection Broker to the Site. See the section that follows this one for the information on how to add secondary Connection Brokers.
Upgrade all Agents. Upgrades agents to the current version. The item is disabled if all agents are up to date.
Tools. Gives you access to a set of standard server management tools.
Troubleshooting. The Check agent menu item verifies that the Connection Broker is functioning properly. It opens a dialog where you can see the verification results and optionally install (or uninstall) the Connection Broker. The Logging menu item allows you to configure logging and retrieve or clear log files. For more information, see Logging.
Promote to primary. Promotes a secondary Connection Broker to primary. The current primary becomes a secondary Connection Broker.
Refresh. Refreshes the Connection Brokers list.
Delete. Deletes a secondary Connection Broker from the Site. To delete the primary Connection Broker, you first need to promote a secondary Connection Broker to primary.
Settings audit. Opens the Settings Audit dialog where you can view the changes that were done to the Connection Broker. For more information, see Settings Audit.
Move up and Move down. Changes the priority of a secondary Connection Broker (moves it up or down in the priority list).
Properties. Opens the Connection Broker Properties dialog (see above).

RAS Connection Brokers overview

In addition to the Connection Broker editor described above, you can also see the summary about the available RAS Connection Brokers. To do so:

In the RAS Console, navigate to the Farm > <Site> .
The available RAS Connection Brokers are displayed in the Connection Brokers group on the Site Info tab.
To go to the Connection Brokers editor, right-click a RAS Connection Broker and choose Show in the editor.

For additional info, see Sites in the RAS Console.

Automatically connect to an alternative Connection Broker

You can configure Parallels RAS to automatically connect to an alternative Connection Broker when one of Connection Brokers is not responding.

To enable automatic connection to an alternative Connection Broker:

In the RAS Console, click Tools > Options on the main menu (that's the menu at the top of the RAS Console window).
In the Options dialog, select the Automatically connect to an alternative Connection Broker when required option.
Click OK.

Secondary Connection Brokers

A secondary Connection Broker is added to a Site for redundancy. This way if the primary Connection Broker fails, the secondary Connection Broker is still available to handle the requests. Connection Brokers work in active/active manner to ensure high availability. In case of a Connection Broker failure, the next agent is always ready to handle the load. In general, the N+1 redundancy approach should be used per Site. Note that for auto-promotion you shouldn't have more than three Connection Brokers (auto-promotion is described later in this section).

When you have one more secondary Connection Brokers installed, the runtime data is replicated on each agent, so if any service fails, the downtime is reduced to a minimum. In addition, any active Connection Broker is used for authentication purposes with both the AD and any 2nd level authentication provider used.

The primary Connection Broker performs the same tasks as secondary Connection Brokers but has additional responsibilities. It manages certain processes that must be managed by a single Connection Broker. The following table lists processes managed by the primary Connection Broker and secondary Connection Brokers:

Process

Primary Connection Broker

Secondary Connection Brokers

Monitor PAs (counters)

Yes

Monitor RD Session Hosts (counters)

Yes

Monitor Providers (counters)

Yes

Monitor RDS Sessions (reconnection)

Yes

Monitor Deployed RDS applications

Yes

Monitor VDI session (reconnections)

Yes

Manage system settings

Yes

Send licensing information & heart beat

Yes

Process and send CEP information

Yes

Send information to reporting server

Yes

Manage RDS scheduler

Yes

Reporting engine information

Yes

Future versions

Shadowing

Yes

Future versions

Send email notifications

Yes

As a demonstration of how load distribution between multiple Connection Brokers works, consider the following example:

Suppose we have two Connection Brokers: PA1 (primary) and PA2 (secondary).
Suppose we also have 10 RD Session Hosts: RDS1, RDS2 ... RDS10

The resulting load will be distributed as follows:

RDS1, RDS2 ... RDS4 will use PA1 as their preferred Connection Broker.
RDS5, RDS6 ... RDS10 will use PA2 as their preferred Connection Broker.

Planning for secondary Connection Brokers

RAS Connection Brokers running on the same Site communicate with each other and share the load. The amount of data being transmitted from one agent to another is quite large, so a reliable high-speed communication channel must be ensured (e.g. a subnetwork can be configured for Connection Broker communications).

When adding a secondary Connection Broker to a Site, you specify an IP address for it. Make sure that the IP addresses of all agents belong to the same network segment. The port that Connection Brokers use to communicate with each other is TCP 20030.

There's no physical limit to how many Connection Brokers you can add to a Site. However, the best results are achieved with only two-three agents present. The three-agent scenario is highly recommended, especially when you have Providers and want to enable high availability for VDI. Adding more than two secondary Connection Brokers to a Site may have a reverse effect and actually degrade the system performance. Note that this does not apply to secondary Connection Brokers in standby mode, which is explained in Configuring RAS Connection Brokers.

Adding a secondary RAS Connection Broker to a Site

To add a secondary Connection Broker:

In the RAS console, navigate to Farm > <Site> > Connection Brokers.
Click the Tasks drop-down list and choose Add to launch the Add RAS Connection Broker wizard.
The Server field specifies the FDQN or IP address of the server that hosts the RAS Connection Broker. To automatically resolve IP address to FQDN, enable the global Name Resolution option. For details, see Host Name Resolution.
The IP field specifies the server IP address. Click the Resolve button to obtain the IP address automatically using the FQDN specified in the Server field.
The Alternative IPs field specifies one or more alternative IP addresses, separated by a semicolon. These addresses will be used if RAS Secure Gateways fail to connect to the RAS Connection Broker using its FQDN or the address specified in the IP field. This can happen, for example, if Secure Gateways are connecting from a different network, which is not joined to Active Directory.
Select the Install a Secure Gateway with a Connection Broker option if you also want to install a RAS Secure Gateway on the specified server. If you select this option, you may also select the Enable HTML5 Gateway option (for more info, see Configure User Portal).
Select the Add Firewall Rules option to automatically configure the firewall on the server. See Port Reference for details.
Click Next.
On the next page, click Install to install the RAS Connection Broker on the server. The Installing RAS Redundancy Service dialog opens.
Select the server on which the RAS Connection Broker is to be installed and click Install.
Click Done.
Click OK to add the server to the Farm.

Managing Secondary Connection Brokers

Enabling or disabling a secondary Connection Broker

To enable or disable a secondary Connection Broker in a Site, select it in the Connection Brokers list and then select or clear the check box at the beginning of the row.

Changing the secondary Connection Broker priority

Each secondary Connection Broker is given a priority. To change the priority, select a secondary Connection Broker and use the "Up arrow" and "Down arrow" icons (or Tasks > Move up, Move down) to move it up or down the list. The higher the agent is in the list, the higher the priority.

Promoting a secondary Connection Broker to primary

If the primary Connection Broker cannot be recovered, you can promote a secondary Connection Broker to primary as follows:

Open the RAS Console on the Connection Broker server that you would like to promote (all required files are automatically installed when a server is added to a Site as a secondary Connection Broker).
Select the Farm category and navigate to the Connection Brokers node.
Select the Connection Broker and then click Tasks > Promote to primary.
Click OK once the process is finished.

Configuring auto-promotion

If the primary Connection Broker goes offline, you will need to promote a secondary Connection Broker to take its place. The auto-promotion feature can do it automatically after a specified time period.

By default, auto-promotion is turned off. To enable it, do the following:

In the RAS Console, navigate to Farm > <Site> > Connection Brokers.
Select the Auto-promotion tab in the right pane.
Select the Enable auto-promotion option and specify the time period after which the next secondary Connection Broker should be promoted to primary. The time period can be set between 15 minutes and 72 hours (the default value is 30 min).
Select the Enable failback option if you want the original Connection Broker to become primary again should it go back online. For the Licensing Site, this eliminates license activation if failback happens within 72 hours. The license activation countdown is always displayed in the RAS Console, so the administrator can check if the original primary Connection Broker recovers within this time period or not. If the original agent goes back online after the 72-hour period (and if the Farm has been already reactivated), it will become a secondary Connection Broker.

Note: To enable auto-promotion, you need at least three active Connection Brokers in a Site. If you have less than three, the auto-promotion is ignored.

Please also note that auto-promotion must be disabled if you have a single Site with Connection Brokers split across different locations with bad WAN links. If there's no link between Connection Broker located remotely, the third Connection Broker acts as a witness to prevent split-brain.

When auto-promotion takes place, the RAS administrator will receive notifications via email about the following events:

A secondary Connection Broker has been promoted to primary.
Auto-promotion of a secondary Connection Broker has failed.
Auto-promotion failback completed.

Deleting a secondary Connection Broker

To delete a secondary Connection Broker, select it in the list and then click Delete in the Tasks drop-down list.

RAS Secure Gateway

RAS Secure Gateway tunnels all Parallels RAS data on a single port. It also provides secure connections and is the user connection point to Parallels RAS.

At least one RAS Secure Gateway must be installed and configured in every Site. Note that if a Site is joined as Tenant to RAS Tenant Broker, RAS Secure Gateway is not needed. For details, see RAS Multi-Tenant Architecture.

Multiple gateways can exist depending on your requirements. Read this chapter to learn how to add, configure, and manage RAS Secure Gateways.

Overview

You need to install at least one RAS Secure Gateway for Parallels RAS to work. You can add additional Gateways to a RAS Site to support more users, load-balance connections, and provide redundancy.

Installing a RAS Secure Gateway on a dedicated server

If you are installing a RAS Secure Gateway on a dedicated server, you can also install the Parallels RAS console on the same server. The console will have limited functionality but will allow you to perform some important management operations on the Gateway, including:

Setting the Gateway operation mode (normal or forwarding, see below for details).
Assigning a RAS Connection Broker that will manage the Gateway.
Setting the Gateway communication port.
Viewing the Gateway information, such as host OS version, Parallels RAS version, available IP addresses, and other.

The RAS Console in such an installation scenario (when connected to the local computer, not the RAS Farm) will only have two categories that you can select in the left pane: Gateway and Information. To manage the Gateway settings, select Gateway and then click Change Ownership in the right pane. To view the information select the Information category.

When the RAS console is connected to a Parallels RAS Farm (i.e. the server where RAS Connection Broker is running), you can manage RAS Secure Gateways by navigating to Farm > <Site> > Secure Gateways.

How a RAS Secure Gateway works

The following describes how a RAS Secure Gateway handles user connection requests:

A RAS Secure Gateway receives a user connection request.
It then forwards the request to the RAS Connection Broker with which it's registered (the Preferred Connection Broker setting by default).
The RAS Connection Broker performs load balancing checks and the Active Directory security lookup to obtain security permissions.
If the user requesting a published resource has sufficient rights, the RAS Connection Broker sends a response to the gateway which includes details about the RD Session Host the user can connect to.
Depending on the connection mode, the client either connects through the gateway or disconnects from it and then connects directly to the RD Session Host server.

RAS Secure Gateway operation modes

RAS Secure Gateway can operate in one of the following modes:

Normal Mode. A RAS Secure Gateway in normal mode receives user connection requests and checks with the RAS Connection Broker if the user making the request is allowed access. Gateways operating in this mode can support a larger number of requests and can be used to improve redundancy.
Forwarding Mode. A RAS Secure Gateway in forwarding mode forwards user connection requests to a preconfigured gateway. Gateways in forwarding mode are useful if cascading firewalls are in use, to separate WAN connections from LAN connections and make it possible to disconnect WAN segments in the event of issues without disrupting the LAN.

Note: To configure the forwarding mode, a Parallels RAS Farm must have more than one RAS Secure Gateway.

Planning for high availability

When adding RAS Secure Gateways to a Site, the N+1 redundancy should be configured to ensure uninterrupted service to your users. This is a general rule that also applies to other Parallels RAS components, such as Connection Brokers or RD Sessions Hosts.

Manually adding a RAS Secure Gateway

To manually install a RAS Secure Gateway and add it to the Farm, follow these steps:

Log into the server where you'll be installing the RAS Secure Gateway using an administrator account.
Copy the Parallels RAS installation file (RASInstaller.msi) to the server and double-click it to launch the installation wizard.
Follow the onscreen instruction and proceed to the installation type page. Select Custom and click Next.
Click on RAS Secure Gateway in the feature tree and select Entire Feature will be installed on local hard drive.
Ensure that all other components in the selection tree are cleared and click Next.
Click Install to start the installation.
When the installation is completed, click Finish to close the wizard.
Open the RAS Console and specify the RAS Connection Broker that will manage the gateway.

Checking the RAS Secure Gateway status

To check the status of a RAS Secure Gateway, right-click it in the list and then click Check Status in the context menu. The RAS Secure Gateway Information dialog opens.

The dialog displays the gateway information, including:

Server: The name of the server on which the gateway is installed.
Gateway: The gateway verification status (e.g. Verified).
Version: The gateway software version number. The version number must match the Parallels RAS version number.
OS Type: Operating system type and version.
Status: Display the current RAS Secure Gateway status. If the status indicates a problem (e.g. the gateway did not reply or the gateway software version is wrong), click the Install button to push install the gateway software on the server. Wait for the installation to complete and check the status again.

Enable or disable a Secure Gateway

A RAS Secure Gateway is enabled by default. To enable or disable a Secure Gateway, open the RAS Secure Gateway Properties dialog and select or clear the Enable RAS Secure Gateway in site option on the General tab.

Set IP addresses for client connections

Use IP version: Select the IP version(s) to use.
IP(s): Specify one or more IP addresses separated by a semicolon, or click Resolve to resolve the IP address automatically. These are the available addresses on the Secure Gateway server. To specify IP addresses that should be used for client connections, use the Bind to IP section (see below).
Bind to IP: Use this section to specify on which IP address (or addresses) the Secure Gateway will listen for client connections. You can select a specific address or <All available addresses>, in which case all of the IP addresses specified in the IP(s) field will be used.
Remove system buffers for: These fields (one for each IP version) can be used when the connection between the Secure Gateway and the Parallels Client has a high latency (such as the Internet). This option will optimize traffic for better experience on the Parallels Client side. You can select a specific address, all available addresses, or none. What this option will do is delay the internal socket to match the performance of the external socket. If the internal network is fast and the external is slow, RDP detects the fast internal socket and sends a lot of data. The problem is that this data cannot be sent fast enough from the Secure Gateway to the Client, thus ending up with a bad user experience. Enabling this option will optimize the data exchange.

You can specify the following IP options:

IP addresses for incoming client connections for a Secure Gateway are specified on the General tab of the RAS Secure Gateway Properties dialog. RAS Secure Gateway recognizes both IPv4 and IPv6. By default, IPv4 is used.

Gateway mode and forwarding settings

A RAS Secure Gateway can operate in normal and forwarding modes. To set the desired mode and configure related settings click the Mode tab in the RAS Secure Gateway Properties dialog.

Using Site defaults

To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site Defaults (Gateways).

Setting the normal mode

To set the normal mode, in the Gateway mode drop-down list, select Normal.

The Forward requests to HTTP Server option allows you to forward requests that do not belong to RAS Secure Gateways (gateways handle HTML5 traffic, Wyse, and URL scheme). To specify multiple servers, separate them with a semicolon. An HTTP server can be specified using an IPv6 address if necessary. Please note that the HTTP server must support the same IP version as the browser making the request.

The Preferred Connection Broker drop-down list allows you to specify a RAS Connection Broker that the Secure Gateway should connect to. This is helpful when Site components are installed in multiple physical locations communicating through WAN. You can decrease network traffic by specifying a more appropriate Connection Broker. For the Secure Gateway to select a Connection Broker automatically, select the Automatic option.

Setting the forwarding mode

To configure the forwarding mode, in the Gateway mode drop-down list, select Forwarding.

Specify (or select) one or more forwarding Secure Gateways in the Forwarding RAS Secure Gateway(s) field.

Note: The forwarding mode allows you to forward data to a Secure Gateway listening on IPv6. It is recommended that forwarding Secure Gateways are configured to use the same IP version.

Gateway network options

The Network tab is used to configure RAS Secure Gateway network options.

Using Site defaults

To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site Defaults (Gateways).

Configuring network

By default RAS Secure Gateway listens on TCP ports 80 and 443 to tunnel all Parallels RAS traffic. To change the port, specify a new port in the RAS Secure Gateway Port input field.

RDP port 3389 is used for clients that require basic load balanced desktop sessions. Connections on this port do not support published resources. To change the RDP port on a gateway select the RDP Port option and specify a new port. When setting your own port, please make sure that the port number does not conflict with the standard "RD Session Host Port" setting.

Note: If RDP port is changed, the users need to append the port number to their connection string in the remote desktop client (e.g. [ip address]:[port]).

Broadcast RAS Secure Gateway Address. This option can be used to switch on the broadcasting of the Secure Gateway address, so Parallels Clients can automatically find their primary Secure Gateway. The option is enabled by default.

Enable RDP UDP Data Tunneling. To enable UDP tunneling on Windows devices, select this option (default). To disable UDP tunneling, clear the option.

Device Manager Port. Select this option to enable management of Windows devices from the Device Manager category. The option is enabled by default.

Enable RDP DOS Attack Filter. When selected, this option denies chains of uncompleted sessions from the same IP address. For example, if a Parallels Client initiates multiple successive sessions with each session waiting for the user to provide credentials, Parallels RAS will deny further attempts. The option is enabled by default.

SSL/TLS encryption

The traffic between Parallels RAS users and a RAS Secure Gateway can be encrypted. The SSL/TLS tab allows you to configure data encryption options.

Using Site defaults

To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site defaults (Gateways).

Enforcing HSTS

The Configure button in the HSTS section allows you to enforce HTTP Strict Transport Security (HSTS), which is a mechanism that makes a web browser to communicate with the web server using only secure HTTPS connections. When HSTS is enforced for a RAS Secure Gateway, all web requests to it will be forced to use HTTPS. This specifically affects the RAS User Portal, which typically accepts only HTTPS requests for security reasons.

When you click the Configure button, the HSTS Settings dialog opens where you can specify the following:

Enforce HTTP strict transport security (HSTS): Enables or disables HSTS for the Secure Gateway.
Max-age: Specifies the max-age for HSTS, which is the time (in our case in months) that the web browser should remember that it can only communicate with the Secure Gateway using HTTPS. The default (and recommended) value is 12 months. Acceptable values are 4 to 120 months.
Include subdomains: Specifies whether to include subdomains (if you have them).
Preload: Enables or disables HSTS preloading. This is a mechanism whereby a list of hosts that wish to enforce the use of SSL/TLS on their Site is hardcoded into a web browser. The list is compiled by Google and is used by Chrome, Firefox, Safari, Internet Explorer 11, and Edge browsers. When HSTS preload is used, a web browser will not even try to send a request using HTTP, but will use HTTPS every time. Please also read the important note below.

Note: To use HSTS preload, you have to submit your domain name for inclusion in Chrome's HSTS preload list. Your domain will be hardcoded into all web browser that use the list. Important: Inclusion in the preload list cannot easily be undone. You should only request inclusion if you are sure that you can support HTTPS for your entire Site and all its subdomains in the long term (usually 1-2 years).

Please also note the following requirements:

Your website must have a valid SSL certificate. See SSL server configuration.
All subdomains (if any) must be covered in your SSL Certificate. Consider ordering a Wildcard Certificate.

Configuring SSL

By default, a self-signed certificate is assigned to a RAS Secure Gateway when the gateway is installed. Each RAS Secure Gateway must have a certificate assigned and the certificate should be added to Trusted Root Authorities on the client side to avoid security warnings.

SSL certificates are created on the Site level using the Farm > Site > Certificates subcategory in the RAS Console. Once a certificate is created, it can be assigned to a RAS Secure Gateway. For the information about creating and managing certificates, refer to the SSL Certificate Management chapter.

To configure SSL for a Secure Gateway:

Select the Enable SSL on Port option and specify a port number (default is 443).
In the Accepted SSL Versions drop-down list, select the SSL version accepted by the RAS Secure Gateway.
In the Cipher Strength field, select a desired cipher strength.
In the Cipher field, specify the cipher. A stronger cipher allows for stronger encryption, which increases the effort needed to break it.
The Use ciphers according to server preference option is ON by default. You can use client preferences by disabling this option.
In the Certificates drop-down list, select a desired certificate. For the information on how to create a new certificate and make it appear in this list, see the SSL Certificate Management chapter.
The <All matching usage> option will use any certificate configured to be used by Secure Gateways. When you create a certificate, you specify the "Usage" property where you can select "Gateway", "HALB", or both. If this property has the "Gateway" option selected, it can be used with a Secure Gateway. Please note that if you select this option, but not a single certificate matching it exists, you will see a warning and will have to create a certificate first.

Encrypting Parallels Client connection

By default, the only type of connection that is encrypted is a connection between a Secure Gateway and backend servers. To encrypt a connection between Parallels Client and the Secure Gateway, you also need to configure connection properties on the client side. To do so, in Parallels Client, open connection properties and set the connection mode to Gateway SSL.

To simplify the Parallels Client configuration, it is recommended to use a certificate issued by a well-known third-party Trusted Certificate Authority. Note the Windows certificate store is used by some web browsers (Chrome, Edge etc.) when connecting to RAS User Portal.

Parallels Clients configuration

In case the certificate is self-signed, or the certificate issued by Enterprise CA, Parallels Clients should be configured as follows:

Export the certificate in Base-64 encoded X.509 (.CER) format.
Open the exported certificate with a text editor, such as notepad or WordPad, and copy the contents to the clipboard.

To add the certificate with the list of trusted authorities on the client side and enable Parallels Client to connect over SSL with a certificate issued from an organization’s Certificate Authority:

On the client side in the directory "C:\Program Files\Parallels\Remote Application Server Client\" there should be a file called trusted.pem. This file contains certificates of common trusted authorities.
Paste the content of the exported certificate (attached to the list of the other certificates).

Securing RDP-UDP connections

A Parallels Client normally communicates with a RAS Secure Gateway over a TCP connection. Recent Windows clients may also utilize a UDP connection to improve WAN performance. To provide the SSL protection for UDP connections, DTLS must be used.

To use DTLS on a RAS Secure Gateway:

On the SSL/TLS tab, make sure that the Enable SSL on Port option is selected.
On the Network tab, make sure that the Enable RDP UDP Data Tunneling option is selected.

The Parallels Clients must be configured to use the Gateway SSL Mode. This option can be set in the Connections Settings > Connection Mode drop-down list on the client side.

Once the above options are correctly set, both TCP and UDP connections will be tunneled over SSL.

Configure User Portal

User Portal is a functionality built into RAS Secure Gateway that allows users to connect to Parallels RAS and open published resources from a web browser using the Parallels Web Client. The client works similarly to a platform-specific Parallels Client, but does not require any additional software to be installed on users' computers or devices. All that users need is an HTML5-enabled web browser.

This section describes how to configure User Portal in the Parallels RAS Console. For the information about how to use it, please refer to the Parallels Web Client and User Portal chapter.

Note: To use Web Client and User Portal, SSL must be enabled on a RAS Secure Gateway. When enabling the client, please verify that SSL is enabled on the SLL/TLS tab or on your network load balancer. Please also note that the User Portal tab is only available if the gateway mode is set to "Normal". For more information, see Gateway mode and forwarding settings.

To configure User Portal, click the User Portal tab in the RAS Secure Gateway properties dialog and then set the options described in the subsequent sections.

For the information on how to configure the Web Client URL and how to access the client from a web browser, please Web request load balancing.

Enable or disable User Portal

To enable or disable User Portal, select or clear the Enable User Portal option. This disables User Portal, so users will no be able to connect to User Portal using the Web Client.

Client settings

The Client section allows you to specify application launch methods and other Web Client settings.

Launch sessions using: When a user tries to open a resource from the User Portal web page, the resource can open right in the web browser or it can be launched in a platform-specific Parallels Client installed on the user's computer (e.g., Parallels Client for Windows). This option specifies which client will be used. Compared to Web Client, platform-specific Parallels Client includes a richer set of features and provides end users with a better overall user experience. Select one of the following:
1. Browser Only: Users can run remote applications and desktops using Parallels Web Client only. Use this option if you don't want your users to install a platform-specific Parallels Client.
2. Parallels Client Only: Users can run remote applications and desktops in Parallels Client only. When a user connects to Parallels RAS using Parallels Web Client, they will be asked to install the platform-specific Parallels Client before they can launch remote applications and desktops. A message will be displayed to the user with a link for downloading the Parallels Client installer. After the user installs Parallels Client, they can still select a remote application or desktop in Parallels Web Client but it will open in Parallels Client instead.
3. Parallels Client with fallback to Browser: Both Parallels Client and a browser (HTML5) can be used to launch remote applications and desktops. Parallels Client will be the primary method; Parallels Web Client will be used as a backup method if a published resource cannot be launched in Parallels Client for any reason. A user will be informed if a resource couldn't be opened in Parallels Client and will be given a choice to open it in the browser instead.
(Parallels Client with fallback to Browser and the Parallels Cient only) Additionally, you can configure Parallels Client detection by clicking on the Configure button:
- Detect client: Select when Parallels RAS tries to detect platform-specific Parallels Client.
  - Automatically on sign in: Parallels RAS tries to detect platform-specific Parallels Client immediately.
  - Manually on user prompt: Parallels RAS shows users a prompt where can they select whether they want to detect platform-specific Parallels Client .
- Client detection timeout: Time period during which Parallels RAS tries to detect platform-specific Parallels Client.
Allow users to select a launch method: If selected, users will be able to choose whether to open remote applications in a browser or in Parallels Client. You can enable this option only if the Launch session using option (above) is set to Parallels Client with fallback to Browser (i.e. both methods are allowed).
Allow opening applications in a new tab: If selected, users will be able to open remote applications in a new tab in a web browser.
Use Pre Windows 2000 login format: Enables legacy (pre-Windows 2000) login format.
Allow embedding of User Portal into other web pages: If selected, the User Portcal web page can be embedded in other web pages. Please note that this may be a potential security risk due to a practice known as clickjacking.
Allow file transfer command: Enables file transfer in a remote session. To enable file transfer, select this option and click the Configure button. In the dialog that opens, select Client to server only (transfer files from client to server only), Server to client only (transfer files from server to client only), Bidirectional (transfer files in both directions). For more information, see Configuring Remote File Transfer.
Allow clipboard command: Enables clipboard operations (copy/paste) in a remote session. To enable the clipboard, select this option and click the Configure button. In the dialog that opens, select Client to server only (copy/paste from client to server only), Server to client only (copy and paste from server to client only), Bidirectional (copy and paste in both directions). For more information about using the clipboard, see Using the Remote Clipboard.
Allow cross-origin resource sharing: Enables cross-origin resource sharing (CORS). To enable CORS, select this option and click the Configure button. In the dialog that opens, specify one or more domains for which access to resources should be allowed. If you don't specify any domains, the option will be automatically disabled. In the Browser cache time field, specify for how long the end-user's browser will cache a resource.
Use a client IP detection service: If selected, allows configuring an IP detection service to report IP addresses of connected Parallels Web Client applications. To enable a client IP detection service, select this option and click the Configure button. In the dialog that opens, provide the URL to the IP detection service you want to use. You can press the Test button to ensure the API works as expected. When you click the Test button, the Connection Broker will take the role of the client and call the API. If successful, you will be presented with a window showing the IP address of the Connection Broker.

Network load balancers access

The Network Load Balancers access section is intended for deployment scenarios where third-party front-end load balancers such as Amazon Web Services (AWS) Elastic Load Balancers (ELBs) are used. It allows you to configure an alternate hostname and port number to be used by the Network Load Balancer (NLB). This is needed to separate hostnames and ports on which TCP and HTTPS communications are carried out because AWS load balancers don't support both specific protocols over the same port.

The following options are available:

Use alternate hostname: Select this option and specify an alternate hostname. When the alternate hostname is enabled, all platform-specific Parallels Clients will use this hostname to connect to the RAS Farm or Site.
Use alternate port: Select this option and specify an alternate port number. The port must not be used by any other component in the RAS Farm or Site. To reset the port number to the default value, click Default. When the alternate port is enabled, all platform-specific Parallels Clients will use this port to connect to the RAS Farm or Site. Note that RDP sessions in Web Client will still be connecting to the standard SSL port (443).

Note: Please note that using an alternate host or port is not suitable in a multi-tenant environment as Tenant Broker RAS Secure Gateways are shared between Tenants, which would require different configurations.

In addition, the AWS Application Load Balancer (ALB), which handles HTTP/s traffic required by the Parallels Web Client, only supports specific cookies that are usually automatically generated. When a load balancer first receives a request from a client, it routes the request to a target and generates a cookie named AWSALB, which encodes information about the selected target. The load balancer then encrypts the cookie and includes it in the response to the client. When sticky sessions are enabled, the load balancer uses the cookie received from the client to route the traffic to the same target, assuming the target is registered successfully and is considered healthy. By default, Parallels RAS uses its own ASP.NET cookie named _SessionId, however in this case you must customize the cookie specifying the mentioned AWS cookie for sticky sessions. This can be configured using the Web cookie field on the Web Requests tab. Please note that this functionality is available in Parallels RAS 17.1 or newer.

Wyse ThinOS support

To publish applications from the Parallels RAS to thin clients using the Wyse ThinOS, select the Enable Wyse ThinOS support option on the Wyse tab.

Note: The Wyse tab is only available if the gateway mode is set to normal. See Gateway mode and forwarding settings for more info.

By enabling this option, the RAS Secure Gateway will act as a Wyse broker. You need to make sure that DHCP option 188 on your DHCP server is set to the IP address of this gateway for thin clients that will be booting via this Secure Gateway. Once the DHCP server is configured, click the Test button to verify the DHCP server settings.

The Do not warn if server certificate is not verified option can be selected (enabled) if a Wyse device shows an SSL warning when connecting to a RAS Secure Gateway because the hostname does not match the certificate. When the option is selected, the Secure Gateway will send Wyse clients the following parameters in the wnos.ini file: SecurityPolicy=low TLSCheckCN=no, which will disable SSL checks. Note that the option is not required if a certificate has the following:

The CNAME set to the FQDN of the RAS Secure Gateway.
The SAN set to the RAS Secure Gateway IP address.

Note that if you use a custom wnos.ini in "C:\Program Files (x86)\Parallels\ApplicationServer\AppData\wnos" folder on Secure Gateway, the Secure Gateway will not send the SSL check parameters.

If you configure DHCP option 188 to set the broker address to a given Secure Gateway, you can verify this by clicking the Test button.

Web request load balancing

Note: The Web tab is only available if the gateway mode is set to normal. See more in Gateway mode and forwarding settings.

The Web tab allows you to tweak settings necessary for load balancing in certain scenarios. Here you can specify a redirection URL for web requests and a session cookie name to maintain persistence between a client and a server.

Redirection URL

An original web request can reach the gateway one of the following two ways:

The request is sent directly to the gateway over the local network using its IP address or FQDN. For example, https://192.168.10.10.
The request is sent to a HALB device that load-balances this and other gateways in the Farm. The HALB device often faces the Internet (i.e. located in DMZ) and so its DNS name can be used in the original request URL. For example, https://ras.msp.com. The HALB device is then distributes the request to a gateway.

When the gateway receives the web request, it takes the URL specified on the Web tab and sends it back to the web browser for redirection.

Technically, you can enter any URL here, and the original web request will be redirected to that URL. The primary purpose of this field, however, is to give end users an easy way to access User Portal from their web browsers. Here's how it works:

A user enters the Load Balancer DNS name in a web browser. For example, https://ras.msp.com.
The Load Balancer receives the request and distributes it to the least-busy RAS Secure Gateway for processing.
The gateway receives the original URL and replaces it with the URL specified in the Default URL field. See the Default URL format subsection below.
The replaced URL is then sent back to the web browser, which uses it to open the User Portal login page.

Default URL format

The default URL format is the following:

https://%hostname%/userportal

The %hostname% variable is automatically replaced with the name of the server that received the original request, which in our example is the Load Balancer DNS name. If you wish, you can replace the variable with a specific host name or IP address (e.g. this or some other gateway). For example, https://192.168.5.5/userportal. If you do this, the web requests will always be forwarded to the specified host and will open the User Portal on it. Hard-coding a host may not be very practical, but you can do this nevertheless.
userportal is a constant and is the path to the User Portal login page.

In our example, the resulting URL that the web browser will use to access the User Portal is the following:

https://ras.msp.com/userportal

The fact is, a user could simply use the above URL from the start, but thanks to the redirection feature, users only need to enter the server DNS name (or FQDN/IP-address on the local network) instead of the entire URL.

Opening a specific User PortalTheme

User Portal Themes is a feature that allows you to custom design the User Portal look and feel for different groups of users. Themes are described in detail in Parallels Web Client and User Portal.

The default web request URL opens the default Theme. To make it open a specific Theme, add the Theme name at end of the URL as follows:

https://%hostname%/userportal/?theme=<theme-name>

where <theme-name> is the name of a Theme without brackets or quotes.

For users to open a specific Theme, the URL that they enter in a web browser must contain the Theme name, but in this case the format is as simple as the following:

https://<server-name>/<theme-name>

Using our Load Balancer DNS name example from above, the URL may look like the following:

https://ras.msp.com/Theme-E1

For additional information, please see Configure Themes > URLs.

The Web cookie field is used to specify a session cookie name. RAS Web Client session persistence is normally set by the user IP address (source addressing). If you can't use source addressing in your environment (e.g. your security policy doesn't allow it), you can use the session cookie to maintain persistence between a client and a server. To do so, you need to set up a load balancer that can use a session cookie for persistence. The default cookie name is ASP.NET_SessionId. Note that if you are using Amazon Web Services (AWS) or other third-party load balancers, you may need to specify their own cookie name. See Network load balancers access for more information.

Secure Gateway tunneling policies

Tunneling policies can be used to load balance connections by assigning a group of RD Session Hosts to a specific RAS Secure Gateway or RAS Secure Gateway IP address.

To configure tunneling policies, navigate to Farm > <Site> > Secure Gateways and then click the Tunneling Policies tab in the right pane.

The <Default> policy is a preconfigured rule and is always the last one to catch all non-configured Secure Gateway IP addresses and load balance the sessions between all servers in the Farm. You can configure the <Default> policy by right-clicking it and then clicking Properties in the context menu.

Adding a new Tunneling Policy

To add a new policy:

Click Tasks > Add.
Select a Secure Gateway IP address.
Specify to which RD Session Host(s) the users connecting to that specific Secure Gateway should be forwarded. If you select None (no forwarding), read the Restricting RDP access section below.

Managing a Tunneling Policy

To modify an existing Tunneling Policy, right-click it and then click Properties in the context menu.

Restricting RDP access

You can use tunneling policies to restrict RDP accesses through the RAS Secure Gateway port. To do so, on the Tunneling Policies tab, select the None option at the bottom of the tab (this is the default setting in a new Parallels RAS installation). By doing so, you are restricting native MSTSC from accessing the gateway through its port (the default port is 80). As a result, when someone tries to use MSTSC at IP-address:80, the access will be denied. Same will happen for an RDP connection from a Parallels Client.

There are a couple of reasons why you would want to restrict RDP access. The first one is when you want your users to connect to the RAS Farm using the Parallels RAS connection only, but not RDP. The second reason is to prevent a DDoS attack.

A common indication of a DDoS attack taking place is when your users cannot login to a RAS Farm for no apparent reason. If that happens, you can look at the Controller.log file (located on the RAS Connection Broker server, path C:\ProgramData\Parallels\RASLogs) and see that it is full of messages similar to the following:

[I 06/0000003E] Mon May 22 10:37:00 2018 - Native RDP LB Connection from Public IP x.x.x.x, Private IP xxx.xxx.xx.xx, on Secure Gateway xxx.xxx.xx.xx, Using Default Rule
[I 06/00000372] Mon May 22 10:37:00 2018 - CLIENT_IDLESERVER_REPLY UserName hello@DOMAIN, ClientName , AppName , PeerIP xxx.xxx.xx.xx, Secure GatewayIP xxx.xx.x.xx, Server , Direct , desktop 0
[I 05/0000000E] Mon May 22 10:37:00 2018 - Maximum amount of sessions reached.
[I 06/00000034] Mon May 22 10:37:00 2018 - Resource LB User 'hello' No Servers Available!
[W 06/00000002] Mon May 22 10:37:00 2018 - Request for "" by User hello, Client , Address xxx.xxx.xx.xx, was not served error code 14.

These messages tell us that a DDoS attack is in progress on the RDP port. By restricting RDP access through Secure Gateway tunneling polices, you can prevent this from happening.

Viewing Secure Gateway summary and metrics

You can view the summary information for all available RAS Secure Gateways in one place as follows:

In the RAS Console, select the Farm category and then select the Site node in the middle pane.
The available RAS Secure Gateways are displayed in the Gateways group in the right pane.
To go to the main Gateway view/editor, right-click a server and choose Show in the Editor.

You can also view the detailed information about a RAS Secure Gateway by navigating to Information > Site in the Parallels RAS Console. The information on this page includes general information, such as OS version, RAS version, Gateway mode, as well as the information about various types of connections, sessions, cached sockets, and threads.

Using computer management tools

You can perform standard computer management tasks on server hosting the RAS Secure Gateway right from the RAS Console. These include Remote Desktop Connection, PowerShell, Computer Management, Service Management, Event Viewer, IPconfig, Reboot, and others. To access the Tools menu, select a server, click Tasks (or right-click) > Tools and choose a desired tool. For requirements and usage information, see .

RD Session Hosts

RD Session Hosts are used to host published resources (applications, desktops, documents, etc.) in a Parallels RAS Farm. Read this chapter to learn how to add, configure, and administer RD Session Hosts.

Add an RD Session Host

RD Session Host requirements

An RD Session Host must have the Remote Desktop Services (RDS) role installed. You can install RDS right from the RAS Console, as described later in this section.

To push install the RAS RD Session Host Agent on a server, the following requirements must be met:

The firewall must be configured on the server to allow push installation. Standard SMB ports (139 and 445) need to be open. See also Port reference for the list of ports used by Parallels RAS.
SMB access. The administrative share (\\server\c$) must be accessible. Simple file sharing must be enabled.
Your Parallels RAS administrator account must have permissions to perform a remote installation on the server. If it doesn't, you'll be asked to enter credentials of an account that does.
The RD Session Host should be joined to an AD domain. If it's not, the push installation may not work and you will have to install the Agent on the server manually. See section.

Note: The rest of this section applies to regular RD Session Hosts only. If you are looking for the information on how to add an RD Session Host based on a template, see .

Add an RD Session Host

To add an RD Session Host to a Site:

In the RAS Console, navigate to Farm > Site > RD Session Hosts.
Click Tasks > Add. This opens the Add RD Session Hosts wizard. Note that you can also open the wizard from the Start category as describe in .
Click the Tasks menu (or click the [+] icon) and select one of the following:
- Add from Active Directory: Adds an RD Session Host from Active directory.
- Add Manually: Adds RD Session Host by entering its FQDN or IP address.
Note that if you enter the server name (hostname or FQDN), it will be used as the primary method of connecting to this server from other RAS components and clients. If you enter the IP address, it will be automatically resolved to FQDN, but only if the global option to resolve to FQDN is enabled. To see the current setting of this global option, click Tools > Options on the main menu. In the Options dialog, examine the Always attempt to resolve to fully qualified domain name (FQDN) when adding hosts option. When the option is selected, the IP address of every server/component in the RAS Farm is always resolved to FQDN. When the option is cleared, whatever is specified for a server (IP address or name) is used to communicate with a server. This makes a difference in deployments where an IP address cannot be used to access a server, such as when a server is hosted in the cloud. For more information, see .
Click Next.
On the next page, specify the following options:
- Add firewall rules. Add firewall rules required by Parallels RAS in Windows running on the server. See Port reference for details.
- Install RDS role. Install the RDS role on the server if it's not installed. You should always select this option.
- Enable Desktop Experience. Enable the Desktop Experience feature in Windows running on the server. This option is enabled only if the Install RDS role option (above) is selected. The option applies to Windows Server 2008 R2 and Windows 2012 R1/R2 on which the Desktop Experience feature is not enabled by default.
- Restart server if required. Automatically restart the server if necessary. You can restart the server manually if you wish.
- Add server(s) to host pool. Add the server (or servers) to a host pool. Select the desired host pool in the list box located below this option. If you are not sure what host pool to choose, select Default Host pool. Host pools are described in detail in the section.
Click Next.
Add the server (or servers) to a host pool. Select the desired host pool or create a new host pool. If you are not sure what host pool to choose, select Default Host pool. Host pools are described in detail in the section.
Click Next.
The next page allows you to add users and groupsto the Remote Desktop Users groups in Windows running on the server. This is necessary for your Parallels RAS users to be able to access published resources hosted by an RD Session Host. To specify users and/or groups, select the option provided and then click the [+] icon. In the Select Users or Groups dialog, specify a user or a group and click OK. The selected user/group will be added to the list on the wizard page.

Note: If you skip this step and your users are not members of the Remote Desktop Users group on an RD Session Host, they will not be able to access published resources. If you already used (or want to use later) standard Windows tools to add users to the Remote Desktop Users group, you can skip this page.

Click Next.
On the next page, review the settings and click Next.
The Install RAS RD Session Host Agent dialog opens. Follow the instructions and install the agent. When the installation is finished, click Done to close the dialog.
Back in the wizard, click Finish to close it.

Installing the agent manually

You may need to install the RAS RD Session Host Agent manually if the automatic push installation cannot be performed. For instance, an SMB share may not be available or the firewall rules may interfere with the push installation, etc.

Installing RAS RD Session Host Agent manually

Log in to the server where the RAS RD Session Host Agent is to be installed using an administrator account and close all other applications.
Copy the Parallels RAS installation file (RASInstaller.msi) to the server and double-click it to launch the installation.
Follow the onscreen instructions and proceed to the installation type page. Select Custom and click Next.
Click on RAS RD Session Host Agent and select Entire Feature will be installed on local hard drive from the drop-down list.
Ensure that all other components are deselected and click Next.
Click Install to start the installation.
Click Finish once the installation is finished.

The RAS RD Session Host Agent doesn't require any configuration. Once the agent is installed, highlight the server name in the RAS Console and click Troubleshooting > Check Agent in the Tasks drop-down list to update the server status.

Uninstalling RAS RD Session Host Agent

To uninstall RAS RD Session Host Agent from a server:

Navigate to Start > Control Panel > Programs > Uninstall a Program.
Find Parallels Remote Application Server in the list of installed programs.
If you don't have any other Parallels RAS components on the server that you want to keep, right-click Parallels Remote Application Server and then click Uninstall. Follow the instructions to uninstall the program. You may skip the steps below.
If you have other RAS components that you want to keep on the server, right-click Parallels Remote Application Server and then click Change.
Click Next on the Welcome page.
On the Change, repair, or remove page, select Change.
On the next page, select Custom.
Select RAS RD Session Host Agent, then click the drop-down list in front of it, and click Entire feature will be unavailable.
Click Next and complete the wizard.

Add a template-based RD Session Host

A template-based RD Session Host is a clone of a virtual machine running on a hypervisor or a cloud-based provider. When you create a template, you select a preconfigured VM with the operating system and applications already installed. Individual hosts (VMs) are then created as clones of the template. The clones can be created in advance or on as-needed basis (configurable when you create a template). This functionality allows you to create and configure an RD Session Host running in a virtual machine and then create as many copies of it as you require.

To add a template-based RD Session Host to a Site:

Create a template as described in .
Assign the template to a host pool as described in .
Add individual RD Session Hosts to the host pool. Do one of the following:
- If you want to add RD Session Hosts manually, go to the host pool properties, select the Servers tab and click Tasks > Add (or click the [+] icon). In the dialog that opens, select the number of RD Session Host you want to create and click OK.
- If you want Parallels RAS to add RD Session Hosts automatically when certain conditions are met, configure autoscaling as described in

Manage RD Session Hosts

Read this section to learn how manage RD Session Hosts components in Parallels RAS.

Manage host pools (RD Session Hosts)

When you publish resources in Parallels RAS, you need to specify one or more servers that host them. Host pools allow you to combine multiple RD Session Hosts and then publish the resources from the host pool instead of specifying individual servers.

The main benefits of using RD Session Host host pools are as follows:

They simplify the management of published resources.
They allow you to use RD Session Hosts created from a template. More on this later in this section.

Each RD Session Hosts must belong to a host pool. Parallels RAS comes with a built-in host pool named <Default> that you can use. Note that an RD Session Host can be a member of one host pool only. You cannot add the same server to multiple host pools.

Moving an RD Session Host to another host pool

To move an RD Session Host from one host pool to another:

In the RAS console, navigate to Farm > <Site> > RD Session Hosts.
Select an RD Session Host.
Click Tasks > Assign to host pool or right-click the RD Session Host and select Assign to host pool in the context menu.
In the Assign to Host pool dialog, select the host pool you need.

Note: The settings of the new host pool will apply to the RD Session Host.

Autoscale

The settings on the Autoscale tab of the host pool properties determine how RD Session Hosts are created from the specified template. The settings are described below.

Template: Specifies the template assigned to the host pool.

Enable autoscale: Enables autoscale.

Configure: Configures the autoscale settings:

Min number of hosts to be added to the host pool from the Template: Specifies the minimum number of servers that will be added to the host pool automatically when the template is assigned to the host pool. This number of servers will remain in the host pool irrespective of utilization.
Max number of hosts to be added to the host pool from the Template: This option allows you to set a limit on how many servers in total can be added to the host pool from the template. A template can be shared between host pools. By setting a limit for each host pool, you can ensure that the combined number of servers in each host pool will not exceed the template limit. Consider the following examples:
- If the template is used by a single host pool, then this number can be up to the Maximum hosts setting of the template.
- If two or more host pools share the same template, then the combined number from all host pools must be less or equal to the Maximum hosts settings of the template.
When you save a host pool, a validation will be performed against other host pools (if any) and you will see an error message if the numbers don't match. Note that when a server cannot be created on request due to an error, a "Template error" event is triggered and the administrator will receive an alert message.
Add new or power on existing hosts when workload is above (%): Specifies a workload threshold in percent. When the actual workload is above this value, a new server (or servers) will be created and added to the host pool (if not already available). The host pool workload percentage is calculated using the following formula:
Host pool Workload = (Current Sessions / Max Sessions) * 100
In the formula above:
- Current Sessions is the total number of all sessions on all servers in the host pool. This includes static (standalone) servers and servers created from the template (host pools). Note that servers that are disabled, being drained, or have the agent status of ‘Not Verified’ are not included in the calculation.
- Max Sessions is a setting that you specify on the Agent Settings tab (either inherited from Site defaults or overridden for this host pool) and the maximum number of sessions allowed for the host pool.
Consider the following examples:
RAS Host pool 1 — mixed server types (static and host pools), different agent status:
- RDSH-1, Status: OK, Max Sessions 10, Current Sessions: 2, Type: Static
- RDSH-2, Status: Disabled, Max Sessions 20, Current Sessions: 0, Type: Static
- RDSH-3, Status: OK, Max sessions 10, Current Sessions: 4, Type: Host
- RDSH-4, Status: Drain Mode, Max sessions 10, Current Sessions: 3, Type: Host
For the host pool above, the workload is calculated as (Current Sessions / Max Sessions) * 100 or ((2 + 4) / 20) * 100 = 30%
Note that servers RDSH-2 and RDSH-4 are not included in the workload because the former has the agent disabled and the latter is in drain mode.
RAS Host pool 2 — mixed server types (static and host pools), different agent status:
- RDSH-1, Status: OK, Max Sessions 10, Current Sessions: 0, Type: Host
- RDSH-2, Status: OK, Max Sessions 10, Current Sessions: 2, Type: Host
- RDSH-3, Status: Not Verified, Max sessions 10, Current Sessions: 0, Type: Host
Host pool Workload = (Current Sessions / Max Sessions) * 100 or ((0 + 2) / 20) * 100 = 10%
Please note that a host pool will always make sure that it has at least one server available, even if the workload is zero percent.
Number of hosts to be added to the host pool per request: Specifies how many servers should be created when the workload goes above the threshold value. This setting works together with the Add servers from template when workload is above (%) setting described above. When a host pool sends a request to the template to create additional servers, the value specified here will determine the number of servers that will be created.
Drain and power off hosts from host pool when workload is below (%): Specifies a workload threshold in percent. When the actual workload is below this value and remains there for a period specified in the Workload remains below this level field, excessive hosts will be switched to drain mode or powered off. The period of time can be selected from the drop-down list or you can type your own integer value using "weeks", "days", "hours", "minutes", or "seconds" as a unit measure. The server(s) with the least number of sessions will be switched to drain mode. As soon as all users are logged off from a server, it is unassigned from the host pool. At that point, the server becomes available to other host pools on demand.
Remove hosts from host pool after drain and power off: Specifies if hosts should be removed from the host pool after being drained and powered off.

Tip: Servers are unassigned from the host pool only when all user sessions on that particular server are logged off. In case user sessions are still present, such as user sessions in idle, active or disconnected state, autoscaling does not log off user sessions and does not unassign the server from a host pool.

Note: Parallels recommends setting viable timeouts for idle time and disconnected sessions either in Windows Host pool Policies or in the Site Default Properties dialog to make the drain mode effective. GPOs can be used to forcibly log off a user session, however this should be used carefully as this may result in data loss.

Using host pool defaults

RD Sessions Hosts assigned to a host pool have various settings that they can inherit from the host pool defaults. This makes it simpler to configure a single set of settings for all servers instead of configuring each server individually. A Site also has its own default settings (Site defaults). Moreover, an RD Session Host host pool can inherit these Site defaults. This gives you the following choices when inheriting default settings by an RD Session Host:

Configure Site defaults and make the host pool inherit these settings. The RD Session Hosts assigned to the host pool will therefore also inherit Site defaults. This is the default scenario for a new host pool. Site defaults can be configured by navigating to Farm > <Site> > RD Session hosts and clicking Tasks > Site defaults.
Configure default settings for a given host pool. This way you can have multiple host pools, each having its own host pool defaults (different from Site defaults). Therefore, the servers assigned to a host pool will inherit the host pool's defaults.

To configure default settings for a host pool, open the Host pool Properties dialog (Tasks > Properties), select a desired tab (except the General tab, which doesn't have any defaults) and select or clear the Inherit default settings option. If you clear the option, you can specify your own defaults. All servers that are (or will be) assigned to this host pool will inherit these settings. Note that inheritance works independently for each individual tab on the host pool properties dialog.

Add host pools (RD Session Hosts)

Creating a host pool

To create an RD Session Host host pool:

In the RAS console, navigate to Farm > <Site> > RD Session HostsHost pools.
Click Tasks > Add (or click the [+] icon).
Select Enable Host pool in site to enable the host pool. Specify the name and the description for the new host pool.
Click Next.
On the Provisioning page, select whether this host pool will contain template-based or standalone hosts:
- Template: (Template-based RD Session Hosts only) Hosts will be created dynamically from a template. You will need to create or select an existing template in the next step or later. Choosing Template as the provisioning type ensures a homogeneous host pool, which is recommended to provide consistent user experience across the host pool. For more information about creating template-based RD Session Hosts, see section Add a template-based RD Session Host.
- Standalone: (Template-based and standalone RD Session Hosts) Select one or more hosts that already exist. You'll be able to do it in the next step or you can do it later. Prior to adding hosts to host pools, ensure that hosts are domain joined and have network access to the domain environment. Note that the Standalone provisioning is considered "unmanaged" as it lacks some of the functionality, such as Autoscaling.
Click Next.
Depending on the selection made on the Provisioning page (above), do one of the following
- Standalone: Select one or more hosts from the list to be included in the host pool (you can also add hosts to the pool later).
- Template: Select a template from the list or click Create new to create a new template and specify the template settings. Versions: If you selected an existing template, select one of its versions. Enable autoscale: (Multi-session hosts) Enable and configure autoscale.
Click Next.
(Templates only) On the General page, specify the following options:
- Template name: Choose and type a template name.
- Maximum hosts: Specify the maximum number of hosts that can be created from this template.
- Number of hosts deployed on wizard completion: The number of hosts to deploy once the template is created. Please keep in mind that this will take some time because the hosts will be created one at a time.
- Host name: A pattern to use when naming new hosts.
Click Next.
(Templates only) On the Additional properties page, specify the following options:
- Keep available buffer: The minimum number of hosts to always keep unassigned and session free for the template. As soon as the number of free and unassigned desktops drops below the setting value, it forces the template to create another host. The template uses its own settings for host creation including initial power state.
- Host state after the preparation: Select the power state that should be applied to a host after it is prepared. Choose from Powered on, Powered off, or Suspended. Note that when the power state is set to Power off or Suspended, the number of running (fully ready and waiting for incoming connections) hosts is controlled by the Keep available buffer setting (see above). For example, let's say the Maximum hosts value is set at 200, the number of guest hosts deployed on wizard completion is 100, and the power state after preparation is Powered off. The result of such a configuration will be 100 clones deployed and powered off.
- Delete unused hosts after: Select what to do with unused hosts to save resources. Choose whether to never delete them or specify the time period after which they should be deleted.
Click Next.
On the User profile page, you can select from Do not manage by RAS (user profiles will not be managed) or FSlogix. Microsoft FSLogix Profile Container allows to maintain user context in non-persistent environments, minimize sign-in times and provides native profile experience eliminating compatibility issues. For complete instructions, please see User profile.
Click Next.
On the Summary page, review the template summary information. You can click the Back button to correct some of the information if needed.
Finally, click Finish to create the host pool and close the wizard.

After you create a host pool and later publish resources from it, you can view the list of resources by right-clicking a host pool and choosing Show published resources (or click Tasks > Show Published Resources). For more information, see Viewing published resources hosted by RD Session Hosts.

Manage templates (RD Session Hosts)

RD Session Host templates are designed specifically to give you the ability to replicate RD Session Hosts running in virtual machines. Hosts created from an RD Session Host template are treated by Parallels RAS almost like regular RD Session Hosts. The main difference is, you can create as many hosts from a single template as you require, thus automating RD Session Host provisioning according to your needs.

RD Session Host templates are supported on the following VDI platforms:

Microsoft Hyper-V
Microsoft Hyper-V Failover Cluster
VMware VCenter
VMware ESXi
SC//HyperCore
Nutanix AHV (AOS)
Microsoft Azure
Amazon Web Services

RD Session Host templates support Windows Server 2008 R2 up to Windows Server 2022 as a guest OS. Compared to regular RD Session Hosts, servers created from an RD Session Host template do not support earlier versions of Windows Server. The reason is, these servers run in VMs and require the RAS Guest Agent installed in them, so the guest OS requirements are limited by Windows Server versions supported by RAS Guest Agent.

Please note that the following standard RAS VDI features are not available when using RD Session Host templates:

Pool management
Persistent hosts
Session management
Publishing from a specific Template
Some other strictly RAS VDI specific features.

For the information on how to provision RD Session Hosts created from a template, see Manage host pools (RD Session Hosts).

Creating an RD Session Host template

Requirements

To complete the tasks described in this section, the following requirements must be met:

Requirements described in the "Requirements" subsection of Creating a VM template.
Network Discovery UDP port 137 must be enabled for a domain firewall profile in the guest OS. This can be done via domain group policies or manually in the guest OS.

Manual agent installation

Normally, you will push install the necessary agent software in a source VM right from the Parallels RAS console. However, you can also install the software manually by running the Parallels RAS installer in Windows in the VM. When doing so, use the Custom installation option and select the following agent components RAS Guest Agent and RAS RD Session Host Agent to be installed in the source VM.

Create a template

To create an RD Session Host template:

Add one of the supported provides, as described in Add a Provider.
Go to Farm > Site > RD Session Hosts > Templates tab.
In the Tasks drop-down menu, click Add (or click the [+] icon).
In the dialog that opens, select a host from which you would like to create a template and click OK.
The Create Parallels Template Wizard opens. Each wizard page is described below in the order they appear on the screen.
Verify that the Agent is installed and install it manually if needed as described in Step 1: Check and install the Agent. This step only appears if an on-premises Provider is used.
Configure the template as described in Step 2: Configure the template.

Assigning a template to a host pool (RD Session Host)

When you create RD Session Host host pools, you can assign a template to a host pool. This can be done when you create or modify a host pool, or it can be done from the Templates tab.

To assign a template to a host pool:

Go to Farm > Site > RD Session Hosts > Templates tab.
On the Templates tab, select a template.
Click Tasks > Assign to host pool.
Select the template version in the Version dialog.
A dialog opens listing existing RD Session Host host pools. Host pools that already have a template assigned are not shown in this list by default. To display them, select the Show host pools with assigned template option. The template that they are currently using is displayed in the Template column.
Select one or more host pools and click OK.

To remove a template from a host pool or host pool:

Select a template and click Tasks > Remove from host pool.
A dialog opens listing all host pools to which this template is assigned.
Select the host pools to remove the template from and click OK.

Note that if a host pool has hosts created from the template that you are removing, they will be removed as well. A message is displayed where you need to confirm the removal.

Managing RD Session Hosts based on a template

Viewing RD Session Hosts based on a specific template

To view the list of RD Session Hosts based on a specific template:

Go to Farm > <Site> > RD Session Hosts > Templates.
Select a template and click Tasks > Show servers.

Site defaults

RD Session Hosts based on a template inherit the template settings. To view the settings, note on which template an RD Session Host is based and then view properties of that template, specifically the Settings and Security tabs. For more information, see Site defaults. Note that you a template can inherit Site default settings or you can specify your own custom settings for it.

Checking the RAS Guest Agent status

A guest RD Session Hosts based on a template must have RAS Guest Agent installed and the agent must match the Parallels RAS version. The agent is installed by default when an RD Session Host is created from a template. If the RD Session Host was created using the native hypervisor tools, it may not have the agent installed in it. In such a case, the RD Session Host will be able to serve only the remote desktop. To enable it to server applications or documents, you'll need to install the agent yourself.

To check if the RAS Guest Agent is installed and up to date:

Go to Farm > <Site> > RD Session Hosts > RD Session Hosts.
Continue as described in Managing hosts, subsection "Checking the RAS Guest Agent status".

The RD Session Host template must also have the RAS RD Session Host Agent installed.

To check if the RAS RD Session Host Agent is installed and up to date:

Go to Farm > <Site> > RD Session Hosts > Templates.
Select a template in the list and then click Tasks > Troubleshooting > Check agent.

Deleting an RD Session Hosts based on a template

See Managing hosts, subsection "Deleting a host".

Managing RD Session Hosts based on a template that failed preparation

See Managing hosts, subsection "Managing hosts that failed preparation". Notice than in case of RD Session Hosts, you have to go to Farm > <Site> > RD Session Hosts > RD Session Hosts and click Tasks > Site defaults to see Site Defaults.

Recreating an RD Session Hosts based on a template

If something happens to a RD Session Hosts based on a template and it becomes unusable, you don't have to delete it and create a new one. Instead, you can recreate it keeping its name, MAC address, and other properties. This way none of the other Site settings, which may rely on a broken RD Session Host, will be affected. Another reason for recreating an RD Session Host is to apply changes made to the template (when you exit from maintenance without executing the Recreate command).

Please note that recreated RD Session Hosts can keep the the following properties:

MAC address is kept on ESXi, vCenter, Hyper-v, Hyper-v Failover Cluster, Nutanix AHV (AOS), and SC//HyperCore.
BIOS UUID is kept on ESXi and vCenter.
DRS groups are kept on vCenter.

Note: If an RD Session Host based on a template was already assigned to an RD Session Host host pool, it cannot be recreated.

To recreate one or more guest RD Session Host:

In the Parallels RAS Console, navigate to Farm > <Site> > RD Session Hosts > Templates.
To recreate all deployed RD Session Host, click the Tasks drop-down list and choose Recreate all servers.
To recreate a specific host (or multiple hosts), click Tasks > Show servers. This will open the dialog which will list RD Session Hosts. Select one or more RD Session Hosts and then click the Tasks > Recreate.

When you recreate a RD Session Host based on a template:

The procedure deletes the RD Session Host and creates a new one from the same template.
The new RD Session Host retains the same computer name as the one it replaces.
If an RD Session Host is running, all unsaved data in its memory will be lost. For this reason, an important data should be saved to an external storage.

Manage hosts (RD Session Hosts)

This section describes how to configure and manage an existing RD Session Host.

Check an RD Session Host Agent status

An RD Session Host must have RAS RD Session Host Agent installed in order to publish remote applications and desktop from it. In addition to this, Remote Desktop Services (formerly Terminal Services) must also be installed.

Normally when you add an RD Session Host to a Site, the RD Session Host Agent and Remote Desktop Services are installed by default. However, if you skipped the installation (or uninstalled the agent or RDS from the server), you can check their status and take appropriate actions if needed.

To check the status of RD Session Host Agent and RDS, do the following:

First, check the Status column in the RD Session Hosts list. The column should display "OK". If so, the Agent is installed and functioning properly. If not, read on.
In addition to the description, the Status column uses a color code to indicate the agent status as follows:
- Red — not verified
- Orange — needs update
- Green — verified
Right-click a server and click Troubleshooting > Check agent in the context menu. The Agent Information dialog opens.
If the agent is not installed on the server, click the Install button and follow the instructions on the screen.

After the agent installation is complete, you may need to reboot the RD Session Host. You can do it right from the Parallels RAS Console by selecting the server and clicking Tasks > Control > Reboot.

Change RD Session Host Site assignment

You can assign an RD Session Host to a different Site in your Farm if needed. Please note that this functionality is only available if you have more than one Site in your Farm.

To change the Site assignment:

Right-click an RD Session Host and then click Change Site in the context menu. The Change Site dialog opens.
Select a Site in the list and click OK. The server will be moved to the RD Session Hosts list of the target Site (Farm > <new-site-name> > RD Session Hosts).

General

Select or clear the Enable Server in site option to enable or disable the server. A disabled server cannot serve published applications and virtual desktops to clients.

Other elements on this tab are:

Server: Specifies the server FQDN or IP address.
Description: An optional server description.
Change Direct Address: Select this option if you need to change the direct address that Parallels Client uses to establish a direct connection with the RD Session Host.

English

Parallels RAS 19 Administrator’s Guide

Introduction

Parallels RAS 19 release history

About Parallels RAS

How does it work?

About this guide

What's new

Parallels RAS 19.4.2

Parallels RAS 19.4.1

Parallels RAS 19.4

Parallels RAS 19.3.1

Parallels RAS 19.3

Parallels RAS 19.2.3

Parallels RAS 19.2.2

Parallels RAS 19.2

Parallels RAS 19.1

Parallels RAS 19.0

Terms and abbreviations used in this guide

Installing Parallels RAS

System requirements

Hardware requirements

Software requirements

RAS Connection Broker and RAS Secure Gateway (64-bit versions only)

RAS Web Administration Service

RAS RD Session Host Agent

RAS Provider Agent

RAS Guest Agent

Remote PC Agent

Parallels RAS PowerShell

Parallels RAS Console

RAS Enrollment Server

Parallels Client

Microsoft license requirements

Install Parallels RAS

Log in and activate Parallels RAS

Start the Parallels RAS Console

Sign in to Parallels My Account

Activate Parallels RAS

Getting Started with Parallels RAS

The Parallels RAS Console

Set up a basic Parallels RAS Farm

Add an RD Session Host

Publish applications

Invite users

Azure Virtual Desktop

Conclusion

Farm and Sites

Connecting to a Parallels RAS Farm

Connecting to a Parallels RAS Farm for the first time

Connecting to a different Parallels RAS Farm

Switching between Parallels RAS Farms

Editing Parallels RAS Farm connections

About Sites

Sites in the RAS Console

Current Site

Switching between sites

Renaming a Site

Site configuration and health view

Performing tasks on a component

Using the Site Designer

Adding a Site to the Farm

Replicating Site settings

Overriding Site Replicated Settings

Managing Licensing Site

Managing administrator accounts

Adding an administrator account

Administrator account permissions

Power administrator permissions

Custom administrator permissions

Clone permissions

Delegate permissions

Managing administrator accounts

Modifying an account

Handling locked objects

Configure RAS Console idle sessions

Using instant messaging

Joining Customer Experience Program

RAS Connection Broker

Configuring RAS Connection Brokers