The following new features were added in Parallels RAS 19.4.2:
Ability to select whether unenrolled users can see the "The user name or password is incorrect" error when they enter incorrect credentials for TOTP, Google Authenticator, and email OTP.
The following new features were added in Parallels RAS 19.4.1:
The following new features were added in Parallels RAS 19.4:
Ability to automatically upgrade Agents on RD Session Hosts, VDI, and Azure Virtual Desktop.
Support for IGEL 11 and 12.
Extended image management for Nutanix AHV (AOS).
Support for Scale Computing SC//HyperCore 9.2.
Validation of HTTP host headers to protect against host header injections.
Session disconnections for host pools
Transport protocol for host pools
Bandwidth availability for host pools
Latency for host pool
Connection quality for host pool
UX Evaluator for host pool
Logon duration for host pool
Azure Virtual Desktop improvements.
Important: Do not update to Parallels RAS 19.3 if you assigned multiple templates to a single VDI host pool.
Important: If you are using Azure Virtual Desktop in Parallels RAS 19.3, you need to update Parallels Client to version 19.3.
The following new features were added in Parallels RAS 19.3.1:
Azure Virtual Desktop improvements.
For the complete list of new features and improvements, see Release notes: https://kb.parallels.com/en/129018.
The following new features were added in Parallels RAS 19.3:
Template versioning for RD Session Hosts, VDI, and Azure Virtual Desktop. This feature includes the following:
The ability to assign template versions to host pools for RD Session Hosts, VDI, and Azure Virtual Desktop.
Scheduled template recreation for RD Session Hosts, VDI, and Azure Virtual Desktop.
Ability to configure user profiles and other settings on the host pool level.
Dynamic printer mapping.
Azure Virtual Desktop improvements.
Add multiple provider addresses for the SC//HyperCore provider.
Ability to hide billing information on Tenants.
Ability to recreate hosts keeping the existing MAC addresses on the SC//HyperCore provider.
TLS 1.3 support.
Terminology updates:
References to Pools/Groups have been standardized as "Host Pools".
References to Desktop/Guests have been standardized as "Hosts".
Session activity
Disconnection reasons
For the complete list of new features and improvements, see Release notes: https://kb.parallels.com/en/129018.
The following new features were added in Parallels RAS 19.2.f3:
For the complete list of new features and improvements, see Release notes: https://kb.parallels.com/en/129018.
The following new features were added in Parallels RAS 19.2.2:
For the complete list of new features and improvements, see Release notes: https://kb.parallels.com/en/129018.
The following new features were added in Parallels RAS 19.2:
Ability to use RDP Shortpath for single-session and multi-session AVD hosts.
New policy for selecting the display configuration.
Ability to recreate RD Session Hosts and hosts with their original BIOS UUID on ESXi and vCenter (works automatically).
Deprecations and updated system requirements:
See Software Requirements for updated system requirements for components and clients.
For the complete list of new features and improvements, see Release notes: https://kb.parallels.com/en/129018.
The following new features were added in Parallels RAS 19.1:
Transport protocol (TCP/UDP)
Network latency
Connection quality
Bandwidth availability
Deprecations and updated system requirements:
See Software Requirements for updated system requirements for components and clients.
For the complete list of new features and improvements, see Release notes: https://kb.parallels.com/en/129018.
The following new features were added in Parallels RAS 19.0:
New Parallels Client for Windows for ARM64.
Expression-based client policies, filtering for published resources and MFA configuration.
Power management: starting up and shutting down servers on schedule. Schedules can be created for RD Session Hosts, VDI, and AVD hosts.
Deprecations and updated system requirements:
See Software Requirements for updated system requirements for components and clients.
For the complete list of new features and improvements, see Release notes: https://kb.parallels.com/en/129018.
Parallels RAS provides vendor-independent virtual desktop and application delivery from a single platform. Accessible from anywhere with platform-specific clients and web-enabled solutions, like the built-in Parallels Web Client, Parallels RAS allows you to publish remote desktops, applications and documents, improving desktop manageability, security and performance.
Parallels RAS extends Windows Remote Desktop Services by using a customized shell and virtual channel extensions over the Microsoft RDP protocol. Parallels RAS supports all major hypervisors from Microsoft, VMware, and other vendors, including hyperconverged solutions such as Nutanix AHV (AOS) and Scale Computing, and cloud platforms and services such as Microsoft Azure and Azure Virtual Desktop (formerly known as Windows Virtual Desktop), enabling the publishing of virtual desktops and applications to Parallels Client.
The product includes powerful universal printing and scanning functionality, as well as resource-based load balancing and management features.
With Parallels Device Manager Module for Parallels RAS you can also centrally manage user connections and PCs converted into thin clients using the free Parallels Client.
When a user requests an application or a desktop, Parallels RAS finds the least loaded RD Session Host or a guest VM on one of the least loaded Providers and establishes an RDP connection with it. Using the Microsoft RDP protocol, the requested application or desktop is presented to the user. Note that in addition to RD Session Hosts and VDI, Parallels RAS can also be used to configure, manage and publish Azure Virtual Desktop resources.
Users can connect to Parallels RAS using Parallels Client (available at no charge), which can run on Windows, Linux, macOS, Android, Chrome, iOS and iPadOS. Users can also connect via an HTML5 browser or Chromebook.
As new versions of Windows are released, you need to justify the cost of migration to your business. Parallels RAS can help. Desktop replacement allows you to extend the lifespan of your hardware and delay migration to the latest OSs to a time that suits you best. The Parallels RAS solution allows you to be very flexible: you can lock machine configurations on the user side, placing your corporate data in an extremely secure position; or you can opt to allow users to run some local and remote applications. Parallels Client Desktop Replacement is able to reduce the operability of the local machine by disabling the most common local configuration options, while guaranteeing the same level of service and security afforded by thin clients, directly from your existing PCs.
This guide is intended for system administrators responsible for installing, configuring, and administering Parallels RAS. This guide assumes that the reader is familiar with Microsoft Remote Desktop Services and has intermediate networking knowledge.
This chapter describes how to install and activate Parallels RAS.
Before installing Parallels RAS, please verify that your hardware and software meet or exceed the hardware and software requirements described below. Please note that although Parallels RAS can be used in a Workgroup environment, Parallels recommends using Active Directory to manage users, groups, and machine accounts via group policies.
The following table lists the Parallels RAS 19 release history. Parallels RAS documentation is updated for every release. This guide refers to the latest Parallels RAS 19 release from the table below. If you are using a newer Parallels RAS release or version, please download the current version of the guide from https://www.parallels.com/products/ras/resources/.
For information about Microsoft license requirements, such as Remote Desktop Services Client Access Licenses (RDS CALs) and Virtual Desktop Access (VDA) licenses, please see .
Version | Release | Date |
19.0 | Initial release | 07/27/2022 |
19.0 | Update 1 | 08/31/2022 |
19.0 | Hotfix 1 | 09/16/2022 |
19.0 | Hotfix 2 | 09/30/2022 |
19.0 | Hotfix 3 | 10/14/2022 |
19.1 | Update 2 | 11/15/2022 |
19.2 | Update 3 | 07/06/2023 |
19.3 | Update 1 | 11/06/2023 |
19.4 | Update 2 | 06/08/2024 |
To install Parallels RAS:
Make sure you have administrative privileges on the computer where you are installing Parallels RAS.
Double-click the RASInstaller.msi file to launch the Parallels RAS installation wizard. If you see a message that begins with "This version of Parallels RAS is only for testing purposes.", it means that it's not an official build and should not be used in a production environment.
Follow the onscreen instructions.
Note: Please ensure that the presented terms in the license agreement are read and accepted to complete installation and/or upgrade. For programmatic deployment, it is understood that the terms in the license agreement have been read and accepted.
Note: If you are upgrading from one of the major versions (for example, from Parallels RAS 18 to Parallels RAS 19), you will see a message that lists system requirements for every component of the new version. Please read them carefully to make sure that all components can be upgraded in your environment. Note that if you install a component on a system that does not meet its system requirements, the component will not work.
Help us improve our products!
When you install Parallels RAS, you can choose to join Parallels Customer Experience Program. For more information about Parallels Customer Experience Program, see https://www.parallels.com/about/legal/pcep/.
Proceed to the Select Installation Type page and select from the following:
Parallels Remote Application Server. The default installation that will install RAS Console, RAS Management Portal, RAS Connection Broker, RAS Secure Gateway, RAS RD Session Host Agent, RAS PowerShell, and RAS Web Administration Service on the same machine. This is ideal for testing or small production environments.
Parallels RAS Tenant Broker. This option installs Tenant Broker. Please note that Tenant Broker must be installed on a server separate from the existing RAS farms. For more information about Tenant Broker, please see the RAS Multi-Tenant Architecture chapter.
Custom. Select and install only the components that you require. You can select individual components after you click Next. Note that if a component cannot be installed on the current server, it will not be available for installation. See Software Requirements.
Click Next.
Review the notice on the Important Notice wizard page. If there's a port conflict on your computer, the information will be displayed here. You can resolve the conflict later.
Click Next.
On the Firewall Settings page, select Automatically add firewall rules to configure the firewall on this computer for Parallels RAS to work properly. See Port Reference for details.
Click Next and then click Install. Wait for the installation to finish and click Finish.
If you are upgrading your RAS installation, it is recommended to reboot all servers where components are upgraded.
When you need to install a particular Parallels RAS component on a different server, run the installation wizard again, select Custom and choose the component(s) you wish to install.
The Parallels RAS Console is a Windows application used to configure and administer a Parallels RAS Farm.
To open the Parallels RAS Console, navigate to Apps > Parallels and click Parallels Remote Application Server Console. Note that you can open multiple instances of the Parallels RAS Console on the same computer if you want to manage more than one Farm or Site simultaneously without switching between them inside the console. This works with a locally installed Parallels RAS Console and when you run it as a remote application from Parallels Client.
Information: In addition to Parallels RAS Console, Parallels RAS 18 introduced Parallels RAS Management Portal, an HTML5 browser-based console that lets you manage Parallels RAS. Note that at the time of this writing, Parallels RAS Management Portal does not completely replace the desktop RAS Console as some management features are still in development. More features will be added in the upcoming releases. For more information, please refer to Parallels RAS Management Portal Guide, which is available on the Parallels website: https://www.parallels.com/products/ras/resources/.
The following screenshot and the description below it give you an overview of the Parallels RAS Console.
The Parallels RAS Console consists of the following sections:
This section lists categories. Selecting a category will populate the right pane with elements relevant to that category.
This section (the middle pane) is available only for the Farm and the Publishing categories. The navigation tree allows you to browse through objects related to that category.
This section displays the selected object or category properties, such as servers in a Farm or published application properties, etc.
The information bar at the top of the RAS Console displays the name of the Site you are currently logged in to on the left side (the Location field). If you have more than one Site, you can switch between them by clicking the drop-down list (the Site name) and choosing a desired Site. If you used the RAS Console to connect to more than one Farm, the drop-down list will also display the other Farm name(s), clicking on which will connect the console to that Farm.
Your administrator account name is displayed on the right side. Clicking on the name opens a drop-down list from which you can initiate a chat with other administrators, show current sessions, and log off from the RAS Console.
The Press 'Apply' to commit the new settings message in the middle (in red) appears after you make any changes to any of the components or objects. It reminds you that you need to apply these changes to Parallels RAS for them to become effective. The following describes how it works.
When you make changes in the RAS Console, they are saved in the database as soon as you click OK in a dialog. If you close the console at this point, the changes will remain in the database and will not be lost. The changes, however, are not yet applied to running instances of the Parallels RAS processes, so they have no effect in the running RAS Farm. When you click the Apply button (at the bottom of the screen) the changes are applied to the runtime and become effective immediately.
When modifying anything in the RAS Console, follow these rules. When you make a small change, you can click Apply as soon as you are done with it. If you are working on something that requires many modifications in many places, you can wait until you are done with all changes and only then press Apply to apply all of them at the same time.
The information bar at the bottom of the screen is used to display the most recent console notification (if one is available).
In this tutorial, we have configured a simple Parallels RAS Farm with a single RD Session Host and one published application. We then configured a mailbox for outgoing emails and sent an invitation email to end users with instructions on how to install Parallels Client, connect to the Parallels RAS Farm, and run the published application. Essentially, we've created a fully functional Parallels RAS Farm serving remote applications to end users.
If you wish, you can repeat the tutorial and add more RD Session Hosts, publish more applications, or send an invitation email to users who use different types of devices. The instructions remain essentially the same.
The rest of this guide explains in detail how to configure and use various features of Parallels RAS.
Your Parallels RAS Farm is now fully operational. You have an RD Session Host and published application(s). All you need to do now is invite your users to install the Parallels Client software on their devices and connect to the Parallels RAS Farm.
Note: Consider allowing users to access the published resources by using their email instead of Secure Gateway IP address or hostname. For information on how to do it, see Allowing users to discover RAS connections via email address.
To invite users:
In the Parallels RAS Console, select the Start category and click the Invite Users item.
The Invite Users wizard opens. On the first page, specify the mailbox information that should be used to send invitation emails to users.
Specify the following options:
Mailbox Server: Enter the mailbox server name. For example, mail.company.com:500
Sender Address: Enter the email address.
TLS / SSL: Choose whether to use the TLS/SSL protocol.
SMTP server requires authentication: Select this option if your SMTP server requires authentication. If it does, also type the username and password in the fields provided.
In the Test Email section, type one or more email addresses to which a test email should be sent (separate multiple addresses with a semicolon). Click the Send Test Email button to send the email.
Click Next.
On the next page of the wizard, specify target platforms and connection options:
In the target devices list, select the types of devices to send an invitation to. Each target device of a particular type will receive an email with instructions on how to download, install, and configure the Parallels Client software on that device type.
In the Public address field, specify a public FQDN or IP address. This setting is used by the Preferred routing functionality to redirect client connections. Please see Configuring preferred routing.
In the Connection Mode drop-down list, select the RAS Secure Gateway connection mode. Please note that SSL modes require the gateway to have SSL configured. More information can be found in the Configuring RAS Secure Gateway section.
In the Authentication mode drop-down list, select the authentication mode for your users. For the list of authentication modes, see subsection Primary connection in the RAS Connection Broker connection settings section.
Optionally, click the Advanced button to open the Advanced Settings dialog. This dialog allows you to specify a third-party credential provider component. If you use such a component to authenticate your users, specify its GUID in this dialog. For more information, see Configure Client Policy Options > Single Sign-On.
Click Next.
On the next page, specify the email recipients. Click the [...] button to select users or groups.
Review the invitation email template displayed in the Review the invitation e-mail box. You can modify the template text as needed. The template also uses variables, which are explained below.
%RECIPIENT% — Specifies the name of a recipient to whom the email message is addressed.
%SENDER% — The sender's email address that you specified in the first step of this wizard when you configured the outgoing email server settings.
%INSTRUCTIONS% — Includes a custom URL hyperlink for automatic configuration of Parallels Client. The URL uses the Parallels Client URL scheme. For more info, see RAS Web Client API and Parallels Client URL Scheme.
%MANUALINSTRUCTIONS% — Includes instructions for manual configuration of Parallels Client.
The variables are defined dynamically depending on the type(s) of the target devices and other settings. Normally, you should always include them in the message, so your users will receive all the necessary instructions and links. If you don't include any of the variables, you will see a warning message, but including all of them is not a requirement. To preview the message, click the Preview button. This will open the HTML version of the message in a separate window. This is the email message that your users will receive.
Click Next, review the summary and click Next again to send the invitation email to users.
When users receive the invitation email, they will follow the instructions that it contains to install and configure Parallels Client on their devices. Once that's done, the users will be able to connect to Parallels RAS and launch published resources.
After you've installed Parallels RAS, run the RAS Console and activate your new Parallels RAS Farm.
By default, the Parallels RAS Console is launched automatically after you click Finish on the last page of the installation wizard. To launch the console manually, navigate to Start > Apps > Parallels and click on Parallels Remote Application Server Console.
When the Parallels RAS Console is launched for the first time, you are presented with the login dialog. In the dialog, specify the following:
Farm: A Parallels RAS Farm to connect to. Enter the FQDN or IP address of the server where you have RAS Connection Broker installed.
If you've installed the Parallels Single Sign-On component when installing the RAS Console, you will see the Authentication type field from which you can select whether to log on using your credentials or SSO. If you reboot after the installation and select SSO, select Single Sign-On and then click Connect. Your Windows credentials will be used to log in to the RAS Farm. If you select Credentials, enter your credentials as described below.
Username: A user account with administrative privileges on the server where Parallels RAS is installed (usually a domain or local administrator). The account name must be specified using the UPN format (e.g. administrator@domain.local). The specified user will be automatically configured as the Parallels RAS administrator with full access rights.
Password: The specified user account password.
If you select the Remember credentials option, this dialog will not be shown the next time you launch the Parallels RAS Console.
The Edit Connections button opens a dialog where you can manage your RAS connections. This dialog becomes useful if this is not the first time you are connecting to one or more of your RAS Farms. The left pane of the dialog displays RAS Farms to which you previously connected (you can remove a Farm from the list by clicking the [-] icon if you no longer need it). The right pane displays at least the primary Connection Broker for the selected Farm. If you've added a secondary Connection Broker to a Farm, you can add it to this list by clicking the [+] icon and typing its hostname or IP address (click the "recycle" icon to verify the agent status). This way the RAS Console will try to connect to the primary Connection Broker first and if it fails (e.g. the agent is offline or cannot be reached), it will try to connect to the secondary Connection Broker. For more information about secondary Connection Brokers, please see chapter.
When you are done entering the connection information, click the Connect button to connect to the Parallels RAS Farm.
To activate Parallels RAS, you must register for a Parallels business account. After you have logged in to Parallels RAS, you'll see the Sign In to Parallels My Account dialog. If you already have an account, type the email address and password you used to register the account and click Sign In.
Note: If you use an HTTP proxy server on your network, you will see a dialog asking you to configure the proxy server connection settings. Click the Configure Proxy button. In the dialog that opens, select one of the following: Use system proxy settings (the default proxy settings from the Internet Explorer will be used) or Manual HTTP proxy configuration (specify the settings manually). If your proxy configuration changes, you can re-configure it later by navigating to Administration > Settings and clicking the Configure Proxy button.
If you don't have a Parallels business account, you can register for one as follows:
In the Sign In to Parallels My Account dialog, click Register. The Register Parallels My Account dialog opens.
Enter your name and email address, choose and type a password, and enter your company info (all fields are required).
Follow the links to Parallels Privacy Policy and Terms of Use. After reading them (and if you agree) select the I have read and agree to the Parallels Privacy Policy and Terms of Use checkbox.
Click Register to register an account. This will create a personal account for yourself and a business account for your organization to which you will be assigned as administrator.
After you sign in to Parallels My Account, the Activate Product dialog opens asking you to activate the Parallels RAS Farm.
If you already have a Parallels RAS license key, select the Activate using license key option and enter the key in the field provided. You can click the button next to the field to see the list of subscriptions and/or permanent license keys you have registered in Parallels My Account. If the list is empty, it means that you don't have any subscriptions or license keys and need to purchase one first.
If you don't have a Parallels RAS license key, you have the following options:
Purchase a subscription online by clicking the Purchase a license link.
Activate Parallels RAS as a trial by selecting the Activate trial version option.
After entering a license key (or selecting to activate a trial version), click Activate. You should see a message that the Parallels RAS Farm was activated successfully. Click OK to close the message box.
The first dialog that you see informs you that you have no servers configured that can be used to host published resources. This means that to begin using Parallels RAS, you need at least one RD Session Host, Provider, or a Remote PC configured. We'll talk about configuring a Parallels RAS Farm in the next chapter. For now, click OK to close the message box. You will then see the Applying Settings dialog. Wait for the initial configuration of Parallels RAS to complete and click OK. You will now see the main Parallels RAS Console window where you can begin configuring the Parallels RAS Farm.
Read on to learn how to quickly add an RD Session Host, publish resources, and invite your users to Parallels RAS.
Note: Starting with Parallels RAS 19, all products and documentation, including this section, use updated terminology. To see what terms were changed, go to .
After you have added an RD Session Host, you can publish applications from it.
To publish an application:
In the Parallels RAS Console, select the Start category and click the Publish Applications item in the right pane.
The Publish Applications wizard opens. On the first page, select one or more servers from which the application should be published. You can select all servers, server host pools, or individual servers.
Click Next.
On the next page, select one or more applications you want to publish.
If you've selected more than one server on the previous screen, the Show applications not available on all target servers option becomes enabled. If the option is cleared (default), the folder tree will contain applications that are available on each and every server that you selected. If the option is enabled, the tree will contain applications that may be available on some server(s), but not on the others.
Click Next. Review the summary information and click Next again.
Click Finish when ready.
To verify that an application has been successfully published, select the Publishing category in the RAS Console. The application should be included in the Published Resources list (the middle pane).
Note: You can manage your Parallels RAS license using the Licensing category in the Parallels RAS console. The management tasks include viewing the license information, switching to a different Parallels My Account, and activating the Parallels RAS Farm using a different license key. For more information, please see the section.
Term/Abbreviation | Description |
RAS Console | Parallels RAS Console. The RAS console is the primary interface you use to configure, manage, and run Parallels RAS. As an administrator, you use the RAS console to manage Farms, Sites, RD Session Hosts, published resources, client connections, etc. |
Category | In the RAS console, categories are displayed in the left pane of the main window. Each category consists of a number of settings related to a specific task or operation. The categories include Start, Farm, Load Balancing, Publishing, Universal Printing, Universal Scanning, Connection, Device Manager, and others. |
Farm | A Parallels RAS Farm is a logical grouping of objects for the purpose of centralized management. A Farm configuration is stored in a single database which contains information about all objects comprising the Farm. A Farm consists of at least one Site but may have as many sites as necessary (see Site below). |
Site | A Site consists of at least one RAS Connection Broker, RAS Secure Gateway (or multiple gateways), and RAS agents installed on RD Session Hosts, Providers, and Windows PCs. Note that a given RD Session Host, Provider, or PC can be a member of only one Site at any given time. |
Licensing Site | The Site that manages Parallels RAS licenses in a Parallels RAS Farm. By default, the server on which you install Parallels RAS becomes the Licensing Site. If you create additional sites later, you can designate any one of them as the Licensing Site. There can be only one Licensing Site in a given Farm. All other sites are called secondary sites. Note: Parallels RAS updates or upgrades must be applied to the Licensing Site first. |
RAS Secure Gateway | RAS Secure Gateway tunnels all traffic needed by applications on a single port and provides secure connections. |
Web Client | Web Client allows users to view and launch remote applications and desktops in a web browser. The Web Client functionality is a part of RAS Secure Gateway. |
Publishing | The act of making items installed on a Remote Desktop Server, Provider or Remote PC available to the users via Parallels RAS. |
RAS Connection Broker | RAS Connection Broker provides load balancing of published applications and desktops. |
RAS RD Session Host Agent | RAS RD Session Host Agent collects information from Microsoft RDS hosts required by the Connection Broker and transmits to it when required. |
Remote PC Agent | Remote PC Agent collects information from Remote PC hosts required by the Connection Broker and transmits to it when required. |
RAS Guest Agent | RAS Guest Agent collects information from the VDI desktop required by RAS Connection Broker and transmits to it when required. |
RAS Provider Agent / RAS Provider Agent | RAS Provider Agent collects information from the Parallels RAS Infrastructure and is responsible for controlling VDI through its native API. RAS Provider Agent is built into the RAS Connection Broker and is available by default. It can be used to control multiple Providers in a Parallels RAS Farm. RAS Provider Agent is the same as RAS Provider Agent, but the term is used in the context of Azure Virtual Desktop (described at the end of this table). |
RAS Provider Agent dedicated | RAS Provider Agent dedicated is similar to the RAS Provider Agent described above with one important difference — it is a separate component that must be installed from the Parallels RAS installer and can only control a single Provider. |
RDSH or RD Session Host | RDSH makes applications and a full desktop accessible to a remote client that supports Remote Desktop Protocol (RDP). RDSH replaced Terminal Services beginning with Windows 2008 R2. |
HALB | High Availability Load Balancing (HALB) is an appliance that provides load balancing for RAS Secure Gateways. Parallels HALB virtual appliance is available for the following hypervisors: Hyper-V, VMware. Multiple HALB Virtual Servers representing different HALB devices can be deployed in a single Site. Multiple HALB deployments can run simultaneously, one acting as the primary and others as secondaries. The more HALB deployments a Site has, the lower the probability that end users will experience downtime. Primary and secondary HALB deployments share a common or virtual IP address (VIP). Should the primary HALB deployment fail, a secondary is promoted to primary and takes its place. |
Tenant Broker | Tenant Broker is a special RAS installation that hosts shared RAS Secure Gateways. It is an essential part of the RAS multi-tenant architecture. |
Tenant | Tenants are RAS farms that join Tenant Broker (see above) and use shared RAS Secure Gateways and HALB, which eliminates the need to deploy their own Gateways and HALB. |
RAS Enrollment Server | RAS Enrollment Server is an essential component of the SAML SSO Authentication functionality. It communicates with Microsoft Certificate Authority (CA) to request, enroll, and manage digital certificates on behalf of the user for SSO authentication in the Parallels RAS environment. |
RAS PowerShell | Parallels RAS PowerShell allows you to perform Parallels RAS administrative tasks using PowerShell cmdlets. You can execute cmdlets in the Windows PowerShell console or you can write scripts to perform common Parallels RAS administrative tasks. A complete guide to Parallels RAS PowerShell is available on the Parallels website together with other Parallels RAS documentation. |
RAS REST API | Parallels RAS comes with various APIs to help you develop custom applications that integrate with it. The RAS REST API is one of them. |
RAS Management Portal | Parallels RAS Management Portal is an HTML5 browser-based application that lets you manage Parallels RAS. |
RAS Web Administration Service | A Web service that provides the user interface for RAS Management Portal and implements RESTful Web services for the RAS REST API (see above). |
Azure Virtual Desktop | Azure Virtual Desktop is a desktop and app virtualization service running on Microsoft Azure, providing access to RD Session Hosts and VDI. Parallels RAS 18 provides the ability to integrate, configure, maintain, support and access Azure Virtual Desktop workloads on top of the existing technical capabilities of Parallels RAS. |
FSLogix | FSLogix Profile Container is a remote profile solution for non-persistent environments. Parallels RAS supports FSLogix on RD Session Hosts, VDI, and Azure Virtual Desktop. |
This chapter will help you get started with Parallels RAS. Read it to learn how to use the Parallels RAS Console and how to set up a simple RAS environment.
If you have more than one Parallels RAS Farm in your organization, you can use the same Parallels RAS Console instance to manage any of them. By default, the Parallels RAS Console is installed on the same server where you install other Parallels RAS components, but you can install the console on any computer on your network.
When you open the Parallels RAS Console for the first time, it displays the logon dialog on which you need to specify the following:
Farm: A Parallels RAS Farm to connect to. Enter the FQDN or IP address of the server where you have RAS Connection Broker installed.
If you've installed the Parallels Single Sign-On component when installing the RAS Console, you will see the Authentication type field from which you can select whether to log on using your credentials or SSO. If you reboot after the installation and select SSO, select Single Sign-On and then click Connect. Your Windows credentials will be used to log in to the RAS Farm. If you select Credentials, enter your credentials as described below.
Username: A user account with administrative privileges on the server where Parallels RAS is installed (usually a domain or local administrator). The account name must be specified using the UPN format (e.g. administrator@domain.com). The specified user will be automatically configured as the Parallels RAS administrator with full access rights.
Password: The specified user account password.
If you select the Remember credentials option, this dialog will not be shown the next time you launch the Parallels RAS Console.
After entering the connection properties, click Connect to connect to the Farm and open the RAS Console.
Note that the Edit Connections button will not display any information on first connect (it is used to edit Farm connections that already exist), so you can ignore it at this point. We will talk about using this button closer to the end of this section.
When you need to connect to a different Parallels RAS Farm, you first need to log off from the Parallels RAS Console in order to see the logon dialog again. To do so:
In the Parallels RAS Console, click on the arrow icon next to your user name in the upper right-hand corner and then choose Log Off in the context menu.
The console will close and the RAS logon dialog will open. The dialog will be populated with the current Farm connection properties.
To connect to a different Farm, type the FQDN or IP address of the server where the other Farm is located. Once again, this should be the server where you have the RAS Connection Broker installed.
Specify a username and password and click Connect. The Parallels RAS Console will connect to the Farm using the connection properties that you specified.
After you connect to more than one Farm from the same Parallels RAS Console instance, you can easily switch between them as follows:
In the Parallels RAS Console, click the Location drop-down list in the upper left-hand corner (right below the main application menu, where the current Site name is displayed).
The lower portion of the drop-down list will contain names of the Farms to which you connected at least once in the past (the upper portion contains one or more Site names for the current Farm). Click a desired Farm name to connect to it.
When you click the Farm name, the console will close momentarily and will re-open connected to the Farm that you selected.
Note that you can also switch between Farms by logging off from the console and choosing a desired Farm from the Farm drop-down list in the RAS logon dialog. The method described above is more convenient, so this one is just another way to do it.
As was mentioned in the beginning of this section, the RAS logon dialog has the Edit Connections button. When you click it, the Manage Parallels RAS Farm Connections dialog opens.
On the left side of the dialog, the Farm Connections pane lists Parallels RAS Farms to which you connected at least once in the past. If a connection is no longer relevant, you can remove it by selecting it and clicking the "minus sign" icon at the top. Once a connection is removed, it will no longer appear in the RAS logon dialog and in the Parallels RAS Console (the Location drop-down list).
On the right side of the dialog, the Connection Brokers pane lists RAS Connection Brokers for the selected Farm connection. By default, the primary Connection Broker is included in the list, but you can add more Connection Brokers if needed. When connecting to a Farm, the Parallels RAS Console will try the primary Connection Broker first. If a connection cannot be established, it will try other Connection Brokers in the order they are listed in the Connection Brokers pane. To add a Connection Broker to the list, click the "plus sign" icon and then specify the server FQDN or IP address.
First, you need to add an RD Session Host to the Farm. In this tutorial, we'll add the local server on which Parallels RAS is installed.
To add an RD Session Host to the Farm:
Click Add RD Session Hosts. The Add RD Session Hosts wizard opens.
Click the Tasks menu (or click the [+] icon) and select one of the following:
Add from Active Directory: Adds an RD Session Host from Active Directory.
Add Manually: Adds RD Session Host by entering its FQDN or IP address.
Note that if you enter the server FQDN, it will be used as the primary method of connecting to this server from other Parallels RAS components and clients. If you enter the IP address, it will be automatically resolved to FQDN, but only if the global option to resolve to FQDN is enabled. To see the current setting of this global option, click Tools > Options on the main menu. In the Options dialog, examine the Always attempt to resolve to fully qualified domain name (FQDN) when adding hosts option. When the option is selected, the IP address of every server/component in the RAS Farm is always resolved to FQDN. When the option is cleared, whatever is specified for a server (IP address or name) is used to communicate with a server. This makes a difference in deployments where an IP address cannot be used to access a server, such as when a server is hosted in the cloud. For more information, see Host Name Resolution.
Click Next.
The page with general settings opens:
Specify the following settings:
Add firewall rules. Add firewall rules required by Parallels RAS in Windows running on the server. See Port Reference for details.
Install RDS role. Install the RDS role on the server if it's not installed. You should always select this option.
Enable Desktop Experience. Enable the Desktop Experience feature in Windows running on the server. This option is enabled only if the Install RDS role option (above) is selected. The option applies to Windows Server 2008 R2 and Windows 2012 R1/R2 on which the Desktop Experience feature is not enabled by default.
Restart server if required. Automatically restart the server if necessary. You can restart the server manually if you wish.
Click Next.
Add the server (or servers) to a host pool. Select the desired host pool or create a new host pool. If you are not sure what host pool to choose, select Default Host pool. Host pools are described in detail in the Manage host pools (RD Session Hosts) section.
Click Next.
In order for end users to access published resources on the RD Session Host, they must be added to the Remote Desktop Users group in Windows running on the server. This can be done in one of the following ways:
Adding each user or group directly on the server using standard Windows administrative tools.
Adding users or groups through Active Directory.
Using the wizard page described below, which is provided for your convenience.
If you already added your users to the Remote Desktop Users group on the given server (or if for any reason you want to use one of the other methods listed above), you can simply click Next and skip this page.
To add users to the Remote Desktop Users group using the wizard, select the Specify users or groups to be added to the Remote Desktop Users group option and then click the [+] icon. In the Select Users or Groups dialog, specify a user or group and click OK. The selected user/group will be added to the list on the wizard page.
Click Next.
The User profile page allows you to select a technology to manage user profiles.
You can select either User profile disk or FSLogix. User Profile Disks are virtual hard disks that store user application data on a dedicated file share. Microsoft FSLogix Profile Container is the preferred Profile Management solution as the successor of Roaming Profiles and User Profile Disks (UPDs). It is designed to maintain user context in non-persistent environments, minimize sign-in times, and provide a native profile experience, eliminating compatibility issues. You can keep the default settings for now. We will talk in detail about user profiles later in this guide.
The Optimization page allows you to specify settings that will be used to optimize Windows on the RD Session Host for best performance in a Parallels RAS environment.
You can select Windows components, services, and other options that will be disabled, removed, or optimized to ensure a more efficient, streamlined, and improved delivery of virtual apps and desktops. You can keep the default settings or you can modify (or disable if not sure) optimization for now. Optimization is described in detail later in this guide.
On the next page, review the settings and click Next.
The Install RAS RD Session Host Agent dialog opens. Follow the instructions and install the agent. When the installation is finished, click Done to close the dialog.
Back in the wizard, click Finish to exit.
If you would like to verify that the RD Session Host has been added to the Farm, click the Farm category (below the Start category in the left pane of the Parallels RAS Console window) and then click RD Session Hosts in the navigation tree (the middle pane). The server should be included in the RD Session Hosts list. The Status column may display a warning message. If it does, reboot the server. The Status column should now say, "OK", which means that your RD Session Host is functioning properly.
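Membership of the Remote Desktop Users group, which the wizard above can populate, decides who may open sessions on the RD Session Host, so it is worth reviewing once the host has been added. The PowerShell below is an added example, not part of the Parallels documentation; the function name, the approved list, and the sample members (including the EXAMPLE domain and its SIDs) are assumptions constructed for illustration.

```powershell
# Added example: review the local "Remote Desktop Users" group on an RD Session Host.
# Names such as Test-RemoteDesktopUsersMember, $approved and $sample are hypothetical.

# Well-known SIDs that would open RDP logon to far more accounts than a named group.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Test-RemoteDesktopUsersMember {
    [CmdletBinding()]
    param(
        # Objects exposing Name, SID and ObjectClass, as Get-LocalGroupMember returns them.
        [Parameter(Mandatory)] [object[]] $Member,
        # Account or group names that are expected to be in the group.
        [Parameter(Mandatory)] [string[]] $Approved
    )

    foreach ($m in $Member) {
        $sid     = [string]$m.SID
        $finding = $null

        if ($BroadSids.ContainsKey($sid)) {
            $finding = "Broad principal ($($BroadSids[$sid]))"
        }
        elseif ($sid -match '^S-1-5-21-(\d+-){3}513$') {
            # RID 513 is the Domain Users group of whichever domain issued the SID.
            $finding = 'Broad principal (Domain Users)'
        }
        elseif ($Approved -notcontains $m.Name) {
            # -notcontains compares strings case-insensitively.
            $finding = 'Not on the approved list'
        }

        if ($finding) {
            [pscustomobject]@{
                Name        = $m.Name
                SID         = $sid
                ObjectClass = $m.ObjectClass
                Finding     = $finding
            }
        }
    }
}

# Constructed sample membership (not real accounts; the domain SID is made up).
$sample = @(
    [pscustomobject]@{ Name = 'EXAMPLE\RAS-App-Users'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-1604'; ObjectClass = 'Group' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Users';  SID = 'S-1-5-21-1111111111-2222222222-3333333333-513';  ObjectClass = 'Group' }
    [pscustomobject]@{ Name = 'NT AUTHORITY\Authenticated Users'; SID = 'S-1-5-11'; ObjectClass = 'Group' }
    [pscustomobject]@{ Name = 'EXAMPLE\temp.contractor'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-2210'; ObjectClass = 'User' }
)
$approved = @('EXAMPLE\RAS-App-Users')

# Reports three findings: Domain Users, Authenticated Users, and the unapproved user.
Test-RemoteDesktopUsersMember -Member $sample -Approved $approved |
    Format-Table -AutoSize

# On a live RD Session Host, pass the real membership instead of $sample.
# S-1-5-32-555 is the well-known SID of the Remote Desktop Users group, so the
# lookup also works on localized Windows builds where the group name differs:
#   Test-RemoteDesktopUsersMember -Member (Get-LocalGroupMember -SID 'S-1-5-32-555') -Approved $approved
```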
Read on to learn how to publish an application from an RD Session Host.
To add a Site to the Farm:
In the RAS Console, select the Farm category in the left pane and then select the Farm in the middle pane.
In the Tasks drop-down list (the right pane, above the Site list), click Add (or click the + icon).
In the Add Site dialog:
In the Site field, specify a Site name.
In the Server field, specify the IP address or FQDN of the server where the Primary Connection Broker and Secure Gateway should be installed.
Select the Enable HTML5 Gateway option to automatically create a self-signed certificate, enable SSL, and enable HTML5 support. For more info, please see .
Click Next.
The Site Properties dialog opens. First, it verifies if RAS Connection Broker is installed on the specified Site server. If it isn't, it will indicate this in the Status field.
Click the Install button to install the agent.
In the Install RAS Connection Broker dialog, highlight the server name on which the RAS Connection Broker is to be installed.
(Optional) Select the option Override system credentials to specify and use different credentials to connect to the server and install the agent.
Click Install to install the Connection Broker and Secure Gateway. Click Done once it has been successfully installed.
Once a new Site is created, you can view and manage its configuration by right-clicking the Site in the RAS Console and choosing Switch to this Site.
A Parallels RAS Farm consists of at least one Site, but may have as many sites as necessary.
Sites are often used to separate management and/or location functions. For example, by creating a Site, you can delegate permissions to a Site administrator without granting them full Farm permissions. Or you can have separate sites for different physical locations with the ability to copy the same settings to each Site while using RD Session Hosts, Providers, or PCs that are closer to end users or (depending on your needs) to back-end servers. For instance, it would make sense for a client/server application querying a database to be published from an RD Session Host which is located closer to the database server.
Each Site is completely isolated from other sites within the same Farm. The Farm simply groups sites logically and stores configuration properties of each Site (and the objects that comprise it) in a single database. Sites don't communicate with each other and don't share any objects or data. The only exception to this rule is the RAS Licensing Site, which periodically communicates with other sites to obtain statistics.
Individual object settings in a given Site can be replicated to all other sites. This does not mean that settings will be shared between sites. The settings that you choose will simply be applied to other sites. For more information, see the section.
When you install Parallels RAS, a Farm with a single Site is created automatically. This first Site becomes the RAS Licensing Site and the host for the main Parallels RAS configuration database. When you add more sites to the Farm, the data in this database is automatically synchronized with every Site that you add. When changes are applied to a particular Site, the main configuration database is automatically updated to reflect the changes.
Each Site must have at least the following components installed in order to publish remote applications and desktops for end users:
Primary RAS Connection Broker
RAS Secure Gateway. Note that if a Site is joined as Tenant to RAS Tenant Broker, RAS Secure Gateway is not needed. For details, see .
RD Session Host, VDI, or PC
When you install Parallels RAS using default installation options, the primary RAS Connection Broker and the RAS Secure Gateway are automatically installed on the server on which you perform the installation. You can then add one or more RD Session Hosts to the Site to host published resources. You can also add more sites to the Farm if needed and configure individual components for each Site as you desire.
Parallels RAS is extensively tested on both physical and virtual platforms. The minimum hardware requirements approved to run Parallels RAS are outlined below.
Physical Machines – Dual Core Processor and a minimum of 4GB RAM.
Virtual Machines – Two Virtual Processors and a minimum of 4GB of RAM.
The server hardware requirements to install and configure Parallels RAS can vary according to end-user requirements.
Typically for an installation of 30 users or under, Parallels RAS can be installed on one high specification server and the resources published directly from it. For more than 30 users, multiple servers may be required.
The following should be considered during the planning stage of a Parallels RAS deployment:
High specification servers should be used, consisting of multiple CPU cores, a high specification disk transfer rate and plenty of RAM.
A hypervisor-based virtual machine can be used as long as the resources needed to serve end-users are calculated accordingly.
It is recommended that RAS Secure Gateway does not exceed 1200 users per server for incoming connections using the Gateway SSL mode.
HALB usage should not exceed 2000 user sessions per HALB appliance. See .
When planning VDI Hypervisor resource requirements, extra requirements such as RAM usage per virtual machine and disk space should be taken into account.
When configuring RD Session Hosts, VDI, or Azure Virtual Desktop, please keep in mind that different types of workloads require different session host configurations. For the best possible experience, scale your deployment depending on your users' needs. The following table gives you an idea of how different workload types affect session host configurations.
Note: Sizing guidelines are based on Microsoft recommendations on RDS or Azure Virtual Desktop multi-session hosts.
For port requirements, please see the Port Reference section.
Workload | Example users | Example apps | Max users per vCPU | Minimum (vCPUs / RAM / storage) |
Light | Basic data entry tasks | Database entry applications, command-line interfaces | 6 | 2 vCPUs 8 GB RAM 16 GB storage |
Medium | Consultants and market researchers | Database entry applications, command-line interfaces, Microsoft Word, static web pages | 4 | 4 vCPUs 16 GB RAM 32 GB storage |
Heavy | Software engineers, content creators | Database entry applications, command-line interfaces, Microsoft Word, static web pages, Microsoft Outlook, Microsoft PowerPoint, dynamic web pages | 2 | 4 vCPUs 16 GB RAM 32 GB storage |
Power | Graphic designers, 3D model makers, machine learning researchers | Database entry applications, command-line interfaces, Microsoft Word, static web pages, Microsoft Outlook, Microsoft PowerPoint, dynamic web pages, Adobe Photoshop, Adobe Illustrator, CAD, CAM | 1 | 6 vCPUs 56 GB RAM 340 GB storage |
To view existing sites in the Parallels RAS Console, select the Farm category in the left pane. Existing sites are listed in the right pane.
Note: The Farm node will only be visible to an administrator who has full permissions to manage the Farm. For more information about Farm/Site permissions, please refer to Managing Administrator Accounts.
The Farm category displays the configuration of only one Site at a time. If you log in as the Farm administrator, the configuration of the RAS Licensing Site will be displayed. If you log in as an administrator who has access to a specific Site (but not the Farm), the configuration of that Site will be displayed.
Click on the Farm item in the middle pane to view the list of available sites. The Site whose configuration is currently loaded in the console is marked as "Current Site" in the Type column. The column also displays other Site attributes. For example, "Licensing Site / Local Site / Current Site".
To switch to a particular Site, select Farm in the middle pane, then right-click the Site in the right pane and choose Switch to this Site. The Site configuration will be loaded into the RAS Console.
The other way of switching between sites is to click the Location drop-down list in the upper left-hand side of the RAS Console. The menu lists sites for the current Farm and may also list other Farms if you used this RAS Console to connect to them. For more info, see Connecting to a Parallels RAS Farm.
To rename a Site, right-click it and choose Rename Site.
When you select the Site node in the middle pane, the Site Info tab in the right pane displays the list of Parallels RAS components that have been configured for the Site with interactive performance monitoring metrics for each component. Depending on the Site configuration, the list may include RD Session Hosts, VDI, Remote PCs, Secure Gateways, Connection Brokers, Azure Virtual Desktop, HALB Virtual Servers and devices, Tenant Broker, Host pools, and Enrollment Server.
To collapse or expand a component group, click an "arrow up" or "arrow down" icon on the right side of the list. Note that if no servers of a particular type have been added to the Site, the group name will not be displayed in the list.
The following information is displayed for each component (the information is updated at an interval of approximately 2 minutes):
Address: Server FQDN or IP address.
Status: Indicates whether the agent software is installed on the server and is functioning properly.
CPU: Current CPU utilization.
RAM: Current RAM utilization.
Disk Read Time: Disk read time.
Disk Write Time: Disk write time.
Sessions: The number of currently active user sessions.
Preferred PA: The name of the RAS Connection Broker designated as preferred for this server.
Operating System: Operating system version installed on the server.
Agent Version: The agent version installed on the server.
Hypervisor: The hypervisor the server is running on.
You can customize this view by clicking Tasks > Monitoring Settings. This opens a dialog where you can specify which colors should be used to display different performance counters and their values.
You can perform a number of tasks on a component displayed in the Site Info tab. These tasks are described below.
To configure a component, do one of the following:
While the Site node is selected in the middle pane, right-click a component in the right pane and choose Show in the editor.
Select a component category in the middle pane (e.g. RD Session Hosts, Providers, etc.).
To use server management tools, right-click a component (server), click Tools and choose a desired tool. For the complete description of tools, see Computer Management Tools.
Select the Site node in the middle pane and then click the Designer tab in the right pane. The tab displays a visual representation of the Site infrastructure. Use the icons at the top to add more components to the diagram as desired. Note that adding a component to the diagram will actually add it to the Site. Double-click a component to view and configure it in a corresponding editor.
Parallels RAS Farm is a logical grouping of objects for the purpose of centralized management. A Farm configuration is stored in a single database which contains information about all objects comprising the Farm. A Site is the next level grouping in the Farm hierarchy which contains servers and other objects providing connection and remote application services.
The Deploy Azure Virtual Desktop section in the Start category is an optional feature, which allows you to deploy Azure Virtual Desktop in Parallels RAS. The feature is described in detail in the Azure Virtual Desktop chapter.
To add an administrator account to the Parallels RAS Farm:
In the RAS Console, navigate to Administration > Accounts.
Click the Tasks drop-down list and choose Add (or click the [+] icon).
The Account Properties dialog opens.
Click the [...] button next to the Name field. In the Select User or Group dialog, select a user or a group.
Specify an email address and mobile phone number. Both fields are optional and are disabled if the account specified in the Name field is a group.
In the Permissions drop-down list select a role to assign to the administrator:
Root administrator. Grants the administrator full permissions to manage the Farm.
Power administrator. Grants the administrator full permissions by default but allows you to limit them if needed. To grant or deny specific permissions, click the Change Permissions button. For additional info, see .
Custom administrator. This role doesn't have any permissions by default and allows you to grant very specific permissions for a particular category, area, or object in the RAS Console. See for details.
In the Receive system notifications via drop-down list, select Email to send all system notifications to the specified email address, or select None to disable email system notifications for this account.
Click OK to add the new administrator account to the Farm.
Modifying an administrator account
To modify an account, select it in the list and click Tasks > Properties. This opens the Account Properties dialog where you can modify the account information.
To enable or disable an account, select or clear the Enable account option at the top of the Account Properties dialog.
If you have a number of administrators using the RAS Console to manage the same Farm, you can configure when an idle RAS Console session should be disconnected. By default, when an administrator opens the console and connects to a Farm but then leaves without logging off, the session stays active indefinitely, possibly locking some of the categories for other administrators. You can change that by specifying the time period after which an idle session will be disconnected (thus unlocking the categories).
To configure idle sessions:
In the RAS Console, navigate to Administration > Settings.
Locate the Miscellaneous section (at the bottom) and choose a desired time period in the Reset idle RAS Console session after drop-down list.
When a session stays idle for close to the specified time period, the administrator (session owner) will be notified a few minutes in advance that the session is about to be disconnected. If the administrator chooses to stay connected, the time period is reset. If the administrator does nothing, the session will be disconnected when the time expires.
You can have more than one administrator in Parallels RAS. At least one administrator (called the root administrator) must be present at all times. Other administrators can be given the following roles:
Root administrator. Has full permissions to manage a Parallels RAS Farm.
Power administrator. Has most permissions granted by default, but can be configured to have limited permissions to manage certain sites or categories.
Custom administrator. Has no permission by default and can be granted specific permission to view or modify very specific areas or objects in the Parallels RAS Farm.
Read on to learn how to create and manage administrator accounts.
The Licensing Site should always be online even if you have other sites in your Farm. If your Licensing Site goes offline, your other sites can still use the maximum number of individual licenses included in your subscription but only for a period of 72 hours. During this time, you need to do one of the following:
Restore your Licensing Site.
Promote a different Site to be the Licensing Site in the Farm (see below for instructions).
Please note that if the Licensing Site is offline from 48 to 72 hours and back online three times per month, you will be required to re-activate it using your Parallels RAS licensing key after the third time.
To promote a secondary Site to be the Licensing Site in the Farm:
In the RAS Console, navigate to Farm > Farm.
In the right pane select a Site and then click Tasks > Set as licensing Site.
You will be asked to activate the new Licensing Site using your Parallels RAS license. Follow the instructions and activate the Site.
To view existing administrator accounts, select the Administration category in the RAS Console. The Accounts tab lists existing accounts and their properties, including:
Group or user name. Account name, which can be a user or group name.
Type. Account type. Can be one of the following: User, Group, Group User. The User and Group are self-explanatory. The Group User is a user who receives Parallels RAS administrative permissions via a group membership. When you initially add a group to the list of Parallels RAS administrators, its members are not displayed on the Accounts tab. As soon as a member of the group logs in to Parallels RAS, the account name is added to the list of administrators as a Group User and remains there. Note that you cannot change Parallels RAS permissions for such an account individually outside the group permissions.
Permissions. A security role assigned to an administrator.
Email. Email address.
Mobile. Mobile phone number.
Group. Group name. This column has a value for Group Users only (see the Type column description above).
Last Modification By. The name of the user who modified this account in Parallels RAS the last time.
Changed On. The last account modification date.
Created By. The name of the user who created this account in Parallels RAS.
Created On. The date when this account was added to Parallels RAS.
ID. Internal Parallels RAS ID.
To modify an account:
Right-click an account and choose Properties in the context menu.
Use the Administrator Properties dialog to modify the necessary information. For more info, see Adding an Administrator Account.
When an administrator is working with an object (e.g. a tab in the RD Session Host properties dialog), the object is locked for all other administrators. Therefore, upon trying to access a locked object, an administrator will be alerted with an error that the object is locked and will be denied access to it.
A root administrator (but not power or custom administrator) can release a locked object as follows:
On the Administration > Accounts tab, click the Tasks drop-down list and choose Show Sessions.
In the Sessions dialog, select the administrator who is locking an object and then click the Send Message icon (at the top).
If the administrator doesn't reply and doesn't release the object, you have an option to click Log Off, which will log them off and will unlock the category.
Parallels RAS administrators logged on to the same Farm can communicate with each other using a built-in instant messenger.
To use the instant messenger:
In the RAS Console, select the Administration category.
Expand the drop-down list next to your name (top-right corner of the console screen) and click Chat.
The Parallels Remote Application Server Chat window opens.
To send a message:
Type the message text in the lower input panel.
In the Logged on administrators list box, select a specific administrator or All to send the message to an individual or all logged on administrators.
Click Send.
Your message history is displayed in the Messages panel. To clear the history, click Clear All.
You can also view the chat history listing all messages between all administrators (not just your own messages). To do so, select the Administration node in the console and then select the Chat History tab.
Parallels Customer Experience Program helps us to improve the quality and reliability of Parallels RAS. If you agree to join the program, we will collect information about the way you use Parallels RAS. We will not collect any personal data, like your name, address, phone number, or keyboard input.
To join the program:
In the RAS Console, select the Administration category.
In the right pane, click the Settings tab.
Select the Participate in the Customer Experience Program option.
After you join the program, CEP will automatically start to collect information about how you use Parallels RAS. Data collected from you and other participants is combined and thoroughly analyzed to help us improve Parallels RAS.
To set permissions for a RAS administrator, do the following:
In the RAS Console, navigate to Administration > Accounts.
Select an administrator in the list and click Tasks > Properties.
Click the Change Permissions button in the Administrator Properties dialog. The following happens depending on what is selected in the Permissions field:
Root administrator. The Change Permission button is disabled because the root administrator always has full permissions.
Power administrator. The Account Permissions dialog opens. In the left pane, select one or more sites for which to grant permissions to the administrator. In the right pane, select specific permissions. See the Power administrator permissions subsection below for details.
Custom administrator. A different Account Permissions dialog opens where you can set custom permissions. Compared to the Power administrator role (see above), this option allows you to grant any permission (view, modify, add, etc.) for entire categories or specific areas or objects in the RAS Console. If a Custom administrator doesn't have permission to even view a category or tab page, that category or tab page does not appear in the RAS Console for that administrator. Using the Custom administrator role, you can limit permissions to one or more very specific tasks. For details, see Custom administrator permissions below.
The following permissions can be set for a Power administrator:
Allow viewing of site information. Whether the administrator can view the Site information.
Allow site changes. Permissions to modify the following categories: Site, Load Balancing, Universal Printing, Universal Scanning. This option is disabled if the Allow viewing of Site information option is cleared.
Allow session management. Permission to manage running sessions. This option is disabled if the Allow viewing of site information option is cleared.
Allow publishing changes. Permission to modify the Publishing category.
Allow connection changes. Permission to modify the Connection category.
Allow viewing of RAS reporting. Permission to view reports generated by RAS Reporting.
Allow client management changes. Permission to modify the Device Manager category.
In the Global permission area, set the following:
Allow viewing of policies. Whether to allow the administrator to view the Policies category.
Allow policies changes. Whether to allow the administrator to modify the Policies category.
To set custom administrator permissions, you must be either a root administrator or a power administrator with the "Allow site changes" permission granted.
When you first create an administrator of this type, they will have no permissions. To add permissions, select a Site in the left pane and then click the Change permissions button. The Account Permissions dialog opens. In the dialog, select a permission type in the left pane.
The permission types are:
RD Session hosts groups. The Groups tab in Farm > RD Session hosts.
Note: Starting from Parallels RAS 19, per-server RDSH permissions have been deprecated and must be manually replaced with per-group permissions. If you upgrade to Parallels RAS 19 or later from one of the previous versions, during the upgrade you will see a dialog that helps you with the process.
Manage Sessions by AD Groups. Permission for managing user sessions for users that belong to the same AD group as the custom administrator.
Note: Parallels RAS checks all available AD groups to find the ones that include the custom administrator. If you don't want to check certain AD groups, you can exclude them from the search by clicking the Exclude AD groups button in the bottom-left corner of the Account Permissions window.
Remote PCs. The Farm > Remote PCs view.
Secure Gateways. The Farm > Secure Gateways view.
Connection Brokers. The Farm > Connection Brokers.
HALB. The Farm > HALB view.
Themes. The Farm > Themes view.
Publishing. Permissions for individual folders in the Publishing category.
Connection. The entire Connection category.
Device Manager. The entire Device manager category.
Certificates. The Farm > Certificates view.
Application Packages. The Farm > Application Packages view.
To change global permissions, instead of a specific Site select Global in the left pane and then click the Change permissions button.
The global permission types are:
Monitoring. The Monitoring category.
Reporting. The Reporting category.
License. The License category.
After you select a permission type, you can set the actual permissions in the right pane. Different permission types may have different sets of permissions. The following list describes all available permissions:
View. View only.
Modify. View and modify.
Add. View, modify, and add new objects (e.g. servers).
Delete. View, modify, and delete an object.
Control. View and control an object. This permission enables the Tasks > Control menu (where available), which includes enable and disable logons, cancel pending reboot, install RDS role, reboot, and some other options. Also enables power operations (start, stop, etc., where available).
Manage sessions. View and manage sessions.
The lower portion of the right pane lists individual objects (e.g. servers) if the selected permission type has them. Here, you can set individual permissions for a specific object (not the entire tab, for instance, which otherwise would include all available objects).
The Global permissions option at the top of the right pane enables all permissions for all objects for the selected permission type.
As a root administrator (or a power administrator with sufficient privileges), you can apply (clone) permissions of an existing administrator account to another existing account. This way, you can configure permissions for one account and then quickly apply the same configuration to all other accounts that require them.
To clone permissions, select a source administrator account and click Tasks > Clone permissions. In the dialog that opens, select a destination account (or multiple accounts) and click OK.
There could be a situation when a power administrator needs to grant some permissions to a custom administrator. This cannot be done by modifying permissions because power administrators cannot manage administrator accounts directly. Instead, they can delegate some of their own permissions in a given Site to a custom administrator of their choice.
For example, if a power administrator wants the custom administrator to be able to manage a particular RD Session Host, he/she selects that host in the RAS Console and clicks Tasks > Delegate permissions. This opens a dialog where the administrator can select a custom administrator and specify which permissions (view, modify, etc.) that administrator should have. The Tasks > Delegate permissions menu option is available for many objects, such as Providers, host pools (desktops), and some others. If the menu is not available for an object, it means that this functionality is not available for objects of this type.
RAS Connection Broker provides load balancing of published applications and desktops. A RAS Connection Broker is automatically installed on a server on which you install Parallels RAS and is designated as the primary Connection Broker. Each Site must have a primary RAS Connection Broker but can also have secondary Connection Brokers added to it. The purpose of a secondary Connection Broker is to ensure that users do not experience any interruption of the service due to possible failure of the primary RAS Connection Broker. This chapter describes how to add RAS Connection Brokers to a Site and how to configure them.
Site-specific settings configured for a given Site can be replicated to all other sites in a Farm. Refer to the table below for the information about which settings can be replicated to other sites.
Category | Section | Options |
---|---|---|
To replicate Site settings to all other sites, select Farm > <Site> > Settings and then select the Replicate settings option (at the bottom of the Auditing tab). Please note that this option is disabled if you have just one Site in the Farm.
If an administrator who has permissions to enable or disable replication changes a specific setting, that setting is replicated to all other sites. If an administrator who has access to only a particular Site modifies Site settings that have been replicated, the replicated settings are overridden and the Replicate Settings option is automatically cleared, so those settings are no longer replicated to other sites.
A secondary Connection Broker is added to a Site for redundancy. This way if the primary Connection Broker fails, the secondary Connection Broker is still available to handle the requests. Connection Brokers work in active/active manner to ensure high availability. In case of a Connection Broker failure, the next agent is always ready to handle the load. In general, the N+1 redundancy approach should be used per Site. Note that for auto-promotion you shouldn't have more than three Connection Brokers (auto-promotion is described later in this section).
When you have one or more secondary Connection Brokers installed, the runtime data is replicated on each agent, so if any service fails, the downtime is reduced to a minimum. In addition, any active Connection Broker is used for authentication purposes with both the AD and any 2nd level authentication provider used.
The primary Connection Broker performs the same tasks as secondary Connection Brokers but has additional responsibilities. It manages certain processes that must be managed by a single Connection Broker. The following table lists processes managed by the primary Connection Broker and secondary Connection Brokers:
Process | Primary Connection Broker | Secondary Connection Brokers |
---|---|---|
As a demonstration of how load distribution between multiple Connection Brokers works, consider the following example:
Suppose we have two Connection Brokers: PA1 (primary) and PA2 (secondary).
Suppose we also have 10 RD Session Hosts: RDS1, RDS2 ... RDS10.
The resulting load will be distributed as follows:
RDS1, RDS2 ... RDS4 will use PA1 as their preferred Connection Broker.
RDS5, RDS6 ... RDS10 will use PA2 as their preferred Connection Broker.
RAS Connection Brokers running on the same Site communicate with each other and share the load. The amount of data being transmitted from one agent to another is quite large, so a reliable high-speed communication channel must be ensured (e.g. a subnetwork can be configured for Connection Broker communications).
When adding a secondary Connection Broker to a Site, you specify an IP address for it. Make sure that the IP addresses of all agents belong to the same network segment. The port that Connection Brokers use to communicate with each other is TCP 20030.
There's no physical limit to how many Connection Brokers you can add to a Site. However, the best results are achieved with only two or three agents present. The three-agent scenario is highly recommended, especially when you have Providers and want to enable high availability for VDI. Adding more than two secondary Connection Brokers to a Site may have the opposite effect and actually degrade the system performance. Note that this does not apply to secondary Connection Brokers in standby mode, which is explained in Configuring RAS Connection Brokers.
To add a secondary Connection Broker:
In the RAS console, navigate to Farm > <Site> > Connection Brokers.
Click the Tasks drop-down list and choose Add to launch the Add RAS Connection Broker wizard.
The Server field specifies the FQDN or IP address of the server that hosts the RAS Connection Broker. To automatically resolve IP address to FQDN, enable the global Name Resolution option. For details, see Host Name Resolution.
The IP field specifies the server IP address. Click the Resolve button to obtain the IP address automatically using the FQDN specified in the Server field.
The Alternative IPs field specifies one or more alternative IP addresses, separated by a semicolon. These addresses will be used if RAS Secure Gateways fail to connect to the RAS Connection Broker using its FQDN or the address specified in the IP field. This can happen, for example, if Secure Gateways are connecting from a different network, which is not joined to Active Directory.
Select the Install a Secure Gateway with a Connection Broker option if you also want to install a RAS Secure Gateway on the specified server. If you select this option, you may also select the Enable HTML5 Gateway option (for more info, see Configure User Portal).
Select the Add Firewall Rules option to automatically configure the firewall on the server. See Port Reference for details.
Click Next.
On the next page, click Install to install the RAS Connection Broker on the server. The Installing RAS Redundancy Service dialog opens.
Select the server on which the RAS Connection Broker is to be installed and click Install.
Click Done.
Click OK to add the server to the Farm.
You can perform standard computer management tasks on a server hosting the RAS Connection Broker right from the RAS Console. These include Remote Desktop Connection, remote PowerShell, Computer Management, Service Management, Event Viewer, IPconfig, Reboot, and others. To access the Tools menu, select a server, click Tasks > Tools and choose a desired tool. For requirements and usage information, see .
To view RAS Connection Brokers installed in a Site, navigate to Farm > <Site> > Connection Brokers in the RAS Console. The installed Connection Brokers are listed on the Connection Brokers tab in the right pane.
A Site must have at least the primary Connection Broker installed, which is marked so in the Priority column. You can also add secondary agents to a Site for redundancy (described in the section that follows this one).
To modify the configuration of a Connection Broker, select it and then click Tasks > Properties (or right-click > Properties). The Properties dialog opens where you can modify the following:
Enable Server in site: Enables or disables the Connection Broker. The option is enabled for secondary Connection Brokers only. It is disabled for the primary Connection Broker.
Server: Specifies the FQDN or IP address of the server that hosts the Connection Broker. To automatically resolve IP address to FQDN, enable the global Name Resolution option. For details, see .
IP: Specifies the server IP address. Click the Resolve button to obtain the IP address automatically using the FQDN specified in the Server field. This IP address is used so that multiple Connection Brokers share information in real time.
Alternate IPs: Specifies one or more alternate IP addresses separated by a semicolon. These addresses will be used if RAS Secure Gateways fail to connect to the RAS Connection Broker using its FQDN or the address specified in the IP field. This can happen, for example, if Secure Gateways are connecting from a network which is not joined to Active Directory.
Description: A user-defined description.
Standby: If selected, puts a secondary Connection Broker into a standby mode. This means that no agent will connect to this Connection Broker until another Connection Broker goes offline. This option is enabled automatically for any new secondary Connection Broker in excess of the three agents that already exist. It is not recommended to have more than three active Connection Brokers because it may degrade system performance. Using this option you can have more than three agents, but have them in standby mode until they are needed. For more information, see .
When done making the changes, click OK and then click Apply in the main RAS Console window.
The Tasks drop-down list on the Connection Brokers tab has the following items:
Add. Adds a RAS Connection Broker to the Site. See the section that follows this one for the information on how to add secondary Connection Brokers.
Upgrade all Agents. Upgrades agents to the current version. The item is disabled if all agents are up to date.
Tools. Gives you access to a set of standard server management tools.
Troubleshooting. The Check agent menu item verifies that the Connection Broker is functioning properly. It opens a dialog where you can see the verification results and optionally install (or uninstall) the Connection Broker. The Logging menu item allows you to configure logging and retrieve or clear log files. For more information, see .
Promote to primary. Promotes a secondary Connection Broker to primary. The current primary becomes a secondary Connection Broker.
Refresh. Refreshes the Connection Brokers list.
Delete. Deletes a secondary Connection Broker from the Site. To delete the primary Connection Broker, you first need to promote a secondary Connection Broker to primary.
Settings audit. Opens the Settings Audit dialog where you can view the changes that were done to the Connection Broker. For more information, see .
Move up and Move down. Changes the priority of a secondary Connection Broker (moves it up or down in the priority list).
Properties. Opens the Connection Broker Properties dialog (see above).
In addition to the Connection Broker editor described above, you can also see the summary about the available RAS Connection Brokers. To do so:
In the RAS Console, navigate to Farm > <Site>.
The available RAS Connection Brokers are displayed in the Connection Brokers group on the Site Info tab.
To go to the Connection Brokers editor, right-click a RAS Connection Broker and choose Show in the editor.
You can configure Parallels RAS to automatically connect to an alternative Connection Broker when one of the Connection Brokers is not responding.
To enable automatic connection to an alternative Connection Broker:
In the RAS Console, click Tools > Options on the main menu (that's the menu at the top of the RAS Console window).
In the Options dialog, select the Automatically connect to an alternative Connection Broker when required option.
Click OK.
For additional info, see .
Category | Section | Options |
---|---|---|
Farm | VDI > Templates | Auto removal timeout of host pools that fail preparation |
Farm | VDI > Desktops | Auto removal timeout |
Farm | Settings > Auditing | All settings |
Farm | Settings > Global Logging | Logging settings |
Farm | Settings > URL Redirection | All settings |
Load Balancing | Load Balancing | All settings |
Load Balancing | CPU Optimization | All settings |
Publishing | Application | Site defaults are replicated. Other settings (name, description, icon, etc.) are global and are common to all sites |
Publishing | Shortcuts | All settings |
Publishing | Extensions | All settings |
Publishing | Licensing | All settings |
Publishing | Display | All settings |
Universal Printing | Universal printing | Printer renaming |
Universal Printing | Printer drivers | All settings |
Universal Printing | Fonts management | All settings |
Universal Scanning | WIA | Scanner renaming |
Universal Scanning | TWAIN | Scanner renaming |
Universal Scanning | TWAIN > TWAIN applications | Scanning applications |
Connection | Authentication | All settings |
Connection | Settings | All settings |
Connection | Allowed devices | All settings |
Reporting | Reporting engine | Reporting engine type |
Reporting | Engine specific settings | All settings |
Process | Primary Connection Broker | Secondary Connection Brokers |
---|---|---|
Monitor PAs (counters) | Yes | Yes |
Monitor RD Session Hosts (counters) | Yes | Yes |
Monitor Providers (counters) | Yes | Yes |
Monitor RDS Sessions (reconnection) | Yes | Yes |
Monitor Deployed RDS applications | Yes | Yes |
Monitor VDI session (reconnections) | Yes | Yes |
Manage system settings | Yes | No |
Send licensing information & heart beat | Yes | No |
Process and send CEP information | Yes | No |
Send information to reporting server | Yes | No |
Manage RDS scheduler | Yes | No |
Reporting engine information | Yes | Future versions |
Shadowing | Yes | Future versions |
Send email notifications | Yes | No |
Welcome to Parallels® Remote Application Server (Parallels RAS), an integrated solution to virtualize your applications, desktops and data. Parallels RAS publishes applications and delivers remote and virtual desktops to any device on your network, anywhere.
To add a RAS Secure Gateway to a Site, follow these steps:
In the RAS Console, navigate to Farm > <Site> > Secure Gateways.
With the Secure Gateways tab selected in the right pane, click Tasks > Add to start the Add RAS Secure Gateway wizard.
Enter the server FQDN or IP address (or click the [...] button to select a server from the list). To automatically resolve IP address to FQDN, enable the global Name Resolution option. For details, see Host Name Resolution.
Select the gateway mode from the Mode drop-down list.
If you selected the Forwarding mode in the step above, select the destination gateway in the Forward To drop-down list. You can also select a specific IP address in the On IP drop-down list if the Gateway server has more than one.
Select the Enable HTML5 Gateway option to automatically create a self-signed certificate, enable SSL, and enable HTML5 support. For more info, please see Configure User Portal.
Select the Add Firewall Rules option to automatically configure the firewall on the server hosting the gateway. See Port Reference for details.
Click Next.
On the next page, click Install to start the RAS Secure Gateway installation.
Click Done when the installation is finished.
To enable or disable a secondary Connection Broker in a Site, select it in the Connection Brokers list and then select or clear the check box at the beginning of the row.
Each secondary Connection Broker is given a priority. To change the priority, select a secondary Connection Broker and use the "Up arrow" and "Down arrow" icons (or Tasks > Move up, Move down) to move it up or down the list. The higher the agent is in the list, the higher the priority.
If the primary Connection Broker cannot be recovered, you can promote a secondary Connection Broker to primary as follows:
Open the RAS Console on the Connection Broker server that you would like to promote (all required files are automatically installed when a server is added to a Site as a secondary Connection Broker).
Select the Farm category and navigate to the Connection Brokers node.
Select the Connection Broker and then click Tasks > Promote to primary.
Click OK once the process is finished.
If the primary Connection Broker goes offline, you will need to promote a secondary Connection Broker to take its place. The auto-promotion feature can do it automatically after a specified time period.
By default, auto-promotion is turned off. To enable it, do the following:
In the RAS Console, navigate to Farm > <Site> > Connection Brokers.
Select the Auto-promotion tab in the right pane.
Select the Enable auto-promotion option and specify the time period after which the next secondary Connection Broker should be promoted to primary. The time period can be set between 15 minutes and 72 hours (the default value is 30 min).
Select the Enable failback option if you want the original Connection Broker to become primary again should it go back online. For the Licensing Site, this eliminates license activation if failback happens within 72 hours. The license activation countdown is always displayed in the RAS Console, so the administrator can check if the original primary Connection Broker recovers within this time period or not. If the original agent goes back online after the 72-hour period (and if the Farm has been already reactivated), it will become a secondary Connection Broker.
Note: To enable auto-promotion, you need at least three active Connection Brokers in a Site. If you have fewer than three, auto-promotion is ignored.
Please also note that auto-promotion must be disabled if you have a single Site with Connection Brokers split across different locations with bad WAN links. If there's no link between Connection Brokers located remotely, the third Connection Broker acts as a witness to prevent split-brain.
When auto-promotion takes place, the RAS administrator will receive notifications via email about the following events:
A secondary Connection Broker has been promoted to primary.
Auto-promotion of a secondary Connection Broker has failed.
Auto-promotion failback completed.
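A pre-flight check for the Connection Broker constraints given in this guide (all broker IPs in one network segment, TCP 20030 between brokers, at most three active brokers, and the auto-promotion requirements above), as an added PowerShell example that is not part of Parallels RAS or its documentation. It uses only .NET classes and no RAS cmdlets; the function names, PA3, the IP addresses and the /24 prefix are assumptions made for the sample.

```powershell
# Added example: pre-flight check for a planned set of RAS Connection Brokers.
# PA3, all IP addresses and the /24 prefix are constructed sample values.
# Assumption: "same network segment" is treated as "same IPv4 subnet" for a
# prefix length supplied by the operator.

function Get-NetworkAddress {
    param([string]$IPAddress, [int]$PrefixLength)
    if ($PrefixLength -lt 0 -or $PrefixLength -gt 32) { throw "Bad prefix length: $PrefixLength" }
    $bytes = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 address expected: $IPAddress" }
    $octets = for ($i = 0; $i -lt 4; $i++) {
        # Number of mask bits that fall into this octet (0..8).
        $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - 8 * $i))
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        $bytes[$i] -band $mask
    }
    $octets -join '.'
}

function Test-TcpPort {
    param([string]$IPAddress, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($IPAddress, $Port)
        # Wait() throws if the connection is refused; both cases count as closed.
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-BrokerPlan {
    param(
        [Parameter(Mandatory)] [object[]]$Brokers,   # objects with Name, IP, Standby
        [Parameter(Mandatory)] [int]$PrefixLength,
        [switch]$AutoPromotion,
        [int]$PromotionDelayMinutes = 30,            # default value stated in the guide
        [switch]$ProbePort                           # run from a broker to test TCP 20030
    )
    # Inter-broker traffic: all broker IPs must sit in one network segment.
    $networks = @($Brokers |
        ForEach-Object { Get-NetworkAddress $_.IP $PrefixLength } |
        Sort-Object -Unique)
    if ($networks.Count -gt 1) {
        "SEGMENT: brokers span $($networks.Count) networks: $($networks -join ', ')"
    }

    # Brokers in standby do not count as active.
    $active = @($Brokers | Where-Object { -not $_.Standby })
    if ($active.Count -gt 3) {
        "COUNT: $($active.Count) active brokers; keep at most three active and put the rest in standby"
    }

    if ($AutoPromotion) {
        if ($active.Count -lt 3) {
            "AUTOPROMOTE: only $($active.Count) active brokers; auto-promotion is ignored below three"
        }
        if ($PromotionDelayMinutes -lt 15 -or $PromotionDelayMinutes -gt 72 * 60) {
            "AUTOPROMOTE: delay of $PromotionDelayMinutes min is outside 15 minutes to 72 hours"
        }
    }

    if ($ProbePort) {
        foreach ($b in $Brokers) {
            if (-not (Test-TcpPort -IPAddress $b.IP -Port 20030)) {
                "PORT: $($b.Name) ($($b.IP)) does not accept TCP 20030 from this host"
            }
        }
    }
}

# Constructed plan: PA3 sits in a different /24 and the delay is below the minimum.
$plan = @(
    [pscustomobject]@{ Name = 'PA1'; IP = '10.0.10.11'; Standby = $false }
    [pscustomobject]@{ Name = 'PA2'; IP = '10.0.10.12'; Standby = $false }
    [pscustomobject]@{ Name = 'PA3'; IP = '10.0.20.13'; Standby = $false }
)
$findings = @(Test-BrokerPlan -Brokers $plan -PrefixLength 24 -AutoPromotion -PromotionDelayMinutes 10)
if ($findings.Count -eq 0) { 'Plan is consistent with the documented constraints.' } else { $findings }
```

Add -ProbePort when running the check from an existing Connection Broker to confirm that the other brokers are reachable on TCP 20030 through any firewall in between.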
To delete a secondary Connection Broker, select it in the list and then click Delete in the Tasks drop-down list.
To manually install a RAS Secure Gateway and add it to the Farm, follow these steps:
Log into the server where you'll be installing the RAS Secure Gateway using an administrator account.
Copy the Parallels RAS installation file (RASInstaller.msi) to the server and double-click it to launch the installation wizard.
Follow the onscreen instructions and proceed to the installation type page. Select Custom and click Next.
Click on RAS Secure Gateway in the feature tree and select Entire Feature will be installed on local hard drive.
Ensure that all other components in the selection tree are cleared and click Next.
Click Install to start the installation.
When the installation is completed, click Finish to close the wizard.
Open the RAS Console and specify the RAS Connection Broker that will manage the gateway.
To check the status of a RAS Secure Gateway, right-click it in the list and then click Check Status in the context menu. The RAS Secure Gateway Information dialog opens.
The dialog displays the gateway information, including:
Server: The name of the server on which the gateway is installed.
Gateway: The gateway verification status (e.g. Verified).
Version: The gateway software version number. The version number must match the Parallels RAS version number.
OS Type: Operating system type and version.
Status: Displays the current RAS Secure Gateway status. If the status indicates a problem (e.g. the gateway did not reply or the gateway software version is wrong), click the Install button to push install the gateway software on the server. Wait for the installation to complete and check the status again.
In this section, we'll set up a basic Parallels RAS Farm where all required components run on a single server.
To set up a Parallels RAS Farm:
Log in to the Parallels RAS Console.
In the console, select the Start category. This category gives you access to three wizards that you can use to easily perform essential tasks, such as adding RD Session Hosts, publishing applications, and inviting users to Parallels RAS.
RAS Connection Broker and RAS Secure Gateway are supported on the following operating systems:
Windows Server 2012 R2 up to Windows Server 2022
On Windows Server 2016, 2019, and 2022 both Server Core and Desktop Experience installations are supported
Note: RAS Connection Broker and RAS Secure Gateway should not be installed on a domain controller or any other machine where a DHCP server is running. This in general applies to any of the RAS components.
Same OS requirements as for RAS Connection Broker (see above). Note that for larger environments (2000 or more concurrent connections), it is recommended to install the component on a dedicated server. For details, please see .
Please also note that Windows Server 2012 R2 must have the following updates installed:
Windows Server 2012 R2 — KB2999226
Newer versions of Windows Server do not require any specific updates.
RAS RD Session Host Agent is supported on the following operating systems:
Windows Server 2008 R2 up to Windows Server 2022
Windows Server 2016 and newer must be installed using the "Desktop Experience" installation option.
Windows Server 2012 R2 — Server Core installation option is not supported.
Windows Server 2012 R2 up to Windows Server 2022
Windows Server 2008 R2 up to Windows Server 2022
Windows 7 up to Windows 11
Windows Server 2008 R2 up to Windows Server 2022
Windows 7 up to Windows 11
Windows Server 2012 R2 up to Windows Server 2022
Windows 7 up to Windows 11
Windows Management Framework 3.0 and .NET Framework 4.5.2 must be installed
Windows Server 2012 R2 up to Windows Server 2022
Windows 7 up to Windows 11
Windows Server 2012 R2 up to Windows Server 2022
Parallels Client is approved for the following operating systems (both 32-bit and 64-bit systems are supported, where applicable):
Windows 7, 8.x, 10, 11
Windows Server 2008 R2 up to Windows Server 2022
macOS 12 Monterey to macOS 14 Sonoma. Parallels Client runs natively on Intel and Apple silicon processors.
iOS 15 and later, iPadOS 15 and later
Android 7 up to 12
Chrome OS
Note: Parallels Client for Chrome is deprecated. We recommend using Parallels Web Client instead.
Parallels Client for Linux supports the following Linux distributions (x64 versions only):
Ubuntu 18.04 LTS, 20.04 LTS, 22.04 LTS
Debian 11 (Bullseye), Debian 12 (Bookworm)
Fedora 37, 38
Linux Mint 20, 21
IGEL 11, 12
ThinOS/ Dell Wyse Thin Clients 2303
Parallels Client supports all default window managers of the distributions listed above. If you use a different window manager, your experience may differ from the intended one.
For the list of supported Providers, see .
For a list of supported thin clients and supported hardware from Technology Partners such as Igel, HP, 10Zig, and more, please see the following KB article: .
You need to install at least one RAS Secure Gateway for Parallels RAS to work. You can add additional Gateways to a RAS Site to support more users, load-balance connections, and provide redundancy.
If you are installing a RAS Secure Gateway on a dedicated server, you can also install the Parallels RAS console on the same server. The console will have limited functionality but will allow you to perform some important management operations on the Gateway, including:
Setting the Gateway operation mode (normal or forwarding, see below for details).
Assigning a RAS Connection Broker that will manage the Gateway.
Setting the Gateway communication port.
Viewing the Gateway information, such as host OS version, Parallels RAS version, available IP addresses, and others.
The RAS Console in such an installation scenario (when connected to the local computer, not the RAS Farm) will only have two categories that you can select in the left pane: Gateway and Information. To manage the Gateway settings, select Gateway and then click Change Ownership in the right pane. To view the information select the Information category.
When the RAS console is connected to a Parallels RAS Farm (i.e. the server where RAS Connection Broker is running), you can manage RAS Secure Gateways by navigating to Farm > <Site> > Secure Gateways.
The following describes how a RAS Secure Gateway handles user connection requests:
A RAS Secure Gateway receives a user connection request.
It then forwards the request to the RAS Connection Broker with which it's registered (the Preferred Connection Broker setting by default).
The RAS Connection Broker performs load balancing checks and the Active Directory security lookup to obtain security permissions.
If the user requesting a published resource has sufficient rights, the RAS Connection Broker sends a response to the gateway which includes details about the RD Session Host the user can connect to.
Depending on the connection mode, the client either connects through the gateway or disconnects from it and then connects directly to the RD Session Host server.
RAS Secure Gateway can operate in one of the following modes:
Normal Mode. A RAS Secure Gateway in normal mode receives user connection requests and checks with the RAS Connection Broker if the user making the request is allowed access. Gateways operating in this mode can support a larger number of requests and can be used to improve redundancy.
Forwarding Mode. A RAS Secure Gateway in forwarding mode forwards user connection requests to a preconfigured gateway. Gateways in forwarding mode are useful if cascading firewalls are in use, to separate WAN connections from LAN connections and make it possible to disconnect WAN segments in the event of issues without disrupting the LAN.
Note: To configure the forwarding mode, a Parallels RAS Farm must have more than one RAS Secure Gateway.
When adding RAS Secure Gateways to a Site, N+1 redundancy should be configured to ensure uninterrupted service to your users. This is a general rule that also applies to other Parallels RAS components, such as Connection Brokers or RD Session Hosts.
The Public address field on the General tab specifies a public FQDN or IP address of the Secure Gateway. This setting is used by the Preferred routing functionality for redirecting a client connection. Please see Configuring preferred routing.
To configure a RAS Secure Gateway:
In the RAS console, navigate to Farm > <Site> > Secure Gateways.
In the right pane, right-click a Secure Gateway and click Properties.
The RAS Secure Gateway Properties dialog opens.
Read on to learn how to configure the RAS Secure Gateway properties.
The RAS Secure Gateway Properties dialog consists of tabs, each containing its own specific set of options. All tabs, except Properties, have one common option: Inherit default settings. When you select this option, all fields on a tab are grayed out and the settings are inherited from Site defaults. To view (and modify if necessary) Site default properties for Secure Gateways, click the Site Defaults link, which is available on all tabs mentioned above. The link opens the Site default properties dialog. You can also open this dialog by clicking Tasks > Site defaults while on the Farm > Site > Secure Gateways tab.
The subsequent sections describe individual tabs and available options in the Secure Gateway Properties dialog.
A RAS Secure Gateway can operate in . To set the desired mode and configure related settings click the Mode tab in the RAS Secure Gateway Properties dialog.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see .
To set the normal mode, in the Gateway mode drop-down list, select Normal.
The Forward requests to HTTP Server option allows you to forward requests that do not belong to RAS Secure Gateways (gateways handle HTML5 traffic, Wyse, and URL scheme). To specify multiple servers, separate them with a semicolon. An HTTP server can be specified using an IPv6 address if necessary. Please note that the HTTP server must support the same IP version as the browser making the request.
The Preferred Connection Broker drop-down list allows you to specify a RAS Connection Broker that the Secure Gateway should connect to. This is helpful when Site components are installed in multiple physical locations communicating through WAN. You can decrease network traffic by specifying a more appropriate Connection Broker. For the Secure Gateway to select a Connection Broker automatically, select the Automatic option.
To configure the forwarding mode, in the Gateway mode drop-down list, select Forwarding.
Specify (or select) one or more forwarding Secure Gateways in the Forwarding RAS Secure Gateway(s) field.
Note: The forwarding mode allows you to forward data to a Secure Gateway listening on IPv6. It is recommended that forwarding Secure Gateways are configured to use the same IP version.
The traffic between Parallels RAS users and a RAS Secure Gateway can be encrypted. The SSL/TLS tab allows you to configure data encryption options.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see .
The Configure button in the HSTS section allows you to enforce HTTP Strict Transport Security (HSTS), which is a mechanism that makes a web browser communicate with the web server using only secure HTTPS connections. When HSTS is enforced for a RAS Secure Gateway, all web requests to it will be forced to use HTTPS. This specifically affects the , which typically accepts only HTTPS requests for security reasons.
When you click the Configure button, the HSTS Settings dialog opens where you can specify the following:
Enforce HTTP strict transport security (HSTS): Enables or disables HSTS for the Secure Gateway.
Max-age: Specifies the max-age for HSTS, which is the time (in our case in months) that the web browser should remember that it can only communicate with the Secure Gateway using HTTPS. The default (and recommended) value is 12 months. Acceptable values are 4 to 120 months.
Include subdomains: Specifies whether to include subdomains (if you have them).
Preload: Enables or disables HSTS preloading. This is a mechanism whereby a list of hosts that wish to enforce the use of SSL/TLS on their Site is hardcoded into a web browser. The list is compiled by Google and is used by Chrome, Firefox, Safari, Internet Explorer 11, and Edge browsers. When HSTS preload is used, a web browser will not even try to send a request using HTTP, but will use HTTPS every time. Please also read the important note below.
Note: To use HSTS preload, you have to submit your domain name for inclusion in Chrome's HSTS preload list. Your domain will be hardcoded into all web browsers that use the list. Important: Inclusion in the preload list cannot easily be undone. You should only request inclusion if you are sure that you can support HTTPS for your entire Site and all its subdomains in the long term (usually 1-2 years).
Please also note the following requirements:
Your website must have a valid SSL certificate. See .
All subdomains (if any) must be covered in your SSL Certificate. Consider ordering a Wildcard Certificate.
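The Max-age, Include subdomains, and Preload settings above surface as directives of the Strict-Transport-Security response header. The following is an added example (not Parallels code) that parses a header value captured from a gateway response and reports what would block a preload submission. The sample header values are constructed, and the one-year minimum is the preload list's own published requirement, not a RAS setting.

```python
import re

# Minimum max-age (one year, in seconds) required by the HSTS preload list.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # the value may be a quoted string
        if name in directives:
            # A repeated directive makes the whole header non-conformant.
            raise ValueError(f"directive {name!r} appears more than once")
        directives[name] = value
    if "max-age" not in directives:
        raise ValueError("required max-age directive is missing")
    if not re.fullmatch(r"[0-9]+", directives["max-age"]):
        raise ValueError("max-age is not a whole number of seconds")
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def audit_hsts(header_value):
    """Return a list of findings; an empty list means nothing to fix."""
    if header_value is None:
        return ["no Strict-Transport-Security header: HSTS is not enforced"]
    try:
        policy = parse_hsts(header_value)
    except ValueError as exc:
        return [f"invalid header, browsers will ignore it: {exc}"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    if policy["preload"]:
        if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
            days = policy["max_age"] // 86400
            findings.append(
                f"preload requested but max-age is only {days} days; "
                "the preload list requires at least one year"
            )
        if not policy["include_subdomains"]:
            findings.append(
                "preload requested without includeSubDomains; "
                "the preload list requires it"
            )
    return findings


# Constructed sample values, as they might be copied from a browser's
# network inspector. They are not captured from a real gateway.
SAMPLE_HEADERS = {
    "preload ready": "max-age=31536000; includeSubDomains; preload",
    "short preload": "max-age=10368000; preload",
    "duplicate": "max-age=31536000; max-age=0",
    "header absent": None,
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(label, "->", audit_hsts(value) or "ok")
```
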
By default, a self-signed certificate is assigned to a RAS Secure Gateway when the gateway is installed. Each RAS Secure Gateway must have a certificate assigned and the certificate should be added to Trusted Root Authorities on the client side to avoid security warnings.
To configure SSL for a Secure Gateway:
Select the Enable SSL on Port option and specify a port number (default is 443).
In the Accepted SSL Versions drop-down list, select the SSL version accepted by the RAS Secure Gateway.
In the Cipher Strength field, select a desired cipher strength.
In the Cipher field, specify the cipher. A stronger cipher allows for stronger encryption, which increases the effort needed to break it.
The Use ciphers according to server preference option is ON by default. You can use client preferences by disabling this option.
The <All matching usage> option will use any certificate configured to be used by Secure Gateways. When you create a certificate, you specify the "Usage" property where you can select "Gateway", "HALB", or both. If this property has the "Gateway" option selected, it can be used with a Secure Gateway. Please note that if you select this option, but not a single certificate matching it exists, you will see a warning and will have to create a certificate first.
By default, the only type of connection that is encrypted is a connection between a Secure Gateway and backend servers. To encrypt a connection between Parallels Client and the Secure Gateway, you also need to configure connection properties on the client side. To do so, in Parallels Client, open connection properties and set the connection mode to Gateway SSL.
To simplify the Parallels Client configuration, it is recommended to use a certificate issued by a well-known third-party Trusted Certificate Authority. Note that the Windows certificate store is used by some web browsers (Chrome, Edge, etc.) when connecting to RAS User Portal.
If the certificate is self-signed or is issued by an Enterprise CA, Parallels Clients should be configured as follows:
Export the certificate in Base-64 encoded X.509 (.CER) format.
Open the exported certificate with a text editor, such as Notepad or WordPad, and copy the contents to the clipboard.
To add the certificate with the list of trusted authorities on the client side and enable Parallels Client to connect over SSL with a certificate issued from an organization’s Certificate Authority:
On the client side in the directory "C:\Program Files\Parallels\Remote Application Server Client\" there should be a file called trusted.pem. This file contains certificates of common trusted authorities.
Paste the content of the exported certificate (attached to the list of the other certificates).
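The copy-and-paste steps above can be scripted so that the export format is checked and the same certificate is never appended twice. This is an added example, not a Parallels tool: the function names are hypothetical, the check is structural only (it does not validate the certificate chain), and the certificates in demo() are constructed stand-in bytes rather than real certificates.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der_list(text):
    """Return the decoded DER bytes of every CERTIFICATE block in text."""
    ders = []
    for body in PEM_BLOCK_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"PEM block is not valid Base-64: {exc}") from None
        if not der or der[0] != 0x30:   # X.509 DER starts with an ASN.1 SEQUENCE
            raise ValueError("PEM block does not hold an ASN.1 SEQUENCE")
        ders.append(der)
    return ders


def der_to_pem(der):
    """Encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def append_trusted_cert(exported_cer, trusted_pem):
    """Append one exported certificate to trusted.pem.

    Returns True if it was appended, False if it was already present.
    Raises ValueError if the export is not a single Base-64 certificate.
    The trusted.pem file must already exist; existing bytes are not rewritten.
    """
    raw = Path(exported_cer).read_bytes()
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError(
            "export is binary; re-export as Base-64 encoded X.509 (.CER)"
        ) from None
    found = pem_to_der_list(text)
    if len(found) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(found)}")
    der = found[0]
    store = Path(trusted_pem)
    current = store.read_bytes()
    # Compare decoded bytes so line wrapping differences do not hide a duplicate.
    if der in pem_to_der_list(current.decode("latin-1")):
        return False
    separator = b"" if (not current or current.endswith(b"\n")) else b"\n"
    with store.open("ab") as fh:
        fh.write(separator + der_to_pem(der).encode("ascii"))
    return True


def demo():
    """Run against temporary files with constructed stand-in certificates."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "trusted.pem"
        export = Path(tmp) / "gateway.cer"
        store.write_text(der_to_pem(bytes([0x30, 0x03, 0x02, 0x01, 0x01])))
        export.write_text(der_to_pem(bytes([0x30, 0x03, 0x02, 0x01, 0x02])))
        first = append_trusted_cert(export, store)
        second = append_trusted_cert(export, store)
        return first, second, len(pem_to_der_list(store.read_text()))


if __name__ == "__main__":
    print(demo())
```
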
A Parallels Client normally communicates with a RAS Secure Gateway over a TCP connection. Recent Windows clients may also utilize a UDP connection to improve WAN performance. To provide the SSL protection for UDP connections, DTLS must be used.
To use DTLS on a RAS Secure Gateway:
On the SSL/TLS tab, make sure that the Enable SSL on Port option is selected.
The Parallels Clients must be configured to use the Gateway SSL Mode. This option can be set in the Connections Settings > Connection Mode drop-down list on the client side.
Once the above options are correctly set, both TCP and UDP connections will be tunneled over SSL.
SSL certificates are created on the Site level using the Farm > Site > Certificates subcategory in the RAS Console. Once a certificate is created, it can be assigned to a RAS Secure Gateway. For the information about creating and managing certificates, refer to the chapter.
In the Certificates drop-down list, select a desired certificate. For the information on how to create a new certificate and make it appear in this list, see the chapter.
On the , make sure that the Enable RDP UDP Data Tunneling option is selected.
Use IP version: Select the IP version(s) to use.
IP(s): Specify one or more IP addresses separated by a semicolon, or click Resolve to resolve the IP address automatically. These are the available addresses on the Secure Gateway server. To specify IP addresses that should be used for client connections, use the Bind to IP section (see below).
Bind to IP: Use this section to specify on which IP address (or addresses) the Secure Gateway will listen for client connections. You can select a specific address or <All available addresses>, in which case all of the IP addresses specified in the IP(s) field will be used.
Remove system buffers for: These fields (one for each IP version) can be used when the connection between the Secure Gateway and the Parallels Client has a high latency (such as the Internet). This option will optimize traffic for better experience on the Parallels Client side. You can select a specific address, all available addresses, or none. What this option will do is delay the internal socket to match the performance of the external socket. If the internal network is fast and the external is slow, RDP detects the fast internal socket and sends a lot of data. The problem is that this data cannot be sent fast enough from the Secure Gateway to the Client, thus ending up with a bad user experience. Enabling this option will optimize the data exchange.
You can specify the following IP options:
IP addresses for incoming client connections for a Secure Gateway are specified on the General tab of the RAS Secure Gateway Properties dialog. RAS Secure Gateway recognizes both IPv4 and IPv6. By default, IPv4 is used.
To use Site default settings on the User Portal tab, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site defaults (Gateways).
To enable or disable User Portal, select or clear the Enable User Portal option. Clearing the option disables User Portal, so users will not be able to connect to User Portal using the Web Client.
User Portal is a functionality built into RAS Secure Gateway that allows users to connect to Parallels RAS and open published resources from a web browser using the Parallels Web Client. The client works similarly to a platform-specific Parallels Client, but does not require any additional software to be installed on users' computers or devices. All that users need is an HTML5-enabled web browser.
This section describes how to configure User Portal in the Parallels RAS Console. For the information about how to use it, please refer to the chapter.
Note: To use Web Client and User Portal, SSL must be enabled on a RAS Secure Gateway. When enabling the client, please verify that SSL is enabled on the SSL/TLS tab or on your network load balancer. Please also note that the User Portal tab is only available if the gateway mode is set to "Normal". For more information, see .
To configure User Portal, click the User Portal tab in the RAS Secure Gateway properties dialog and then set the options described in the subsequent sections.
For the information on how to configure the Web Client URL and how to access the client from a web browser, please .
The Client section allows you to specify application launch methods and other Web Client settings.
Launch sessions using: When a user tries to open a resource from the User Portal web page, the resource can open right in the web browser or it can be launched in a platform-specific Parallels Client installed on the user's computer (e.g., Parallels Client for Windows). This option specifies which client will be used. Compared to Web Client, platform-specific Parallels Client includes a richer set of features and provides end users with a better overall user experience. Select one of the following:
Browser Only: Users can run remote applications and desktops using Parallels Web Client only. Use this option if you don't want your users to install a platform-specific Parallels Client.
Parallels Client Only: Users can run remote applications and desktops in Parallels Client only. When a user connects to Parallels RAS using Parallels Web Client, they will be asked to install the platform-specific Parallels Client before they can launch remote applications and desktops. A message will be displayed to the user with a link for downloading the Parallels Client installer. After the user installs Parallels Client, they can still select a remote application or desktop in Parallels Web Client but it will open in Parallels Client instead.
Parallels Client with fallback to Browser: Both Parallels Client and a browser (HTML5) can be used to launch remote applications and desktops. Parallels Client will be the primary method; Parallels Web Client will be used as a backup method if a published resource cannot be launched in Parallels Client for any reason. A user will be informed if a resource couldn't be opened in Parallels Client and will be given a choice to open it in the browser instead.
(Parallels Client with fallback to Browser and Parallels Client Only) Additionally, you can configure Parallels Client detection by clicking the Configure button:
Detect client: Select when Parallels RAS tries to detect platform-specific Parallels Client.
Automatically on sign in: Parallels RAS tries to detect platform-specific Parallels Client immediately.
Manually on user prompt: Parallels RAS shows users a prompt where they can select whether they want to detect platform-specific Parallels Client.
Client detection timeout: Time period during which Parallels RAS tries to detect platform-specific Parallels Client.
Allow users to select a launch method: If selected, users will be able to choose whether to open remote applications in a browser or in Parallels Client. You can enable this option only if the Launch sessions using option (above) is set to Parallels Client with fallback to Browser (i.e. both methods are allowed).
Allow opening applications in a new tab: If selected, users will be able to open remote applications in a new tab in a web browser.
Use Pre Windows 2000 login format: Enables legacy (pre-Windows 2000) login format.
Allow embedding of User Portal into other web pages: If selected, the User Portal web page can be embedded in other web pages. Please note that this may be a potential security risk due to a practice known as clickjacking.
Allow file transfer command: Enables file transfer in a remote session. To enable file transfer, select this option and click the Configure button. In the dialog that opens, select Client to server only (transfer files from client to server only), Server to client only (transfer files from server to client only), Bidirectional (transfer files in both directions). For more information, see Configuring Remote File Transfer.
Allow clipboard command: Enables clipboard operations (copy/paste) in a remote session. To enable the clipboard, select this option and click the Configure button. In the dialog that opens, select Client to server only (copy/paste from client to server only), Server to client only (copy and paste from server to client only), Bidirectional (copy and paste in both directions). For more information about using the clipboard, see Using the Remote Clipboard.
Allow cross-origin resource sharing: Enables cross-origin resource sharing (CORS). To enable CORS, select this option and click the Configure button. In the dialog that opens, specify one or more domains for which access to resources should be allowed. If you don't specify any domains, the option will be automatically disabled. In the Browser cache time field, specify for how long the end-user's browser will cache a resource.
Use a client IP detection service: If selected, allows configuring an IP detection service to report IP addresses of connected Parallels Web Client applications. To enable a client IP detection service, select this option and click the Configure button. In the dialog that opens, provide the URL to the IP detection service you want to use. You can press the Test button to ensure the API works as expected. When you click the Test button, the Connection Broker will take the role of the client and call the API. If successful, you will be presented with a window showing the IP address of the Connection Broker.
The Network tab is used to configure RAS Secure Gateway network options.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site Defaults (Gateways).
By default RAS Secure Gateway listens on TCP ports 80 and 443 to tunnel all Parallels RAS traffic. To change the port, specify a new port in the RAS Secure Gateway Port input field.
RDP port 3389 is used for clients that require basic load balanced desktop sessions. Connections on this port do not support published resources. To change the RDP port on a gateway select the RDP Port option and specify a new port. When setting your own port, please make sure that the port number does not conflict with the standard "RD Session Host Port" setting.
Note: If RDP port is changed, the users need to append the port number to their connection string in the remote desktop client (e.g. [ip address]:[port]).
Broadcast RAS Secure Gateway Address. This option can be used to switch on the broadcasting of the Secure Gateway address, so Parallels Clients can automatically find their primary Secure Gateway. The option is enabled by default.
Enable RDP UDP Data Tunneling. To enable UDP tunneling on Windows devices, select this option (default). To disable UDP tunneling, clear the option.
Device Manager Port. Select this option to enable management of Windows devices from the Device Manager category. The option is enabled by default.
Enable RDP DOS Attack Filter. When selected, this option denies chains of uncompleted sessions from the same IP address. For example, if a Parallels Client initiates multiple successive sessions with each session waiting for the user to provide credentials, Parallels RAS will deny further attempts. The option is enabled by default.
You can allow or deny user access to a Secure Gateway based on a MAC address. This can be accomplished using the Security tab in the RAS Secure Gateway Properties dialog.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site defaults (Gateways).
To configure a list of allowed or denied MAC addresses, click the Security tab and select one of the following options:
Allow all except. All devices on the network will be allowed to connect to the Secure Gateway except those included in this list. Click Tasks > Add to select a device or to specify a MAC address.
Allow only. Only the devices with the MAC addresses included in the list are allowed to connect to the Secure Gateway. Click Tasks > Add to select a device or to specify a MAC address.
Please note that the Secure Gateway MAC address filtering is based on ARP, so client and server must be on the same network for the filtering to work. It does not work across network boundaries.
When configuring RAS Secure Gateway to use SSL encryption, you should pay attention to how the SSL server is configured to avoid possible traps and security issues. Specifically, the following SSL components should be rated to determine how good the configuration is:
The certificate, which should be valid and trusted.
The protocol, key exchange, and cipher should be supported.
The assessment may not be easy to perform without specific knowledge about SSL. That's why we suggest that you use the SSL Server Test available from Qualys SSL Labs. This is a free online service that performs an analysis of the configuration of an SSL web server on the public Internet. To perform the test on a RAS Secure Gateway, you may need to temporarily move it to the public Internet.
The test is available at the following URL: https://www.ssllabs.com/ssltest/.
You can read a paper from Qualys SSL Labs describing the methodology used in the assessment at the following URL: https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide.
Note: The Web tab is only available if the gateway mode is set to normal. See more in Gateway mode and forwarding settings.
The Web tab allows you to tweak settings necessary for load balancing in certain scenarios. Here you can specify a redirection URL for web requests and a session cookie name to maintain persistence between a client and a server.
An original web request can reach the gateway one of the following two ways:
The request is sent directly to the gateway over the local network using its IP address or FQDN. For example, https://192.168.10.10.
The request is sent to a HALB device that load-balances this and other gateways in the Farm. The HALB device often faces the Internet (i.e. is located in the DMZ) and so its DNS name can be used in the original request URL. For example, https://ras.msp.com. The HALB device then distributes the request to a gateway.
When the gateway receives the web request, it takes the URL specified on the Web tab and sends it back to the web browser for redirection.
Technically, you can enter any URL here, and the original web request will be redirected to that URL. The primary purpose of this field, however, is to give end users an easy way to access User Portal from their web browsers. Here's how it works:
A user enters the Load Balancer DNS name in a web browser. For example, https://ras.msp.com.
The Load Balancer receives the request and distributes it to the least-busy RAS Secure Gateway for processing.
The gateway receives the original URL and replaces it with the URL specified in the Default URL field. See the Default URL format subsection below.
The replaced URL is then sent back to the web browser, which uses it to open the User Portal login page.
The default URL format is the following:
https://%hostname%/userportal
The %hostname% variable is automatically replaced with the name of the server that received the original request, which in our example is the Load Balancer DNS name. If you wish, you can replace the variable with a specific host name or IP address (e.g. this or some other gateway). For example, https://192.168.5.5/userportal. If you do this, the web requests will always be forwarded to the specified host and will open the User Portal on it. Hard-coding a host may not be very practical, but you can do this nevertheless.
userportal is a constant and is the path to the User Portal login page.
In our example, the resulting URL that the web browser will use to access the User Portal is the following:
https://ras.msp.com/userportal
The fact is, a user could simply use the above URL from the start, but thanks to the redirection feature, users only need to enter the server DNS name (or FQDN/IP-address on the local network) instead of the entire URL.
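Because %hostname% is filled in from the incoming request, the value that ends up in the redirect should be one the Site actually serves. The sketch below is an added example, not the gateway's implementation: the function name, the allow-list parameter, and the choice to keep a port sent by the client are assumptions made for illustration.

```python
import re

# Host header syntax accepted here: a DNS name, an IPv4 address, or a
# bracketed IPv6 literal, optionally followed by ":port". Anything else
# (paths, userinfo, whitespace, control characters) fails the match.
HOST_RE = re.compile(
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"
    r"(?::(?P<port>[0-9]{1,5}))?"
)


def expand_default_url(template, host_header, allowed_hosts):
    """Expand the Default URL template for one request.

    template      -- e.g. "https://%hostname%/userportal"
    host_header   -- the Host value received with the request
    allowed_hosts -- names and addresses this Site is published under
                     (hypothetical allow-list maintained by the administrator)

    Returns the redirect URL, or None if the request should be rejected.
    """
    if "%hostname%" not in template:
        # A hard-coded host never reflects request data.
        return template
    match = HOST_RE.fullmatch(host_header or "")
    if match is None:
        return None
    host = match["host"].lower()
    if host not in {name.lower() for name in allowed_hosts}:
        return None
    port = match["port"]
    if port is not None and not 0 < int(port) <= 65535:
        return None
    # Assumption: a port supplied by the client is kept in the redirect.
    authority = host if port is None else f"{host}:{port}"
    return template.replace("%hostname%", authority)


# Constructed allow-list using the host names from the examples on this page.
SITE_HOSTS = {"ras.msp.com", "192.168.10.10"}
DEFAULT_URL = "https://%hostname%/userportal"

if __name__ == "__main__":
    for candidate in ("ras.msp.com", "RAS.MSP.COM:443",
                      "unlisted.example", "ras.msp.com/extra"):
        print(repr(candidate), "->",
              expand_default_url(DEFAULT_URL, candidate, SITE_HOSTS))
```
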
User Portal Themes is a feature that allows you to custom design the User Portal look and feel for different groups of users. Themes are described in detail in Parallels Web Client and User Portal.
The default web request URL opens the default Theme. To make it open a specific Theme, add the Theme name at the end of the URL as follows:
https://%hostname%/userportal/?theme=<theme-name>
where <theme-name> is the name of a Theme without brackets or quotes.
For users to open a specific Theme, the URL that they enter in a web browser must contain the Theme name, but in this case the format is as simple as the following:
https://<server-name>/<theme-name>
Using our Load Balancer DNS name example from above, the URL may look like the following:
https://ras.msp.com/Theme-E1
For additional information, please see Configure Themes > URLs.
The Web cookie field is used to specify a session cookie name. RAS Web Client session persistence is normally set by the user IP address (source addressing). If you can't use source addressing in your environment (e.g. your security policy doesn't allow it), you can use the session cookie to maintain persistence between a client and a server. To do so, you need to set up a load balancer that can use a session cookie for persistence. The default cookie name is ASP.NET_SessionId. Note that if you are using Amazon Web Services (AWS) or other third-party load balancers, you may need to specify their own cookie name. See Network load balancers access for more information.
Tunneling policies can be used to load balance connections by assigning a group of RD Session Hosts to a specific RAS Secure Gateway or RAS Secure Gateway IP address.
To configure tunneling policies, navigate to Farm > <Site> > Secure Gateways and then click the Tunneling Policies tab in the right pane.
The <Default> policy is a preconfigured rule and is always the last one to catch all non-configured Secure Gateway IP addresses and load balance the sessions between all servers in the Farm. You can configure the <Default> policy by right-clicking it and then clicking Properties in the context menu.
To add a new policy:
Click Tasks > Add.
Select a Secure Gateway IP address.
Specify to which RD Session Host(s) the users connecting to that specific Secure Gateway should be forwarded. If you select None (no forwarding), read the Restricting RDP access section below.
To modify an existing Tunneling Policy, right-click it and then click Properties in the context menu.
You can use tunneling policies to restrict RDP access through the RAS Secure Gateway port. To do so, on the Tunneling Policies tab, select the None option at the bottom of the tab (this is the default setting in a new Parallels RAS installation). By doing so, you are restricting native MSTSC from accessing the gateway through its port (the default port is 80). As a result, when someone tries to use MSTSC at IP-address:80, the access will be denied. The same will happen for an RDP connection from a Parallels Client.
There are a couple of reasons why you would want to restrict RDP access. The first one is when you want your users to connect to the RAS Farm using the Parallels RAS connection only, but not RDP. The second reason is to prevent a DDoS attack.
A common indication of a DDoS attack taking place is when your users cannot log in to a RAS Farm for no apparent reason. If that happens, you can look at the Controller.log file (located on the RAS Connection Broker server, path C:\ProgramData\Parallels\RASLogs) and see that it is full of messages similar to the following:
[I 06/0000003E] Mon May 22 10:37:00 2018 - Native RDP LB Connection from Public IP x.x.x.x, Private IP xxx.xxx.xx.xx, on Secure Gateway xxx.xxx.xx.xx, Using Default Rule
[I 06/00000372] Mon May 22 10:37:00 2018 - CLIENT_IDLESERVER_REPLY UserName hello@DOMAIN, ClientName , AppName , PeerIP xxx.xxx.xx.xx, Secure GatewayIP xxx.xx.x.xx, Server , Direct , desktop 0
[I 05/0000000E] Mon May 22 10:37:00 2018 - Maximum amount of sessions reached.
[I 06/00000034] Mon May 22 10:37:00 2018 - Resource LB User 'hello' No Servers Available!
[W 06/00000002] Mon May 22 10:37:00 2018 - Request for "" by User hello, Client , Address xxx.xxx.xx.xx, was not served error code 14.
These messages tell us that a DDoS attack is in progress on the RDP port. By restricting RDP access through Secure Gateway tunneling policies, you can prevent this from happening.
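The pattern described above (a burst of native RDP connections together with session-exhaustion messages) can be checked for automatically. The following is an added example, not part of Parallels RAS: it parses lines in the Controller.log layout shown above, groups them per minute, and flags minutes that match. The threshold of 20 connections per minute and all sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# "[I 06/0000003E] Mon May 22 10:37:00 2018 - message"
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z]) (?P<code>[0-9A-Fa-f]{2}/[0-9A-Fa-f]{8})\] "
    r"[A-Za-z]{3} (?P<ts>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) - (?P<msg>.*)$"
)
NATIVE_RDP_RE = re.compile(r"Native RDP LB Connection from Public IP (?P<ip>[^,\s]+)")
EXHAUSTION_MARKERS = (
    "Maximum amount of sessions reached",
    "No Servers Available",
    "was not served error code 14",
)


def parse_line(line):
    """Return (timestamp, level, message) or None for lines in another layout."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    # The weekday is skipped by the regex; only the date and time are parsed.
    stamp = datetime.strptime(" ".join(match["ts"].split()), "%b %d %H:%M:%S %Y")
    return stamp, match["level"], match["msg"]


def find_rdp_floods(lines, min_connections=20):
    """Flag minutes with many native RDP connections plus exhaustion messages."""
    buckets = defaultdict(lambda: {"native_rdp": 0, "exhausted": 0, "sources": Counter()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, _level, msg = parsed
        bucket = buckets[stamp.replace(second=0)]
        rdp = NATIVE_RDP_RE.search(msg)
        if rdp:
            bucket["native_rdp"] += 1
            bucket["sources"][rdp["ip"]] += 1
        elif any(marker in msg for marker in EXHAUSTION_MARKERS):
            bucket["exhausted"] += 1
    alerts = []
    for minute in sorted(buckets):
        bucket = buckets[minute]
        if bucket["native_rdp"] >= min_connections and bucket["exhausted"] > 0:
            alerts.append({
                "minute": minute,
                "native_rdp": bucket["native_rdp"],
                "exhausted": bucket["exhausted"],
                "top_sources": bucket["sources"].most_common(3),
            })
    return alerts


def build_sample_log():
    """Constructed log lines (documentation IP ranges), not real gateway data."""
    def rdp(clock, ip):
        return (f"[I 06/0000003E] Mon May 22 {clock} 2018 - Native RDP LB Connection "
                f"from Public IP {ip}, Private IP 10.0.0.5, on Secure Gateway "
                "10.0.0.2, Using Default Rule")
    lines = [rdp("10:36:05", "192.0.2.10"), rdp("10:36:40", "192.0.2.11")]
    lines += [rdp(f"10:37:{i:02d}", "203.0.113.7") for i in range(20)]
    lines += [rdp(f"10:37:{30 + i:02d}", "198.51.100.9") for i in range(5)]
    lines += [
        "[I 05/0000000E] Mon May 22 10:37:41 2018 - Maximum amount of sessions reached.",
        "[I 06/00000034] Mon May 22 10:37:41 2018 - Resource LB User 'hello' No Servers Available!",
        '[W 06/00000002] Mon May 22 10:37:41 2018 - Request for "" by User hello, '
        "Client , Address 10.0.0.5, was not served error code 14.",
        "a line in some other layout",
    ]
    return lines


if __name__ == "__main__":
    for alert in find_rdp_floods(build_sample_log()):
        print(alert)
```

To run it against a real log, pass the lines of Controller.log instead of the constructed sample and tune min_connections to the Site's normal native RDP volume.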
You can view the summary information for all available RAS Secure Gateways in one place as follows:
In the RAS Console, select the Farm category and then select the Site node in the middle pane.
The available RAS Secure Gateways are displayed in the Gateways group in the right pane.
To go to the main Gateway view/editor, right-click a server and choose Show in the Editor.
You can also view the detailed information about a RAS Secure Gateway by navigating to Information > Site in the Parallels RAS Console. The information on this page includes general information, such as OS version, RAS version, Gateway mode, as well as the information about various types of connections, sessions, cached sockets, and threads.
A RAS Secure Gateway is enabled by default. To enable or disable a Secure Gateway, open the RAS Secure Gateway Properties dialog and select or clear the Enable RAS Secure Gateway in site option on the General tab.
To publish applications from the Parallels RAS to thin clients using the Wyse ThinOS, select the Enable Wyse ThinOS support option on the Wyse tab.
Note: The Wyse tab is only available if the gateway mode is set to normal. See Gateway mode and forwarding settings for more info.
By enabling this option, the RAS Secure Gateway will act as a Wyse broker. You need to make sure that DHCP option 188 on your DHCP server is set to the IP address of this gateway for thin clients that will be booting via this Secure Gateway. Once the DHCP server is configured, click the Test button to verify the DHCP server settings.
The Do not warn if server certificate is not verified option can be selected (enabled) if a Wyse device shows an SSL warning when connecting to a RAS Secure Gateway because the hostname does not match the certificate. When the option is selected, the Secure Gateway will send Wyse clients the following parameters in the wnos.ini file: SecurityPolicy=low TLSCheckCN=no, which will disable SSL checks. Note that the option is not required if a certificate has the following:
The CNAME set to the FQDN of the RAS Secure Gateway.
The SAN set to the RAS Secure Gateway IP address.
Note that if you use a custom wnos.ini in "C:\Program Files (x86)\Parallels\ApplicationServer\AppData\wnos" folder on Secure Gateway, the Secure Gateway will not send the SSL check parameters.
If you configure DHCP option 188 to set the broker address to a given Secure Gateway, you can verify this by clicking the Test button.
The Network Load Balancers access section is intended for deployment scenarios where third-party front-end load balancers such as Amazon Web Services (AWS) Elastic Load Balancers (ELBs) are used. It allows you to configure an alternate hostname and port number to be used by the Network Load Balancer (NLB). This is needed to separate hostnames and ports on which TCP and HTTPS communications are carried out because AWS load balancers don't support both specific protocols over the same port.
The following options are available:
Use alternate hostname: Select this option and specify an alternate hostname. When the alternate hostname is enabled, all platform-specific Parallels Clients will use this hostname to connect to the RAS Farm or Site.
Use alternate port: Select this option and specify an alternate port number. The port must not be used by any other component in the RAS Farm or Site. To reset the port number to the default value, click Default. When the alternate port is enabled, all platform-specific Parallels Clients will use this port to connect to the RAS Farm or Site. Note that RDP sessions in Web Client will still be connecting to the standard SSL port (443).
Note: Please note that using an alternate host or port is not suitable in a multi-tenant environment as Tenant Broker RAS Secure Gateways are shared between Tenants, which would require different configurations.
In addition, the AWS Application Load Balancer (ALB), which handles HTTP/s traffic required by the Parallels Web Client, only supports specific cookies that are usually automatically generated. When a load balancer first receives a request from a client, it routes the request to a target and generates a cookie named AWSALB, which encodes information about the selected target. The load balancer then encrypts the cookie and includes it in the response to the client. When sticky sessions are enabled, the load balancer uses the cookie received from the client to route the traffic to the same target, assuming the target is registered successfully and is considered healthy. By default, Parallels RAS uses its own ASP.NET cookie named _SessionId; in this case, however, you must customize the cookie by specifying the AWS cookie mentioned above for sticky sessions. This can be configured using the Web cookie field on the Web Requests tab. Please note that this functionality is available in Parallels RAS 17.1 or newer.
RD Session Hosts are used to host published resources (applications, desktops, documents, etc.) in a Parallels RAS Farm. Read this chapter to learn how to add, configure, and administer RD Session Hosts.
Beginning with Parallels RAS v16.5, you can create and add to a RAS Farm the following types of RD Session Hosts:
Individual servers. These can be physical boxes or virtual machines treated as physical servers. For information on how to create these types of servers, see Adding an RD Session Host.
Virtual machines (VMs) created from a template, which is a part of RAS Virtual Desktop Infrastructure (VDI). The main advantage of using VMs is the ability to create as many of them as you require from a single template. For information on how to create these types of servers, see Add a template-based RD Session Host.
Because a template is a part of RAS VDI, some aspects of creating, provisioning, and managing RD Session Hosts based on a template differ from those of regular RD Session Hosts (individual servers). When reading these sections, please pay attention to whether or not a particular functionality applies to RD Session Hosts based on a template.
A RAS Secure Gateway is monitored and logs are created containing relevant information. To configure logging and retrieve or clear existing log files, right-click a gateway, choose Troubleshooting > Logging in the context menu, and then click Configure, Retrieve, or Clear depending on what you want to do. For the information on how to perform these tasks, see the Logging section.
A template-based RD Session Host is a clone of a virtual machine running on a hypervisor or a cloud-based provider. When you create a template, you select a preconfigured VM with the operating system and applications already installed. Individual hosts (VMs) are then created as clones of the template. The clones can be created in advance or on an as-needed basis (configurable when you create a template). This functionality allows you to create and configure an RD Session Host running in a virtual machine and then create as many copies of it as you require.
To add a template-based RD Session Host to a Site:
Create a template as described in .
Assign the template to a host pool as described in .
Add individual RD Session Hosts to the host pool. Do one of the following:
If you want to add RD Session Hosts manually, go to the host pool properties, select the Servers tab and click Tasks > Add (or click the [+] icon). In the dialog that opens, select the number of RD Session Hosts you want to create and click OK.
If you want Parallels RAS to add RD Session Hosts automatically when certain conditions are met, configure autoscaling as described in
RAS Secure Gateway tunnels all Parallels RAS data on a single port. It also provides secure connections and is the user connection point to Parallels RAS.
At least one RAS Secure Gateway must be installed and configured in every Site. Note that if a Site is joined as Tenant to RAS Tenant Broker, RAS Secure Gateway is not needed. For details, see RAS Multi-.
Multiple gateways can exist depending on your requirements. Read this chapter to learn how to add, configure, and manage RAS Secure Gateways.
Read this section to learn how to manage RD Session Host components in Parallels RAS.
RD Session Host templates are designed specifically to give you the ability to replicate RD Session Hosts running in virtual machines. Hosts created from an RD Session Host template are treated by Parallels RAS almost like regular RD Session Hosts. The main difference is, you can create as many hosts from a single template as you require, thus automating RD Session Host provisioning according to your needs.
RD Session Host templates are supported on the following VDI platforms:
Microsoft Hyper-V
Microsoft Hyper-V Failover Cluster
VMware vCenter
VMware ESXi
SC//HyperCore
Nutanix AHV (AOS)
Microsoft Azure
Amazon Web Services
RD Session Host templates support Windows Server 2008 R2 up to Windows Server 2022 as a guest OS. Compared to regular RD Session Hosts, servers created from an RD Session Host template do not support earlier versions of Windows Server. The reason is, these servers run in VMs and require the RAS Guest Agent installed in them, so the guest OS requirements are limited by Windows Server versions supported by RAS Guest Agent.
Please note that the following standard RAS VDI features are not available when using RD Session Host templates:
Pool management
Persistent hosts
Session management
Publishing from a specific Template
Some other strictly RAS VDI specific features.
For the information on how to provision RD Session Hosts created from a template, see Manage host pools (RD Session Hosts).
When you publish resources in Parallels RAS, you need to specify one or more servers that host them. Host pools allow you to combine multiple RD Session Hosts and then publish the resources from the host pool instead of specifying individual servers.
The main benefits of using RD Session Host host pools are as follows:
They simplify the management of published resources.
They allow you to use RD Session Hosts created from a template. More on this later in this section.
Each RD Session Host must belong to a host pool. Parallels RAS comes with a built-in host pool named <Default> that you can use. Note that an RD Session Host can be a member of one host pool only. You cannot add the same server to multiple host pools.
To move an RD Session Host from one host pool to another:
In the RAS console, navigate to Farm > <Site> > RD Session Hosts.
Select an RD Session Host.
Click Tasks > Assign to host pool or right-click the RD Session Host and select Assign to host pool in the context menu.
In the Assign to Host pool dialog, select the host pool you need.
Note: The settings of the new host pool will apply to the RD Session Host.
The settings on the Autoscale tab of the host pool properties determine how RD Session Hosts are created from the specified template. The settings are described below.
Template: Specifies the template assigned to the host pool.
Enable autoscale: Enables autoscale.
Configure: Configures the autoscale settings:
Min number of hosts to be added to the host pool from the Template: Specifies the minimum number of servers that will be added to the host pool automatically when the template is assigned to the host pool. This number of servers will remain in the host pool irrespective of utilization.
Max number of hosts to be added to the host pool from the Template: This option allows you to set a limit on how many servers in total can be added to the host pool from the template. A template can be shared between host pools. By setting a limit for each host pool, you can ensure that the combined number of servers in each host pool will not exceed the template limit. Consider the following examples:
If the template is used by a single host pool, then this number can be up to the Maximum hosts setting of the template.
If two or more host pools share the same template, then the combined number from all host pools must be less than or equal to the Maximum hosts setting of the template.
When you save a host pool, a validation will be performed against other host pools (if any) and you will see an error message if the numbers don't match. Note that when a server cannot be created on request due to an error, a "Template error" event is triggered and the administrator will receive an alert message.
Add new or power on existing hosts when workload is above (%): Specifies a workload threshold in percent. When the actual workload is above this value, a new server (or servers) will be created and added to the host pool (if not already available). The host pool workload percentage is calculated using the following formula:
Host pool Workload = (Current Sessions / Max Sessions) * 100
In the formula above:
Current Sessions is the total number of all sessions on all servers in the host pool. This includes static (standalone) servers and servers created from the template (host pools). Note that servers that are disabled, being drained, or have the agent status of ‘Not Verified’ are not included in the calculation.
Max Sessions is the maximum number of sessions allowed for the host pool. It is a setting that you specify on the Agent Settings tab (either inherited from Site defaults or overridden for this host pool).
Consider the following examples:
RAS Host pool 1 — mixed server types (static and host pools), different agent status:
RDSH-1, Status: OK, Max Sessions 10, Current Sessions: 2, Type: Static
RDSH-2, Status: Disabled, Max Sessions 20, Current Sessions: 0, Type: Static
RDSH-3, Status: OK, Max sessions 10, Current Sessions: 4, Type: Host
RDSH-4, Status: Drain Mode, Max sessions 10, Current Sessions: 3, Type: Host
For the host pool above, the workload is calculated as (Current Sessions / Max Sessions) * 100 or ((2 + 4) / 20) * 100 = 30%
Note that servers RDSH-2 and RDSH-4 are not included in the workload because the former has the agent disabled and the latter is in drain mode.
RAS Host pool 2 — mixed server types (static and host pools), different agent status:
RDSH-1, Status: OK, Max Sessions 10, Current Sessions: 0, Type: Host
RDSH-2, Status: OK, Max Sessions 10, Current Sessions: 2, Type: Host
RDSH-3, Status: Not Verified, Max sessions 10, Current Sessions: 0, Type: Host
Host pool Workload = (Current Sessions / Max Sessions) * 100 or ((0 + 2) / 20) * 100 = 10%
Please note that a host pool will always make sure that it has at least one server available, even if the workload is zero percent.
Number of hosts to be added to the host pool per request: Specifies how many servers should be created when the workload goes above the threshold value. This setting works together with the Add servers from template when workload is above (%) setting described above. When a host pool sends a request to the template to create additional servers, the value specified here will determine the number of servers that will be created.
Drain and power off hosts from host pool when workload is below (%): Specifies a workload threshold in percent. When the actual workload is below this value and remains there for a period specified in the Workload remains below this level field, excessive hosts will be switched to drain mode or powered off. The period of time can be selected from the drop-down list or you can type your own integer value using "weeks", "days", "hours", "minutes", or "seconds" as the unit of measure. The server(s) with the least number of sessions will be switched to drain mode. As soon as all users are logged off from a server, it is unassigned from the host pool. At that point, the server becomes available to other host pools on demand.
Remove hosts from host pool after drain and power off: Specifies if hosts should be removed from the host pool after being drained and powered off.
Tip: Servers are unassigned from the host pool only when all user sessions on that particular server are logged off. In case user sessions are still present, such as user sessions in idle, active or disconnected state, autoscaling does not log off user sessions and does not unassign the server from a host pool.
Note: Parallels recommends setting viable timeouts for idle time and disconnected sessions either in Windows Host pool Policies or in the Site Default Properties dialog to make the drain mode effective. GPOs can be used to forcibly log off a user session, however this should be used carefully as this may result in data loss.
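The workload formula and the threshold settings of the Autoscale tab, as an added Python model (not Parallels RAS code). The two pools are the ones from the worked examples above; the policy values are constructed, and the "at-limit" outcome, the number of drain candidates returned, and the assumption that the "Workload remains below this level" period has already elapsed belong to this model, not to the product.

```python
from dataclasses import dataclass

# Agent states the page leaves out of the workload calculation.
EXCLUDED = {"disabled", "drain mode", "not verified"}


@dataclass
class Host:
    name: str
    status: str
    max_sessions: int
    current_sessions: int
    from_template: bool  # False for static (standalone) servers


@dataclass
class Policy:
    min_hosts: int          # Min number of hosts added from the Template
    max_hosts: int          # Max number of hosts added from the Template
    add_above_pct: float    # add/power on hosts when workload is above (%)
    hosts_per_request: int  # hosts added per request
    drain_below_pct: float  # drain/power off hosts when workload is below (%)


def counted(hosts):
    """Hosts that take part in the workload calculation."""
    return [h for h in hosts if h.status.lower() not in EXCLUDED]


def workload_pct(hosts):
    """(Current Sessions / Max Sessions) * 100 over counted hosts, or None
    when no host is counted and the ratio is undefined."""
    active = counted(hosts)
    capacity = sum(h.max_sessions for h in active)
    if capacity == 0:
        return None
    return 100 * sum(h.current_sessions for h in active) / capacity


def decide(hosts, policy):
    """Return ("add", n), ("at-limit", 0), ("drain", [names]) or ("hold", None).
    Drain names are candidates, least sessions first."""
    load = workload_pct(hosts)
    template_hosts = [h for h in hosts if h.from_template]
    if load is None or load > policy.add_above_pct:
        # Every template-created host counts against the pool's limit.
        headroom = max(policy.max_hosts - len(template_hosts), 0)
        n = min(policy.hosts_per_request, headroom)
        return ("add", n) if n else ("at-limit", 0)
    if load < policy.drain_below_pct:
        usable = [h for h in counted(hosts) if h.from_template]
        # Keep the template minimum and never drain the last counted host.
        spare = min(len(usable) - policy.min_hosts, len(counted(hosts)) - 1)
        if spare > 0:
            by_sessions = sorted(usable, key=lambda h: h.current_sessions)
            return ("drain", [h.name for h in by_sessions[:spare]])
    return ("hold", None)


# The two host pools from the page's worked examples.
POOL_1 = [
    Host("RDSH-1", "OK", 10, 2, False),
    Host("RDSH-2", "Disabled", 20, 0, False),
    Host("RDSH-3", "OK", 10, 4, True),
    Host("RDSH-4", "Drain Mode", 10, 3, True),
]
POOL_2 = [
    Host("RDSH-1", "OK", 10, 0, True),
    Host("RDSH-2", "OK", 10, 2, True),
    Host("RDSH-3", "Not Verified", 10, 0, True),
]
# Constructed policy values for illustration.
POLICY = Policy(min_hosts=1, max_hosts=4, add_above_pct=25,
                hosts_per_request=2, drain_below_pct=15)

if __name__ == "__main__":
    for label, pool in (("Host pool 1", POOL_1), ("Host pool 2", POOL_2)):
        print(label, workload_pct(pool), decide(pool, POLICY))
```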
RD Session Hosts assigned to a host pool have various settings that they can inherit from the host pool defaults. This makes it simpler to configure a single set of settings for all servers instead of configuring each server individually. A Site also has its own default settings (Site defaults). Moreover, an RD Session Host host pool can inherit these Site defaults. This gives you the following choices when inheriting default settings by an RD Session Host:
Configure Site defaults and make the host pool inherit these settings. The RD Session Hosts assigned to the host pool will therefore also inherit Site defaults. This is the default scenario for a new host pool. Site defaults can be configured by navigating to Farm > <Site> > RD Session hosts and clicking Tasks > Site defaults.
Configure default settings for a given host pool. This way you can have multiple host pools, each having its own host pool defaults (different from Site defaults). Therefore, the servers assigned to a host pool will inherit the host pool's defaults.
To configure default settings for a host pool, open the Host pool Properties dialog (Tasks > Properties), select a desired tab (except the General tab, which doesn't have any defaults) and select or clear the Inherit default settings option. If you clear the option, you can specify your own defaults. All servers that are (or will be) assigned to this host pool will inherit these settings. Note that inheritance works independently for each individual tab on the host pool properties dialog.
For information on how default settings are configured for an RD Session Host, see View and modify RD Session Host properties.
To complete the tasks described in this section, the following requirements must be met:
Requirements described in the "Requirements" subsection of Creating a VM template.
Network Discovery UDP port 137 must be enabled for a domain firewall profile in the guest OS. This can be done via domain group policies or manually in the guest OS.
Normally, you will push install the necessary agent software in a source VM right from the Parallels RAS console. However, you can also install the software manually by running the Parallels RAS installer in Windows in the VM. When doing so, use the Custom installation option and select the following agent components to be installed in the source VM: RAS Guest Agent and RAS RD Session Host Agent.
To create an RD Session Host template:
Add one of the supported providers, as described in Add a Provider.
Go to Farm > Site > RD Session Hosts > Templates tab.
In the Tasks drop-down menu, click Add (or click the [+] icon).
In the dialog that opens, select a host from which you would like to create a template and click OK.
The Create Parallels Template Wizard opens. Each wizard page is described below in the order they appear on the screen.
Verify that the Agent is installed and install it manually if needed as described in Step 1: Check and install the Agent. This step only appears if an on-premises Provider is used.
Configure the template as described in Step 2: Configure the template.
When you create RD Session Host host pools, you can assign a template to a host pool. This can be done when you create or modify a host pool, or it can be done from the Templates tab.
To assign a template to a host pool:
Go to Farm > Site > RD Session Hosts > Templates tab.
On the Templates tab, select a template.
Click Tasks > Assign to host pool.
Select the template version in the Version dialog.
A dialog opens listing existing RD Session Host host pools. Host pools that already have a template assigned are not shown in this list by default. To display them, select the Show host pools with assigned template option. The template that they are currently using is displayed in the Template column.
Select one or more host pools and click OK.
To remove a template from a host pool:
Select a template and click Tasks > Remove from host pool.
A dialog opens listing all host pools to which this template is assigned.
Select the host pools to remove the template from and click OK.
Note that if a host pool has hosts created from the template that you are removing, they will be removed as well. A message is displayed where you need to confirm the removal.
This section describes how to configure and manage an existing RD Session Host.
You can enable and configure automatic updates for all RD Session Host Agents in a host pool.
To schedule Agent auto-upgrade:
Go to Farm > Site > RD Session Hosts > Host pools > Properties > Auto-upgrade tab.
Clear the Inherit default settings option if you want to modify the settings for this host pool.
Select the Enable auto-upgrade maintenance window option. During the maintenance window, all hosts in the host pool will try to download Agent upgrades. The upgrades will be downloaded and installed as soon as all users log out of their hosts. New logons from users are prohibited (drain mode). If the users don't log off during a maintenance window, the upgrades won't be installed until the next window.
Specify the start date and time, duration, and recurrence settings for this event. To make this a one-time event, select Never in the Recur drop-down list.
(Optional) If you want to forcefully log off all users and download the upgrades at the end of a maintenance window, select the Force logoff of current sessions at the end of the maintenance window duration option.
(Optional) Configure a message that will be sent to users before or during a maintenance window. Click the Configure messages button and specify the message title, body, and the time period when it should be sent.
To cancel Agent auto-update:
Go to Farm > Site > RD Session Hosts > Host pools.
Select Tasks > Cancel auto-upgrade maintenance window.
To view the list of RD Session Hosts based on a specific template:
Go to Farm > <Site> > RD Session Hosts > Templates.
Select a template and click Tasks > Show servers.
RD Session Hosts based on a template inherit the template settings. To view the settings, note on which template an RD Session Host is based and then view properties of that template, specifically the Settings and Security tabs. For more information, see Site defaults. Note that a template can inherit Site default settings or you can specify your own custom settings for it.
A guest RD Session Host based on a template must have RAS Guest Agent installed and the agent must match the Parallels RAS version. The agent is installed by default when an RD Session Host is created from a template. If the RD Session Host was created using the native hypervisor tools, it may not have the agent installed in it. In such a case, the RD Session Host will be able to serve only the remote desktop. To enable it to serve applications or documents, you'll need to install the agent yourself.
To check if the RAS Guest Agent is installed and up to date:
Go to Farm > <Site> > RD Session Hosts > RD Session Hosts.
Continue as described in Managing hosts, subsection "Checking the RAS Guest Agent status".
The RD Session Host template must also have the RAS RD Session Host Agent installed.
To check if the RAS RD Session Host Agent is installed and up to date:
Go to Farm > <Site> > RD Session Hosts > Templates.
Select a template in the list and then click Tasks > Troubleshooting > Check agent.
See Managing hosts, subsection "Deleting a host".
See Managing hosts, subsection "Managing hosts that failed preparation". Note that in the case of RD Session Hosts, you have to go to Farm > <Site> > RD Session Hosts > RD Session Hosts and click Tasks > Site defaults to see Site Defaults.
If something happens to an RD Session Host based on a template and it becomes unusable, you don't have to delete it and create a new one. Instead, you can recreate it keeping its name, MAC address, and other properties. This way none of the other Site settings, which may rely on a broken RD Session Host, will be affected. Another reason for recreating an RD Session Host is to apply changes made to the template (when you exit from maintenance without executing the Recreate command).
Please note that recreated RD Session Hosts can keep the following properties:
MAC address is kept on ESXi, vCenter, Hyper-V, Hyper-V Failover Cluster, Nutanix AHV (AOS), and SC//HyperCore.
BIOS UUID is kept on ESXi and vCenter.
DRS groups are kept on vCenter.
Note: If an RD Session Host based on a template was already assigned to an RD Session Host host pool, it cannot be recreated.
To recreate one or more guest RD Session Hosts:
In the Parallels RAS Console, navigate to Farm > <Site> > RD Session Hosts > Templates.
To recreate all deployed RD Session Hosts, click the Tasks drop-down list and choose Recreate all servers.
To recreate a specific host (or multiple hosts), click Tasks > Show servers. This will open the dialog which will list RD Session Hosts. Select one or more RD Session Hosts and then click Tasks > Recreate.
When you recreate an RD Session Host based on a template:
The procedure deletes the RD Session Host and creates a new one from the same template.
The new RD Session Host retains the same computer name as the one it replaces.
If an RD Session Host is running, all unsaved data in its memory will be lost. For this reason, important data should be saved to external storage.
You may need to install the RAS RD Session Host Agent manually if the automatic push installation cannot be performed. For instance, an SMB share may not be available or the firewall rules may interfere with the push installation, etc.
Log in to the server where the RAS RD Session Host Agent is to be installed using an administrator account and close all other applications.
Copy the Parallels RAS installation file (RASInstaller.msi) to the server and double-click it to launch the installation.
Follow the onscreen instructions and proceed to the installation type page. Select Custom and click Next.
Click on RAS RD Session Host Agent and select Entire Feature will be installed on local hard drive from the drop-down list.
Ensure that all other components are deselected and click Next.
Click Install to start the installation.
Click Finish once the installation is finished.
The RAS RD Session Host Agent doesn't require any configuration. Once the agent is installed, highlight the server name in the RAS Console and click Troubleshooting > Check Agent in the Tasks drop-down list to update the server status.
To uninstall RAS RD Session Host Agent from a server:
Navigate to Start > Control Panel > Programs > Uninstall a Program.
Find Parallels Remote Application Server in the list of installed programs.
If you don't have any other Parallels RAS components on the server that you want to keep, right-click Parallels Remote Application Server and then click Uninstall. Follow the instructions to uninstall the program. You may skip the steps below.
If you have other RAS components that you want to keep on the server, right-click Parallels Remote Application Server and then click Change.
Click Next on the Welcome page.
On the Change, repair, or remove page, select Change.
On the next page, select Custom.
Select RAS RD Session Host Agent, then click the drop-down list in front of it, and click Entire feature will be unavailable.
Click Next and complete the wizard.
You can assign an RD Session Host to a different Site in your Farm if needed. Please note that this functionality is only available if you have more than one Site in your Farm.
To change the Site assignment:
Right-click an RD Session Host and then click Change Site in the context menu. The Change Site dialog opens.
Select a Site in the list and click OK. The server will be moved to the RD Session Hosts list of the target Site (Farm > <new-site-name> > RD Session Hosts).
An RD Session Host must have RAS RD Session Host Agent installed in order to publish remote applications and desktops from it. In addition to this, Remote Desktop Services (formerly Terminal Services) must also be installed.
Normally when you add an RD Session Host to a Site, the RD Session Host Agent and Remote Desktop Services are installed by default. However, if you skipped the installation (or uninstalled the agent or RDS from the server), you can check their status and take appropriate actions if needed.
To check the status of RD Session Host Agent and RDS, do the following:
First, check the Status column in the RD Session Hosts list. The column should display "OK". If so, the Agent is installed and functioning properly. If not, read on.
In addition to the description, the Status column uses a color code to indicate the agent status as follows:
Red — not verified
Orange — needs update
Green — verified
Right-click a server and click Troubleshooting > Check agent in the context menu. The Agent Information dialog opens.
If the agent is not installed on the server, click the Install button and follow the instructions on the screen.
After the agent installation is complete, you may need to reboot the RD Session Host. You can do it right from the Parallels RAS Console by selecting the server and clicking Tasks > Control > Reboot.
To view the list of RD Session Hosts for the current Site:
In the RAS Console, navigate to Farm > <Site-name> > RD Session Hosts.
The available RD Session Hosts are displayed on the RD Session Hosts tab in the right pane.
You can filter the RD Session Hosts list as follows:
Click the magnifying glass icon, which is located on a toolbar above the list.
An extra row is displayed at the top of the list where you can type a string in one or more columns that will be used to filter the list.
For example, if you want to search for a server by its name, enter the text in the Server column. You can type the entire server name or the first few characters until a match is found. The list will be filtered as you type and only the matching server(s) will be displayed.
If you type a filter string in more than one column, they will be combined using the logical AND operator.
To remove the filter and display the complete list, click the magnifying glass icon again.
If you click the magnifying glass icon one more time, you'll see that the filter that you specified earlier is still there. To remove it completely, simply delete the filter string(s) from the column(s).
In addition to the RD Session Hosts editor described above, you can also see the summary about the available RD Session Hosts. To do so:
In the RAS Console, select the Farm category and then select the Site node in the middle pane.
The available servers are displayed in the RD Session Hosts host pool in the right pane.
To go to the RD Session Host editor (described above), right-click a server and choose Show in the Editor.
For additional info, see .
You can perform a number of tasks on an RD Session Host using menus. To do so, click the Tasks drop-down list and choose a desired option, or right-click a host and choose an option from the context menu.
Please note that not all menu options are available for RD Session Hosts based on a template. If an option is not available for this host type, it will be either disabled or hidden. These include:
Assign to host pool. Host pool assignment is performed automatically for template-based hosts.
Delete. Deleting a host (which is a VM) can only be done on the template level (the Host List dialog).
Control (logon commands). Drain mode is managed automatically by the host pool to which a template-based host belongs.
An RD Session Host must have the Remote Desktop Services (RDS) role installed. You can install RDS right from the RAS Console, as described later in this section.
To push install the RAS RD Session Host Agent on a server, the following requirements must be met:
The firewall must be configured on the server to allow push installation. Standard SMB ports (139 and 445) need to be open. See also Port reference for the list of ports used by Parallels RAS.
SMB access. The administrative share (\\server\c$) must be accessible. Simple file sharing must be enabled.
Your Parallels RAS administrator account must have permissions to perform a remote installation on the server. If it doesn't, you'll be asked to enter credentials of an account that does.
The RD Session Host should be joined to an AD domain. If it's not, the push installation may not work and you will have to install the Agent on the server manually. See section.
Note: The rest of this section applies to regular RD Session Hosts only. If you are looking for the information on how to add an RD Session Host based on a template, see .
To add an RD Session Host to a Site:
In the RAS Console, navigate to Farm > Site > RD Session Hosts.
Click Tasks > Add. This opens the Add RD Session Hosts wizard. Note that you can also open the wizard from the Start category as described in .
Click the Tasks menu (or click the [+] icon) and select one of the following:
Add from Active Directory: Adds an RD Session Host from Active Directory.
Add Manually: Adds an RD Session Host by entering its FQDN or IP address.
Note that if you enter the server name (hostname or FQDN), it will be used as the primary method of connecting to this server from other RAS components and clients. If you enter the IP address, it will be automatically resolved to FQDN, but only if the global option to resolve to FQDN is enabled. To see the current setting of this global option, click Tools > Options on the main menu. In the Options dialog, examine the Always attempt to resolve to fully qualified domain name (FQDN) when adding hosts option. When the option is selected, the IP address of every server/component in the RAS Farm is always resolved to FQDN. When the option is cleared, whatever is specified for a server (IP address or name) is used to communicate with a server. This makes a difference in deployments where an IP address cannot be used to access a server, such as when a server is hosted in the cloud. For more information, see .
Click Next.
On the next page, specify the following options:
Add firewall rules. Add firewall rules required by Parallels RAS in Windows running on the server. See Port reference for details.
Install RDS role. Install the RDS role on the server if it's not installed. You should always select this option.
Enable Desktop Experience. Enable the Desktop Experience feature in Windows running on the server. This option is enabled only if the Install RDS role option (above) is selected. The option applies to Windows Server 2008 R2 and Windows 2012 R1/R2 on which the Desktop Experience feature is not enabled by default.
Restart server if required. Automatically restart the server if necessary. You can restart the server manually if you wish.
Add server(s) to host pool. Add the server (or servers) to a host pool. Select the desired host pool in the list box located below this option. If you are not sure what host pool to choose, select Default Host pool. Host pools are described in detail in the section.
Click Next.
Add the server (or servers) to a host pool. Select the desired host pool or create a new host pool. If you are not sure what host pool to choose, select Default Host pool. Host pools are described in detail in the section.
Click Next.
The next page allows you to add users and groups to the Remote Desktop Users groups in Windows running on the server. This is necessary for your Parallels RAS users to be able to access published resources hosted by an RD Session Host. To specify users and/or groups, select the option provided and then click the [+] icon. In the Select Users or Groups dialog, specify a user or a group and click OK. The selected user/group will be added to the list on the wizard page.
Note: If you skip this step and your users are not members of the Remote Desktop Users group on an RD Session Host, they will not be able to access published resources. If you already used (or want to use later) standard Windows tools to add users to the Remote Desktop Users group, you can skip this page.
Click Next.
On the next page, review the settings and click Next.
The Install RAS RD Session Host Agent dialog opens. Follow the instructions and install the agent. When the installation is finished, click Done to close the dialog.
Back in the wizard, click Finish to close it.
If you would like to verify that the RD Session Host has been added to the Farm, click the Farm category (below the Start category in the left pane of the Parallels RAS Console window) and then click RD Session Hosts in the navigation tree (the middle pane). The server should be included in the RD Session Hosts list. The Status column may display a warning message. If it does, reboot the server. The Status column should now say, "OK", which means that your RD Session Host is functioning properly.
Note: The information in this section does not apply to RD Session Hosts based on a template. Hosts of that type don't have individual properties and are managed on the template level. For more information, see and .
To configure an RD Session Host:
In the RAS Console, navigate to Farm > <site> > RD Session Hosts.
Select a server and click Tasks > Properties.
The server properties dialog opens where you can configure the RD Session Host properties.
The dialog is described in the subsections that follow this one.
The server properties dialog consists of tabs, each containing its own set of properties. All tabs, except General, have either a Group Defaults or a Site defaults link, which allows you to view and modify default settings. If you want the properties on a particular tab to inherit default settings, select the Inherit default settings option. When you do, the default settings will be inherited from one of the following:
Group defaults. Groups are described in .
Site defaults. Note that a group may also inherit Site defaults, but this can be overridden in the group properties dialog where you can specify custom settings for a group.
To view or modify default settings, click the Group Defaults or Site defaults link. Note that each individual tab can inherit default settings independently from other tabs.
To specify custom settings for an RD Session Host, clear the Inherit default settings option and use the controls on a given tab to set the desired options.
Each RD Session Host in a RAS Farm has an RAS RD Session Host Agent installed through which it communicates with other Parallels RAS components. Use the Agent Settings tab to configure the agent.
To use default settings, select the Inherit default settings option. See .
To configure the agent, set the options as described below.
Disconnect active session after: Specifies the amount of time each session remains connected in the background after the user has closed a remote application. This option is used to avoid unnecessary reconnections with the server.
Logoff disconnected session after: This setting allows you to control how long it takes for a session to be logged off after it is marked as "disconnected".
Port: Specifies a different remote desktop connection port number if a non-default port is configured on the server.
Max sessions: Specifies the maximum number of sessions.
Preferred Connection Broker: Select a Connection Broker to which the RD Session Host should connect. This is helpful when Site components are installed in multiple physical locations communicating through WAN. You can decrease network traffic by specifying a more appropriate Connection Broker.
When a user tries to open a URL or an HTML Mailto link in a remote application, the link can be redirected to the client computer and open in a local default application (a web browser or email client) instead of an application on the remote host. To enable this functionality, select the option and click the Configure button. In the dialog that opens, select one of the following:
Replace Registered Application: This option uses an alternative method of redirecting a link. It replaces the default web browser and mail client with "dummy" apps on the remote server side. By doing so, it can intercept an attempt to open a link and redirect it to the client computer.
Support Windows Shell URL namespace objects: The Shell URL namespace objects support means that Parallels RAS can intercept actions in published applications that use the Shell namespace API to open links, which is a standard behavior in most applications. The ability to disable support for Shell URL namespace objects is for compatibility with older versions of Parallels RAS. You may disable this option if you want the behavior of an older version of Parallels RAS (RAS v16.2 or earlier).
Please note that you can configure a list of URLs that should never be redirected, even if the redirection is enabled. This can be done on the Farm > Site > Settings > URL Redirection tab. See more in .
Allows you to set how the drag and drop functionality works in Parallels Clients. To enable drag and drop, select the option, click the Configure button and then select from the following:
Server to client only: Drag and drop to a local application, but not in the opposite direction.
Client to server only: Drag and drop to a remote application only.
Bidirectional: Note that this option has changed since Parallels RAS 17.1. In the past, it was a checkbox that would enable or disable drag and drop which worked in the "Client to server only" mode. When upgrading from an older version of Parallels RAS, and if the checkbox was enabled, the "Client to server only" option is selected by default. If the option was disabled, the "Disabled" option will be set. You can change it to any of the new available options if you wish.
Note: At the time of this writing, the drag and drop functionality is only supported on Parallels Client for Windows and Parallels Client for Mac.
Select this option to allow a process running on the server to instruct the client to deploy an application on the client side. Read more about 2XRemoteExec in the Using RemoteExec subsection at the end of this topic.
Enable this option to allow use of remote apps for shell-related issues when an app is not displayed correctly. This feature is supported on the Parallels Client for Windows only.
Select the transport protocol that will be used for connections between Parallels Client and a server. To do this, select this option and click the Configure button.
Enable or disable monitoring of applications on the server. Disabling application monitoring stops the WMI monitoring to reduce CPU usage on the server and network usage while transferring the information to RAS Connection Broker. If the option is enabled, the collected information will appear in a corresponding RAS report. If the option is disabled, the information from this server will be absent from a report.
2XRemoteExec is a feature that facilitates the server's ability to send commands to the client. This is done using the command line utility 2XRemoteExec.exe. Command line options include:
The following command displays a message box describing the parameters that can be used.
This command runs Notepad on the client.
In this example, the command opens the C:\readme.txt file in Notepad on the client. No message is shown and 2XRemoteExec waits for 6 seconds or until the application is started.
Properties. RD Session Hosts of this type don't have individual properties. Some essential properties are inherited from Default Server Properties (see ).
The User profile page allows you to select a technology to manage user profiles. You can select from User profile disk or FSLogix. User profile disks are virtual hard disks that store user application data on a dedicated file share. Microsoft FSLogix Profile Container is the preferred profile management solution as the successor of Roaming Profiles and User Profile Disks (UPDs). It is designed to maintain user context in non-persistent environments, minimize sign-in times, and provide a native profile experience, eliminating compatibility issues. For complete instructions, please see .
The Optimization page allows you to specify settings that will be used to optimize Windows on the RD Session Host for best performance in a Parallels RAS environment. You can select Windows components, services, and other options that will be disabled, removed, or optimized to ensure a more efficient, streamlined, and improved delivery of virtual apps and desktops. For the complete description, please see .
Read on to learn how to .
Enables file transfer in a remote session. To enable file transfer, select this option and click the Configure button. For more information, see
Improves user experience by making file browsing and navigation on redirected drives much faster. For details, see .
Command Line Parameter | Parameter Description |
| Used to run the 2XRemoteExec command in ‘silent’ mode. Without this parameter, the command will display pop up messages from the application. If you include the parameter, the messages will not be displayed. |
| Is used to specify the timeout until the application is started. Timeout must be a value between 5000ms and 30000ms. Note that the value inserted is in ‘ms’. If the timeout expires the command returns with an error. Please note that the application might still be started on the client. |
| Shows a help list of the parameters that 2XRemoteExec uses. |
| The Application that will be started on the client as prompted from the server. |
To create an RD Session Host host pool:
In the RAS Console, navigate to Farm > <Site> > RD Session Hosts > Host pools.
Click Tasks > Add (or click the [+] icon).
Select Enable Host pool in site to enable the host pool. Specify the name and the description for the new host pool.
Click Next.
On the Provisioning page, select whether this host pool will contain template-based or standalone hosts:
Template: (Template-based RD Session Hosts only) Hosts will be created dynamically from a template. You will need to create or select an existing template in the next step or later. Choosing Template as the provisioning type ensures a homogeneous host pool, which is recommended to provide consistent user experience across the host pool. For more information about creating template-based RD Session Hosts, see section Add a template-based RD Session Host.
Standalone: (Template-based and standalone RD Session Hosts) Select one or more hosts that already exist. You'll be able to do it in the next step or you can do it later. Prior to adding hosts to host pools, ensure that hosts are domain joined and have network access to the domain environment. Note that the Standalone provisioning is considered "unmanaged" as it lacks some of the functionality, such as Autoscaling.
Click Next.
Depending on the selection made on the Provisioning page (above), do one of the following:
Standalone: Select one or more hosts from the list to be included in the host pool (you can also add hosts to the pool later).
Template: Select a template from the list or click Create new to create a new template and specify the template settings.
Versions: If you selected an existing template, select one of its versions.
Enable autoscale: (Multi-session hosts) Enable and configure autoscale.
Click Next.
(Templates only) On the General page, specify the following options:
Template name: Choose and type a template name.
Maximum hosts: Specify the maximum number of hosts that can be created from this template.
Number of hosts deployed on wizard completion: The number of hosts to deploy once the template is created. Please keep in mind that this will take some time because the hosts will be created one at a time.
Host name: A pattern to use when naming new hosts.
Click Next.
(Templates only) On the Additional properties page, specify the following options:
Keep available buffer: The minimum number of hosts to always keep unassigned and session free for the template. As soon as the number of free and unassigned desktops drops below the setting value, it forces the template to create another host. The template uses its own settings for host creation including initial power state.
Host state after the preparation: Select the power state that should be applied to a host after it is prepared. Choose from Powered on, Powered off, or Suspended. Note that when the power state is set to Powered off or Suspended, the number of running (fully ready and waiting for incoming connections) hosts is controlled by the Keep available buffer setting (see above). For example, let's say the Maximum hosts value is set at 200, the number of guest hosts deployed on wizard completion is 100, and the power state after preparation is Powered off. The result of such a configuration will be 100 clones deployed and powered off.
Delete unused hosts after: Select what to do with unused hosts to save resources. Choose whether to never delete them or specify the time period after which they should be deleted.
Click Next.
On the User profile page, you can select from Do not manage by RAS (user profiles will not be managed) or FSLogix. Microsoft FSLogix Profile Container allows you to maintain user context in non-persistent environments, minimizes sign-in times, and provides a native profile experience, eliminating compatibility issues. For complete instructions, please see User profile.
Click Next.
On the Summary page, review the template summary information. You can click the Back button to correct some of the information if needed.
Finally, click Finish to create the host pool and close the wizard.
After you create a host pool and later publish resources from it, you can view the list of resources by right-clicking a host pool and choosing Show published resources (or click Tasks > Show Published Resources). For more information, see Viewing published resources hosted by RD Session Hosts.
The Optimization tab allows you to specify settings that will be used to optimize the RD Session Host for best performance in a Parallels RAS environment. You can select Windows components, services, and other options that will be disabled, removed, or optimized to ensure a more efficient, streamlined, and improved delivery of virtual apps and desktops.
To use default settings, select the Inherit default settings option. See Using default settings.
For the complete description, please see Optimization.
Use this tab to configure user profile settings.
To use default settings, select the Inherit default settings option. See Using default settings.
For complete instructions about configuring user profiles, see User profile.
The Application Packages tab allows you to manage MSIX application packages on RD Session Hosts and groups.
To use default settings, select the Inherit default settings option. See Using default settings.
Adding a package to an RD Session Host
See Using MSIX application packages, subsection "Adding a package to a host".
Adding a package to a VDI pool
See Using MSIX application packages, subsection "Adding a package to a VDI pool".
Managing applications installed from MSIX packages
The following actions are available from the Task drop-down list:
Add: Add a new package to the RD Session Host.
Retry Staging: Manually trigger re-staging of all added packages.
Refresh: Refresh the list of the packages.
Delete: Delete the selected package.
Select or clear the Enable Server in site option to enable or disable the server. A disabled server cannot serve published applications and virtual desktops to clients.
Other elements on this tab are:
Server: Specifies the server FQDN or IP address.
Description: An optional server description.
Change Direct Address: Select this option if you need to change the direct address that Parallels Client uses to establish a direct connection with the RD Session Host.
This topic describes how to configure existing FSLogix Profile Containers to be managed by Parallels RAS. FSLogix Profile Container configuration defines how and where the profile is redirected. Normally, you configure profiles through registry settings and GPO. Parallels RAS gives you the ability to configure profiles from the Parallels RAS Console or RAS Management Portal without using external tools.
Before you configure FSLogix Profile Containers in Parallels RAS, make note of the following:
You don't have to change the profiles themselves; existing profiles stay the same.
You can keep using your existing FSLogix Profile Container locations, such as SMB network shares or Cloud Cache.
Perform the following preliminary steps:
Back up your existing profiles. It is highly unlikely that profile data can be lost or corrupted, but it is best practice to have a valid backup prior to any change in profile configuration.
Turn off the GPO configuration of FSLogix Profile Containers. This step is important because you cannot have both GPO and Parallels RAS management of FSLogix profiles enabled at the same time.
Before configuring FSLogix profiles for a host in a RAS Farm, make sure there are no user sessions running on the host. As a suggestion, you can make the transition in a maintenance window out of working hours.
To configure existing FSLogix Profile Containers in Parallels RAS, you need to replicate your existing GPO to the FSLogix configuration in Parallels RAS. This can be done in the Parallels RAS Console or the Parallels RAS Management Portal.
To configure profiles in the RAS Console:
Follow the instructions from the section and open the Disks tab.
In the Location of profile disks list box, specify existing SMB or Cloud Cache locations where you keep your FSLogix profiles. Also, specify the profile disk format, allocation type, and default size.
Configure the rest of FSLogix settings you may have on your servers, such as user exclusions, folder exclusions, and others.
To configure profiles in the RAS Management Portal:
Navigate to Infrastructure > RD Session Hosts.
Click a host in the list and then click Properties.
In the middle pane, click User Profile.
Specify the settings as described in steps above for the RAS Console.
Please note that at the time of this writing RAS Management Portal can only be used to configure RD Session Hosts to use FSLogix Profile Containers. For other host types, please use the desktop-based RAS Console.
When performing steps in the previous section, do not configure multiple (or all) servers in a RAS Farm right away. Begin with a single server (e.g. an RD Session Host) and then test it with a single user connection. After that, configure some other servers and test the same user logging in to multiple servers consecutively to confirm the profile is loaded and personalization is retained irrespective of a session host. If all is good, configure other hosts, host pools, or Site defaults.
Your RAS users can now connect to Parallels RAS using pre-existing FSLogix Profile Containers, which are now managed centrally through Parallels RAS.
Note: If you have existing FSLogix Profile Containers and would like their configurations to be managed by Parallels RAS, please read additional instructions in .
Parallels RAS has been tested with FSLogix releases up to and including release 2210 hotfix 2.
Before you configure FSLogix for a specific server or a template (described later in this guide), you need to configure the FSLogix installation method on the Site level as follows:
Navigate to Farm > Site > Settings and select the Features tab. Here you need to select a method that Parallels RAS will use to install FSLogix on individual hosts. You can select from one of the following:
Install manually: Select this option if you want to install FSLogix on every host yourself. If this option is selected, Parallels RAS will not attempt to install FSLogix on a host.
Install online: This option installs FSLogix on session hosts from the Internet. Select one of the supported FSLogix versions from the drop-down list or select Custom URL and specify a download URL. Click the Detect latest button to automatically obtain a URL of the latest FSLogix version.
Install from a network share: Select this option if you have the FSLogix installation files on a network share and specify its location.
Push from RAS Connection Broker: This option allows you to upload the FSLogix installation archive to the RAS Connection Broker server. When you enable FSLogix on a session host, it will be push installed on the host from the RAS Connection Broker server.
When done, click Apply in the RAS Console to apply your changes to Parallels RAS.
The dialog described above can also be used to upgrade FSLogix to a newer version. To upgrade, do one of the following:
Select Install online and choose from one of the provided FSLogix builds or specify a custom URL. The Detect latest button obtains a URL for the latest stable FSLogix build.
Download a new version from the Microsoft website, place it on a network share or upload it to the RAS Connection Broker server and then select Install from a network share or Push from RAS Connection Broker, whichever applies.
If FSLogix is already installed on one or more hosts and a new version of FSLogix becomes available when you do one of the above, FSLogix will be upgraded on hosts that have it installed. Note that if you specify a version that is earlier than the version installed on a host, then FSLogix will be downgraded.
To configure Site defaults or individual hosts for FSLogix, do one of the following:
For Site defaults, navigate to Farm > Site and click Tasks > Site defaults > RD Session Hosts (or VDI to configure defaults for VDI, or one of the AVD options to configure site defaults for Azure Virtual Desktop).
To configure individual hosts, navigate to Farm > Site > RD Session Hosts. Right-click a host and choose Properties.
When you add an RD Session Host to a Farm, the FSLogix settings are specified on the User profile page.
In the Site defaults or Properties dialog, select the User profile tab and specify the following options:
If you are in the host Properties dialog (or in a wizard where you add a new host or template), clear the Inherit default settings option if you want to specify different settings for this host.
In the Technology section, select FSLogix.
The Deployment method field shows the currently set deployment method as configured on the Site level (see the description above). You can click the Change... link and select a different method. Note that this will modify the Site setting, which will change it for all hosts in the Site.
If you want to use Profile Containers, select the Use Profile Containers option. Click the Configure button to configure settings:
Users and Groups tab: Specify include and exclude user and group lists. By default, Everyone is added to the FSLogix profile include list. If you want some user profiles to remain local, you can add those users to the exclude list. Users and groups can exist in both lists, but exclude takes priority.
Folders tab: Specify include and exclude lists for folders. You can select from common folders or you can specify your own. Please note that folders must reside in the user profile path.
Disks tab: Specify the settings of the profile disk.
Location type: Select a location type for profile disks (SMB Location or Cloud Cache) and then specify one or more locations.
Location of profile disks: Location(s) of profile disks. These are the locations of VHD(X) files (the VHDLocations setting in the registry as specified in the FSLogix documentation).
Profile disk format: Select from VHD or VHDX according to your requirements. VHDX is a newer format and has more features.
Allocation type: Select Dynamic or Full. This setting is used in conjunction with the Default size setting (see below) to manage the size of a profile. Dynamic causes the profile container to use the minimum space on disk, regardless of the allocated Default size. As a user profile is filled with more data, the amount of data on disk will grow up to the size specified in Default size, but will never exceed it.
Default size: Specifies the size of newly created VHD(X) in megabytes.
If you want to use Office Containers, select the Use Office Containers option. Click the Configure button to configure settings:
Users and Groups tab: Same as above.
Disks tab: Same as above.
Advanced tab: Same as above.
Click the Configure general settings button to configure FSLogix settings for all types of containers:
When you enable FSLogix for a new host while running the wizard, no additional steps are necessary. On wizard completion, the host is rebooted and is added to the active load balancing. An existing host must be rebooted manually using the Tasks > Tools > Reboot menu option.
Beginning with version 18, Parallels RAS includes built-in automated optimization capabilities for RD Session Hosts, VDI, and Azure Virtual Desktop workloads. Different preconfigured optimizations for multi-session (such as RD Session Hosts) or single-session (such as VDI) hosts are available for administrators to choose from manually or automatically to ensure a more efficient, streamlined and improved delivery of virtual apps and desktops.
Preconfigured optimizations were designed to be easily updated to support future releases of Microsoft Windows. Moreover, custom scripts may also be used within the tool to make use of already available optimizations to be deployed on Parallels RAS workload machines.
Over 130 image optimizations are available out-of-the-box and divided into the following main categories:
UWP application packages (removal; available for VDI only)
Windows Defender ATP (turn ON or OFF, disable real-time scan, exclude files, folder, processes, and extensions)
Windows components (removal)
Windows services (disable)
Windows scheduled tasks (disable)
Windows advanced options (Cortana, system restore, telemetry, custom layout)
Network performance (disable task offload, IPv6, etc.)
Registry (service startup timeout, disk I/O timeout, custom, etc.)
Visual effects (best appearance, best performance, custom)
Disk cleanup (delete user profiles, image cleanup, etc.)
Custom scripts (.ps1, .exe, .cmd, and other extensions/formats)
For the complete list of optimization categories and components, please see .
Optimizations are applicable to RD Session Hosts, VDI desktops, Azure Virtual Desktop, and Remote PC pools (through VDI) based on:
Windows Server 2012 R2 and later
Windows 7 SP1
Windows 10
Windows 11
Optimization can be configured for the following:
RD Session Hosts
VDI
Azure Virtual Desktop
Optimization settings are configured for the above on the Site level (Site defaults) and can also be configured for individual components if the RAS administrator decides to use custom settings for a given component.
To configure optimizations on the Site level, navigate to Farm > Site, click the Tasks > Site defaults menu and choose one of the following:
RD Session Host
VDI
AVD multi-session hosts
AVD single-session hosts
In a Site defaults dialog that opens, select the Optimization tab. The user interface for configuring optimization is the same for all of the above.
Note: Before applying optimization, make sure you have a saved state of session hosts as you will not be able to revert changes after they are applied.
To configure optimization:
If you are in the host Properties dialog or in a wizard, clear the Inherit default settings option if you want to modify the settings for this host.
Select the Enable optimization option.
Choose optimization type from the following:
Automatic: Predefined and preconfigured optimization will be used automatically.
Manual: Gives you full control over which optimization options to use and allows you to configure each one. This option also gives you an option to use a custom optimization script that will be executed on the host.
If you selected Manual in the previous step, configure optimization categories and components according to your requirements. See Configure optimization below.
Force optimization on all enabled categories: This is a special option that should only be used in situations when some parts of optimization failed to apply to a host for some unforeseen reason (e.g. the host went offline unexpectedly). When you select this option, then click OK and then Apply in the RAS Console, the entire optimization configuration will be applied to the host. This way you can make sure that changes that you made to optimization components last time, and that were not applied to the host, will be applied again. The state of the Force optimization on all enabled categories option (selected or cleared) is not saved because this is a one-time action, so the next time you open the dialog, the option will be cleared again. Note that in a standard scenario, when you make changes and then apply them to a host, you don't need to select this option, because normally you want to apply just the changes that you made, not the entire optimization configuration.
The Category list contains optimization categories that can be configured. To include a category in optimization, select the corresponding checkbox. Some categories contain multiple components, which can be configured individually, some have settings that can be customized. To configure category settings or components, highlight the category and click the gear icon (or click Tasks > Properties, or simply double-click a category). Depending on the category selected, you can do the following:
Configure category settings (choose from available options, select or clear individual settings, specify values, add or remove entries).
Add or remove underlying components to include or exclude them from optimization (use the plus- and minus-sign icons). When adding a component (where available), you can select from a predefined list or you can specify a custom component.
In some cases (specifically registry entries) you can double-click an entry and specify multiple values for it.
If you remove a predefined component, you can always get it back in the list by clicking Tasks > Reset to default. You can also use this menu to reset category settings to default values if they were modified.
The last optimization category in the list is Custom script. You can use it to execute an optimization script that you may have available. Read the Using custom script subsection below for details.
When done, click OK to close the dialog.
The Custom script optimization category is used to execute an optimization script on a target host. Before configuring this category, make sure that the script exists on target hosts and that the path and file name are the same on each host.
To configure the Custom script optimization:
Enable the Custom script category in the list (select the checkbox), then highlight it and click Tasks > Properties.
In the dialog that opens, specify the command to execute, arguments (if required), the initial directory, and credentials that will be used to execute the script.
Click OK.
When you apply the optimization to a host, the script will be executed as part of applying other optimization parameters.
After you enable optimization for a host and then click Apply in the RAS Console, the following will happen the next time the host communicates with Parallels RAS:
The host status changes to Optimization pending and the host enters the drain mode. At this stage, you can stop optimization by selecting a host in the list and clicking Tasks > Stop optimization.
Once all users are logged off, the host status changes to Optimization in progress.
After all optimization settings are applied, the host will reboot.
After the reboot, the host returns to operation and its status changes to OK.
Note: By design, the host is rebooted after optimization completes, even if the optimization failed.
Optimization results are logged on a host at the following location: %ProgramData%\Parallels\RASLogs\ImageOptimizer.log. Open the file and search for entries similar to the following:
[I 78/00000009/T10C4/P0FD4] 11-30-20 10:09:19 - Image Optimization completed with 98 successful and 0 unsuccessful optimizations.
Note: By design, optimization has lower priority than the Reboot/Disable schedule. For example, it is expected behavior for a host to change its status from "Optimization pending" to Disabled/Reboot when the schedule starts.
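Because the host reboots whether or not optimization succeeded, the log is where the outcome is confirmed. The following is an added example, not part of the Parallels documentation: it extracts the completion entries from ImageOptimizer.log and warns when the latest run reports unsuccessful optimizations. The function name Get-RasOptimizationResult is hypothetical, and the line layout and month-day-year timestamp are assumptions inferred from the single sample entry above.

```powershell
# Added example: summarize completion entries from ImageOptimizer.log.
# Line layout and MM-dd-yy timestamp are inferred from the one documented sample.
function Get-RasOptimizationResult {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [string[]]$Line
    )
    begin {
        # The bracketed prefix is treated as opaque; only the counts are parsed.
        $pattern = '^\[[^\]]+\]\s+(?<stamp>\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - ' +
                   'Image Optimization completed with (?<ok>\d+) successful ' +
                   'and (?<bad>\d+) unsuccessful optimizations\.'
    }
    process {
        foreach ($entry in $Line) {
            if ($entry -match $pattern) {
                [pscustomobject]@{
                    Timestamp    = [datetime]::ParseExact($Matches['stamp'],
                                       'MM-dd-yy HH:mm:ss', [cultureinfo]::InvariantCulture)
                    Successful   = [int]$Matches['ok']
                    Unsuccessful = [int]$Matches['bad']
                }
            }
        }
    }
}

# Constructed sample input: line 1 is the documented entry, line 2 is made up.
$sample = @(
    '[I 78/00000009/T10C4/P0FD4] 11-30-20 10:09:19 - Image Optimization completed with 98 successful and 0 unsuccessful optimizations.'
    '[I 78/00000009/T10C4/P0FD4] 12-01-20 02:14:07 - Image Optimization completed with 95 successful and 3 unsuccessful optimizations.'
)

# Use the real log when present on this host, otherwise the constructed sample.
$logPath = "$env:ProgramData\Parallels\RASLogs\ImageOptimizer.log"
$lines = $sample
if (Test-Path -LiteralPath $logPath) { $lines = @(Get-Content -LiteralPath $logPath) }

$results = @($lines | Get-RasOptimizationResult | Sort-Object Timestamp)
if ($results.Count -eq 0) {
    Write-Warning 'No completion entry found; optimization may not have run to completion.'
} else {
    $results | Format-Table -AutoSize
    $last = $results[-1]
    if ($last.Unsuccessful -gt 0) {
        Write-Warning "Latest run ($($last.Timestamp)): $($last.Unsuccessful) unsuccessful optimizations."
    }
}
```

A non-zero unsuccessful count is a prompt to read the surrounding log entries rather than proof of a fault, since some optimizations are expected to fail when already applied or when the OS lacks the targeted component.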
When Parallels RAS is upgraded from an older version:
The optimization feature is disabled.
The inheritance is off.
To use optimization after the upgrade, the administrator needs to enable it manually either in Site defaults or in the host pool/host pool settings.
Please note the following:
Some optimizations may fail and generate warnings if they have already been applied.
Some optimizations may fail and generate warnings depending on OS specifics. For example, removal of UWP apps may fail because apps are already absent.
The Desktop Access tab allows you to restrict remote desktop access to certain users.
To use default settings, select the Inherit default settings option. See .
By default, all users who have access to remote applications on an RD Session Host can also connect to the server via a standard RDP connection. If you want to restrict remote desktop access to certain users, do the following:
On the Desktop Access tab, select the Restrict direct desktop access to the following users option. If you have the Inherit default settings option selected, click the Edit Defaults link to see (and modify if needed) the default configuration. The rest of the steps apply to both the Server Properties and Default Server Properties dialogs.
Click the Add button.
Select the desired users. To include multiple users, separate them by a semicolon.
Click OK.
The selected users will appear in the list on the Desktop Access tab.
Users in this list will still be able to access remote applications using Parallels Client, but will be denied direct remote desktop access to this server.
Note: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connection > Allow users to connect remotely using remote desktop services must be set to Not configured, otherwise it takes precedence.
Please note that members of the Administrator group will still be able to connect to the remote desktop even if they are included in this list.
The RDP Printer tab allows you to configure the renaming format of redirected printers. The format may vary depending on which version and language of the server you are using.
To use default settings, select the Inherit default settings option. See .
The RDP Printer Name Format drop-down list allows you to select a printer name format specifically for the configured server.
Select the Remove session number from printer name and the Remove client name from printer name options to exclude the corresponding information from the printer name.
Advanced tab: This tab allows you to modify advanced FSLogix registry settings. To modify a setting, select it and click Tasks > Edit. By default, the settings are disabled. To enable a setting, select the checkbox in front of its name. A description for each setting is provided in the RAS console. For further information regarding FSLogix Profile Containers configurations, visit .
App Services tab: This tab allows you to modify advanced FSLogix registry settings. For more information about these settings, see .
Cloud Cache tab: This tab allows you to modify Cloud Cache settings. For more information about these settings, see .
Logging tab: This tab allows you to modify logging settings for profile containers. For more information about these settings, see .
Component | Optimization | Inherits from |
---|---|---|
RDSH Site defaults | Yes | None |
RDSH Host pool | No | None |
RDSH standalone | Yes | RDSH Site defaults |
RDSH template | Yes | RDSH Site defaults |
RDSH from template | No | None |
VDI Site defaults | Yes | None |
VDI Desktop standalone | Yes | VDI Site defaults |
VDI Desktop template | Yes | VDI Site defaults |
VDI Desktop from template | No | None |
Azure Virtual Desktop Site defaults | Yes | None |
Azure Virtual Desktop host pool - hosts from a template | No | None |
Azure Virtual Desktop host pool - standalone hosts | Yes | AVD multi-session hosts Site defaults or AVD single-session hosts Site defaults. |
Azure Virtual Desktop template | Yes | AVD multi-session hosts Site defaults or AVD single-session hosts Site defaults. |
Azure Virtual Desktop hosts from template | No | None |
Configure the following antivirus exclusions for FSLogix Profile Container virtual hard drives. Check this information with your security team.
Exclude files:
%Programfiles%\FSLogix\Apps\frxdrv.sys
%Programfiles%\FSLogix\Apps\frxdrvvt.sys
%Programfiles%\FSLogix\Apps\frxccd.sys
%TEMP%\*.VHD
%TEMP%\*.VHDX
%Windir%\TEMP\*.VHD
%Windir%\TEMP\*.VHDX
\\storageaccount.file.core.windows.net\share\*\*.VHD
\\storageaccount.file.core.windows.net\share\*\*.VHDX
Exclude processes:
%Programfiles%\FSLogix\Apps\frxccd.exe
%Programfiles%\FSLogix\Apps\frxccds.exe
%Programfiles%\FSLogix\Apps\frxsvc.exe
When configuring optimizations, you can specify files and processes to exclude in the Windows Defender ATP category. For more information, please see Optimization.
A user profile is a collection of settings and application data associated with a specific user. In a non-persistent remote environment, such as Parallels RAS, user profiles must be maintained to provide a consistent user experience. This is achieved by storing user profile data in a network location to minimize sign-in times and optimize file I/O between host, client, and the profile storage.
Parallels RAS supports the following technologies to manage user profiles:
User profile disk: [RD Session Hosts only] These are virtual hard disks that store user application data on a dedicated file share. This disk is mounted to the user session as soon as the user signs in to a session host. The disk is unmounted when the user logs out.
Note: The User Profile Disks technology is no longer being actively developed by Microsoft. It's recommended to migrate profiles to FSLogix. Please note that the User profile disk option is not available for VDI and Azure Virtual Desktop due to obsolescence.
FSLogix: A remote profile solution for non-persistent environments. FSLogix Profile Container redirects the entire user profile to a remote location and maintains user context in non-persistent environments, minimizing sign-in times and providing a native profile experience that eliminates compatibility issues. FSLogix Profile Container is the preferred profile management solution as the successor of Roaming Profiles and User Profile Disks.
User profiles can be configured for the following:
RD Session Hosts
VDI
Azure Virtual Desktop
User profile settings are configured for the above on the Site level (Site defaults) and can also be configured for individual components if the RAS administrator decides to use custom settings for a given component.
To configure user profile on the Site level, navigate to Farm > Site, click the Tasks > Site defaults menu and choose one of the following:
RD Session Host
VDI
AVD multi-session hosts
AVD single-session hosts
In a Site defaults dialog that opens, select the User profile tab. The user interface for configuring optimization is the same for all of the above.
The subsequent sections describe in detail how to configure the user profile functionality.
This topic explains the Enable drive redirection cache option, which is available in a dialog where you configure RAS RD Session Host, VDI, Azure Virtual Desktop, or Remote PC agents. When the option is enabled, browsing folders on redirected drives becomes much faster thanks to the caching mechanism explained below.
Native RDP is not efficient for file and folder enumeration when using drive redirection, which results in a slow and sluggish user experience. The Enable drive redirection cache option forces the session host to run the kernel-based driver (RasRdpFs). This optimizes how the communication is carried out compared to standard RDP and also adds caching of the folder structure on the session host (RDSH, VDI, or Azure Virtual Desktop). The driver starts as soon as the setting is pushed to the session host via Apply in the RAS Console. When this happens, all new sessions will have this functionality enabled. Existing sessions need to be reconnected to use this optimization.
A session host must run a 64-bit operating system.
The cache is per session and is paged into the driver memory.
On log off or disconnect, the cache is purged.
If the number of cached folders in the session exceeds the threshold, and the user accesses a new non-cached folder, then the oldest accessed folder is replaced in the cache.
When the option is switched off, all currently active user sessions will lose the cache (the driver is stopped and the cache is purged). This happens transparently to the user, but file and folder enumeration becomes slow.
When the option is switched on, all currently active user sessions will not automatically have the cache enabled. To use this functionality, the existing sessions will need to be reconnected.
The option is applicable only to sessions initiated by the following versions of Parallels Client:
Parallels Client for Windows versions 18 and later
Parallels Client for macOS versions 19 and later
Similar to native RDP, changes made on the client side (in a remote session) require a manual refresh (F5) in a redirected folder on the server side.
To configure User Profile Disks, specify the following settings:
When in the host "Properties" dialog, clear the Inherit default settings option if you want to specify different settings for this host.
In the Technology section, select User profile disk.
In the drop-down list, select one of the following:
Do not change: Keep the current server settings (default).
Enabled: Enable the User Profile Disks functionality.
Disabled: Disable the functionality.
Click the Configure advanced User Profile Disks settings button to open the User Profile Advanced Settings dialog.
On the Disk tab, specify the following:
Disk location: If you selected Enabled in the previous step, specify a network location where the User Profile Disks should be created. Use the Microsoft Windows UNC format to specify a location (e.g. \\RAS\users\disks). Please note that the server must have full control permissions on the disk share.
Maximum size: Enter the maximum allowed disk size (in gigabytes).
On the Folders tab, specify the following:
Store all user settings and data on the user profile disk: All folders, except those specified in the exclusion list, will be stored on the user profile disk. To add or remove folders to/from the exclusion list, click the [+] or [-] buttons.
Store only the following folders on the user profile disk: Only folders specified in the inclusion lists will be stored on the user profile disk. There are two inclusion lists. The first one contains standard user profile folders (e.g. Desktop, Documents, Downloads, etc.) and allows you to select the folders that you want to include. The second list allows you to specify additional folders. Click the [+] or [-] buttons to add or remove folders.
Note that when you enable User Profile Disks, you need to restart the server for the changes to take effect.
You can perform standard computer management tasks on the server hosting the RAS Secure Gateway right from the RAS Console. These include Remote Desktop Connection, PowerShell, Computer Management, Service Management, Event Viewer, IPconfig, Reboot, and others. To access the Tools menu, select a server, click Tasks (or right-click) > Tools and choose the desired tool. For requirements and usage information, see Computer management tools.