RAS Secure Gateway tunnels all Parallels RAS data on a single port. It also provides secure connections and is the user connection point to Parallels RAS.
At least one RAS Secure Gateway must be installed and configured in every Site. Note that if a Site is joined as a Tenant to the RAS Tenant Broker, a RAS Secure Gateway is not needed in that Site. For details, see RAS Multi-Tenant Architecture.
Multiple gateways can exist depending on your requirements. Read this chapter to learn how to add, configure, and manage RAS Secure Gateways.
To add a RAS Secure Gateway to a Site, follow these steps:
In the RAS Console, navigate to Farm > <Site> > Secure Gateways.
With the Secure Gateways tab selected in the right pane, click Tasks > Add to start the Add RAS Secure Gateway wizard.
Enter the server FQDN or IP address (or click the [...] button to select a server from the list). To automatically resolve IP address to FQDN, enable the global Name Resolution option. For details, see Host Name Resolution.
Select the gateway mode from the Mode drop-down list.
If you selected the Forwarding mode in the step above, select the destination gateway in the Forward To drop-down list. You can also select a specific IP address in the On IP drop-down list if the Gateway server has more than one.
Select the Enable HTML5 Gateway option to automatically create a self-signed certificate, enable SSL, and enable HTML5 support. For more info, please see Configure User Portal.
Select the Add Firewall Rules option to automatically configure the firewall on the server hosting the gateway. See Port Reference for details.
Click Next.
On the next page, click Install to start the RAS Secure Gateway installation.
Click Done when the installation is finished.
The Client section allows you to specify application launch methods and other Web Client settings.
Launch sessions using: When a user tries to open a resource from the User Portal web page, the resource can open right in the web browser or it can be launched in a platform-specific Parallels Client installed on the user's computer (e.g., Parallels Client for Windows). This option specifies which client will be used. Compared to Web Client, platform-specific Parallels Client includes a richer set of features and provides end users with a better overall user experience. Select one of the following:
Browser Only: Users can run remote applications and desktops using Parallels Web Client only. Use this option if you don't want your users to install a platform-specific Parallels Client.
Parallels Client Only: Users can run remote applications and desktops in Parallels Client only. When a user connects to Parallels RAS using Parallels Web Client, they will be asked to install the platform-specific Parallels Client before they can launch remote applications and desktops. A message will be displayed to the user with a link for downloading the Parallels Client installer. After the user installs Parallels Client, they can still select a remote application or desktop in Parallels Web Client but it will open in Parallels Client instead.
Parallels Client with fallback to Browser: Both Parallels Client and a browser (HTML5) can be used to launch remote applications and desktops. Parallels Client will be the primary method; Parallels Web Client will be used as a backup method if a published resource cannot be launched in Parallels Client for any reason. A user will be informed if a resource couldn't be opened in Parallels Client and will be given a choice to open it in the browser instead.
(Parallels Client with fallback to Browser and Parallels Client Only) Additionally, you can configure Parallels Client detection by clicking the Configure button:
Detect client: Select when Parallels RAS tries to detect platform-specific Parallels Client.
Automatically on sign in: Parallels RAS tries to detect platform-specific Parallels Client immediately.
Manually on user prompt: Parallels RAS shows users a prompt where they can select whether they want to detect platform-specific Parallels Client.
Client detection timeout: Time period during which Parallels RAS tries to detect platform-specific Parallels Client.
Allow users to select a launch method: If selected, users will be able to choose whether to open remote applications in a browser or in Parallels Client. You can enable this option only if the Launch sessions using option (above) is set to Parallels Client with fallback to Browser (i.e. both methods are allowed).
Allow opening applications in a new tab: If selected, users will be able to open remote applications in a new tab in a web browser.
Use Pre Windows 2000 login format: Enables the legacy (pre-Windows 2000) login format, i.e. DOMAIN\username.
Allow embedding of User Portal into other web pages: If selected, the User Portal web page can be embedded (framed) in other web pages. Please note that this is a potential security risk due to a practice known as clickjacking; leave it cleared unless a specific portal or intranet page has to embed User Portal.
Allow file transfer command: Enables file transfer in a remote session. To enable file transfer, select this option and click the Configure button. In the dialog that opens, select Client to server only (transfer files from client to server only), Server to client only (transfer files from server to client only), Bidirectional (transfer files in both directions). For more information, see Configuring Remote File Transfer.
Allow clipboard command: Enables clipboard operations (copy/paste) in a remote session. To enable the clipboard, select this option and click the Configure button. In the dialog that opens, select Client to server only (copy/paste from client to server only), Server to client only (copy and paste from server to client only), Bidirectional (copy and paste in both directions). For more information about using the clipboard, see Using the Remote Clipboard.
Allow cross-origin resource sharing: Enables cross-origin resource sharing (CORS). To enable CORS, select this option and click the Configure button. In the dialog that opens, specify one or more domains for which access to resources should be allowed. If you don't specify any domains, the option will be automatically disabled. In the Browser cache time field, specify for how long the end-user's browser will cache a resource.
Use a client IP detection service: If selected, allows configuring an IP detection service to report IP addresses of connected Parallels Web Client applications. To enable a client IP detection service, select this option and click the Configure button. In the dialog that opens, provide the URL to the IP detection service you want to use. You can press the Test button to ensure the API works as expected. When you click the Test button, the Connection Broker will take the role of the client and call the API. If successful, you will be presented with a window showing the IP address of the Connection Broker.
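The two settings above that widen the browser-side attack surface, embedding (clickjacking) and cross-origin resource sharing, are easiest to verify from the outside by looking at the headers the portal actually returns. The following is an added example, not Parallels RAS code: it audits a captured set of response headers against a configured CORS allowlist. The header sets and the allowlist are constructed samples; replace them with headers captured from your own User Portal.

```python
# Added example (not part of Parallels RAS): audit portal response headers for
# clickjacking protection and for CORS misconfiguration. Inputs are constructed.
from typing import Dict, List, Set


def audit_portal_headers(headers: Dict[str, str], origin_sent: str,
                         allowed_origins: Set[str]) -> List[str]:
    """Return findings for one HTTP response.

    headers        - response headers (any case) of a request that carried
                     "Origin: <origin_sent>"
    allowed_origins - the domains configured in the CORS dialog
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # --- clickjacking: the page must refuse to be framed by other sites ---
    # CSP frame-ancestors is the modern control and overrides X-Frame-Options
    # where both are present, so inspect it first.
    frame_ancestors = None
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            frame_ancestors = [t.strip("'\"").lower() for t in tokens[1:]]
    xfo = h.get("x-frame-options", "").strip().upper()
    if frame_ancestors is not None:
        if "*" in frame_ancestors or any(a.startswith("http:") for a in frame_ancestors):
            findings.append("framing: frame-ancestors permits any or plain-HTTP origin (clickjacking)")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("framing: no frame-ancestors/X-Frame-Options; page can be embedded (clickjacking)")

    # --- CORS: only listed origins may read responses, and caches must key on Origin ---
    acao = h.get("access-control-allow-origin", "").strip()
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao == "*":
        findings.append("CORS: wildcard Access-Control-Allow-Origin"
                        + (" combined with credentials" if creds else ""))
    elif acao:
        if acao not in allowed_origins:
            how = "reflected from the request" if acao == origin_sent else "set"
            findings.append(f"CORS: origin {acao} {how} but not on the configured allowlist")
        if "origin" not in h.get("vary", "").lower():
            findings.append("CORS: per-origin response without 'Vary: Origin' "
                            "(a shared cache may serve it to another origin)")
    return findings


# Constructed samples: what a hardened portal and a weak one might return.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Access-Control-Allow-Origin": "https://intranet.example.com",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
}
WEAK = {
    "Access-Control-Allow-Origin": "https://evil.example.net",   # reflects whatever Origin was sent
    "Access-Control-Allow-Credentials": "true",
}
ALLOWED = {"https://intranet.example.com"}

if __name__ == "__main__":
    for name, hdrs, origin in (("hardened", HARDENED, "https://intranet.example.com"),
                               ("weak", WEAK, "https://evil.example.net")):
        print(name, audit_portal_headers(hdrs, origin, ALLOWED) or ["ok"])
```

Run it against headers from `curl -sI -H "Origin: https://evil.example.net" https://<gateway>/userportal` (a command you run yourself; the URL path is the page's default) to confirm that an unlisted origin is neither reflected nor allowed and that framing is blocked when embedding is disabled.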
To manually install a RAS Secure Gateway and add it to the Farm, follow these steps:
Log into the server where you'll be installing the RAS Secure Gateway using an administrator account.
Copy the Parallels RAS installation file (RASInstaller.msi) to the server and double-click it to launch the installation wizard.
Follow the onscreen instruction and proceed to the installation type page. Select Custom and click Next.
Click on RAS Secure Gateway in the feature tree and select Entire Feature will be installed on local hard drive.
Ensure that all other components in the selection tree are cleared and click Next.
Click Install to start the installation.
When the installation is completed, click Finish to close the wizard.
Open the RAS Console and specify the RAS Connection Broker that will manage the gateway.
To check the status of a RAS Secure Gateway, right-click it in the list and then click Check Status in the context menu. The RAS Secure Gateway Information dialog opens.
The dialog displays the gateway information, including:
Server: The name of the server on which the gateway is installed.
Gateway: The gateway verification status (e.g. Verified).
Version: The gateway software version number. The version number must match the Parallels RAS version number.
OS Type: Operating system type and version.
Status: Displays the current RAS Secure Gateway status. If the status indicates a problem (e.g. the gateway did not reply or the gateway software version is wrong), click the Install button to push-install the gateway software on the server. Wait for the installation to complete and check the status again.
The RAS Secure Gateway Properties dialog consists of tabs, each with its own set of options. All tabs except Properties have one common option, Inherit default settings. When you select this option, all fields on the tab are grayed out and the settings are inherited from the Site defaults. To view (and modify if necessary) the Site default properties for Secure Gateways, click the Site Defaults link, which is available on all tabs mentioned above. The link opens the Site default properties dialog. You can also open this dialog by clicking Tasks > Site defaults while on the Farm > Site > Secure Gateways tab.
The subsequent sections describe individual tabs and available options in the Secure Gateway Properties dialog.
A RAS Secure Gateway is enabled by default. To enable or disable a Secure Gateway, open the RAS Secure Gateway Properties dialog and select or clear the Enable RAS Secure Gateway in site option on the General tab.
A RAS Secure Gateway can operate in normal and forwarding modes. To set the desired mode and configure related settings click the Mode tab in the RAS Secure Gateway Properties dialog.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site Defaults (Gateways).
To set the normal mode, in the Gateway mode drop-down list, select Normal.
The Forward requests to HTTP Server option allows you to forward requests that do not belong to RAS Secure Gateways (gateways handle HTML5 traffic, Wyse, and URL scheme). To specify multiple servers, separate them with a semicolon. An HTTP server can be specified using an IPv6 address if necessary. Please note that the HTTP server must support the same IP version as the browser making the request.
The Preferred Connection Broker drop-down list allows you to specify a RAS Connection Broker that the Secure Gateway should connect to. This is helpful when Site components are installed in multiple physical locations communicating through WAN. You can decrease network traffic by specifying a more appropriate Connection Broker. For the Secure Gateway to select a Connection Broker automatically, select the Automatic option.
To configure the forwarding mode, in the Gateway mode drop-down list, select Forwarding.
Specify (or select) one or more forwarding Secure Gateways in the Forwarding RAS Secure Gateway(s) field.
Note: The forwarding mode allows you to forward data to a Secure Gateway listening on IPv6. It is recommended that forwarding Secure Gateways are configured to use the same IP version.
You need to install at least one RAS Secure Gateway for Parallels RAS to work. You can add additional Gateways to a RAS Site to support more users, load-balance connections, and provide redundancy.
If you are installing a RAS Secure Gateway on a dedicated server, you can also install the Parallels RAS console on the same server. The console will have limited functionality but will allow you to perform some important management operations on the Gateway, including:
Setting the Gateway operation mode (normal or forwarding, see below for details).
Assigning a RAS Connection Broker that will manage the Gateway.
Setting the Gateway communication port.
Viewing the Gateway information, such as host OS version, Parallels RAS version, available IP addresses, and other.
The RAS Console in such an installation scenario (when connected to the local computer, not the RAS Farm) will only have two categories that you can select in the left pane: Gateway and Information. To manage the Gateway settings, select Gateway and then click Change Ownership in the right pane. To view the information select the Information category.
When the RAS console is connected to a Parallels RAS Farm (i.e. the server where RAS Connection Broker is running), you can manage RAS Secure Gateways by navigating to Farm > <Site> > Secure Gateways.
The following describes how a RAS Secure Gateway handles user connection requests:
A RAS Secure Gateway receives a user connection request.
It then forwards the request to the RAS Connection Broker with which it is registered (by default, the one chosen through the Preferred Connection Broker setting).
The RAS Connection Broker performs load balancing checks and an Active Directory lookup to obtain the user's security permissions.
If the user requesting a published resource has sufficient rights, the RAS Connection Broker sends a response to the gateway which includes details about the RD Session Host the user can connect to.
Depending on the connection mode, the client either connects through the gateway or disconnects from it and then connects directly to the RD Session Host server.
RAS Secure Gateway can operate in one of the following modes:
Normal Mode. A RAS Secure Gateway in normal mode receives user connection requests and checks with the RAS Connection Broker if the user making the request is allowed access. Gateways operating in this mode can support a larger number of requests and can be used to improve redundancy.
Forwarding Mode. A RAS Secure Gateway in forwarding mode forwards user connection requests to a preconfigured gateway. Gateways in forwarding mode are useful if cascading firewalls are in use, to separate WAN connections from LAN connections and make it possible to disconnect WAN segments in the event of issues without disrupting the LAN.
Note: To configure the forwarding mode, a Parallels RAS Farm must have more than one RAS Secure Gateway.
When adding RAS Secure Gateways to a Site, the N+1 redundancy should be configured to ensure uninterrupted service to your users. This is a general rule that also applies to other Parallels RAS components, such as Connection Brokers or RD Sessions Hosts.
The traffic between Parallels RAS users and a RAS Secure Gateway can be encrypted. The SSL/TLS tab allows you to configure data encryption options.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site defaults (Gateways).
The Configure button in the HSTS section allows you to enforce HTTP Strict Transport Security (HSTS), a mechanism by which a web server instructs browsers to communicate with it only over HTTPS. When HSTS is enforced for a RAS Secure Gateway, browsers that have seen the header will upgrade all later web requests to it to HTTPS. This specifically affects the RAS User Portal, which typically accepts only HTTPS requests for security reasons.
When you click the Configure button, the HSTS Settings dialog opens where you can specify the following:
Enforce HTTP strict transport security (HSTS): Enables or disables HSTS for the Secure Gateway.
Max-age: Specifies the HSTS max-age, i.e. how long (in this dialog, in months) the web browser should remember that it may communicate with the Secure Gateway only over HTTPS. The default (and recommended) value is 12 months. Acceptable values are 4 to 120 months.
Include subdomains: Specifies whether to include subdomains (if you have them).
Preload: Enables or disables HSTS preloading. This is a mechanism whereby a list of hosts that wish to enforce the use of SSL/TLS on their site is hardcoded into a web browser. The list is compiled by Google and is used by Chrome, Firefox, Safari, Internet Explorer 11, and Edge browsers. When a host is on the preload list, a web browser will not even try to send a request over HTTP, but will use HTTPS every time, including on the very first visit. Please also read the important note below.
Note: To use HSTS preload, you have to submit your domain name for inclusion in Chrome's HSTS preload list. Your domain will then be hardcoded into all web browsers that use the list. Important: Inclusion in the preload list cannot easily be undone. You should only request inclusion if you are sure that you can support HTTPS for your entire Site and all its subdomains in the long term (usually 1-2 years).
Please also note the following requirements:
Your website must have a valid SSL certificate. See SSL server configuration.
All subdomains (if any) must be covered in your SSL Certificate. Consider ordering a Wildcard Certificate.
By default, a self-signed certificate is assigned to a RAS Secure Gateway when the gateway is installed. Each RAS Secure Gateway must have a certificate assigned and the certificate should be added to Trusted Root Authorities on the client side to avoid security warnings.
SSL certificates are created on the Site level using the Farm > Site > Certificates subcategory in the RAS Console. Once a certificate is created, it can be assigned to a RAS Secure Gateway. For the information about creating and managing certificates, refer to the SSL Certificate Management chapter.
To configure SSL for a Secure Gateway:
Select the Enable SSL on Port option and specify a port number (default is 443).
In the Accepted SSL Versions drop-down list, select the SSL version accepted by the RAS Secure Gateway.
In the Cipher Strength field, select a desired cipher strength.
In the Cipher field, specify the cipher list. A stronger cipher suite increases the effort needed to break the encryption; note that very old clients may not support the strongest suites, so test the client platforms you need to support after tightening the list.
The Use ciphers according to server preference option is ON by default. You can use client preferences by disabling this option.
In the Certificates drop-down list, select a desired certificate. For the information on how to create a new certificate and make it appear in this list, see the SSL Certificate Management chapter.
The <All matching usage> option will use any certificate configured to be used by Secure Gateways. When you create a certificate, you specify the "Usage" property where you can select "Gateway", "HALB", or both. If this property has the "Gateway" option selected, it can be used with a Secure Gateway. Please note that if you select this option, but not a single certificate matching it exists, you will see a warning and will have to create a certificate first.
By default, the only type of connection that is encrypted is a connection between a Secure Gateway and backend servers. To encrypt a connection between Parallels Client and the Secure Gateway, you also need to configure connection properties on the client side. To do so, in Parallels Client, open connection properties and set the connection mode to Gateway SSL.
To simplify the Parallels Client configuration, it is recommended to use a certificate issued by a well-known third-party trusted Certificate Authority. Note that the Windows certificate store is used by some web browsers (Chrome, Edge, etc.) when connecting to RAS User Portal.
If the certificate is self-signed or was issued by an enterprise CA, Parallels Clients should be configured as follows:
Export the certificate in Base-64 encoded X.509 (.CER) format.
Open the exported certificate with a text editor, such as Notepad or WordPad, and copy the contents to the clipboard.
To add the certificate to the list of trusted authorities on the client side and enable Parallels Client to connect over SSL with a certificate issued by the organization's Certificate Authority:
On the client side, in the directory "C:\Program Files\Parallels\Remote Application Server Client\", there is a file called trusted.pem. This file contains the certificates of common trusted authorities.
Paste the content of the exported certificate at the end of the file, after the existing certificates.
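Appending to trusted.pem by hand is error-prone on more than a handful of clients: a DER-encoded (binary) .CER pasted in as text silently breaks the bundle, and re-running a deployment script must not duplicate the entry. The following is an added example, not Parallels software: it merges one Base-64 X.509 certificate into a PEM bundle, rejects anything that is not exactly one PEM certificate block, and is idempotent. The certificate bodies in it are constructed placeholders, not real certificates, so the example runs offline; the trusted.pem path is the one given above.

```python
# Added example (not part of Parallels RAS): safely append an exported
# Base-64 X.509 certificate to a PEM trust bundle such as trusted.pem.
import base64
import re
import sys
from typing import List

# Path stated in the documentation for Parallels Client for Windows.
TRUSTED_PEM = r"C:\Program Files\Parallels\Remote Application Server Client\trusted.pem"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text: str) -> List[bytes]:
    """DER bytes of every certificate block in a PEM bundle (whitespace-tolerant)."""
    return [base64.b64decode("".join(m.group(1).split()), validate=True)
            for m in PEM_BLOCK.finditer(text)]


def add_to_bundle(bundle_text: str, cert_pem: str) -> str:
    """Return the bundle with cert_pem appended, unchanged if it is already present.

    Raises ValueError when cert_pem is not exactly one PEM certificate, which is
    what you get if the certificate was exported as DER instead of Base-64.
    """
    ders = pem_blocks(cert_pem)
    if len(ders) != 1:
        raise ValueError("expected exactly one Base-64 encoded X.509 (.CER) certificate")
    if ders[0] in pem_blocks(bundle_text):
        return bundle_text                       # already trusted: keep the bundle byte-identical
    separator = "" if (not bundle_text or bundle_text.endswith("\n")) else "\n"
    return bundle_text + separator + cert_pem.strip() + "\n"


def fake_pem(payload: bytes) -> str:
    """Constructed placeholder block: Base-64 of arbitrary bytes, NOT a real certificate."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bundle and enterprise CA certificate.
EXISTING_BUNDLE = fake_pem(b"constructed: public CA 1") + fake_pem(b"constructed: public CA 2")
ENTERPRISE_CA = fake_pem(b"constructed: enterprise CA")


def merge_file(bundle_path: str, cert_path: str) -> int:
    """Merge cert_path into bundle_path on disk; returns the number of certificates afterwards."""
    with open(bundle_path, "r", encoding="ascii") as f:
        bundle = f.read()
    with open(cert_path, "r", encoding="ascii") as f:
        cert = f.read()
    merged = add_to_bundle(bundle, cert)
    if merged != bundle:
        with open(bundle_path, "w", encoding="ascii", newline="\n") as f:
            f.write(merged)
    return len(pem_blocks(merged))


if __name__ == "__main__":
    # Usage: python merge_trusted.py exported.cer  (bundle path defaults to TRUSTED_PEM)
    if len(sys.argv) >= 2:
        print(merge_file(sys.argv[2] if len(sys.argv) > 2 else TRUSTED_PEM, sys.argv[1]), "certificates in bundle")
    else:
        print(len(pem_blocks(add_to_bundle(EXISTING_BUNDLE, ENTERPRISE_CA))), "certificates (sample)")
```

Run it with administrator rights, since the bundle lives under Program Files, and keep a copy of the original trusted.pem so that an update of Parallels Client, which may replace the file, can be re-merged rather than re-edited.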
A Parallels Client normally communicates with a RAS Secure Gateway over a TCP connection. Recent Windows clients may also utilize a UDP connection to improve WAN performance. To provide the SSL protection for UDP connections, DTLS must be used.
To use DTLS on a RAS Secure Gateway:
On the SSL/TLS tab, make sure that the Enable SSL on Port option is selected.
The Parallels Clients must be configured to use the Gateway SSL Mode. This option can be set in the Connections Settings > Connection Mode drop-down list on the client side.
Once the above options are correctly set, both TCP and UDP connections will be tunneled over SSL/TLS (TCP over TLS and UDP over DTLS).
The Public address field on the General tab specifies a public FQDN or IP address of the Secure Gateway. This setting is used by the Preferred routing functionality for redirecting a client connection. Please see Configuring preferred routing.
To configure a RAS Secure Gateway:
In the RAS console, navigate to Farm > <Site> > Secure Gateways.
In the right pane, right-click a Secure Gateway and click Properties.
The RAS Secure Gateway Properties dialog opens.
Read on to learn how to configure the RAS Secure Gateway properties.
User Portal is a functionality built into RAS Secure Gateway that allows users to connect to Parallels RAS and open published resources from a web browser using the Parallels Web Client. The client works similarly to a platform-specific Parallels Client, but does not require any additional software to be installed on users' computers or devices. All that users need is an HTML5-enabled web browser.
This section describes how to configure User Portal in the Parallels RAS Console. How to use it from a web browser is described in its own chapter.
Note: To use Web Client and User Portal, SSL must be enabled on a RAS Secure Gateway. When enabling the client, please verify that SSL is enabled on the SSL/TLS tab or on your network load balancer. Please also note that the User Portal tab is only available if the gateway mode is set to "Normal". For more information, see Gateway mode and forwarding settings.
To configure User Portal, click the User Portal tab in the RAS Secure Gateway properties dialog and then set the options described in the subsequent sections.
To use Site default settings on the User Portal tab, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site defaults (Gateways).
To enable or disable User Portal, select or clear the Enable User Portal option. When the option is cleared, users will not be able to connect to User Portal using the Web Client.
The Web Client URL is configured on the Web tab, which is described later in this chapter.
IP addresses for incoming client connections for a Secure Gateway are specified on the General tab of the RAS Secure Gateway Properties dialog. RAS Secure Gateway recognizes both IPv4 and IPv6. By default, IPv4 is used.
You can specify the following IP options:
Use IP version: Select the IP version(s) to use.
IP(s): Specify one or more IP addresses separated by a semicolon, or click Resolve to resolve the IP address automatically. These are the available addresses on the Secure Gateway server. To specify IP addresses that should be used for client connections, use the Bind to IP section (see below).
Bind to IP: Use this section to specify on which IP address (or addresses) the Secure Gateway will listen for client connections. You can select a specific address or <All available addresses>, in which case all of the IP addresses specified in the IP(s) field will be used.
Remove system buffers for: These fields (one for each IP version) can be used when the connection between the Secure Gateway and the Parallels Client has a high latency (such as the Internet). This option optimizes traffic for a better experience on the Parallels Client side. You can select a specific address, all available addresses, or none. The option delays the internal socket to match the performance of the external socket. If the internal network is fast and the external one is slow, RDP detects the fast internal socket and sends a lot of data that cannot be forwarded quickly enough from the Secure Gateway to the Client, which results in a bad user experience. Enabling this option balances the data exchange.
Note: The Web tab is only available if the gateway mode is set to normal. See more in Gateway mode and forwarding settings.
The Web tab allows you to tweak settings necessary for load balancing in certain scenarios. Here you can specify a redirection URL for web requests and a session cookie name to maintain persistence between a client and a server.
An original web request can reach the gateway one of the following two ways:
The request is sent directly to the gateway over the local network using its IP address or FQDN. For example, https://192.168.10.10.
The request is sent to a HALB device that load-balances this and other gateways in the Farm. The HALB device often faces the Internet (i.e. it is located in the DMZ), so its DNS name can be used in the original request URL. For example, https://ras.msp.com. The HALB device then distributes the request to a gateway.
When the gateway receives the web request, it takes the URL specified on the Web tab and sends it back to the web browser for redirection.
Technically, you can enter any URL here, and the original web request will be redirected to that URL. The primary purpose of this field, however, is to give end users an easy way to access User Portal from their web browsers. Here's how it works:
A user enters the Load Balancer DNS name in a web browser. For example, https://ras.msp.com.
The Load Balancer receives the request and distributes it to the least-busy RAS Secure Gateway for processing.
The gateway receives the original URL and replaces it with the URL specified in the Default URL field. See the Default URL format subsection below.
The replaced URL is then sent back to the web browser, which uses it to open the User Portal login page.
The default URL format is the following:
https://%hostname%/userportal
The %hostname% variable is automatically replaced with the name of the server that received the original request, which in our example is the Load Balancer DNS name. If you wish, you can replace the variable with a specific host name or IP address (e.g. this or some other gateway). For example, https://192.168.5.5/userportal. If you do this, the web requests will always be forwarded to the specified host and will open the User Portal on it. Hard-coding a host may not be very practical, but you can do this nevertheless.
userportal is a constant and is the path to the User Portal login page.
In our example, the resulting URL that the web browser will use to access the User Portal is the following:
https://ras.msp.com/userportal
The fact is, a user could simply use the above URL from the start, but thanks to the redirection feature, users only need to enter the server DNS name (or FQDN/IP-address on the local network) instead of the entire URL.
User Portal Themes is a feature that allows you to custom design the User Portal look and feel for different groups of users. Themes are described in detail in Parallels Web Client and User Portal.
The default web request URL opens the default Theme. To make it open a specific Theme, add the Theme name at end of the URL as follows:
https://%hostname%/userportal/?theme=<theme-name>
where <theme-name>
is the name of a Theme without brackets or quotes.
For users to open a specific Theme, the URL that they enter in a web browser must contain the Theme name, but in this case the format is as simple as the following:
https://<server-name>/<theme-name>
Using our Load Balancer DNS name example from above, the URL may look like the following:
https://ras.msp.com/Theme-E1
For additional information, please see Configure Themes > URLs.
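The redirect and Theme URL rules above are simple string rules, but one of them has a security consequence worth seeing in code: %hostname% is taken from the request, so a gateway (or anything you put in front of it) must only ever substitute hosts it actually serves, or the redirect becomes an open redirect to an attacker-controlled Host header. The following is an added example, not Parallels RAS code: it resolves the Default URL for the two template forms described above (the %hostname% default and a hard-coded host), maps the short https://<server-name>/<theme-name> form onto the login URL, and adds an allowlist check that is my own addition, not a documented gateway behaviour. The host names are the page's own examples.

```python
# Added example (not part of Parallels RAS): Web tab Default URL resolution,
# Theme URL mapping, and a host allowlist check of my own.
from typing import Set
from urllib.parse import quote

DEFAULT_URL_TEMPLATE = "https://%hostname%/userportal"   # the documented default
ALLOWED_HOSTS = {"ras.msp.com"}                          # constructed: the HALB name users type


def host_from_header(host_header: str) -> str:
    """Normalize a Host header: lowercase, drop an optional :port, keep IPv6 brackets."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # e.g. "[2001:db8::1]:443"
        host = host[: host.index("]") + 1]
    elif ":" in host:                        # e.g. "ras.msp.com:443"
        host = host.split(":", 1)[0]
    return host


def resolve_default_url(template: str, host_header: str, allowed_hosts: Set[str]) -> str:
    """Apply the Web tab rule: %hostname% becomes the server that received the request.

    The allowlist check is an added safeguard so that an attacker-supplied Host
    header can never be echoed into a redirect.
    """
    if "%hostname%" not in template:
        return template                      # hard-coded host: request host is ignored
    host = host_from_header(host_header)
    if host not in allowed_hosts:
        raise ValueError(f"refusing to redirect to unlisted host {host!r}")
    return template.replace("%hostname%", host)


def theme_login_url(template: str, host_header: str, allowed_hosts: Set[str], theme: str) -> str:
    """https://%hostname%/userportal/?theme=<theme-name>, with the Theme name URL-encoded."""
    base = resolve_default_url(template, host_header, allowed_hosts).rstrip("/")
    return f"{base}/?theme={quote(theme, safe='')}"


def short_theme_path_to_login(path: str, host_header: str, allowed_hosts: Set[str],
                              template: str = DEFAULT_URL_TEMPLATE) -> str:
    """Map the user-typed form https://<server-name>/<theme-name> onto the login URL."""
    theme = path.strip("/")
    if not theme or "/" in theme:
        raise ValueError("expected a single path segment naming the Theme")
    return theme_login_url(template, host_header, allowed_hosts, theme)


if __name__ == "__main__":
    print(resolve_default_url(DEFAULT_URL_TEMPLATE, "ras.msp.com", ALLOWED_HOSTS))
    print(short_theme_path_to_login("/Theme-E1", "RAS.MSP.COM:443", ALLOWED_HOSTS))
    try:
        resolve_default_url(DEFAULT_URL_TEMPLATE, "evil.example.net", ALLOWED_HOSTS)
    except ValueError as e:
        print("blocked:", e)
```

If you front the gateways with a load balancer that rewrites Host, make sure the name it presents to the gateway is the one users should land on; otherwise the redirect sends browsers to an internal address they cannot reach.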
The Web cookie field is used to specify a session cookie name. RAS Web Client session persistence is normally set by the user IP address (source addressing). If you can't use source addressing in your environment (e.g. your security policy doesn't allow it), you can use the session cookie to maintain persistence between a client and a server. To do so, you need to set up a load balancer that can use a session cookie for persistence. The default cookie name is ASP.NET_SessionId. Note that if you are using Amazon Web Services (AWS) or other third-party load balancers, you may need to specify their own cookie name. See Network load balancers access for more information.
You can allow or deny user access to a Secure Gateway based on a MAC address. This can be accomplished using the Security tab in the RAS Secure Gateway Properties dialog.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site defaults (Gateways).
To configure a list of allowed or denied MAC addresses, click the Security tab and select one of the following options:
Allow all except. All devices on the network will be allowed to connect to the Secure Gateway except those included in this list. Click Tasks > Add to select a device or to specify a MAC address.
Allow only. Only the devices with the MAC addresses included in the list are allowed to connect to the Secure Gateway. Click Tasks > Add to select a device or to specify a MAC address.
Please note that the Secure Gateway MAC address filtering is based on ARP, so client and server must be on the same network for the filtering to work. It does not work across network boundaries.
You can view the summary information for all available RAS Secure Gateways in one place as follows:
In the RAS Console, select the Farm category and then select the Site node in the middle pane.
The available RAS Secure Gateways are displayed in the Gateways group in the right pane.
To go to the main Gateway view/editor, right-click a server and choose Show in the Editor.
You can also view the detailed information about a RAS Secure Gateway by navigating to Information > Site in the Parallels RAS Console. The information on this page includes general information, such as OS version, RAS version, Gateway mode, as well as the information about various types of connections, sessions, cached sockets, and threads.
When configuring RAS Secure Gateway to use SSL encryption, you should pay attention to how the SSL server is configured to avoid possible traps and security issues. Specifically, the following SSL components should be rated to determine how good the configuration is:
The certificate, which should be valid and trusted.
The protocol, key exchange, and cipher should be supported.
The assessment may not be easy to perform without specific knowledge about SSL. That's why we suggest that you use the SSL Server Test available from Qualys SSL Labs. This is a free online service that performs an analysis of the configuration of an SSL web server on the public Internet. To perform the test on a RAS Secure Gateway, you may need to temporarily move it to the public Internet.
The test is available at the following URL: https://www.ssllabs.com/ssltest/.
You can read a paper from Qualys SSL Labs describing the methodology used in the assessment at the following URL: https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide.
Tunneling policies can be used to load balance connections by assigning a group of RD Session Hosts to a specific RAS Secure Gateway or RAS Secure Gateway IP address.
To configure tunneling policies, navigate to Farm > <Site> > Secure Gateways and then click the Tunneling Policies tab in the right pane.
The <Default> policy is a preconfigured rule and is always the last one to catch all non-configured Secure Gateway IP addresses and load balance the sessions between all servers in the Farm. You can configure the <Default> policy by right-clicking it and then clicking Properties in the context menu.
To add a new policy:
Click Tasks > Add.
Select a Secure Gateway IP address.
Specify to which RD Session Host(s) the users connecting to that specific Secure Gateway should be forwarded. If you select None (no forwarding), read the Restricting RDP access section below.
To modify an existing Tunneling Policy, right-click it and then click Properties in the context menu.
You can use tunneling policies to restrict RDP access through the RAS Secure Gateway port. To do so, on the Tunneling Policies tab, select the None option at the bottom of the tab (this is the default setting in a new Parallels RAS installation). By doing so, you are restricting native MSTSC from accessing the gateway through its port (the default port is 80). As a result, when someone tries to use MSTSC at IP-address:80, the access will be denied. The same will happen for an RDP connection from a Parallels Client.
There are a couple of reasons why you would want to restrict RDP access. The first one is when you want your users to connect to the RAS Farm using the Parallels RAS connection only, but not RDP. The second reason is to prevent a DDoS attack.
A common indication of a DDoS attack taking place is when your users cannot log in to a RAS Farm for no apparent reason. If that happens, you can look at the Controller.log file (located on the RAS Connection Broker server, path C:\ProgramData\Parallels\RASLogs) and see that it is full of messages similar to the following:
[I 06/0000003E] Mon May 22 10:37:00 2018 - Native RDP LB Connection from Public IP x.x.x.x, Private IP xxx.xxx.xx.xx, on Secure Gateway xxx.xxx.xx.xx, Using Default Rule
[I 06/00000372] Mon May 22 10:37:00 2018 - CLIENT_IDLESERVER_REPLY UserName hello@DOMAIN, ClientName , AppName , PeerIP xxx.xxx.xx.xx, Secure GatewayIP xxx.xx.x.xx, Server , Direct , desktop 0
[I 05/0000000E] Mon May 22 10:37:00 2018 - Maximum amount of sessions reached.
[I 06/00000034] Mon May 22 10:37:00 2018 - Resource LB User 'hello' No Servers Available!
[W 06/00000002] Mon May 22 10:37:00 2018 - Request for "" by User hello, Client , Address xxx.xxx.xx.xx, was not served error code 14.
These messages tell us that a DDoS attack is in progress on the RDP port. By restricting RDP access through Secure Gateway tunneling policies, you can prevent this from happening.
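The following Python script is an added example (not part of the Parallels documentation) that parses Controller.log lines of the shape quoted above and summarises how many native RDP connections hit the <Default> tunneling rule per public IP, alongside the "Maximum amount of sessions reached" and "error code 14" messages. The sample excerpt is constructed (IPs replaced with RFC 5737 documentation addresses) and the `threshold` value is an assumption, not a Parallels setting.

```python
import re
from collections import Counter

# Constructed sample modelled on the Controller.log lines quoted in the text;
# the masked x.x.x.x addresses are replaced with RFC 5737 documentation IPs.
SAMPLE_LOG = """\
[I 06/0000003E] Mon May 22 10:37:00 2018 - Native RDP LB Connection from Public IP 203.0.113.5, Private IP 10.0.0.20, on Secure Gateway 10.0.0.2, Using Default Rule
[I 06/00000372] Mon May 22 10:37:00 2018 - CLIENT_IDLESERVER_REPLY UserName hello@DOMAIN, ClientName , AppName , PeerIP 10.0.0.20, Secure GatewayIP 10.0.0.2, Server , Direct , desktop 0
[I 05/0000000E] Mon May 22 10:37:00 2018 - Maximum amount of sessions reached.
[W 06/00000002] Mon May 22 10:37:00 2018 - Request for "" by User hello, Client , Address 10.0.0.20, was not served error code 14.
[I 06/0000003F] Mon May 22 10:37:01 2018 - Native RDP LB Connection from Public IP 203.0.113.5, Private IP 10.0.0.20, on Secure Gateway 10.0.0.2, Using Default Rule
[I 05/0000000F] Mon May 22 10:37:01 2018 - Maximum amount of sessions reached.
[W 06/00000003] Mon May 22 10:37:01 2018 - Request for "" by User hello, Client , Address 10.0.0.20, was not served error code 14.
[I 06/00000040] Mon May 22 10:37:05 2018 - Native RDP LB Connection from Public IP 198.51.100.7, Private IP 10.0.0.21, on Secure Gateway 10.0.0.2, Using Default Rule
"""

# "[<level> <module>/<id>] <timestamp> - <message>"
LINE_RE = re.compile(r"^\[(?P<lvl>[IWE]) (?P<id>[0-9A-F]+/[0-9A-F]+)\] (?P<ts>.+?) - (?P<msg>.*)$")
NATIVE_RDP_RE = re.compile(r"Native RDP LB Connection from Public IP (?P<ip>\S+?),")

def parse_controller_log(text):
    """Yield (timestamp, message) for every well-formed Controller.log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("ts"), m.group("msg")

def analyse_native_rdp(text, threshold=2):
    """Summarise native RDP attempts that fell through to the <Default> rule.

    Returns per-public-IP counts, the number of 'maximum sessions' and
    'not served error code 14' messages, the IPs at or above `threshold`,
    and whether the farm looks exhausted (both failure messages present)."""
    per_ip = Counter()
    max_sessions = 0
    not_served = 0
    for _ts, msg in parse_controller_log(text):
        m = NATIVE_RDP_RE.search(msg)
        if m and msg.endswith("Using Default Rule"):
            per_ip[m.group("ip")] += 1
        elif "Maximum amount of sessions reached" in msg:
            max_sessions += 1
        elif "was not served error code 14" in msg:
            not_served += 1
    suspects = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"per_ip": dict(per_ip), "max_sessions": max_sessions,
            "not_served": not_served, "suspects": suspects,
            "exhausted": max_sessions > 0 and not_served > 0}

if __name__ == "__main__":
    print(analyse_native_rdp(SAMPLE_LOG))
```

Run it against a real Controller.log by reading the file into `analyse_native_rdp`; a handful of public IPs accounting for almost all "Using Default Rule" hits while sessions are reported exhausted is the pattern the text describes.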
The Network tab is used to configure RAS Secure Gateway network options.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see .
By default, RAS Secure Gateway listens on TCP ports 80 and 443 to tunnel all Parallels RAS traffic. To change the port, specify a new port in the RAS Secure Gateway Port input field.
RDP port 3389 is used for clients that require basic load balanced desktop sessions. Connections on this port do not support published resources. To change the RDP port on a gateway, select the RDP Port option and specify a new port. When setting your own port, make sure that the port number does not conflict with the standard "RD Session Host Port" setting.
Note: If RDP port is changed, the users need to append the port number to their connection string in the remote desktop client (e.g. [ip address]:[port]).
Broadcast RAS Secure Gateway Address. This option can be used to switch on the broadcasting of the Secure Gateway address, so Parallels Clients can automatically find their primary Secure Gateway. The option is enabled by default.
Enable RDP UDP Data Tunneling. To enable UDP tunneling on Windows devices, select this option (default). To disable UDP tunneling, clear the option.
Device Manager Port. Select this option to enable management of Windows devices from the Device Manager category. The option is enabled by default.
Enable RDP DOS Attack Filter. When selected, this option denies chains of uncompleted sessions from the same IP address. For example, if a Parallels Client initiates multiple successive sessions with each session waiting for the user to provide credentials, Parallels RAS will deny further attempts. The option is enabled by default.
To publish applications from the Parallels RAS to thin clients using the Wyse ThinOS, select the Enable Wyse ThinOS support option on the Wyse tab.
Note: The Wyse tab is only available if the gateway mode is set to normal. See Gateway mode and forwarding settings for more info.
By enabling this option, the RAS Secure Gateway will act as a Wyse broker. You need to make sure that DHCP option 188 on your DHCP server is set to the IP address of this gateway for thin clients that will be booting via this Secure Gateway. Once the DHCP server is configured, click the Test button to verify the DHCP server settings.
The Do not warn if server certificate is not verified option can be selected (enabled) if a Wyse device shows an SSL warning when connecting to a RAS Secure Gateway because the hostname does not match the certificate. When the option is selected, the Secure Gateway will send Wyse clients the following parameters in the wnos.ini file: SecurityPolicy=low TLSCheckCN=no, which will disable SSL checks. Note that the option is not required if a certificate has the following:
The CNAME set to the FQDN of the RAS Secure Gateway.
The SAN set to the RAS Secure Gateway IP address.
Note that if you use a custom wnos.ini in "C:\Program Files (x86)\Parallels\ApplicationServer\AppData\wnos" folder on Secure Gateway, the Secure Gateway will not send the SSL check parameters.
If you configure DHCP option 188 to set the broker address to a given Secure Gateway, you can verify this by clicking the Test button.
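The following Python snippet is an added example (not Parallels code) that encodes the two conditions listed above, a DNS name covering the gateway FQDN and a SAN entry for the gateway IP address, so an administrator can tell from a certificate description whether Wyse clients would warn and whether "Do not warn if server certificate is not verified" would even be needed; the same hostname check is what the certificate assessment earlier on this page relies on. The certificate dicts are constructed in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; they are not real certificates.

```python
import ipaddress

def _host_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, wildcard only as the leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and hostname.count(".") >= 2:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False

def cert_covers_gateway(cert, fqdn, ip):
    """Return (fqdn_ok, ip_ok) for a getpeercert()-shaped dict.

    fqdn_ok: a DNS SAN (or, if no DNS SAN exists, the subject CN) matches the gateway FQDN.
    ip_ok:   an 'IP Address' SAN equals the gateway IP address."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for t, v in sans if t == "DNS"]
    ip_names = [v for t, v in sans if t == "IP Address"]
    if not dns_names:  # fall back to the CN only when the certificate has no DNS SAN
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    fqdn_ok = any(_host_matches(p, fqdn) for p in dns_names)
    target = ipaddress.ip_address(ip)
    ip_ok = any(ipaddress.ip_address(v) == target for v in ip_names)
    return fqdn_ok, ip_ok

def wyse_needs_relaxed_checks(cert, fqdn, ip):
    """True when a Wyse client would show an SSL warning for this gateway, i.e. when
    the certificate fails either of the two conditions the text lists."""
    fqdn_ok, ip_ok = cert_covers_gateway(cert, fqdn, ip)
    return not (fqdn_ok and ip_ok)

# Constructed certificate descriptions (hypothetical gateway gw1.example.com / 192.0.2.10).
GOOD_CERT = {"subject": ((("commonName", "gw1.example.com"),),),
             "subjectAltName": (("DNS", "gw1.example.com"), ("IP Address", "192.0.2.10"))}
CN_ONLY_CERT = {"subject": ((("commonName", "gw1.example.com"),),), "subjectAltName": ()}

if __name__ == "__main__":
    print(cert_covers_gateway(GOOD_CERT, "gw1.example.com", "192.0.2.10"))      # (True, True)
    print(wyse_needs_relaxed_checks(CN_ONLY_CERT, "gw1.example.com", "192.0.2.10"))  # True
```

If the function returns True, the fix that keeps SSL checks intact is reissuing the certificate with the missing SAN entries rather than enabling the relaxed Wyse option.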
The Network Load Balancers access section is intended for deployment scenarios where third-party front-end load balancers such as Amazon Web Services (AWS) Elastic Load Balancers (ELBs) are used. It allows you to configure an alternate hostname and port number to be used by the Network Load Balancer (NLB). This is needed to separate the hostnames and ports on which TCP and HTTPS communications are carried out, because AWS load balancers don't support both of these protocols over the same port.
The following options are available:
Use alternate hostname: Select this option and specify an alternate hostname. When the alternate hostname is enabled, all platform-specific Parallels Clients will use this hostname to connect to the RAS Farm or Site.
Use alternate port: Select this option and specify an alternate port number. The port must not be used by any other component in the RAS Farm or Site. To reset the port number to the default value, click Default. When the alternate port is enabled, all platform-specific Parallels Clients will use this port to connect to the RAS Farm or Site. Note that RDP sessions in Web Client will still be connecting to the standard SSL port (443).
Note: Using an alternate host or port is not suitable in a multi-tenant environment, as Tenant Broker RAS Secure Gateways are shared between Tenants, which would require different configurations.
In addition, the AWS Application Load Balancer (ALB), which handles HTTP/s traffic required by the Parallels Web Client, only supports specific cookies that are usually automatically generated. When a load balancer first receives a request from a client, it routes the request to a target and generates a cookie named AWSALB, which encodes information about the selected target. The load balancer then encrypts the cookie and includes it in the response to the client. When sticky sessions are enabled, the load balancer uses the cookie received from the client to route the traffic to the same target, assuming the target is registered successfully and is considered healthy. By default, Parallels RAS uses its own ASP.NET cookie named _SessionId; in this case, however, you must customize the cookie by specifying the AWSALB cookie mentioned above for sticky sessions. This can be configured using the Web cookie field on the Web Requests tab. Note that this functionality is available in Parallels RAS 17.1 or newer.
A RAS Secure Gateway is monitored and logs are created containing relevant information. To configure logging and retrieve or clear existing log files, right-click a gateway, choose Troubleshooting > Logging in the context menu, and then click Configure, Retrieve, or Clear depending on what you want to do. For the information on how to perform these tasks, see the Logging section.
You can perform standard computer management tasks on the server hosting the RAS Secure Gateway right from the RAS Console. These include Remote Desktop Connection, PowerShell, Computer Management, Service Management, Event Viewer, IPconfig, Reboot, and others. To access the Tools menu, select a server, click Tasks (or right-click) > Tools, and choose the desired tool. For requirements and usage information, see Computer management tools.