To configure the appearance of Parallels Client, select the Appearance node and then configure the groups of settings described below.
Parallels Client interface. Select the style of interface for Parallels Client for Windows.
Prompt user to switch to Modern interface. Select this option if you want the user to see a prompt that allows them to switch to Modern interface.
To configure connection properties, select the Connection node and then go through each child node configuring their respective properties.
The primary connection always defaults to the primary RAS Secure Gateway, but you can modify the following connection properties:
Specify a friendly name for the connection.
Auto login: Enable or disable auto login in RAS User Portal. If the option is disabled, auto login will be disabled in User Portal and the user will not be able to change it. For more information, see Auto Login.
In the Authentication type drop-down list, select the desired method of authentication:
Credentials. The user will have to enter credentials to log on.
Single Sign-On. This option will be included in the list only if the Single Sign-On module is installed during Parallels Client installation. The credentials that the user used to log on will be used to connect to the remote server.
Smart Card. Select this option to authenticate using a smart card. When connecting to the remote server, a user will need to insert a smart card into the card reader and then enter a PIN when prompted.
Web. If selected, the SAML SSO authentication is allowed. For more information, see SAML SSO Authentication.
Web + Credentials. The same as Web, but users are prompted to enter credentials when they launch a published application. To enable the Web + Credentials method, you must configure your IdP and RAS as described in IdP side configuration and SP side configuration.
Note: Smart card authentication is not supported in Parallels Client for Linux.
Note: The Web + Credentials method works only in Parallels Client for Windows.
Note: The allowed authentication type(s) must be specified in RAS Console in Connection > Authentication.
Select or clear Save password as needed (if credentials are used for authentication). This means forcing a client to save the password for this connection.
Specify the domain name (if credentials are used for authentication).
If you have more than one RAS Secure Gateway, you can define a secondary connection, which will be used as a backup connection in case the primary gateway connection fails.
To add a secondary connection:
Select the Secondary connections item.
In the Secondary connections pane, click Tasks > Add and specify a server name or IP address.
Select the connection mode and modify the default port number if necessary.
If you have multiple secondary connections, you can move them up or down in the list. If the primary connection cannot be established, Parallels Client will use secondary connections in the order listed.
In this pane, specify what to do if the connection is dropped:
Reconnect if connection is dropped. if this option is selected, Parallels Client will try to reconnect if the connection is dropped. The Connection retries property specifies the number of retries.
Show connection banner if reconnection is not established within. Specifies the number of seconds after which the connection banner will be displayed in Parallels Client. This will inform the user that the connection was dropped and will allow them to take actions on their own.
Specify the name that a computer will use during a remote desktop session. If set, this will override the default computer name. Any filtering set by the administrator on the server side will make use of the Override computer name setting.
Connection timeout. The Parallels Client connection timeout value.
Show connection banner if connection is not established within. Specifies the number of seconds after which the connection banner will be displayed. This will inform the user that the connection cannot be established and will allow them to take actions on their own.
Show desktop if published application does not start within. If a published application is not launched within the time period specified in this field, the host server desktop will be shown instead. This is helpful if an error occurs on the server side while launching an application. By showing the server desktop, the user can see the error message.
Select or clear the Use default OS browser option. If the option is selected, the SAML SSO login dialog on the client side will open in the default browser. If the option is cleared, the browser built into the Parallels Client will be used.
The Open browser window to complete log out option is used when the built-in browser is used. In this case, there's no control over the SAML log out, so when this option is selected, a URL will open to perform the logout from SAML. By default, this web page will not be displayed, but if you need to interact with the browser, you can enable this option.
For more info, see SAML SSO Authentication.
When a user opens a remote application, a session must first be launched. Launching a session can take time, which will result in the user waiting for the application to start. To improve user experience, a session can be launched ahead of time, before the user actually opens an application.
To enable (or disable) session prelaunch, choose one of the following in the Mode drop-down list:
Off. No session prelaunch is used.
Basic. A session is prelaunched as soon as the user gets the application listing. The assumption is, the user will open an application within the next few minutes. The session will stay active for 10 minutes. If the user doesn't open an application during that time, the client will disconnect from the session.
Machine Learning. When the application listing is acquired, a session is prelaunched based on user habits. With this option enabled, Parallels Client will record and analyze the user habits of launching applications on a given day of the week. A session is started a few minutes before the user usually opens an application.
When a session is prelaunched, it will all happen in the background, so the user will not see any windows or message boxes on the screen. When the user starts an application, it will open using the prelaunched session, so it will start very quickly.
You can configure rules when session prelaunch must not be used. The following options are available:
Use the Exclude sessions prelaunch list to specify dates on which the prelaunch must not be used. Click on the plus-sign icon and select a date. The list can contain multiple entries.
You can also exclude a published resource from the session prelaunching scheme altogether. This way, the resource is excluded from the analysis and is never considered by Parallels Client when making a decision whether to prelaunch a session. For example, when you have a server on which you never want to prelaunch sessions, you can flag all published resources hosted by that server as to be excluded from session prelaunch. To exclude a published resource from session prelaunch, in the RAS Console, navigate to Published Resources, select a resource and then select the Exclude from session prelaunch option.
The setting in this section specifies to which IP address to bind the local RDP proxy. Select the Use 127.0.01 IP address when using Gateway mode in VPN scenarios option. You should have this setting enabled. Disabling it may lead to users not being able to open applications or desktops when using a VPN. This setting applies to Parallels Client for Windows only.
The Policies category allows you to manage Parallels Client policies for users connecting to a Farm. By adding client policies, you can group users and push different Parallels Client settings to user devices forcing them to function as your organization requires.
Settings that can be enforced on user devices include RAS connection properties, display, printing, scanning, audio, keyboard, device, and others. Once you create a policy and push it to a client device, the user of the device cannot modify the settings that the policy enforces. In Parallels Client, this will manifest itself as hidden or disabled connection properties and global preferences.
Parallels Clients for all platforms are supported.
Note: Starting with Parallels RAS v16.5, a new approach is used to manage client policies. In the previous versions, a client policy would apply the full set of parameters and replace the client settings, completely hiding an enforced category. In RAS v16.5 and newer, client policy settings are split into smaller groups with the ability to configure and enforce each group on the client side individually. For information on how this affects existing client policies that were created in an earlier version of Parallels RAS, please read Client policy backward compatibility.
Items under the Session node in the Policy Properties dialog include connection, display, printing, network, and other settings that will be enforced on a client if defined and enabled.
For a particular group of settings to be enforced on a client device, it must be selected (checked). Unselected groups will not be enforced, so end users will be able to configure them themselves. For example, you can check the Connection node, but only check the Primary connection and Secondary connections groups under it. This will enforce only the two selected groups of settings on client devices.
To configure display settings, select the Display node and then configure the groups of settings described below.
Select the desired video acceleration mode and color depth.
Specify which monitors should be used for a session if more than one monitor is connected to the user's computer.
The following options are available:
All: All displays.
Primary: User's primary display.
Selected: User can select one or several displays manually. To use this option for a published desktop, you need to select Full Screen in Publishing category > select the published desktop > Desktop tab > Desktop Size.
Specify the options as follows:
Use primary monitor only. Select this option to start published applications on the primary monitor. Other monitors connected to a user's computer will not be used.
Use dynamic desktop resizing. Select this option if you want published resources to use the display settings of the local desktop.
Specify the desktop options as follows:
Smart-sizing: Choose a smart sizing option. The Scale (fit to window) option scales a remote desktop to fit the connection window. The Resize (update resolution) option updates the resolution dynamically (without the need to reconnect) based on the window size. To disable smart sizing, select Disabled.
Embed desktop in launcher. Enable this option to access a published desktop inside Parallels Client.
Span desktop across all monitors. Enable this option to span published desktops across all connected monitors.
Connection bar in full screen. Specify whether the connection bar should be pinned, unpinned, or hidden when connecting in full-screen mode.
This section applies to Parallels Web Client only. Specify whether a remote application should open in the same or a new tab in a web browser by default.
On the Keyboard node in the Policy Properties dialog, select how you want to apply key combinations (e.g. Alt+Tab) that you press on the keyboard:
On the local computer. Key combinations will be applied to Windows running on the local computer.
On the remote computer. Key combinations will be applied to Windows running on the remote computer.
In full screen mode only. Key combinations will be applied to the remote computer only when in the full-screen mode.
Select or clear the Send unicode characters as needed.
To add a new client policy:
Select the Policies category and then click Tasks > Add in the right pane. The Policy Properties dialog opens.
The left pane contains a navigation tree allowing you to select a group of options to configure. You can search for options using the Find field in the upper left corner of the dialog. If multiple options are found, you can navigate between them using arrows.
Make sure the Policy node is selected, and then specify a policy name and an optional description.
In the Apply policy to section, click Tasks > Add (or click the plus sign icon) and specify rules that define what object the policy applies to (see below).
By default, a client policy applies to configured users, computers, and groups in all situations. Optionally, you can specify rules that define when the policy should be applied. This functionality allows you to create different policies for the same user or computer, which will be applied depending on where the user is connecting from and from which device. Each rule consists of one or several criteria for matching against user connections. In turn, each criteria consists of one or several specific objects that can be matched.
You can match the following objects:
User, a group the user belongs to, or the computer the user connects from.
Secure Gateway the user connects to.
Client device operating system.
IP address.
Hardware ID. The format of a hardware ID depends on the operating system of the client.
Notice the following about the rules:
Criteria are connected by the AND operator. For example, if a rule has a criteria that matches certain IP addresses and a criteria that matches client device operating systems, the rule will be applied when a user connection matches one of the IP addresses AND one of the client operating systems.
Objects are connected by the OR operator. For example, if you only create a criteria for matching client device operating systems, the rule will be applied if one of the operating systems matches the client connection.
The rules are compared to a user connection starting from the top. Because of this, the priority of a rule depends on its place in the rule list. Parallels RAS will apply the first rule that matches the user connection.
The default rule is used when no other rule is matched. You can set it to either Apply policy if no other rule matches or Do not apply policy if no other rule matches, but no criteria is available for this rule.
To create a new rule:
Select the Policy node.
In the Apply policy to section, click Tasks > Add. The New rule properties dialog opens.
Specify the name and the description of the rule.
In the Criteria section, specify criteria for the rule. You will find the following controls:
Apply policy if and Do not apply policy if: specifies whether the policy is applied or not applied when a user connection matches all the criteria. Click on the link to switch between the two options.
(+): adds a new criteria. If you want to match a Secure Gateway, a client device operating system, an IP address, or a hardware ID, click (+). In the context menu that appears, select the type of object that you want to match and add the specific objects in the dialog that appears. The new criteria appears on the next line.
(X): Deletes a specific object from matching. For example, you want to delete IP address from matching, click (X) next to it. This control appears when at least one object is added. If all objects in a criteria are deleted, the criteria is removed.
is and is not: specifies whether the policy is applied or not applied when a user connection matches the criteria. Click on the link to switch between the two options. This control appears when at least one object is added.
configure: edits the list of objects to be matched. Click this link to add or delete new objects. Note that for the first criteria (User, group or computer) this link is called everyone. It will change to configure once you specify objects for this criteria.
On the Scanning node in the Policy Properties dialog, you can specify a scanner that should be used when one is required by a published application:
Use. Allows you to select a scanning technology. RAS Universal Scanning uses TWAIN and WIA redirection allowing an application to use either technology depending on the hardware type connected to the local computer. If you select None, scanning will disabled.
Redirect Scanners. Select scanners attached to your computer for redirection. You can select All (all attached scanners will be redirected) or Specific only (only the scanners you select in the provided list will be redirected).
The Printing node in the Policy Properties dialog allows you to configure printing options.
In the Technology section, select the technology to use when redirecting printers to a remote computer:
None. No printer redirection will be used.
RAS Universal Printing technology. Select this option if you want to use RAS Universal Printing technology.
Microsoft Basic Printing Redirection technology. Select this option if you want to use Microsoft Basic printing technology.
RAS Universal Printing and Microsoft Basic redirection technologies. Select this option to use both Parallels RAS and Microsoft technologies.
Note: The following rules apply when using printing in RAS HTML 5 Client. If None or Microsoft Basic Printing is selected, then no printing redirection will be available in a remote session. If RAS Universal Printing or RAS Universal Printing and Microsoft Basic Printing is selected, then RAS Universal Printing will be used in a remote session.
If you selected RAS Universal Printing technology, use the Redirect Printers drop-down list to specify whether to redirect all printer on the client side, default printer only, or specific printers.
If you select Specific only in the step above, click Tasks > Add. Type a printer name and then click the Options button. In the dialog that opens, specify settings described below.
In the Choose Format drop-down list, select a data format for printing:
Print Portable Document Format (PDF). Adobe PDF. This option does not require you to install any local applications capable of printing a PDF document. All the necessary libraries are already installed together with Parallels Client.
View PDF with external application. To use this option you must have a local application installed which is capable of viewing a PDF document. Note that not all applications are supported. For example, the built-in PDF viewer in Windows is not supported, so you must have Adobe Acrobat Reader (or a similar application) installed.
Print PDF with external application. This option works similar to the View PDF option above. It also requires an application capable of printing a PDF document installed locally.
Enhanced Meta File (EMF). Use vector format and embedded fonts.
Bitmap (BMP). Bitmap images.
In the Client printer preferences section, select one of the following:
Use server preferences for all printers. If this option is selected, a generic printer preferences dialog will be shown when a user clicks Print in a remote application. The dialog has only a minimal set of options that they can choose.
Use client preferences for all printers. With this option selected, a local printer preferences dialog will open when a user clicks Print in an application. The dialog will contain a full set of options for a particular printer that the user has installed on their local computer. If they have more than one printer installed, a native preferences dialog will open for any particular printer that they choose to print to.
Use client preferences for the following printers. This option works similar to the Use client preferences for all printers option (above), but allows users to select which printers should use it. Select this option and then select one or more printer in the list below. If a printer is not selected, it will use the generic printer preferences dialog, similar to the first option in this list.
To configure default printer settings, click the Change Default Printer settings button.
The default printer list shows printers that can be redirected by the client to the remote computer:
To disable the default printer, select <none>.
To redirect the default local printer, select <defaultlocalprinter>.
When <custom printer> is selected, you can specify a custom printer. The first local printer that matches the printer name inserted in the Custom field will be set as the default printer on the remote computer.
Select Match exact printer name to match the name exactly as inserted in the Custom field. Please note that the remote printer name may not match the original printer name. Also note that local printers may not redirect due to server settings or policies.
The Force Default printer for option specifies the time period, during which a printer will be forced as default. If the default printer is changed during this time after the connection is established, the printer is reset as default.
Select the Update the remote default printer if the local default printer is changed option to change the remote default printer automatically when the local default printer is changed. Please note that the new printer must have been previously redirected.
Windows 10 and 11 have a feature that automatically sets the default printer to the one used most recently or more often. This can break the default printer control on RD Sessions Hosts, guest VMs, and Remote PCs. To resolve this issue, the default printer management in Windows 10 and 11 should be disabled. To disable this feature using the Group Policy, do the following:
Open the group policy editor.
Navigate to User Configuration > Administrative Templates > Control Panel > Printers.
Find the Turn off Windows default printer management policy and enable it.
Force the group policy to all computers attached to the domain.
You can also disable the default printer management in Windows 10 and 11 locally by using the GUI or the registry editor:
On a Windows 10 or 11 computer, click Start, then click the "gear" icon which will open the Settings page.
On the Printers and Scanners tab, set the Let Windows manage my default printer option to OFF.
Using the registry editor:
Open the registry editor (regedit).
Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows.
Create a new DWORD item and name it LegacyDefaultPrinterMode.
Change the item's Value data to hexadecimal and set the value data to 1.
In addition to disabling the default printer management, the Download over metered connections option should be enabled in Settings > Devices > Printers & Scanners.
This node in the Policy Properties dialog allows you to configure remote audio playback and recording settings.
In the Remote audio playback section, Use the Where drop-down list to select one of the following remote audio playback options:
Bring to this computer. Audio from the remote computer will play on your local computer.
Do not play. Audio from the remote computer will not play on your local computer and will be muted on the remote computer as well.
Leave at remote computer. Audio will not play on your local computer but will play normally on the remote computer.
Use the Quality drop-down list to adjust the audio quality:
Dynamically adjust based on available bandwidth. This option will increase or decrease the audio quality based on your connection speed. The faster the connection, the higher audio quality setting will be used.
Always use medium audio quality. The audio quality is fixed at the medium level. You can use this option when you don't require the best possible audio quality and would rather use the available bandwidth for graphics.
Always use uncompressed audio quality. The audio quality is fixed at the highest level. Select this option if you have a very fast connection and require the best possible audio quality.
The Enable recording (if applicable) option allows you to enable audio recording on the remote computer. For example, you can speak into a microphone on the local computer and use a sound recording application on the remote computer to record yourself.
The Experience node in the Policy Properties dialog allows you to tweak connection speed and compression.
Choose your connection speed to optimize performance: Choose a connection type according to your situation and then select experience options you want enabled. If you are connecting to a remote server on a local network that runs at 100 Mbps or higher, it is usually safe to have all of the experience options enabled. If you choose Detect connection quality automatically, the experience options will be enabled by default, but some may be dynamically disabled depending on the actual connection speed.
Enhance windows move/size: Enable this option if your users experience graphics artifacts (dark squares) while moving or resizing a remote application window on their desktops. The issue may manifest itself when a remote application is hosted on a Windows Server 2016, 2019 or 2022 and when the Show contents of window while dragging option is enabled. The issue does not appear with any other versions of Windows.
It is recommended to enable compression to have a more efficient connection. The available compression options are described below.
Enable RDP Compression: Enables compression for RDP connections.
Universal printing compression policy: The compression type should be selected based on your environment specifics. You can choose from the following options:
Compression disabled. No compression is used.
Best speed (uses less CPU). Compression is optimized for best speed.
Best size (uses less network traffic). Compression is optimized to save network traffic.
Based on connection speed. The faster the connection speed, the lower compression level and the minimum data size to compress are used.
Universal scanning compression policy: This drop-down list has the same options as the universal printing compression above. Select the compression type based on your environment specifics.
Use the Local devices and resources node in the Policy Properties dialog to configure how local resources are used in a remote session.
Enable or disable the clipboard in a remote session. In the right pane, choose one of the following clipboard redirection options:
Client to server only: Copy and paste from client to a server app only.
Server to client only: Copy and paste from a server app to client only.
Bidirectional: Copy and paste in both directions.
Disabled: The clipboard is disabled.
The Limit clipboard to text only drop-down menu allows you to limit the functionality of the clipboard:
No limit: All types of files can be copied in both directions.
Client to server: Only plain text can be copied from the client to the server.
Server to client: Only plain text can be copied from the server to the client.
Both directions: Only plain text can be copied in both directions.
Note: Clearing the Clipboard option also disables the Remote Clipboard functionality for affected users in Parallels Web Client. For more information, please see Using the remote clipboard.
Select the Allow disk drives and folders redirection option and select local drives you want to redirect, or select Use all disk drives available.
Select the Redirect as read-only drives option to redirect all selected disk drives in read-only mode.
Note: When you select the Redirect as read-only drives option, the drag-and-drop functionality in Parallels Client for Windows becomes limited. Users will be able to use drag-and-drop only for copying file paths from local to remote computers.
Note: When you select the Redirect as read-only drives option, the drag-and-drop functionality in Parallels Client for Mac becomes limited. Users will be able to use drag-and-drop only for copying data from local to remote computers.
If you select the Use also disk drives that I plug in later option, disk drives that you connect to a local computer later will be automatically available in a remote session.
Note: This option applies to Parallels Client for Windows only.
In the Cache drop-down list, you can select whether to enable drive redirection cache hat makes file browsing and navigation on the redirected drives much faster:
Disable: Drive redirection cache is disabled.
Enable: Drive redirection cache is enabled.
Fast mode: Same as above, but certain decorative features of File Explorer are disabled in favor of faster browsing.
Note: This option applies to Parallels Client for Windows only.
On this pane, specify whether to redirect local devices in general, use all devices available, and also devices that will be plugged in later.
Local devices that can be redirected include supported Plug and Play devices, media players based on the Media Transfer Protocol (MTP), and digital cameras based on the Picture Transfer Protocol (PTP).
Please note that disk drives and smart cards are redirected using dedicated Disk drives and folders and Smart cards options.
Specifies video capture devices to redirect from a user device to the remote session. This is a high-level redirection that allows to redirect a composite USB device, such as a webcam with a microphone.
Allow devices redirection: Allows to choose which video capture devices to redirect.
Use all devices available: Redirect all available devices.
Use also devices that I plug in later: A device that is plugged in after a session is started will also be used. Note that if this option is disabled, you will need to restart a session for a newly plugged in device to become available.
Select whether to redirect LPT and COM ports.
Select whether to redirect smart cards. Note that if smart card is selected as the authentication type in the Primary connection pane, the smart card redirection is automatically enabled and this option is grayed out.
Enables or disables the following functions:
Pen input redirection with pressure sensitivity support.
Windows touch input redirection. Windows touch input redirection allows users to use Windows native touch gestures from touch-enabled devices, including touch, hold, and release actions. The actions are redirected to remote applications and desktops as corresponding mouse clicks. This option allows you to disable touch input redirection in case of app compatibility issues.
Note: This policy is applicable to Parallels Client for Windows and Parallels Web Client only.
Allows to watch video content played in a browser on a remote Azure Virtual Desktop host. To use this feature, you also need to configure redirection on your AVD hosts as described at https://learn.microsoft.com/en-us/azure/virtual-desktop/multimedia-redirection?tabs=edge#requirements.
Note: This policy is applicable to Parallels Client for Windows 10 1909 and later, and Windows 11. Note: Multimedia redirection on Azure Virtual Desktop is not available when using the Advanced client feature set. Note: Multimedia redirection on Azure Virtual Desktop is currently in preview. For the list of websites that support multimedia redirection, see https://learn.microsoft.com/en-us/azure/virtual-desktop/multimedia-redirection-intro.
Enables file transfer in a remote session. To enable file transfer, select this node and then select a desired option in the Allow file transfer drop-down list in the right pane. For additional information, see Configuring remote file transfer.
Use the Network node in the Policy Properties dialog to configure a proxy server for Parallels Client.
Select the Use proxy server option and then select the protocol from the following list:
SOCKS4. Enable this option to transparently use the service of a network firewall.
SOCKS4A. Enable this option to allow a client that cannot connect to resolve the destination host’s name to specify it.
SOCKS5. Enable this option to be able to connect using authentication.
HTTP 1.1. Enable this option to connect using a standard HTTP 1.1 protocol connection.
Specify the proxy host's domain name or IP address and the port number.
For SOCKS5 and HTTP 1.1 protocols, select the Proxy requires authentication option. For authentication, select the Use user logon credentials option or specify a user name and password in the fields provided.
Use the Server authentication node in the Policy Properties dialog to specify what should happen if authentication of an RD Session Host, Remote PC, or Guest VM fails.
In the If authentication fails drop-down list, select one of the following options:
Connect. The user can ignore the certificate of the server and still connect.
Warn. The user is alerted about the certificate and still has the ability to choose whether to connect or not.
Do not connect. The user is not allowed to connect.
The Client options node allows you configure client policy options. Select the node and then select and configure individual items under it as described below.
On the Connection pane, specify the following options:
Connection Banner. Select a banner to display while establishing a connection.
Automatically refresh connected RAS connections every [ ] minutes. Select this option and specify the time interval to automatically refresh a connection. This will refresh the published resources list in Parallels Client.
When all sessions are closed. Specifies what happens when all user sessions are closed:
Do nothing. Nothing happens.
Lock workstation. The computer is locked.
Sign out from workstation. The current user is signed out from their account.
Note: The Lock workstation option is not supported on the devices managed in the Kiosk mode.
Specify a log level for Parallels Client. Choose from the following options:
You should normally use the Standard logging. When you have an issue with Parallels Client, you can temporarily raise the log level by selecting Extended or Verbose and setting start date/time and a duration. Note that start date and time correspond to the local client time zone. Parallels Client must be running in order for the logging to take place. If Parallels Client is launched when Extended or Verbose levels should be already in effect, the level will stay on for the remainder of the original duration setting. If a policy changes during this time, the actual log level settings will be reapplied accordingly.
Select Check for updates on startup and specify an update URL if you want Parallels Client to check for updates when it starts. The URL can point to the Parallels website or you can store updates on your local network and use this local URL. For the information on how to configure a local update server, please read https://kb.parallels.com/123658.
Note: This option works with Parallels Client for Windows only. Parallels Client for Mac can be updated only from the App Store. Parallels Client for Linux does not support this feature.
To force a particular keyboard to be used, select the Force use PC keyboard and select a keyboard layout from the drop-down list. Note that the selected layout can and will only be used in a Parallels Client version that supports this particular layout.
Parallels Client for Windows comes with its own SSO component that you can install and use to sign in to Parallels RAS. If you already use a third-party credential provider component on your Windows computers, you first need to try if the single sign-on works right out of the box. If it doesn't, you need to configure Parallels RAS and Parallels Client to use the Parallels RAS SSO component to function as a wrapper for the third-party credential provider component.
To use Parallels RAS SSO as a wrapper, specify a third-party component, select the Force to wrap third party credential provider component option and specify the component's GUID in the field provided. You can obtain the GUID in Parallels Client as follows:
Install Parallels Client on a computer that has the third-party component installed.
In Parallels Client, navigating to Tools > Options > Single Sign-On (tab page).
Select the "Force to wrap..." option and then select your provider in the drop-down list.
Click the Copy GUID to Clipboard button to obtain the component's GUID.
You will also need to specify the component's GUID when setting up an invitation email in the RAS Console. If you haven't set up an invitation email yet, you can do it as follows:
In the RAS Console, select the Start category and then click the Invite Users item in the right pane.
On the second page of the wizard (target platform and connection options), click the Advanced button.
In the dialog that opens, select the Force to wrap third party SSO component option and specify the GUID of the component.
For more information, see the Invite users section.
After the policies are applied on Windows computers, Parallels Client will be automatically configured to use the specified third-party credentials provider.
Use this pane to specify advanced client options, as described below.
Always on Top. With this feature enabled, other applications will no longer mask the launcher.
Show connection tree. Displays the connection tree.
Minimize to tray on close or escape. Enable this feature to place the Parallels Client into the System Tray when you click on the Close button or hit escape.
Enable graphic acceleration (Chrome client).
Do not warn if server certificate is not verified. When connected to a RAS Secure Gateway over SSL, and the certificate is not verified, a warning message will be displayed. You can disable this warning message by enabling this option.
Swap mouse buttons. When enabling this setting, the mouse buttons will be swapped on the remote computer.
DPI aware. This will force a published application to be DPI-aware depending on the client's DPI settings. This feature works on Windows 8.1 or higher.
Add RAS Connection automatically when starting web or shortcuts items. This option will add the connection preferences in the Parallels Client when starting an item contained in a connection that is not yet listed.
Do not show prompt message for auto add RAS connection. Enable this option to disable prompt messages when adding auto connections.
Close error messages automatically. When a session disconnects because of an error, the error is automatically dismissed after 15 seconds.
Clear session cookies on exit. When a user logs on, a Parallels RAS logon cookie is kept on the client side. This will allow the user to connect again with Parallels RAS without re-authenticating. Check this option to delete any cookies when the user closes the Parallels Client.
Enable extended logging. Enables extended logging.
Turn off UDP on Client: Turns off UDP traffic from Parallels Client for Windows.
Specify a language that Parallels Client should use. The Default option uses the main language used by the client's operating system.
Install missing fonts automatically. If automatic fonts are installed on the server, they will be available when a session connects.
Raw printing support. When enabling this setting, printing will still work for applications sending data in RAW format.
Convert non distributable fonts data to images. During RAS Universal Printing, if a document includes non-distributable fonts, each page is converted to an image.
Cache printers hardware information. Caching of printer hardware information locally to speed-up RAS universal printer redirection.
Refresh printer hardware information every 30 days. Forces the printer hardware information cache update even if nothing has changed in 30 days. When this option is off, the cache will only be refreshed if there were known changes.
Cache RAS Universal Printing embedded fonts. Caching of embedded fonts locally to speed-up RAS universal printing process time.
Hide Launcher when application is launched. If this option is enabled, the launcher will be minimized in the system tray after an application is launched.
Launch automatically at Windows startup. This option will place a shortcut in the start menu folder of the client and the Parallels Client will launch automatically on Windows startup.
Allow RDP redirection of other supported RemoteFX USB devices to all users. This setting applies to Parallels Client for Windows only. Outside Parallels RAS, the standard RemoteFX USB redirection feature must be enabled via Group Policy in order to work. When you select the "Allow RDP redirection ..." option on this screen, it will do the same as GPO, which is update the corresponding registry setting in Windows on a client machine. Parallels Client for Windows relies on this feature to be enabled in Windows registry in order to redirect USB devices. When the policy containing this setting is applied on a client machine, the user will see a message that RemoteFX USB redirection was enabled and that they will need to restart Windows.
Participate in Customer Experience Program. This setting allows you to join Parallels Customer Experience Program. For more information about Parallels Customer Experience Program, see https://www.parallels.com/about/legal/pcep/.
Control settings options allow you to control various actions on the client side. These options affect the following Parallels Clients:
On the Connections pane, select (or clear) the following options:
Prohibit adding of RAS connections. When a user presses the Add Connection button, an RDP connection is always created.
Prohibit adding standard RDP connections. When a user presses the Add Connection button, a RAS connection is always created
On the Password pane, specify the following options:
Prohibit saving username. Parallels Client will not display the username of the last user who logged in. Selecting this option automatically enables the Prohibit saving password option.
Prohibit saving password. The option to save the password will not be shown to the user for that particular connection. A password is never saved on a disk, but kept in memory until the user closes the application.
Prohibit changing password. The option to change the password will not be shown in the context menu for that particular connection.
On the Import and Export pane:
Prohibit importing settings. If this option is selected, the user cannot import connection settings to Parallels Client.
Prohibit exporting settings. If this option is selected, the user cannot export connection settings from Parallels Client.
The Advanced Settings node in the Policy Properties dialog allows you to customize the default behavior or Parallels Client.
You can specify the following properties:
Use client system colors: Enable this option to use the client system colors instead of those specified on the remote desktop.
Use client system settings: Enable this option to use the client system settings instead of those specified on the RD Session Host.
Create shortcuts configured on server: For each published application, the administrator can configure shortcuts that can be created on the client's desktop and the Start menu. Select this option to create the shortcuts, or clear the option if you don't want to create them.
Register file extensions associated from the server: For each published application, the administrator can create file extension associations. Use this option to either register the associated file extensions or not.
Redirect URLs to the client device: Enable this option to use the local web browser when opening 'http:" links.
Redirect MAILTO to the client device: Enable this option to use the local mail client when opening ‘mailto:’ links.
Always ask for credentials when starting applications: If this option is enabled, a user will be asked to enter credentials when starting an application even if the session is still active. You can use this option as added security to prevent unauthorized users to access applications. For example, if a user disconnects from a session, no one else will be able to take over the session and run remote applications. As another example, if a user leaves a device with an open User Portal displaying the app listing (with or without running RDP sessions) then any user who tries to open a new application or another instance of a running application will be prompted for credentials. Please note that the option must be disabled for this functionality to work; otherwise saved credentials will be used automatically.
Allow Server to send commands to be executed by client: Enable this option to allow commands being received from the server to be executed by the client.
Confirm Server commands before executing them: If this option is enabled, a message is displayed on the client to confirm any commands before they are executed from the server.
Network Level Authentication: Check this option to enable network level authentication, which will require the client to authenticate before connecting to the server.
Redirect POS devices: Enables the Point of Service (POS) devices such as bar code scanners or magnetic readers that are attached to the local computer to be used in the remote connection.
Use Pre Windows 2000 login format: If this option is selected, it allows you to use legacy (pre-Windows 2000) login format.
Disable RDP-UDP for gateway connections: Disables RDP UDP data tunneling on the client side. You can use this option when some clients experience random disconnects when RDP UDP data tunneling is enabled on the RAS Secure Gateway (the Network tab in the gateway Properties dialog), while other clients are not.
Do not show drive redirection dialog: This option affects Parallels Client for Mac. By default, the Grant access to Home folder (drive redirection) dialog opens automatically when a Mac user connects to Parallels RAS. This happens when this option is disabled or when there's no client policy at all. The dialog allows the user to configure which folders on the local disk drive should be available to remote applications. If you enable this option, the dialog will not be shown a user. Read below for more explanation.
Drive redirection cannot be configured via client policies, so Mac users have to do this themselves. By automatically showing the dialog, you can invite the user to go through the local folder configuration procedure. On the other hand, if there's no need for your users to redirect their local drives, you can disable the automatic opening of the dialog. Note that the dialog can still be run manually in Parallels Client for Mac at any time by opening Connection Properties > Local Resources, selecting the Disk drives option and clicking Configure.
When the option is disabled (or when there's no client policy defined), the dialog opens at least once when the user connects to Parallels RAS for the first time. At that time, the user can either configure local folders or select the Never ask me again option. In both cases, the dialog will not be shown to the user anymore. The Mac user can reset the Never ask me selection by going to Connection Properties > Advanced and clearing the Do not show drive redirection dialog option.
Redirection options allow you to move your existing users from one RAS Secure Gateway to another gateway within the same Farm, or you can even redirect users to a gateway in a different Farm.
Note: When setting gateway redirection, make sure that the gateway criteria (the Criteria node) does not conflict with it. Read the Gateway criteria subsection at the end of this section for the explanation.
To configure redirection options:
Select the Redirection node in the left pane of the Policy Properties dialog.
In the right pane, specify the new connection properties, including:
Gateway address
Connection mode
Port number
Alternative address
When this policy is applied to user devices, the following will happen:
Parallels Client connection settings are automatically updated on each device.
Parallels Client tests the new connection. If succeeded, the current connection policies are removed and new policies are added.
If Parallels Client cannot connect to Parallels RAS using new settings, the application list will not be shown and an error message will be displayed saying that the redirection policy has failed to apply. The user will be advised to contact the system administrator.
If a policy has both Redirection and Criteria settings enabled and configured, a situation may occur when the policy is applied in an infinite loop on the client side, which will result in an error. Consider the following possible scenarios when this may happen:
Parallels Client connects to gateway "A" and applies a policy, which redirects it back to gateway "A". This will continue to loop until Parallels Client gives up and displays an error to the user, which will say, "Failed to apply redirection policy....".
Parallels Client connects to gateway "A" and applies policy "P1", which redirects it to gateway "B". As expected, Parallels Client connects to gateway "B" and applies policy "P2", which redirects it back to gateway "A" where it all began. This will will also continue to loop until Parallels Client gives up and displays the same error message as described above.
Once again, this may only happen if the Criteria node is enabled and specified gateways conflict with each other. To avoid it, make sure that the Gateway criteria option on the Criteria pane is set to if Client is connected to one of the following gateways and that the same policy is not applied again when Parallels Client is redirected to a new gateway.
Starting with Parallels RAS v16.5, a new approach is used to manage client policies. In the previous versions, a client policy would apply the full set of parameters and replace the client settings completely hiding an enforced category. In RAS v16.5 (or newer), client policy settings are split into smaller groups with the ability to configure and enforce each group on the client side individually. For example, the administrator wants to re-design the policies to disable clipboard redirection only, leaving the rest of the local devices and resources settings available for the end users to control. In the previous version, this would not be possible. The new design allows an administrator to easily achieve this goal.
This section explains how the backward compatibility is achieved with older clients and how new clients retain compatibility with older server-side installations.
The new client policies implementation handles compatibility issues as follows:
All settings found in older policies are sent to the client as if being sent from an older Parallels RAS server. When a client receives the policy, the Connection properties and Options/Preferences settings are set correctly from the old design point of view. If, however, the policy is configured in such a way that the user cannot change anything, the entire tab will be hidden (no need to display the options if all of them are disabled).
The Parallels RAS Console handles old-style policy settings as if they are new and displays them using the updated graphical user interface.
In terms of policies, when a Parallels RAS v16.5 client connects to a previous version of Parallels RAS, the client keeps working normally and all of the policy settings are functioning as expected.
When a policy is applied to a user device, the information about it is displayed in Parallels Client. The information can be used to verify that the correct policy was delivered to a user device. The following information is included:
ID: The policy ID as displayed in the ID field in the Policies list in the RAS Console.
Version: The policy version number as displayed in the Version field in the Policies list in the RAS Console.
RAS Connection: The name of the connection through which the policy was delivered. Displayed only on mobile devices and in Web Client.
By comparing the information above in Parallels Client running on a user device and the information in the RAS Console, you can see which policy was applied to a user device.
To see the applied policy information for a connection:
In Parallels Client for Windows / Mac / Linux, open the Connection Properties dialog. The information is displayed at the bottom of a tab page to which the policy was applied.
In Parallels Client for Android, the information is displayed at the bottom of the Settings screen.
In Parallels Client for iOS, open the Edit RAS Connection screen and tap View Applied Server Policy (as the bottom).
In RAS Web Client, the information is displayed in the Settings dialog.
Please note that when all of the connection properties in Parallels Client are managed through client policies, the user can still open the Connection Properties dialog, but it will contain a single tab displaying the applied policy information. If only some of the connection properties are managed through policies, the user will be able to see those tabs and the applied policy information that they contain.
When a policy includes global policy options, you can view the applied policy information in Parallels Client as follows:
In Parallels Client for Windows and Linux, open the Options dialog (click Tools > Options).
In Parallels Client for Mac, open Preferences (click Parallels Client > Preferences).
The applied policy information is displayed at the bottom of the dialog, similar to how it is displayed for the connection.