A Parallels RAS administrator has the ability to customize how users connect to Parallels RAS. This chapter describes connection and authentication settings that can be configured according to your organization requirements. It then explains how to use two-factor authentication for higher level of security.
RAS Connection Broker connection settings can be accessed from the Connection category.
Select the Authentication tab. In the Allowed authentication types section, select one of the following options:
Credentials. The user credentials are validated by the Windows system on which RAS is running. The credentials used for Windows authentication are also used to log in to an RDP session.
Smart Card. Smart card authentication. Similar to Windows authentication, smart card credentials can be shared between both RAS and RDP. Hence, smart card credentials only need to be entered once. Unlike Windows authentication, the user only needs to know the smart card’s PIN. The username is obtained automatically from the smart card, so the user doesn't need to provide it.
Web (SAML). SAML SSO authentication. For more information, see SAML SSO Authentication.
Web + Credentials. The same as Web (SAML), but users are prompted to enter credentials when they launch a published application. To enable the Web + Credentials method, you must configure your IdP and RAS as described in IdP side configuration and SP side configuration.
Note: The Web + Credentials method works only in Parallels Client for Windows.
Note that if smart card authentication is disabled, RAS Connection Broker will not hook the Local Security Authority Subsystem Service (LSASS). Smart card authentication can be used in Parallels Client for Windows, Mac, and Linux. Please also note that smart cards cannot be used for authentication if Parallels Client is running inside an RDP session.
A valid certificate must be installed on a user device in order to use smart cards. To do so, you need to import the certificate authority root certificate into the device’s keystore.
A certificate must meet the following criteria:
The "Key Usage" field must contain digital signature.
The "Subject Alternative Name" (SAN) field must contain a user principal name (UPN).
The "Enhanced Key Usage" field must contain smart card logon and client authentication.
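The three certificate criteria above can be checked programmatically before a smart card rollout. The following script is an added example and not Parallels code: it uses the third-party `cryptography` package to inspect Key Usage, the Subject Alternative Name and Enhanced Key Usage, and builds self-signed test certificates in memory (constructed for this example, not real smart card certificates) to show a passing and two failing cases. The OIDs for the UPN otherName and Smart Card Logon are the Microsoft-defined values 1.3.6.1.4.1.311.20.2.3 and 1.3.6.1.4.1.311.20.2.2.

```python
"""Check an X.509 certificate against the smart card logon criteria:
Key Usage contains digitalSignature, the SAN carries a UPN, and Enhanced Key
Usage contains both Smart Card Logon and Client Authentication.
Added illustration (not Parallels code); requires the `cryptography` package.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import (ExtendedKeyUsageOID, ExtensionOID, NameOID,
                                   ObjectIdentifier)

# Microsoft-defined OIDs used on Windows smart card logon certificates.
UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")             # szOID_NT_PRINCIPAL_NAME
SMARTCARD_LOGON_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")  # szOID_KP_SMARTCARD_LOGON
CLIENT_AUTH_OID = ExtendedKeyUsageOID.CLIENT_AUTH                 # 1.3.6.1.5.5.7.3.2


def check_smart_card_cert(cert: x509.Certificate) -> list:
    """Return a list of problems; an empty list means all three criteria are met."""
    problems = []
    ext = cert.extensions

    # 1. Key Usage must include digitalSignature.
    try:
        if not ext.get_extension_for_oid(ExtensionOID.KEY_USAGE).value.digital_signature:
            problems.append("Key Usage lacks digitalSignature")
    except x509.ExtensionNotFound:
        problems.append("Key Usage extension missing")

    # 2. SAN must carry a UPN, encoded as an otherName entry with the UPN OID.
    try:
        san = ext.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        if not any(isinstance(n, x509.OtherName) and n.type_id == UPN_OID for n in san):
            problems.append("SAN has no user principal name")
    except x509.ExtensionNotFound:
        problems.append("Subject Alternative Name extension missing")

    # 3. EKU must include both Smart Card Logon and Client Authentication.
    try:
        eku = ext.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
        for oid, label in ((SMARTCARD_LOGON_OID, "Smart Card Logon"),
                           (CLIENT_AUTH_OID, "Client Authentication")):
            if oid not in eku:
                problems.append(f"EKU lacks {label}")
    except x509.ExtensionNotFound:
        problems.append("Enhanced Key Usage extension missing")
    return problems


def build_test_cert(upn=None, eku_oids=(SMARTCARD_LOGON_OID, CLIENT_AUTH_OID)) -> x509.Certificate:
    """Build a self-signed test certificate (constructed for this example only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example User")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=False,
                                            key_encipherment=False, data_encipherment=False,
                                            key_agreement=False, key_cert_sign=False,
                                            crl_sign=False, encipher_only=False,
                                            decipher_only=False), critical=True)
               .add_extension(x509.ExtendedKeyUsage(list(eku_oids)), critical=False))
    if upn is not None:
        # The UPN otherName value is a DER UTF8String: tag 0x0C, length, UTF-8 bytes.
        der_upn = b"\x0c" + bytes([len(upn)]) + upn.encode()
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_upn)]), critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    print("good cert:", check_smart_card_cert(build_test_cert(upn="user@example.com")))
    print("no SAN:   ", check_smart_card_cert(build_test_cert()))
    print("no SC EKU:", check_smart_card_cert(
        build_test_cert(upn="user@example.com", eku_oids=(CLIENT_AUTH_OID,))))
```

To check a real certificate exported from a card or the CA, load it with `x509.load_pem_x509_certificate` or `x509.load_der_x509_certificate` and pass it to `check_smart_card_cert`; the third case above is the one that matters for the Force clients to use NetBIOS credentials note further down, since a missing UPN is exactly what that option cannot tolerate.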
To specify an authentication domain, select one of the following:
Specific: Select this option and type a specific domain name.
All trusted domains: If the information about users connecting to Parallels RAS is stored in different domains within a forest, select the All Trusted Domains option to authenticate against multiple domains.
Use client domain if specified: Select this option to use the domain specified in the Parallels Client connection properties. If no domain name is specified on the client side, the authentication is performed according to the settings above.
Force clients to use NetBIOS credentials: If this option is selected, the Parallels Client will replace the username with the NetBIOS username.
Note: If a certificate on your smart card does not contain a user principal name (UPN) in the "Subject Alternative Name" (SAN) field (or if it doesn't have the "Subject Alternative Name" field at all), you have to disable the Force clients to use NetBIOS credentials option.
Recommendation: After changing the domain names or some other authentication related changes, click the Clear cached session IDs button on the Settings tab.
In order to authenticate user sessions against users defined on a standalone machine, you must enter [workgroup_name]/[machine_name] instead of the domain name. For example, if you would like to authenticate users against the list of local users on a machine called SERVER1 that is a member of the workgroup WORKGROUP, enter the following in the domain field: WORKGROUP/SERVER1.
You can configure Parallels Client to use a custom URL for changing domain passwords.
To make Parallels Client use a custom URL for changing domain passwords:
Select Use a custom link for the "Change domain password" option.
Add the link to the text field below.
The Settings tab in the Connection category allows you to configure the following remote session options.
This option affects reporting statistics, whereby a session is declared idle after the amount of time specified without any activity.
The FIPS 140-2 encryption property allows you to specify whether FIPS-encrypted connections are allowed or even enforced on RAS Secure Gateways. When you allow (or enforce) the encryption, the Gateways will use the FIPS 140-2 encryption module. You can choose from the following options:
Disabled. FIPS 140-2 encryption is disabled on RAS Secure Gateways.
Allowed. RAS Secure Gateways accept both FIPS-encrypted and non-FIPS-encrypted connections.
Enforced. RAS Secure Gateways accept FIPS-encrypted connections and will drop any non-FIPS-encrypted connection.
Note: For FIPS 140-2 encryption to work, a FIPS compliant certificate must be installed on each RAS Secure Gateway.
When you enable FIPS 140-2 encryption, the encryption status is displayed on the Information > Site tab in the RAS Console. Look for the Encryption property of a RAS Secure Gateway.
Note: If you use FIPS, the minimum allowed version of TLS is automatically set to 1.2.
FIPS 140-2 encryption is supported in all versions of Parallels Client except for the following:
Parallels Client for Windows installed on Windows 8.1 and earlier
Parallels Client for Android
Parallels Client for iOS
Web Client
Note: Parallels Client for ARM64 does not support FIPS 140-2.
Please also note that when FIPS 140-2 encryption is enforced, it is enforced for all users in a given Farm. If you need to enforce FIPS for one user group and not for another, a new Farm must be deployed for this purpose.
Specifies the time period after which an idle client connection should be logged out. Once the connection is logged out, the user is disconnected from Parallels RAS and is presented with the Connections dialog in Parallels Client as a way to notify them that they were logged out. They can use the dialog to log back on if desired. Parallels Client connection is considered idle after the last user session has been disconnected or logged off.
Specify the amount of time that a session is cached for (a longer time reduces the number of AD transactions).
Clears all cached session information.
Note: This feature is not supported on Parallels Clients earlier than version 19 and Parallels Client for Chrome. Creating a logon hours rule restricts the ability to connect to published resources (within a site) using any of these clients.
Logon hours restrictions provide an ability to restrict user access to published resources during specified time frames using flexible expression-based rules.
Time zone redirection is required to be set on the server in order for the feature to work as intended.
To enable group policy setting Allow time zone redirection:
On the Active Directory server, open the Group Policy Management Console.
Expand your domain and Group Policy Objects.
Right-click the GPO that you created for the group policy settings and select Edit.
In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection.
Enable the setting Allow time zone redirection.
To add a new logon hours rule:
In the RAS Console, navigate to Connection and select the Logon hours tab.
Click Tasks > Add (or click the [+] icon).
In the Name field, specify the name of the rule.
In the Description field, specify the description of the rule.
In the Criteria section, specify criteria for the rule. You will find the following controls:
(+): adds a new criteria. If you want to match a Secure Gateway, a client device name, a client device operating system, an IP address or a hardware ID, click (+). In the context menu that appears, select the type of object that you want to match and add the specific objects in the dialog that appears. The new criteria appears on the next line.
(X): deletes a specific object from matching. For example, if you want to delete IP address 198.51.100.1 from matching, click (X) next to it. This control appears when at least one object is added. If all objects in a criteria are deleted, the criteria is removed.
is and is not: specifies whether the logon hours rule must be applied when a user connection matches the criteria (is) or when it does not match (is not). Click the link to switch between the two options. This control appears when at least one object is added.
configure: edits the list of objects to be matched. Click this link to add or delete objects. Note that for the first criteria (User or group) this link is called everyone. It changes to configure once you specify objects for this criteria.
In the Logon hours table, specify the hours when users are permitted to log on. To deny logon during a certain day or period of time, select that day or time and click the Logon denied button located to the right of the table.
Click OK.
Click Apply.
Note: If no logon hours rules are specified, access to published resources is not restricted. If rules are specified, but the user connection does not match any of them, the user is denied access.
You can also specify the following settings for a logon hours rule:
Do not allow Parallels Client to connect outside of allowed logon hours: If selected, a Parallels Client is not allowed to connect to resources published on the site.
Disconnect user session if the time has elapsed: If selected, shows users a notification that their sessions are going to be disconnected. After selecting this option, you can specify the settings below:
Notify user before disconnect: Time when Parallels RAS notifies the user before the client is disconnected from the Farm.
Allow user to extend session time: If selected, allows user to extend the session.
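The decision logic of the note above (no rules means unrestricted access; rules that exist but match nothing mean denial) is easy to get wrong when combining is / is not criteria with the hours table. The following model is an added example, not Parallels RAS code: it assumes rules are checked in list order and that the first rule whose criteria all match decides the outcome, and it uses constructed sample rules, a contractor group and the documentation IP ranges 198.51.100.0/24 and 203.0.113.0/24. It shows that a contractor connecting from the office network is denied by a single "is not office" rule until a second rule covers that case.

```python
"""Model of logon hours rule evaluation (added illustration, not Parallels code).
Assumption: rules are evaluated in list order and the first rule whose criteria
all match decides; no rules = unrestricted, no matching rule = denied.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Criterion:
    """One line of the Criteria section: <kind> is / is not <objects>."""
    kind: str              # "user", "gateway", "device", "os", "ip" or "hwid"
    values: set
    is_match: bool = True  # True for "is", False for "is not"

    def matches(self, conn: dict) -> bool:
        if self.kind == "user" and not self.values:
            hit = True     # the "everyone" state of the first criterion
        elif self.kind == "ip":
            hit = any(ip_address(conn["ip"]) in ip_network(v, strict=False) for v in self.values)
        elif self.kind == "user":
            hit = bool(set(conn["user"]) & self.values)   # account name or any group
        else:
            hit = conn[self.kind] in self.values
        return hit if self.is_match else not hit


@dataclass
class LogonHoursRule:
    name: str
    criteria: list
    denied: set = field(default_factory=set)   # {(weekday, hour)} cells marked "Logon denied"

    def applies_to(self, conn: dict) -> bool:
        return all(c.matches(conn) for c in self.criteria)

    def permits(self, when: datetime) -> bool:
        return (when.weekday(), when.hour) not in self.denied


def evaluate(rules: list, conn: dict, when: datetime) -> tuple:
    """Return (allowed, reason) for a connection attempt at local time `when`."""
    if not rules:
        return True, "no logon hours rules: access unrestricted"
    for rule in rules:
        if rule.applies_to(conn):
            verdict = rule.permits(when)
            return verdict, f"rule '{rule.name}' {'permits' if verdict else 'denies'} logon at this hour"
    return False, "no rule matched the connection: access denied"


# Constructed sample data. Weekday 0 is Monday; hours outside 08:00-17:59 are denied.
OFF_HOURS = {(day, hour) for day in range(7) for hour in list(range(0, 8)) + list(range(18, 24))}
RULES = [
    LogonHoursRule("Contractors from outside", [
        Criterion("user", {"Contractors"}),
        Criterion("ip", {"198.51.100.0/24"}, is_match=False),   # not from the office network
    ], denied=OFF_HOURS),
    LogonHoursRule("Office network", [
        Criterion("user", set()),                                 # everyone
        Criterion("ip", {"198.51.100.0/24"}),
    ]),                                                           # no denied hours
]
CONTRACTOR_REMOTE = {"user": ["alice", "Contractors"], "ip": "203.0.113.7", "gateway": "gw1",
                     "device": "LAPTOP-01", "os": "Windows", "hwid": "HW-0001"}
CONTRACTOR_OFFICE = dict(CONTRACTOR_REMOTE, ip="198.51.100.5")
STAFF_REMOTE = dict(CONTRACTOR_REMOTE, user=["bob", "Staff"])


def decide(conn: dict, when_iso: str, rules: list = RULES) -> tuple:
    """Convenience wrapper taking an ISO 8601 local timestamp such as 2024-06-04T10:00."""
    return evaluate(rules, conn, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    for label, conn, when in (("contractor, remote, Tue 10:00", CONTRACTOR_REMOTE, "2024-06-04T10:00"),
                              ("contractor, remote, Tue 20:00", CONTRACTOR_REMOTE, "2024-06-04T20:00"),
                              ("contractor, office, Tue 20:00", CONTRACTOR_OFFICE, "2024-06-04T20:00"),
                              ("staff, remote, Tue 10:00", STAFF_REMOTE, "2024-06-04T10:00")):
        print(f"{label}: {decide(conn, when)}")
```

The staff member connecting from outside is denied even though no rule mentions staff at all, which is the fail-closed behaviour the note describes; if that is not intended, a catch-all rule with the everyone criterion and no denied hours has to be added explicitly.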
In the RAS Console, navigate to Connection and select the Logon hours tab.
Select the rule that you want to configure.
Click the gear icon to the left of the Task menu. The Options dialog opens. From here, select the options that you want.
You can specify a minimum requirement for the Parallels Client type and version number in order for it to connect to the Parallels RAS Farm or to list published resources. In addition, you can set the Parallels Client security patch level (described later in this section).
To specify Parallels Client requirements:
In the RAS Console, select the Connection category and click the Allowed Devices tab.
In the Mode drop-down list, select from the following options:
Allow all clients to connect to the system. No restrictions. All Parallels Client types and versions are allowed full access.
Allow only the selected clients to connect to the system. Allows you to specify Parallels Client types and versions that are allowed to connect to the Parallels RAS Farm. Select the desired Parallels Client types in the Clients list. To set the Minimum build value, right-click the client type and choose Edit. Type the version number directly in the Minimum build column.
Allow only the selected clients to list the published items. Allows you to specify Parallels Client types and versions that can list published resources. Compared to the option above, this one does not restrict Parallels Clients connecting to Parallels RAS. Select this option and then select the desired Parallels Client types in the Clients list. To set the Minimum build value, right-click the client type and then click Edit in the context menu. Type the version number directly in the Minimum build column.
If a restriction is configured and a Parallels Client is excluded from the list, the user running it will receive a corresponding error message and will be advised to contact the system administrator.
The Allow only clients with latest security patches option specifies the Parallels Client security patch level. If the option is selected, only clients with latest security patches applied will be allowed to connect to Parallels RAS. This option must normally be selected to protect your environment from vulnerabilities. You should only clear it if you must use an older version of Parallels Client with no security patches installed. For more information, please see the following KB article: .
To add an MFA provider:
In the RAS Console, navigate to Connection and select the Multi-Factor authentication tab.
Click Tasks > Add (or click the [+] icon).
Select your MFA provider. A wizard will open.
In the Wizard window, specify the following parameters:
Name: Name of the provider.
Description: Description of the provider.
In the Themes table select the Theme(s) that will use this MFA provider.
Click Next.
Do one of the following:
If you use RADIUS, configure the setting as described in Connection and click Finish.
If you are using a TOTP provider other than Google Authenticator, configure the setting as described in Configuring TOTP.
If you use email to send OTPs, configure the setting as described in Configuring email OTP.
If you use Deepnet DualShield, configure the setting as described in Configuring Parallels RAS to use the DualShield Authentication Platform. For information about configuring DualShield Authentication Platform, see section Configuring DualShield 5.6+ Authentication Platform.
If you use SafeNet, configure the setting as described in Configuring SafeNet.
If you use Google Authenticator, configure the setting as described in Configuring Google Authenticator.
Parallels RAS allows you to use multi-factor authentication for access control. When multi-factor authentication is used, users will have to authenticate through two successive stages to get the application list. While the first level will always use native authentication (Active Directory / LDAP), the second level can use one of the following solutions:
Azure MFA (RADIUS)
Duo (RADIUS)
FortiAuthenticator (RADIUS)
TekRADIUS
RADIUS
Google Authenticator
Microsoft Authenticator
TOTP (Time-based one-time password)
Multi-factor authentication is more secure because instead of using a standard user name and password, it uses a static user name and a one-time password generated by a token.
Learn how to add an MFA provider in the Adding an MFA provider section.
See also Configuring MFA rules.
The Connection tab lets you specify the following options:
Display name: Specify the name of the OTP connection type that will be displayed on the Logon screen on the client side. This should be the name that your users will clearly understand.
Primary server and Secondary server: These two fields allow you to specify one or two RADIUS servers to include in the configuration. Specifying two servers gives you an option to configure high availability for RADIUS hosts (see below). Specify a server by entering its hostname or IP address or click the [...] button to select a server via Active Directory.
When two RADIUS servers are specified, select one of the following high availability modes from the HA mode drop-down list: Active-active (parallel), where the request is sent to both servers simultaneously and the first reply is used; or Active-passive (failover), where the servers are used in failover order, so the failover time and timeout are doubled because Parallels RAS waits for both hosts to reply.
HA mode: See Primary server and Secondary server above. If only the Primary server is specified, this field is disabled.
Port: Enter the port number for the RADIUS Server. Click the Default button to use the default value.
Timeout: Specify the packet timeout in seconds.
Retries: Specify the number of retries when attempting to establish a connection.
Secret key: Type the secret key.
Password encoding: Choose from PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol), according to the setting specified in your RADIUS server.
Click the Check connection button to validate the connection. If the connection is configured correctly, you will see a confirmation message.
Specify additional properties as required:
User Prompt: Specify the text that the user will see when prompted with an OTP dialog.
Forward username only to RADIUS server: Select this option if needed.
Forward the first password to Windows authentication provider: Select this option to avoid a prompt to enter the password twice (RADIUS and Windows AD). Note that for Azure MFA server, this option is always enabled and cannot be turned off.
Please also read a note at the bottom of the dialog (if available) suggesting certain setting specifics for the selected RADIUS solution.
The Automation tab in the RADIUS Properties dialog allows you to customize the OTP experience for Parallels Client users by configuring security verification methods and custom commands to be sent to a RADIUS server during the MFA login process. Different security verification methods can be assigned priority and configured to be used automatically.
With this functionality configured, users can choose their preferred security verification method from a predefined and configurable list including Push notification, Phone Callback, SMS, Email, and Custom. The methods appear as clickable icons on the OTP dialog in Parallels Client. When a user clicks an icon, a command is sent to the RADIUS server and the corresponding verification method is used.
To configure a verification method (also called "actions" here and in the Parallels RAS Console), on the Automation tab, click Tasks > Add. In the Add Action dialog, specify the following properties:
Enable Action: Enables or disables the action.
Title: The text that will appear on the clickable icon in Parallels Client (e.g. "Push").
Command: The OTP command to be used when the action icon is clicked in Parallels Client. Consult your MFA provider for command specifications.
Description: A description that will appear on the user's screen as a balloon when the mouse pointer hovers over the action icon.
Action message: A message to show to the user in the connection progress box.
Select an image: Select an image from the provided gallery. The image is used as the action icon in the OTP dialog in Parallels Client.
When done, click OK to save the action. Repeat the steps above for other actions.
Note: You can create up to five actions. When all five are created, the Tasks > Add menu is disabled.
You can move the actions on the Automation tab up or down the list. This dictates in which order the action icons will be displayed in Parallels Client.
There's one more option that you can configure for an action. It is called Autosend. The option can be enabled for one action only, making it a default action, which will be used automatically without user interaction.
To enable the Autosend option, select an action on the Automation tab and click Tasks > Autosend. To disable the option, click the same menu again. If you enable Autosend for a different action, it will be automatically disabled for the previous action.
There are two possible ways to make an action execute automatically in Parallels Client:
Client is receiving the action icon configuration for the first time and one of the actions has Autosend enabled.
Enabling the Remember last method used option in Policies > Session > Connection > Multifactor authentication. When the option is enabled and Parallels Client receives the policy, the last method successfully used by the user becomes the default automatic method.
When the user logs in to Parallels RAS via MFA, the OTP dialog is shown in Parallels Client with the action icons positioned above the OTP field. The user clicks an icon and the authentication is carried out according to the predefined action. For example, if the user clicks the "Push" icon, a push notification is sent to the user's mobile device where they can simply tap "Approve". Or there could be a "Text me" icon, in which case a text is sent to the user's mobile phone with a one-time password. If one of the actions has the Autosend option enabled, then this action is used automatically.
If a user always uses the same authentication method, they can make it the default one. To do so, the user enables the Remember last method used option in the MFA authentication section of the connection properties. Depending on the platform, the option can be found at the following locations:
Parallels Client for Windows / Linux: Connection Advanced Settings > MFA authentication
Parallels Client for Mac: Advanced > MFA authentication
Parallels Client for Chrome: Advanced Settings
Web Client: Settings
Parallels Client for iOS: Connection Settings > MFA authentication
Parallels Client for Android: Settings > MFA authentication
As was already mentioned above, the Remember last method used can also be configured in Client Policies in the RAS Console. The option is enabled by default.
The below diagram shows the double hop perimeter network scenario with RAS Connection Broker connected to a RADIUS server (RADIUS is located in Intranet but it can be placed in DMZ).
To configure RADIUS properties:
In the Parallels RAS Console, navigate to Connection > Multi-factor authentication.
Double-click the MFA provider that you want to configure.
Read on to learn how to configure RADIUS provider settings.
If your RADIUS solution requires configuring attributes, click the Attributes tab and then click Add. In the dialog that opens, choose a desired preconfigured vendor and attribute:
In the Vendor drop-down list, select a vendor.
In the Attribute list, select a vendor attribute.
In the Value field, enter a value for the selected attribute type (numeric, string, IP address, date, etc).
Click OK, and then click OK again to close all dialogs.
In certain scenarios you may need to add vendors and attributes that are not listed in this dialog. For the information about how to add vendors and attributes, please see the following KB article: .
The Advanced tab lets you specify the error messages sent by the RADIUS server that will not be shown by Parallels Client. This can be useful if an error message is confusing for the user or disrupts user experience.
By default, the message "New SMS passcodes sent." is added to the list of ignored messages for Duo RADIUS. This is done to make authentication via SMS easier for the user. It is not recommended to remove this message from the list of ignored messages.
To add a new message to the list of ignored messages:
On the Advanced tab, click Tasks > Add (or click the [+] icon).
Type the exact text of the error message you want to be ignored. Messages are not case sensitive. Please note that you have to specify only the text sent by the RADIUS server. For example, if Parallels Client shows an error that reads "Code [01/00000003] Logon using RADIUS failed. Error: New SMS passcodes sent.", you need to add "New SMS passcodes sent." to the list.
This section explains how to integrate TOTP MFA providers with Parallels RAS.
Before reading this section, please read the following important note.
Note: As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates, and generate activation credentials as usual: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy. For new deployments, it is recommended to use Azure NPS Extension https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension or Azure MFA Service along with SAML configuration in RAS.
Depending on the user location, there are four scenarios for the cloud MFA service:
An Azure account with the Global Administrator role is required to download and activate MFA Server. Syncing with Microsoft Entra ID (via AD Connect) or a custom DNS domain is not required to set up an MFA Server that runs exclusively on-premises.
Users need to be imported into MFA Server and be configured for MFA authentication.
Parallels RAS authenticates users with MFA Server using the RADIUS second level authentication provider. MFA Server thus needs to be configured to allow RADIUS client connections from the RAS server.
The authentication process goes through the following stages:
In stage 2 the user can be authenticated using either RADIUS or Windows AD. A prompt to enter the credentials twice (in stage 1 and 6) is avoided by enabling the option to forward the password.
To configure TOTP settings:
Specify the following:
Display Name: The default name here is TOTP. The name will appear on the registration dialog in Parallels Client in the following sentence, "Install TOTP app on your iOS or Android device". If you change the name, the sentence will contain the name you specify, such as "Install <new-name> app on your iOS or Android device".
User Prompt: Specify the text that the user will see when prompted with an OTP dialog.
The User enrollment section allows you to limit user enrollment if needed. You can allow all users to enroll without limitations (the Allow option), allow enrollment until the specified date and time (Allow until), or completely disable enrollment (the Do not allow option). If enrollment is disabled because the time frame has expired or because the Do not allow option is selected, a user trying to log in will see an error message saying that enrollment is disabled and advising the user to contact the system administrator. When you restrict or disable enrollment, Google Authenticator or another TOTP provider can still be used, but with the added security that no further user enrollment is possible. This is a security measure that prevents someone holding compromised credentials from enrolling in MFA on the user's behalf.
Show information to unenrolled users: Select whether unenrolled users can see the "The user name or password is incorrect" error when they enter incorrect credentials:
Never (most secure): Unenrolled users see a TOTP prompt instead of the error.
If enrollment is allowed: Unenrolled users see the error if user enrollment is allowed. Otherwise, they see a TOTP prompt.
Always: Unenrolled users always see the error.
The Authentication section allows you to configure TOTP tolerance. When using Time-based One-Time Password (TOTP), the time must be synchronized between the RAS Connection Broker and client devices. The synchronization must be performed against a global NTP server (e.g. time.google.com). Using the TOTP tolerance drop-down list, you can select a time difference that should be tolerated while performing authentication. Expand the drop-down list and select one of the predefined values (number of seconds). Note that changing the time tolerance should be done with caution as it has security implications: the validity period of a security token is increased, which gives a wider time window for potential misuse.
Note: When using TOTP providers, both Connection Brokers and client devices must have their time synchronized with a global NTP server (e.g. time.google.com). Adding TOTP tolerance increases the one-time password validity, which might have security implications.
Click Finish.
Please also note that the TOTP available time is calculated as the default 30 seconds + x seconds in the past + x seconds in the future, where x is the selected tolerance.
The Reset User(s) field in the User management section is used to reset the token that a user receives when they log in to Parallels RAS for the first time using the TOTP provider. If you reset a user, they'll have to go through the registration procedure again (for instructions on doing this for Google Authenticator, see .). You can search for specific users, reset all users, or import the list of users from a CSV file.
For instructions on how to configure Parallels RAS with Duo RADIUS, please read the following Parallels KB article: .
Azure MFA options by user location:
User location | MFA in the cloud | MFA Server
---|---|---
Microsoft Entra ID | Yes |
Microsoft Entra ID and on-premises AD using federation with AD FS (required for SSO) | Yes | Yes
Microsoft Entra ID and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect - no password sync | Yes | Yes
Microsoft Entra ID and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect - with password sync | Yes |
On-premises Active Directory | | Yes
To configure Google Authenticator settings:
Specify the following:
Display Name: The default name here is Google Authenticator. The name will appear on the registration dialog in Parallels Client in the following sentence, "Install Google Authenticator app on your iOS or Android device". If you change the name, the sentence will contain the name you specify, such as "Install <new-name> app on your iOS or Android device". Technically, you can use any authenticator app (hence the ability to change the name), but at the time of this writing only the Google Authenticator app is officially supported.
User Prompt: Specify the text that the user will see when prompted with an OTP dialog.
The User enrollment section allows you to limit user enrollment via Google Authenticator if needed. You can allow all users to enroll without limitations (the Allow option), allow enrollment until the specified date and time (Allow until), or completely disable enrollment (the Do not allow option). If enrollment is disabled because the time frame has expired or because the Do not allow option is selected, a user trying to log in will see an error message saying that enrollment is disabled and advising the user to contact the system administrator. When you restrict or disable enrollment, Google Authenticator or another TOTP provider can still be used, but with the added security that no further user enrollment is possible. This is a security measure that prevents someone holding compromised credentials from enrolling in MFA on the user's behalf.
Show information to unenrolled users: Select whether unenrolled users can see the "The user name or password is incorrect" error when they enter incorrect credentials:
Never (most secure): Unenrolled users see a TOTP prompt instead of the error.
If enrollment is allowed: Unenrolled users see the error if user enrollment is allowed. Otherwise, they see a TOTP prompt.
Always: Unenrolled users always see the error.
The Authentication section allows you to configure TOTP tolerance. When using Time-based One-Time Password (TOTP), the time must be synchronized between the RAS Connection Broker and client devices. The synchronization must be performed against a global NTP server (e.g. time.google.com). Using the TOTP tolerance drop-down list, you can select a time difference that should be tolerated while performing authentication. Expand the drop-down list and select one of the predefined values (number of seconds). Note that changing the time tolerance should be done with caution as it has security implications: the validity period of a security token is increased, which gives a wider time window for potential misuse.
Note: When using Time-based One-time Passwords (TOTP) providers, it is required to have both Connection Brokers and client devices time synchronized with a global NTP server (e.g. time.google.com). Adding TOTP tolerance increases the one-time password validity, which might have security implications.
The Reset User(s) field in the User management section is used to reset the token that a user receives when they log in to Parallels RAS for the first time using Google Authenticator. If you reset a user, they'll have to go through the registration procedure again (see Using Google Authenticator in Parallels Client below). You can search for specific users, reset all users, or import the list of users from a CSV file.
Click Finish.
Please also note that the TOTP validity period is calculated as the default 30 seconds plus x seconds in the past plus x seconds in the future, where x is the selected tolerance.
Important: To use Google Authenticator or other TOTP provider, the time on a user device must be in sync with the time set on the RAS Connection Broker server. Otherwise, Google authentication will fail.
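The tolerance arithmetic above, as an added example that is not Parallels code: a minimal RFC 6238 TOTP verifier whose acceptance window is widened by a tolerance in seconds, showing that every second of tolerance extends a code's validity into both the past and the future. The secret and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import struct

TOTP_STEP = 30  # default TOTP time step in seconds (the "default 30 seconds" on the page)

# Constructed sample secret (base32, as shown to the user at enrollment); not a real key.
SAMPLE_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the 30-second step containing `at`."""
    return hotp(secret, at // TOTP_STEP, digits)


def accepted_steps(now: int, tolerance_s: int) -> range:
    """Steps whose 30-second interval overlaps [now - tolerance, now + tolerance]."""
    return range((now - tolerance_s) // TOTP_STEP, (now + tolerance_s) // TOTP_STEP + 1)


def verify_totp(secret: bytes, code: str, now: int, tolerance_s: int = 0) -> bool:
    """Accept `code` if it is the TOTP of any step inside the tolerance window.

    With tolerance 0 only the current step is accepted; a tolerance of x seconds
    also accepts codes from up to x seconds in the past and x seconds in the future.
    """
    for step in accepted_steps(now, tolerance_s):
        if hmac.compare_digest(hotp(secret, step, len(code)), code):
            return True
    return False


def window_seconds(tolerance_s: int) -> int:
    """How long one code stays acceptable: 30 s + tolerance (past) + tolerance (future)."""
    return TOTP_STEP + 2 * tolerance_s


if __name__ == "__main__":
    now = 1_700_000_010  # constructed "current" time, exactly 56_666_667 * 30
    stale = totp(SAMPLE_SECRET, now - 10)  # code generated in the previous step
    for tol in (0, 30, 60):
        print(f"tolerance={tol:>2}s window={window_seconds(tol):>3}s "
              f"accepts 10s-old code: {verify_totp(SAMPLE_SECRET, stale, now, tol)}")
```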
Google Authenticator is supported in Parallels Client running on all supported platforms, including mobile, desktop, and Web.
To use Google Authenticator, a user needs to install the Authenticator app on their iOS or Android device. Simply visit Google Play or App Store and install the app. Once the Authenticator app is installed, the user is ready to connect to Parallels RAS using two-factor authentication.
To connect to Parallels RAS:
The user opens Parallels Client or Web Client and logs in using their credentials.
The multi-factor authentication dialog opens displaying a barcode (also known as QR code) and a secret key.
The user opens the Google Authenticator app on their mobile device:
If this is the first time they use it, they tap Begin and then tap Scan a barcode.
If a user already has another account in Google Authenticator, they tap the plus-sign icon and choose Scan a barcode.
The user then scans the barcode displayed in the Parallels Client login dialog.
If scanning doesn't work for any reason, the user goes back in the app, chooses Enter a provided key and then enters the account name and the key displayed in the Parallels Client login dialog.
The user then taps Add account in the app, which creates an account and displays a one-time password.
The user goes back to Parallels Client, clicks Next and enters the one-time password in the OTP field.
On every subsequent logon, the user only has to type their credentials (or nothing at all if the Save password option was selected) and enter a one-time password obtained from the Google Authenticator app (the app continually generates a new password). If the RAS administrator resets a user (see the Reset User(s) field description at the beginning of this section), the user will have to repeat the registration procedure described above.
To configure sending OTPs via email:
Specify the following:
Name: The name that will appear in RAS Console.
(Optional) Description: A description of the MFA provider.
Themes: The Themes that use this MFA provider.
Display name: The name that will appear in Parallels Client.
OTP Length: The length of an OTP. Can be between 4 and 20 digits.
OTP Validity: The time period when an OTP is valid. Can be between 30 and 240 seconds.
User Prompt: Specify the text the user will see when prompted with an OTP dialog.
E-mail subject: The subject of an email containing an OTP.
E-mail content: The content of an email containing an OTP.
Allow users to enroll using external emails: Select this option if you want users to enroll using external email addresses. You can store external emails in RAS Storage or an AD Attribute. If you want to store emails in an Active Directory Custom attribute, you must specify the name of the attribute in the field AD Custom Attribute. You can make sure that you have the permission necessary for storing email addresses in an AD attribute by clicking Validate.
The User enrollment section allows you to limit user enrollment if needed. You can allow all users to enroll without limitations (the Allow option), allow enrollment until the specified date and time (Allow until), or completely disable enrollment (the Do not allow option). If enrollment is disabled because the time frame has expired or because the Do not allow option is selected, a user trying to log in will see an error message saying that enrollment is disabled and advising the user to contact the system administrator. When you restrict or disable enrollment, Google Authenticator or another TOTP provider can still be used, but no further users can enroll. This is a security measure: it prevents someone holding compromised credentials from enrolling in MFA on the legitimate user's behalf.
Show information to unenrolled users: Select whether unenrolled users can see the "The user name or password is incorrect" error when they enter incorrect credentials:
Never (most secure): Unenrolled users see a TOTP prompt instead of the error.
If enrollment is allowed: Unenrolled users see the error if user enrollment is allowed. Otherwise, they see a TOTP prompt.
Always: Unenrolled users always see the error.