SSL/TLS encryption
Last updated
Was this helpful?
Last updated
Was this helpful?
The traffic between Parallels RAS users and a RAS Secure Gateway can be encrypted. The SSL/TLS tab allows you to configure data encryption options.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see .
The Configure button in the HSTS section allows you to enforce HTTP Strict Transport Security (HSTS), which is a mechanism that makes a web browser to communicate with the web server using only secure HTTPS connections. When HSTS is enforced for a RAS Secure Gateway, all web requests to it will be forced to use HTTPS. This specifically affects the , which typically accepts only HTTPS requests for security reasons.
When you click the Configure button, the HSTS Settings dialog opens where you can specify the following:
Enforce HTTP strict transport security (HSTS): Enables or disables HSTS for the Secure Gateway.
Max-age: Specifies the max-age for HSTS, which is the time (in our case in months) that the web browser should remember that it can only communicate with the Secure Gateway using HTTPS. The default (and recommended) value is 12 months. Acceptable values are 4 to 120 months.
Include subdomains: Specifies whether to include subdomains (if you have them).
Preload: Enables or disables HSTS preloading. This is a mechanism whereby a list of hosts that wish to enforce the use of SSL/TLS on their Site is hardcoded into a web browser. The list is compiled by Google and is used by Chrome, Firefox, Safari, Internet Explorer 11, and Edge browsers. When HSTS preload is used, a web browser will not even try to send a request using HTTP, but will use HTTPS every time. Please also read the important note below.
Please also note the following requirements:
Your website must have a valid SSL certificate. See .
All subdomains (if any) must be covered in your SSL Certificate. Consider ordering a Wildcard Certificate.
By default, a self-signed certificate is assigned to a RAS Secure Gateway when the gateway is installed. Each RAS Secure Gateway must have a certificate assigned and the certificate should be added to Trusted Root Authorities on the client side to avoid security warnings.
To configure SSL for a Secure Gateway:
Select the Enable SSL on Port option and specify a port number (default is 443).
In the Accepted SSL Versions drop-down list, select the SSL version accepted by the RAS Secure Gateway.
In the Cipher Strength field, select a desired cipher strength.
In the Cipher field, specify the cipher. A stronger cipher allows for stronger encryption, which increases the effort needed to break it.
The Use ciphers according to server preference option is ON by default. You can use client preferences by disabling this option.
The <All matching usage> option will use any certificate configured to be used by Secure Gateways. When you create a certificate, you specify the "Usage" property where you can select "Gateway", "HALB", or both. If this property has the "Gateway" option selected, it can be used with a Secure Gateway. Please note that if you select this option, but not a single certificate matching it exists, you will see a warning and will have to create a certificate first.
By default, the only type of connection that is encrypted is a connection between a Secure Gateway and backend servers. To encrypt a connection between Parallels Client and the Secure Gateway, you also need to configure connection properties on the client side. To do so, in Parallels Client, open connection properties and set the connection mode to Gateway SSL.
To simplify the Parallels Client configuration, it is recommended to use a certificate issued by a well-known third-party Trusted Certificate Authority. Note that some web browsers (Chrome, Edge etc.) use the operating system certificate store when connecting to RAS User Portal.
If you want to add a custom root certificate (a certificate issued by Enterprise CA), Parallels Clients should be configured as follows:
Export the certificate in Base-64 encoded X.509 (.CER) format.
Open the exported certificate with a text editor, such as Notepad or WordPad, and copy the contents to the clipboard.
Follow one of the instructions below depending on your operating system.
To add the certificate in Parallels Client for Windows:
Identify the location of your trusted.pem file. On most systems, it should be inside the installation directory. This file contains certificates of common trusted authorities.
Open the file named customtrusted.pem in the directory where trusted.pem is located. If this file does not exist, create it. This file will store certificates of custom trusted authorities.
Paste the content of the exported certificate to the file. If the file exists and contains other certificates, add the certificate to the end of the file.
To add the certificate in Parallels Client for Linux:
On IGEL OS 12:
Open the file named customtrusted.pem in the directory $HOME/.config/2X/Client/. If this file does not exist, create it. This file will store certificates of custom trusted authorities.
Paste the content of the exported certificate to the file. If the file exists and contains other certificates, add the certificate to the end of the file.
On other Linux distributions:
Identify the location of your trusted.pem file. On most systems, this should be the <installation directory>/share/ directory. This file contains certificates of common trusted authorities.
Open the file named customtrusted.pem in the directory where trusted.pem is located. If this file does not exist, create it. This file will store certificates of custom trusted authorities.
Paste the content of the exported certificate to the file. If the file exists and contains other certificates, add the certificate to the end of the file.
A Parallels Client normally communicates with a RAS Secure Gateway over a TCP connection. Recent Windows clients may also utilize a UDP connection to improve WAN performance. To provide the SSL protection for UDP connections, DTLS must be used.
To use DTLS on a RAS Secure Gateway:
On the SSL/TLS tab, make sure that the Enable SSL on Port option is selected.
The Parallels Clients must be configured to use the Gateway SSL Mode. This option can be set in the Connections Settings > Connection Mode drop-down list on the client side.
Once the above options are correctly set, both TCP and UDP connections will be tunneled over SSL.
SSL certificates are created on the Site level using the Farm > Site > Certificates subcategory in the RAS Console. Once a certificate is created, it can be assigned to a RAS Secure Gateway. For the information about creating and managing certificates, refer to the chapter.
In the Certificates drop-down list, select a desired certificate. For the information on how to create a new certificate and make it appear in this list, see the chapter.
On the , make sure that the Enable RDP UDP Data Tunneling option is selected.