The Connection tab lets you specify the following options:

• Display name: Specify the name of the OTP connection type that will be displayed on the Logon screen on the client side. This should be the name that your users will clearly understand.

• Primary server and Secondary server: These two fields allow you to specify one or two RADIUS servers to include in the configuration. Specifying two servers gives you an option to configure high availability for RADIUS hosts (see below). Specify a server by entering its hostname or IP address or click the [...] button to select a server via Active Directory.

• When two RADIUS servers are specified, select one of the following high availability modes from the HA mode drop-down list: Active-active (parallel) means the command is sent to both servers simultaneously, the first to reply will be used; Active-passive (failover) means failover and timeout are doubled, Parallels RAS will wait for both hosts to reply.

• HA mode: See Primary server and Secondary server above. If only the Primary server is specified, this field is disabled.

• Port: Enter the port number for the RADIUS Server. Click the Default button to use the default value.

• Timeout: Specify the packet timeout in seconds.

• Retries: Specify the number of retries when attempting to establish a connection.

• Secret key: Type the secret key.

• Password encoding: Choose from PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol), according to the setting specified in your RADIUS server.

Click the Check connection button to validate the connection. If the connection is configured correctly, you will see a confirmation message.

Specify additional properties as required:

• User Prompt: Specify the text that the user will see when prompted with an OTP dialog.

• Forward username only to RADIUS server: Select this option if needed.

• Forward the first password to Windows authentication provider: Select this option to avoid a prompt to enter the password twice (RADIUS and Windows AD). Note that for Azure MFA server, this option is always enabled and cannot be turned off.

• Please also read a note at the bottom of the dialog (if available) suggesting certain setting specifics for the selected RADIUS solution.

The Automation tab in the RADIUS Properties dialog allows you customize the OTP experience for Parallels Client users by configuring security verification methods and custom commands to be sent to a RADIUS server during the MFA login process. Different security verification methods can be assigned priority and configured to be automatically used.

With this functionality configured, users can choose their preferred security verification method from a predefined and configurable list including Push notification, Phone Callback, SMS, Email, and Custom. The methods appear as clickable icons on the OTP dialog in Parallels Client. When a user clicks an icon, a command is sent to the RADIUS server and the corresponding verification methods is used.

To configure a verification method (also called "actions" here and in the Parallels RAS Console), on the Automation tab, click Tasks > Add. In the Add Action dialog, specify the following properties:

• Enable Action: Enables or disables the action.

• Title: The text that will appear on the clickable icon in Parallels Client (e.g. "Push").

• Command: The OTP command to be used when the action icon is clicked in Parallels Client. Consult your MFA provider for command specifications.

• Description: A description that will appear on the user's screen as a balloon when the mouse pointer hovers over the action icon.

• Action message: A message to show to the user in the connection progress box.

• Select an image: Select an image from the provided gallery. The image is used as the action icon in the OTP dialog in Parallels Client.

When done, click OK to save the action. Repeat the steps above for other actions.

You can move the actions on the Automation tab up or down the list. This dictates in which order the action icons will be displayed in Parallels Client.

Autosend

There's one more option that you can configure for an action. It is called Autosend. The option can be enabled for one action only, making it a default action, which will be used automatically without user interaction.

To enable the Autosend option, select an action on the Automation tab and click Tasks > Autosend. To disable the option, click the same menu again. If you enable Autosend for a different action, it will be automatically disabled for the previous action.

There are two possible ways to make an action execute automatically in Parallels Client:

• Client is receiving the action icon configuration for the first time and one of the actions has Autosend enabled.

• Enabling the Remember last method used option in Policies > Session > Connection > Multifactor authentication. When the option is enabled, and Parallel Client receives the policy, the last method successfully used by the user will become the default automatic method.

Parallels Client

When the user logs in to Parallels RAS via MFA, the OTP dialog is shown in Parallels Client with the actions icons positioned above the OTP field. The user clicks an icon and the authentication is carried out according to the predefined action. For example, if the user clicks the "Push" icon, a push notification is sent to the user mobile device where they can simply tap "Approve". Or there could be a "Text me" icon, in which case a text is sent to the user mobile phone with a one-time password. If one of the actions has the Autosend option enabled, then this action is used automatically.

If a user always uses the same authentication method, they can make it the default one. To do so, the user enables the Remember last method used option in the MFA authentication section of the connection properties. Depending on the platform, the option can be found at the following locations:

• Parallels Client for Windows / Linux: Connection Advanced Settings > MFA authentication

• Parallels Client for Mac: Advanced > MFA authentication

• Parallels Client for Chrome: Advanced Settings

• Web Client: Settings

• Parallels Client for iOS: Connection Settings > MFA authentication

• Parallels Client for Android: Settings > MFA authentication

As was already mentioned above, the Remember last method used can also be configured in Client Policies in the RAS Console. The option is enabled by default.

The Advanced tab lets you specify the error messages sent by the RADIUS server that will not be shown by Parallels Client. This can be useful if an error message is confusing for the user or disrupts user experience.

By default, the "New SMS passcodes sent." is added to the list of ignored messages for DUO Radius. This is done to make authentication via SMS easier for the user. It's not recommended to remove this message from the list of ignored messages.

To add a new message to the list of ignored messages:

1. On the Advanced tab, Tasks > Add (or click the [+] icon).

2. Type the exact text of the error message you want to be ignored. Messages are not case sensitive. Please note that you have to specify only the text sent by the RADIUS server. For example, if Parallels Client shows an error that reads "Code [01/00000003] Logon using RADIUS failed. Error: New SMS passcodes sent.", you need to add "New SMS passcodes sent." to the list.

If your RADIUS solution requires configuring attributes, click the Attributes tab and then click Add. In the dialog that opens, choose a desired preconfigured vendor and attribute:

• In the Vendor drop-down list, select a vendor.

• In the Attribute list, select a vendor attribute.

• In the Value field, enter a value for the selected attribute type (numeric, string, IP address, date, etc).

In certain scenarios you may need to add vendors and attributes that are not listed in this dialog. For the information about how to add vendors and attributes, please see the following KB article: https://kb.parallels.com/en/125576.

Click OK and then click OK again .to close all dialogs.

For instructions on how to configure Parallels RAS with Duo RADIUS, please read the following Parallels KB article: https://kb.parallels.com/124429.

The below diagram shows the double hop perimeter network scenario with RAS Connection Broker connected to a RADIUS server (RADIUS is located in Intranet but it can be placed in DMZ).

To configure RADIUS properties:

1. In the Parallels RAS Console, navigate to Connection > Multi-factor authentication.

2. Double-click the MFA provider that you want to configure.

Read on to learn how to configure RADIUS provider settings.

Before reading this section, please read the following important note.

Configure Azure MFA

Depending on the user location, there are four scenarios for the cloud MFA service:

An Azure account with Global Administrator role is required to download and activate MFA Server. Syncing with Microsoft Entra ID (via AD Connect) or a custom DNS domain aren't required to setup an MFA Server which runs exclusively on-premises.

Users need to be imported into MFA Server and be configured for MFA authentication.

Parallels RAS authenticates users with MFA Server using the RADIUS second level authentication provider. MFA Server thus needs to be configured to allow RADIUS client connections from the RAS server.

The authentication process goes through the following stages:

In stage 2 the user can be authenticated using either RADIUS or Windows AD. A prompt to enter the credentials twice (in stage 1 and 6) is avoided by enabling the option to forward the password.