Beginning with RAS 17.1, Parallels introduces a new multi-tenant architecture, with the addition of Parallels RAS Tenant Broker, enabling organizations to share components from the same RAS infrastructure among different Tenants while keeping client data segregated and reducing costs.
The RAS multi-tenant architecture offers the following advantages to Service Providers and organizations:
Cost savings due to a reduction in the number of RAS Secure Gateways and High Availability Load Balancers (HALBs) while maximizing resource usage and consolidation.
Faster onboarding of new tenants/customers.
Simplified centralized management of multi-tenant environments.
Extended market reach through reduction of operational costs for organizations of any size by allowing cost scaling through shared infrastructure.
A typical scenario of deploying the multi-tenant architecture of Parallels RAS consists of the following steps:
Deploy Tenant Broker.
Deploy a traditional RAS Farm to operate as a Tenant.
Configure network between the Tenant Broker and the Tenant to allow the following connections:
Shared RAS Secure Gateways to Tenant RAS Connection Brokers.
Shared RAS Secure Gateways to resources hosts.
Tenant RAS Connection Brokers to Tenant Broker RAS Connection Broker.
For information about port numbers, please see Communication ports.
Create a Tenant object and a corresponding invitation hash in the Tenant Broker console, or create a secret key (more on this later in this chapter).
Join the Tenant to the Tenant Broker using the invitation hash or the secret key.
Assign a public domain address to the Tenant. This can be done at this point (after you join a Tenant) or it can be done in advance if you wish. Either way it has to be done or the clients will not be able to connect to the Tenant Farm.
Set up routing for incoming Tenant traffic from the Internet to shared RAS Secure Gateways and HALB.
Configure a certificate for the Tenant. By default, a self-signed certificate created during the installation will be used.
Test the client connectivity.
The subsequent sections describe the steps above in detail.
First you need to install Tenant Broker on a dedicated server. Please note that if you have Parallels RAS already installed on a computer where you are planning to install Tenant Broker, you need to uninstall it first. The two installation versions cannot coexist on the same machine.
To install Tenant Broker:
Run the standard Parallels RAS installer.
On the Select Installation Type page, select Parallels RAS Tenant Broker.
Click Next and follow the onscreen instructions.
Once the installation is finished, run the Parallels RAS Console.
When the console starts, you'll see that it has a different set of categories and managed objects compared to the standard RAS Console. The purpose of the Tenant Broker console is to manage shared resources and Tenants. It is not used to manage RD Session Hosts, VDI, or any other standard RAS resources because they are deployed and managed in individual Tenant Farms.
You can manage the following categories and objects in the Tenant Broker console:
Farm. This category allows you to manage Tenants, Gateways, Connection Brokers, HALB, and Certificates. The Settings subcategory allows you to manage global logging and the Tenant Broker itself.
Administration. Allows you to perform management tasks similar to the standard RAS Console: Accounts, Settings, Mailbox, Reporting, Settings Audit.
Information. Lists services and components running in the Tenant Broker and their status.
As with the standard RAS Console, every time you modify any of the objects, you need to click the Apply button for the changes to be saved in the configuration database.
By default, Tenant Broker does not have any RAS Secure Gateways installed. To add a Gateway, log in to the Tenant Broker console, navigate to Farm > Secure Gateways and click Tasks > Add. If you already have one or more RAS Secure Gateways, which are not used in any other RAS Farm, you can also add such a Gateway to the Tenant Broker. Please note that existing RAS Secure Gateway installations must be RAS version 17.1 or newer. Gateways from older RAS versions cannot operate as shared gateways.
To install a new gateway, run the Parallels RAS installer on a desired server, choose Custom and select the RAS Secure Gateway component. After the installation is finished, go back to the Tenant Broker console and add the gateway to the Tenant Broker.
The following diagram illustrates the RAS user connection flow through Tenant Broker:
Shared RAS Secure Gateways installed in Tenant Broker are able to work with multiple concurrent user sessions in multiple Tenant farms. On the diagram above, you can see two users (1 and 2) connecting to different Tenant Farms (Tenant 1 Farm and Tenant 2 Farm). Both connections are tunneled through the same Gateway and then delivered to the correct Tenant Farm.
The connection flow consists of the following steps:
(1A), (2A) — A user initiates a RAS connection to a public address registered in the Tenant Broker. The (1A) connection goes to the Tenant 1 public address; the (2A) connection goes to the Tenant 2 public address.
(1B), (1C) — The shared Gateway decides where to forward a user connection based on the hostname used in the initial connection (1A, 2A). After that, each client establishes a RAS session with a Connection Broker of its respective Tenant Farm. The Tenant's Connection Broker authenticates the user against the Tenant's Active Directory. After that, the user receives the list of published applications available to him or her.
(1D), (2D) — A user starts a Remote User Session to a published application. The shared Gateway asks the Tenant's Connection Broker for the address of a server to forward the remote session to, and then forwards it.
The mapping of public addresses to Tenants is configured on shared Gateways by the Tenant Broker Connection Broker.
The following diagram illustrates a typical Parallels RAS deployment that uses the RAS multi-tenant architecture.
Firewalls and HALB are installed in a DMZ and are shared by Tenants.
Tenant Broker is a special RAS installation that hosts shared RAS Secure Gateways and HALB, and can also use RAS access layer. Tenant Broker is installed using the Parallels RAS Tenant Broker option in the Parallels RAS installer. Tenant Broker can be installed in its own domain or outside of a domain.
Tenant farms are deployed just like traditional on-premises RAS environments and are joined to the Tenant Broker. Each Tenant Farm has its own RAS Connection Brokers and servers hosting published resources (VDI, RD Session hosts, or Remote PCs). No local RAS Secure Gateways and HALB (or third-party load balancers) are needed.
Tenants are joined to the Tenant Broker and each Tenant is represented as a Tenant object in the Tenant Broker.
Parallels Clients (both platform-specific and Web) connect to shared gateways in the Tenant Broker. When a client connects to User Portal, a Theme from the corresponding Tenant is always used depending on which Tenant the client belongs to.
In addition to an invitation hash, you can join a Tenant to the Tenant Broker using a secret key. A secret key can be used to join an unlimited number of Tenants to the same Tenant Broker.
To create a secret key:
Log in to the Tenant Broker console.
In the RAS Console, navigate to Farm > Settings.
Select the Tenant broker tab.
Select Allow RAS Farms to register in Tenant Broker using a secret key.
Optionally, select Do not show billing information to hide billing information in the Licensing category of Tenants joined with secret keys.
The secret key is generated automatically. To generate a different key, click Generate.
If you want to register Tenants as subdomains, specify the domain part of the hostname in the Domain field. For example, to use "subdomain.domain.com" as a Tenant host name, specify "domain.com".
Once you have the key, you can use it to join one or more Tenants to the Tenant Broker.
Note: Due to its unlimited usage capability, only the Tenant Broker administrator should have access to a shared secret key. Secret keys can be practical when the Tenant Broker administrator manages Tenant Farms, so instead of generating a hash for every Tenant, he/she can use a single secret key to join all of them to the Tenant Broker.
To join a Tenant using a secret key:
Log in to the Tenant.
In the RAS Console, navigate to Farm > Site.
Click Tasks > Join Tenant Broker.
In the Join Tenant Broker dialog, specify the following:
Enter the secret key in the first field from the top. If the Tenant is able to reach the Tenant Broker, the Tenant Broker field will be populated automatically.
The Tenant Name field is populated automatically based on the name of the current Site, but you can specify a Tenant name of your choosing. The name you enter will be used in the Tenant Broker to name the corresponding Tenant object.
In the Public domain addresses field, you can specify public domain addresses that will be used to access the Tenant. Configuring this is optional. If the Domain field is configured in the Tenant Broker settings (see above), you may enter only the subdomain rather than the full domain address.
Click Join.
On successful join, you will see a message welcoming you to the Tenant Broker. If the primary Connection Broker in your Tenant Farm can't reach the Tenant Broker, you will see a corresponding error message. Make sure that the Tenant Broker computer is reachable from the machine where you have the primary Connection Broker running.
The Tenant Broker IP address is detected automatically when you generate a secret key and is embedded into it. If a Tenant can't reach the Tenant Broker using this address, you have the ability to override it as follows:
Log in to the Tenant Broker.
In the RAS Console, navigate to Farm > Settings and click the Tenant broker tab.
Select the Override Tenant Broker address in tenant invitations and secret keys option.
Enter the desired IP address in the field provided.
After you join a Tenant to the Tenant Broker, you should verify that the procedure was successful.
First, verify the Tenant Broker status in the Tenant console:
Log in to the Tenant Farm.
In the RAS Console, navigate to Farm > Site and select the Site tab in the right pane.
You should see the Tenant Broker section with the Status column, which should say OK. If the status is Not verified, make sure that the Tenant Broker is operational (or contact the Tenant Broker admin if you are not him or her).
You can also see additional Tenant Broker information by right-clicking it and choosing Properties. The information includes the following:
Name: The Tenant Broker name.
Primary address: The primary RAS Connection Broker address.
Secondary address: The secondary RAS Connection Broker address (if available).
You should then verify the Tenant status in the Tenant Broker console:
Log in to the Tenant Broker.
In the RAS Console, navigate to Farm > Tenants.
In the Tenants tab, find the Tenant of interest and examine the Status column, which should say OK if the Tenant is joined properly. For other possible Status column values, see Tenant configuration.
Every Tenant must have a unique public domain address for end users to connect to it through Tenant Broker. Although every Tenant must have a unique public domain address, it is not required for every Tenant to have a unique IP address. Different public domain addresses can be configured to resolve to the same IP address to reach the Tenant Broker shared Gateways. This way the Tenant Broker is still able to forward traffic to the right Tenant based on the hostname requested by an end user.
A public domain address can be chosen a number of different ways. For example, a service provider can register a subdomain (e.g. Tenant1.Service-Provider.com) and assign it to a Tenant. Another approach could be using a private domain address (e.g. RAS.Tenant1.com) and have it routed to RAS Secure Gateways in the Tenant Broker. For testing purposes, you can even use an IP address.
The Public domain address is also a property of a Tenant object in the Tenant Broker console. After joining a Tenant to the Tenant Broker, you must ensure that this property contains the correct address. Otherwise end users will not be able to connect to the Tenant through the Tenant Broker.
To verify (and set if necessary) the Tenant's public domain address:
Log in to the Tenant Broker.
In the RAS Console, navigate to Farm > Tenants.
Right-click a Tenant and choose Properties.
In the Properties dialog, verify that the Public domain address field contains the correct address.
After deploying a Tenant, you need to configure networking between Tenant Broker and Tenant in order to allow the following communications:
Tenant Connection Broker > Tenant Broker Connection Broker: port 20003
Tenant Broker Gateway > Tenant Broker Connection Broker: port 20002
Tenant Broker Gateway > Tenant Connection Broker: port 20002
Tenant Broker Gateway > Servers hosting published resources: port 3389
These are standard RAS ports, which are also described in the Port reference section.
User authentication in the RAS multi-tenant architecture is performed by the RAS Connection Broker running in the Tenant Farm. The Connection Broker is selected randomly by a shared RAS Secure Gateway. If the Connection Broker is unavailable, then it's marked accordingly and no communication is conducted with it from the same shared gateway for a period of time. The gateway checks the Connection Broker status periodically and resumes communications as soon as the agent becomes available.
A Tenant Farm is deployed just like a traditional Parallels RAS Farm. The only difference is, when installing the Farm, you don't need to install RAS Secure Gateways in it.
Note: If you decide to install a local (private) RAS Secure Gateway in a Tenant Farm (e.g. for local connections), you can do that, but please keep in mind that you cannot mix HALB and Gateways from the Tenant Broker and a Tenant Farm. The HALB appliance installed in the Tenant Broker will not support this scenario.
To set up a Parallels RAS Farm to be used as a Tenant:
Run the Parallels RAS installer.
On the Select Installation Type page, select Custom.
Click Next.
Make sure that the following components are selected for installation:
RAS Connection Broker
Parallels RAS Console (optional; you can have the RAS Console installed on a different machine)
Other components are optional. You can install them now or you can install them later if needed.
Click Next and follow the onscreen instructions to complete the installation.
To see the list of existing Tenants in the Tenant Broker console, select Farm > Tenants.
The Status column indicates the Tenant status, which can be one of the following:
OK — The Tenant has joined and has been verified.
Not Joined — The Tenant object was created for the Tenant and the invitation hash was generated, but the Tenant has not joined the Tenant Broker yet.
Not Verified — The Tenant has joined, but no connection to the Tenant's RAS Connection Broker has been established yet. This status is usually displayed for a minute or so immediately after the Tenant joins the Tenant Broker. Once the connection is established, the status changes to OK.
This status can also appear when the Tenant Broker loses its connection with the Tenant's primary Connection Broker. Shared gateways will be able to process connections only if they are still able to communicate with the Tenant’s Connection Broker on their own. They are independent of the Tenant Broker's Connection Broker, but the Tenant’s Connection Broker is still required to authenticate users.
Disabled — The Tenant is disabled in the Tenant Broker configuration. You can enable and disable Tenant objects as described below.
To see and modify Tenant properties, click Tasks > Properties (or right-click > Properties). The Properties dialog opens where you can view and modify the following properties:
Enable Tenant: Enable or disable the Tenant object in the Tenant Broker.
Name: The Tenant name (must be unique).
Public domain address: The unique address that end users connect to from the outside (e.g. RAS.tenant.com, tenant1.MSP-FARM.com, etc.). See more in Assign a public domain address.
Clients in gateway mode connect to published tenant resources by server IP: When selected, clients will use the Tenant IP address instead of the DNS name. You can use this option when a Tenant farm does not share the same DNS provider as the Tenant Broker farm.
Do not show billing information: (Only for Tenants joined with an invitation hash) When selected, billing information is not shown in the Licensing category of the Tenant.
Forward tenant sessions tunneled through gateway using server IP: When a client session is forwarded to a server hosting published resources, either the server name (FQDN, hostname) or IP address can be used. When this option is selected (default) the IP address is used to forward the session internally. When the option is cleared, the configured host name is used.
Description: An optional Tenant description. The Tenant description is a property that exists and can be viewed only in the Tenant Broker console.
Connection Brokers: An IP address of one or more RAS Connection Brokers installed in the Tenant Farm. This is a read-only field.
Tenant invitation hash: The hash that was used to join the Tenant to the Tenant Broker. This is a read-only field.
Automatically log out idle client connection after: The time period after which an idle client connection should be logged out. For information on how to configure this property, see Remote session settings.
A Tenant object can be deleted any time. To delete an object, click Tasks > Delete (or right-click > Delete). This deletes the Tenant configuration from shared RAS Secure Gateways, so no RDP sessions can be established from the gateway to the deleted Tenant anymore. The Tenant's RAS Console will show the Tenant Broker status as "Join Broken" after this. To completely remove any references to the Tenant Broker, the Tenant admin needs to unjoin the Tenant from the Tenant Broker.
The public domain address assigned to a Tenant must have a matching certificate. The Tenant Broker admin must create a certificate for every Tenant in the Tenant Broker console. Shared RAS Secure Gateways must then be configured to use these certificates. Tenant certificates are created and managed in Parallels RAS the same way as other certificates using the Farm > Site > Certificates subcategory. For the complete information about how to create certificates and how to assign them to RAS Secure Gateways and HALB, please see the SSL Certificate Management chapter.
When a user connects to the Tenant's public domain address, a certificate with the common name matching the requested public domain address is selected automatically for every connection. The first available certificate is used, which might not be the self-signed one (for example, if it was deleted).
If no matching certificate is found, the default self-signed certificate will be used, but the user will see a certificate warning in the web browser.
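The certificate selection described above can be checked from the outside by connecting to a shared gateway once per Tenant hostname and inspecting what is actually served. The following script is an added example, not part of the Parallels documentation; the gateway address, the Tenant hostnames and the HTTPS port 443 are assumptions to replace with your own values.

```powershell
# Added example (not Parallels code). All default values are constructed placeholders.
param(
    [string]$GatewayAddress = '192.0.2.10',      # shared RAS Secure Gateway or HALB address
    [int]$Port = 443,                            # assumption: default HTTPS port
    [string[]]$TenantAddress = @('tenant1.example.com', 'tenant2.example.com')
)

function Get-PresentedCertificate {
    param([string]$Address, [int]$Port, [string]$ServerName)

    $client = [System.Net.Sockets.TcpClient]::new($Address, $Port)
    try {
        # Accept whatever is presented: the goal is to inspect the certificate, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        try {
            # $ServerName is sent as the TLS server name (SNI), i.e. the Tenant's public domain address.
            $ssl.AuthenticateAsClient($ServerName)
            return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Dispose() }
}

$results = foreach ($name in $TenantAddress) {
    try {
        $cert = Get-PresentedCertificate -Address $GatewayAddress -Port $Port -ServerName $name
        $commonName = $cert.GetNameInfo('SimpleName', $false)
        [pscustomobject]@{
            Requested      = $name
            CommonName     = $commonName
            MatchesRequest = ($commonName -eq $name)           # case-insensitive comparison
            SelfSigned     = ($cert.Subject -eq $cert.Issuer)  # fallback certificate indicator
            NotAfter       = $cert.NotAfter
            Error          = $null
        }
    }
    catch {
        [pscustomobject]@{
            Requested = $name; CommonName = $null; MatchesRequest = $false
            SelfSigned = $null; NotAfter = $null; Error = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code if any Tenant hostname is served a non-matching or self-signed certificate.
if ($results | Where-Object { -not $_.MatchesRequest -or $_.SelfSigned }) { exit 1 }
```

A row with MatchesRequest set to False or SelfSigned set to True is a Tenant whose users will see the certificate warning mentioned above.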
As a Tenant Broker admin, you can open the Tenant console right from the Tenant Broker console. To do so, navigate to Farm > Tenants, right-click a Tenant and choose Open tenant console. This will open a new instance of the RAS Console and will prompt you to log in to the Tenant Farm. Please note that the Tenant Farm must be configured to allow remote console connections, which means that the corresponding port must be open on the Tenant Connection Broker and you need to know the credentials of the Tenant Farm administrator.
When you log in to a Tenant from the Tenant Broker console, the Tenant Farm is automatically added to the Location drop-down list (in the upper left-hand corner of the RAS Console window), so you can connect to the Tenant again by simply selecting it in the Location list.
Third-party network load balancers can be used with shared RAS Secure Gateways the same way they are used with traditional (not shared) RAS Secure Gateways.
Parallels RAS Performance Monitor is a RAS component used to analyze Parallels RAS deployment bottlenecks and resource usage. RAS Performance Monitor can be used to monitor Tenants and view their performance metrics right from the Tenant Broker console.
To configure RAS Performance Monitor to collect information about Tenants:
Install RAS Performance Monitor as described in the Parallels RAS Performance Monitor chapter.
Log in to the Tenant Broker console.
In the console, navigate to Administration > Reporting.
Select the Enable RAS Performance Monitor option (the RAS Performance Monitor configuration section).
In the Server and Port fields, specify the name or IP address of the server where you have RAS Performance Monitor installed.
Click Apply.
Now open a Tenant console and repeat steps 3 to 6 above, so both Tenant Broker and the Tenant are configured to use the same RAS Performance Monitor. This way, when Tenant(s) report their performance data to the RAS Performance Monitor, it can be viewed on the Tenant Broker side.
Tenants will report statistics to RAS Performance Monitor and you can view these statistics in the Tenant Broker console. When viewing the data in the RAS Performance Monitor dashboard, you can switch between Farms and sites, so you can select a specific Tenant and view its performance metrics.
When updating Parallels RAS to a newer version, the following rules apply to the RAS Multi-Tenant architecture:
Parallels RAS Tenant Broker supports Tenants up to two major RAS versions older. For example, if you upgrade RAS Tenant Broker from RAS 17 to RAS 18 (or the next major version when it becomes available), it will support Tenants running Parallels RAS 17.
When doing updates, you should first update the Tenant Broker, so your RAS Multi-Tenant installation remains fully operational. You can update Tenants later during their own maintenance window.
The following is an implementation overview of the RAS multi-tenant architecture:
Tenants are deployed as separate individual Farms or Sites. Tenants deployed as separate Farms are completely independent and never communicate with each other. If tenants are deployed as Sites, every Site must join the Tenant Broker separately.
Shared resources include RAS Secure Gateways (including User Portal) and High Availability Load Balancers (HALB).
A Tenant Farm doesn't need its own RAS Secure Gateways and HALB. However, deployments with Gateways and HALB are possible if you need them for internal connections. For example, if you have different policies for internal and external connections, you might want to install a Gateway and HALB to serve local users.
The network configuration of a Tenant requires the Tenant Connection Broker to Tenant Broker Connection Broker connectivity. Additionally, shared RAS Secure Gateways need to communicate with servers hosting published resources and the Tenant's Connection Broker. Depending on the implemented network architecture, it might require a VLAN to VLAN connectivity, VPN, etc. These communications require only a limited number of open ports. For the complete list, see .
Communications with a Tenant domain are always performed from a local Tenant Connection Broker and never from the Tenant Broker infrastructure.
Every Tenant must have a unique public domain address, which can be assigned a number of different ways. For example, a service provider can register a subdomain (e.g. Tenant1.Service-Provider.com) and assign it to a Tenant. Another approach could be using a private domain address (e.g. RAS.Tenant1.com) and have it routed to RAS Secure Gateways in the Tenant Broker. Note that different public domain addresses can resolve to the same IP address if needed.
When a Tenant is joined to the Tenant Broker, shared RAS Secure Gateways become aware of the Tenant and its configuration and can connect to the Tenant's RAS Connection Broker(s). A route must be set for the incoming Tenant's traffic from the Internet to RAS Secure Gateways (or HALB) in the Tenant Broker.
Tenant Broker comes with its own RAS Console allowing you to manage shared resources, Tenant objects and certificates, monitor Tenant performance, and carry out standard RAS administration tasks.
All Tenant Themes are made available in the Tenant Broker. When a user connects via a shared RAS Secure Gateway in the Tenant Broker, the corresponding Tenant Theme is presented to the user.
Different SSL certificates can be used for different Tenants.
Tenant Broker doesn't need a license. Licenses are managed on a Tenant level.
Parallels RAS multi-tenant architecture is available in Parallels RAS 17.1 and newer. The following limitations apply when using older versions of Parallels RAS:
Parallels Clients older than RAS 17.1 are incompatible with shared gateways and therefore cannot be used to connect to a Tenant Farm via the Tenant Broker.
Parallels RAS installations older than RAS 17.1 are incompatible with Tenant Broker and cannot be joined as Tenants.
To unjoin a Tenant from the Tenant Broker, do the following:
Log in to the Tenant Farm.
In the RAS Console, navigate to Farm > Site.
Click Tasks > Unjoin from Tenant Broker.
The Tenant will be unjoined from the Tenant Broker. As a result, the Tenant users will no longer be able to connect to the Tenant Farm through the Tenant Broker.
One of the important features of the RAS multi-tenant architecture is the ability to use a shared User Portal (which is a part of the RAS Secure Gateway) for all browser-based client connections, while at the same time using tenant-specific Web Client Themes defined on the Tenant side. This allows Service Providers to implement white-labeling by creating unique custom Themes for individual Tenants.
A Web Client Theme is created in a Tenant Farm. The user interface and the functionality remain the same as with a traditional Parallels RAS Farm. When Tenants join the Tenant Broker, Themes are pulled from the Tenant's RAS Connection Broker and added to the configuration of every shared RAS Secure Gateway.
When connecting to a Tenant Farm via the Web Client, a user must enter the Tenant public domain address (not the gateway address). The correct Theme is then used by the shared gateway as follows:
The default Tenant Theme is used when the user enters the default URL: https://<public-tenant-address>.
A specific Theme is used when the user adds the Theme name after the Tenant address: https://<public-tenant-address>/<Theme-name>
The Web Client is normally configured on the RAS Secure Gateway level (the User Portal tab in the gateway Properties dialog). When configuring a Theme, you have the ability to override the gateway settings by specifying them for a specific Theme in a Tenant Farm. To do so, in the Tenant RAS Console, select a Theme, open its properties and then select the Gateway category where you can specify your own settings. For more information, see Web Client Theme settings > Secure Gateway.
If you are a Tenant Broker administrator, you can view Tenant Themes right in the Tenant Broker console:
In the Tenant Broker console, select Farm > Tenants.
Select a Tenant and click Tasks > View tenant themes.
The dialog opens where you can view Themes that were pulled from the Tenant and added to the configuration of every RAS Secure Gateway in the Tenant Broker.
Use this functionality to ensure that all Tenant Themes are properly synchronized on the Tenant Broker side, so when users connect to a Tenant through Tenant Broker, the appropriate Theme is used.
System event notifications are used to alert RAS administrators about system events via email. You can configure system event notifications in Farm > Site > Settings > Notifications. For the complete description of this functionality, please see System event notifications. The rest of this section describes notifications that are specific to Tenant Broker and Tenants.
As a Tenant Broker administrator, you can receive notifications about the following Tenant events:
New Tenant enrollment. Triggers when a new Tenant joins the Tenant Broker.
Tenant unjoins the broker. Triggers when a registered Tenant unjoins the Tenant Broker.
Tenant status alert. Triggers when the RAS Connection Broker in a Tenant Farm goes offline.
When a Tenant event occurs, the Tenant Broker administrator receives an email containing the following information (depending on the event type):
Tenant name.
Tenant Broker name.
Tenant enrollment method (invitation hash or secret key).
Tenant status.
Date.
To enable Tenant notifications, do the following:
Log in to the Tenant Broker.
In the RAS Console, navigate to Farm > Site > Settings > Notifications.
In the Notification handlers section, click Tasks > New > Tenant events.
In the Tenant Events Notification Handler Properties dialog, specify the following:
On the General tab, select the Send email to RAS administrators option and specify one or more email addresses separated by a semicolon.
On the Settings tab, either select the Use the default settings option (to use Site defaults) or clear it and specify your own settings.
Click OK to save your settings and close the dialog.
A Tenant Farm administrator can receive notifications when the Tenant Broker becomes unavailable. This usually happens when the RAS Connection Broker in the Tenant Broker goes offline. The notification handler is configured the same way as described above, but this one is configured in the Tenant Farm (not the Tenant Broker).
In addition to the Tenant events handler, you can configure notifications for common events, such as CPU utilization, Memory utilization, RAS Agent events, etc. The only limitation when it comes to Tenant Broker is that it has a limited set of system events for which notification handlers can be configured (see the list of available handlers below). This is because the Tenant Broker doesn't have RD Session Hosts, Provider, licensing limits, published resources, etc. A Tenant Farm has the complete set of notification handlers, so the Tenant admin can configure any of them.
The following notification handlers are available in the Tenant Broker:
CPU utilization
Memory utilization
Number of gateway tunneled sessions
Failed gateway tunneled sessions
RAS Agent events
For additional information, please see System event notifications.
Tenant Broker and Tenants communicate with each other using the following ports:
Tenant Connection Broker > Tenant Broker Connection Broker: port 20003
Tenant Broker Gateway > Tenant Broker Connection Broker: port 20002
Tenant Broker Gateway > Tenant Connection Broker: port 20002
Tenant Broker Gateway > Servers hosting published resources: port 3389
These are standard RAS ports, which are also described in the Port reference section.
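The port list above (also given in the network configuration steps earlier) can be verified from each component before joining a Tenant. The following script is an added example, not part of the Parallels documentation; the host names are constructed placeholders, and the script is run once on a Tenant Connection Broker and once on a shared RAS Secure Gateway so that each flow is tested from the side that initiates it.

```powershell
# Added example (not Parallels code). Host names are constructed placeholders.
param(
    [Parameter(Mandatory)]
    [ValidateSet('TenantConnectionBroker', 'SharedGateway')]
    [string]$Role,

    [string[]]$TenantBrokerConnectionBroker = @('tb-cb01.example.internal'),
    [string[]]$TenantConnectionBroker       = @('t1-cb01.example.internal'),
    [string[]]$ResourceHost                 = @('t1-rdsh01.example.internal'),
    [int]$TimeoutMs = 3000
)

# The four flows from the port list, grouped by the component that initiates them.
$flows = @{
    TenantConnectionBroker = @(
        @{ Name = 'Tenant Connection Broker > Tenant Broker Connection Broker'
           Targets = $TenantBrokerConnectionBroker; Port = 20003 }
    )
    SharedGateway = @(
        @{ Name = 'Tenant Broker Gateway > Tenant Broker Connection Broker'
           Targets = $TenantBrokerConnectionBroker; Port = 20002 }
        @{ Name = 'Tenant Broker Gateway > Tenant Connection Broker'
           Targets = $TenantConnectionBroker; Port = 20002 }
        @{ Name = 'Tenant Broker Gateway > Servers hosting published resources'
           Targets = $ResourceHost; Port = 3389 }
    )
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $connect = $client.ConnectAsync($ComputerName, $Port)
        # Wait() returns $false on timeout and throws if the connection is refused.
        return ($connect.Wait($TimeoutMs) -and $client.Connected)
    }
    catch { return $false }
    finally { $client.Dispose() }
}

$results = foreach ($flow in $flows[$Role]) {
    foreach ($target in $flow.Targets) {
        [pscustomobject]@{
            Flow      = $flow.Name
            Target    = $target
            Port      = $flow.Port
            Reachable = Test-TcpPort -ComputerName $target -Port $flow.Port -TimeoutMs $TimeoutMs
        }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code if any required flow is blocked.
if ($results.Reachable -contains $false) { exit 1 }
```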
One other thing that you have to do after you join a Tenant to the Tenant Broker is to set up routing for the incoming traffic from the Internet to shared RAS Secure Gateways or HALB.
Once the Tenant Farm is operational, you can join one or more sites in it to the Tenant Broker.
Note: A Tenant is a Site in a separately deployed Parallels RAS Farm. When you join a Tenant to Tenant Broker, you join a Site. When you want to join the whole Farm, you do it one Site at a time. Of course, if you have just one Site in a Farm (and have no plans to create more sites), you are essentially joining the whole Farm.
There are two ways you can join a Tenant: (1) Using an invitation hash or (2) Using a shared secret key. The difference between the two is as follows:
Invitation hash. An invitation hash is an automatically generated encrypted string that can be used to join a single Tenant to Tenant Broker. Invitation hash is a property of a Tenant object, which is created in the Tenant Broker console. You email the hash to the Tenant Farm administrator, so they can use it to join the Tenant Broker. Once used, an invitation hash cannot be used again by any other Tenant.
Shared secret key. A shared secret key is similar to an invitation hash, with one important difference. It can be used to join an unlimited number of Tenants. A Tenant object is not pre-created for a secret key in the Tenant Broker. Instead, the object is created when the key is used to join a Tenant. Because of its unlimited usage capability, only the Tenant Broker admins should have access to a shared secret key. This scenario is useful when there are multiple Tenants, all managed by the same Tenant Broker administrator.
The invitation hash scenario is described below. For the secret key scenario see .
First, you need to generate an invitation hash and create a Tenant object on the Tenant Broker side:
Log in to the Tenant Broker.
In the RAS Console, navigate to Farm > Tenants.
Click Tasks > Add.
In the Tenant properties dialog, specify the following:
Name: Type a Tenant name (this can be any name that you like).
Public domain address: If you've already assigned a public domain address to the Tenant, specify it here. If not, you can leave it blank. The address is not required for the Tenant to join the Tenant Broker. However, without the address specified here, end users will not be able to connect to the Tenant, so you will need to come back and fill it in later. For details, see .
Clients in gateway mode connect to published tenant resources by server IP: When selected, clients will use the Tenant IP address instead of the DNS name. You can use this option when a Tenant farm does not share the same DNS provider as the Tenant Broker farm.
Do not show billing information: When selected, billing information is not shown in the category of the Tenant.
Description: Type an optional description.
Connection Brokers: This field is disabled and will be populated automatically when the Tenant joins the Tenant Broker. See more in .
Tenant invitation hash: This is the hash that the admin of the Tenant Farm will need to use to join the Tenant Broker. A hash is generated automatically when you open this dialog. To generate a new hash, click Create new hash.
Send via email. You can give the invitation hash to the Tenant admin directly or you can use this button to send it via email. When you click the button, you'll see a dialog where you can enter the recipients and where you can review and modify the email message. By default, the message contains instructions on how to join the Tenant Broker. Please note that SMTP settings must be configured in the RAS Console before you can use the email option. You can configure SMTP first and then return to this screen to complete this step.
Click OK to close the Tenant properties dialog. The new Tenant will appear in the Tenants list in the console. At this time, the Tenant is not joined yet. Read on to learn how to join it.
To join the Tenant to the Tenant Broker:
Log in to the Tenant Farm.
In the RAS console, navigate to Farm > Site. Note that you are joining a Site to the Tenant Broker, not the whole Farm, so if you have more than one Site, you need to join them one by one.
Click Tasks > Join Tenant Broker.
In the Join Tenant Broker dialog, enter the invitation hash that you obtained from the Tenant Broker in the previous steps (or, if you are an admin of a Tenant Farm, the one you received in the invitation email).
Click Join.
On successful join, you will see a message welcoming you to the Tenant Broker. If the primary Connection Broker in your Tenant Farm can't reach the Tenant Broker, you will see a corresponding error message. Make sure that the Tenant Broker computer is reachable from the machine where you have the Tenant's RAS Connection Broker running.
The Tenant Broker IP address is detected automatically when you generate an invitation hash (or a secret key) and is embedded into the hash. If a Tenant can't reach the Tenant Broker using this address, you have the ability to override it as follows:
Log in to the Tenant Broker.
In the RAS Console, navigate to Farm > Settings and click the Tenant broker tab.
Select the Override Tenant Broker address in tenant invitations and secret keys option.
Enter the desired IP address in the field provided.
When done, the specified IP address will be used instead of the auto-detected address when generating an invitation hash or secret key. When the hash is used on the Tenant side to join the Tenant Broker, the Tenant will use this address to connect to the Tenant Broker.
Once used on the Tenant side, an invitation hash binds the Tenant Farm to the corresponding Tenant object in the Tenant Broker and the tenancy becomes effective.
All RAS Secure Gateways that exist in the Tenant Broker are shared among Tenants. For the most part, shared gateways operate similarly to standard RAS Secure Gateways but there are differences, which are described below.
Tunneling policies are allowed. Tunneled connections are sent to the Tenant Farm mapped to the public address used. The policies, however, are limited to "None" and "All servers in Site".
WYSE is not supported.
For each shared gateway, a session counter is displayed in the Tenant Broker console. To see how many sessions a gateway is running, navigate to Farm > Site and examine the Sessions column in the Gateways section.
Each shared gateway is aware of the configuration of each existing Tenant and is able to route client connections to the correct RAS Connection Broker running in a Tenant Farm. The routing works as follows:
A new client connection is established.
A shared gateway determines which Tenant the client belongs to based on the Tenant configuration.
The correct RAS Connection Broker in the Tenant Farm is selected for this connection.
Two-factor authentication and application listing requests are forwarded to the selected RAS Connection Broker. All subsequent client operations are also carried out using that Connection Broker. See also User authentication.
When you need to take a shared RAS Secure Gateway offline for maintenance, you can do it the same way it's done in a traditional Parallels RAS Farm. You disable the gateway and wait for active sessions to drain. To see the number of active sessions for a gateway, navigate to Farm > Site. The session count is displayed in the Sessions column.
You can safely take shared Gateways offline. Parallels Clients will reconnect to the same sessions automatically.
If you have an existing Farm running RAS v16.x and would like to join it as a Tenant to Tenant Broker, follow these steps:
Upgrade the Farm to RAS 17.1 (or newer).
To join your Farm as a Tenant to Tenant Broker, follow the instructions in the Deploying Tenant Broker and Tenants section.
Once the Farm is joined, you can remove local RAS Secure Gateways if you are not planning on using them for local connections. See Implementation overview for additional info.