To configure a RAS Secure Gateway:
In the RAS console, navigate to Farm > <Site> > Secure Gateways.
In the right pane, right-click a Secure Gateway and click Properties.
The RAS Secure Gateway Properties dialog opens.
Read on to learn how to configure the RAS Secure Gateway properties.
The Public address field on the General tab specifies a public FQDN or IP address of the Secure Gateway. This setting is used by the Preferred routing functionality for redirecting a client connection. Please see Configuring preferred routing.
A RAS Secure Gateway is enabled by default. To enable or disable a Secure Gateway, open the RAS Secure Gateway Properties dialog and select or clear the Enable RAS Secure Gateway in site option on the General tab.
When configuring RAS Secure Gateway to use SSL encryption, you should pay attention to how the SSL server is configured to avoid possible traps and security issues. Specifically, the following SSL components should be rated to determine how good the configuration is:
The certificate, which should be valid and trusted.
The protocol, key exchange, and cipher should be supported.
The assessment may not be easy to perform without specific knowledge about SSL. That's why we suggest that you use the SSL Server Test available from Qualys SSL Labs. This is a free online service that performs an analysis of the configuration of an SSL web server on the public Internet. To perform the test on a RAS Secure Gateway, you may need to temporarily move it to the public Internet.
The test is available at the following URL: https://www.ssllabs.com/ssltest/.
You can read a paper from Qualys SSL Labs describing the methodology used in the assessment at the following URL: https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide.
The traffic between Parallels RAS users and a RAS Secure Gateway can be encrypted. The SSL/TLS tab allows you to configure data encryption options.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site defaults (Gateways).
The Configure button in the HSTS section allows you to enforce HTTP Strict Transport Security (HSTS), a mechanism that makes a web browser communicate with the web server using only secure HTTPS connections. When HSTS is enforced for a RAS Secure Gateway, all web requests to it will be forced to use HTTPS. This specifically affects the RAS User Portal, which typically accepts only HTTPS requests for security reasons.
When you click the Configure button, the HSTS Settings dialog opens where you can specify the following:
Enforce HTTP strict transport security (HSTS): Enables or disables HSTS for the Secure Gateway.
Max-age: Specifies the max-age for HSTS, which is the time (in our case in months) that the web browser should remember that it can only communicate with the Secure Gateway using HTTPS. The default (and recommended) value is 12 months. Acceptable values are 4 to 120 months.
Include subdomains: Specifies whether to include subdomains (if you have them).
Preload: Enables or disables HSTS preloading. This is a mechanism whereby a list of hosts that wish to enforce the use of SSL/TLS on their Site is hardcoded into a web browser. The list is compiled by Google and is used by Chrome, Firefox, Safari, Internet Explorer 11, and Edge browsers. When HSTS preload is used, a web browser will not even try to send a request using HTTP, but will use HTTPS every time. Please also read the important note below.
Note: To use HSTS preload, you have to submit your domain name for inclusion in Chrome's HSTS preload list. Your domain will be hardcoded into all web browsers that use the list. Important: Inclusion in the preload list cannot easily be undone. You should only request inclusion if you are sure that you can support HTTPS for your entire Site and all its subdomains in the long term (usually 1-2 years).
Please also note the following requirements:
Your website must have a valid SSL certificate. See SSL server configuration.
All subdomains (if any) must be covered in your SSL Certificate. Consider ordering a Wildcard Certificate.
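To see what the settings above actually produce, it helps to read the Strict-Transport-Security header the way a browser does. The following script is an added example written for this page, not code from Parallels RAS: parse_hsts() splits the header into its directives (RFC 6797), assess_hsts() checks it against the preload list's published requirements (max-age of at least one year, includeSubDomains, preload), and fetch_hsts() pulls the header from a live gateway. The header strings in the test are constructed; the gateway host, port and /userportal path are assumptions.

```python
"""Check the Strict-Transport-Security header a RAS Secure Gateway sends.

Added example (not Parallels RAS code). parse_hsts() reads the header the way a
browser does (RFC 6797); assess_hsts() applies the HSTS preload list's published
requirements (max-age of at least one year, includeSubDomains, preload). The
header strings in the test are constructed; fetch_hsts() assumes the gateway is
reachable over HTTPS on the path given.
"""
import http.client
import ssl
from typing import List, Optional

ONE_YEAR = 365 * 24 * 3600  # 31536000 seconds, the preload list's minimum max-age


def parse_hsts(header: str) -> dict:
    """Split a header value into its directives; unknown directives are ignored."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            result["max_age"] = int(value)  # a non-numeric max-age leaves None: browsers ignore the header
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def assess_hsts(header: Optional[str]) -> List[str]:
    """Return findings; an empty list means the policy is enforced and preload-ready."""
    if not header:
        return ["no Strict-Transport-Security header: HSTS is not enforced"]
    h = parse_hsts(header)
    findings = []
    if h["max_age"] is None:
        findings.append("max-age missing or not numeric: browsers ignore the whole header")
    elif h["max_age"] == 0:
        findings.append("max-age=0 clears the stored policy instead of enforcing it")
    elif h["max_age"] < ONE_YEAR:
        findings.append(f"max-age {h['max_age']} s is below the one-year minimum the preload list requires")
    if not h["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains stay unprotected and preload is not possible")
    if not h["preload"]:
        findings.append("preload directive missing: the domain cannot be submitted to the preload list")
    return findings


def fetch_hsts(host: str, port: int = 443, path: str = "/userportal",
               cafile: Optional[str] = None) -> Optional[str]:
    """Fetch the header from a live gateway (needs network access).

    Pass the exported gateway certificate as cafile when it is self-signed or
    issued by an enterprise CA, so verification succeeds instead of being skipped.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        header = fetch_hsts(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        header = "max-age=15552000"  # constructed: roughly six months, no subdomains, no preload
    for line in assess_hsts(header) or ["OK: HSTS enforced and preload-ready"]:
        print(line)
```

Run it as `python hsts_check.py gateway.example.com [gateway.cer]`; with no arguments it evaluates the constructed six-month header and reports the three gaps a preload submission would fail on. Note that the console's Max-age is entered in months while the header carries seconds, so this is the quickest way to confirm what clients really receive.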
By default, a self-signed certificate is assigned to a RAS Secure Gateway when the gateway is installed. Each RAS Secure Gateway must have a certificate assigned and the certificate should be added to Trusted Root Authorities on the client side to avoid security warnings.
SSL certificates are created on the Site level using the Farm > Site > Certificates subcategory in the RAS Console. Once a certificate is created, it can be assigned to a RAS Secure Gateway. For the information about creating and managing certificates, refer to the SSL Certificate Management chapter.
To configure SSL for a Secure Gateway:
Select the Enable SSL on Port option and specify a port number (default is 443).
In the Accepted SSL Versions drop-down list, select the SSL version accepted by the RAS Secure Gateway.
In the Cipher Strength field, select a desired cipher strength.
In the Cipher field, specify the cipher. A stronger cipher allows for stronger encryption, which increases the effort needed to break it.
The Use ciphers according to server preference option is ON by default. You can use client preferences by disabling this option.
In the Certificates drop-down list, select a desired certificate. For the information on how to create a new certificate and make it appear in this list, see the SSL Certificate Management chapter.
The <All matching usage> option will use any certificate configured to be used by Secure Gateways. When you create a certificate, you specify the "Usage" property where you can select "Gateway", "HALB", or both. If this property has the "Gateway" option selected, it can be used with a Secure Gateway. Please note that if you select this option, but not a single certificate matching it exists, you will see a warning and will have to create a certificate first.
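Once the Accepted SSL Versions, cipher and preference options are set, verify them from the outside rather than trusting the dialog. The script below is an added example written for this page, not code from Parallels RAS: probe_versions() offers each TLS version on its own and records whether the gateway accepts it, server_prefers_own_order() offers two cipher suites in opposite orders to detect whether the gateway applies its own preference (the "Use ciphers according to server preference" option), and assess() flags deprecated protocols. The gateway host, the port from "Enable SSL on Port" (443 assumed) and the two suite names are assumptions; the assessment rules are the editor's, not a Parallels setting.

```python
"""Probe which TLS versions a RAS Secure Gateway accepts and how it picks ciphers.

Added example (not code from Parallels RAS). It assumes the gateway is reachable
on the port set by "Enable SSL on Port" (443 by default); pass the gateway
certificate as cafile when it is self-signed. The rules in assess() are the
editor's reading of current practice, not a Parallels setting.
"""
import socket
import ssl
import sys
from typing import Dict, List, Optional, Tuple

VERSION_NAMES = {ssl.TLSVersion.TLSv1: "TLSv1", ssl.TLSVersion.TLSv1_1: "TLSv1.1",
                 ssl.TLSVersion.TLSv1_2: "TLSv1.2", ssl.TLSVersion.TLSv1_3: "TLSv1.3"}
DEPRECATED = ("TLSv1", "TLSv1.1")  # deprecated by RFC 8996


def _context(cafile: Optional[str], lo: ssl.TLSVersion, hi: ssl.TLSVersion) -> ssl.SSLContext:
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version, ctx.maximum_version = lo, hi
    if hi < ssl.TLSVersion.TLSv1_2:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # local OpenSSL refuses old versions at its default security level
    return ctx


def _handshake(ctx: ssl.SSLContext, host: str, port: int) -> Tuple[str, str]:
    """Complete one handshake and return (negotiated version, cipher name)."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def probe_versions(host: str, port: int = 443, cafile: Optional[str] = None) -> Dict[str, Tuple[bool, str]]:
    """Offer each protocol version on its own; map version name -> (accepted, detail).

    A certificate verification error still counts as accepted: the gateway chose the
    version before it sent the certificate, and the bad certificate is its own finding.
    """
    out = {}
    for version, name in VERSION_NAMES.items():
        try:
            _, cipher = _handshake(_context(cafile, version, version), host, port)
            out[name] = (True, cipher)
        except ssl.SSLCertVerificationError as e:
            out[name] = (True, f"accepted, but certificate failed: {e.verify_message}")
        except (ssl.SSLError, OSError, ValueError) as e:
            out[name] = (False, str(e))
    return out


def server_prefers_own_order(host: str, port: int = 443, cafile: Optional[str] = None) -> Optional[bool]:
    """Detect the 'Use ciphers according to server preference' setting over TLS 1.2.

    Two suites are offered in opposite orders; if the gateway's pick does not follow
    our order, it applies its own preference. Returns None when the gateway accepts
    only one of the two suites, which makes the comparison inconclusive.
    """
    suites = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]
    picks = []
    for order in (suites, suites[::-1]):
        ctx = _context(cafile, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2)
        ctx.set_ciphers(":".join(order))
        picks.append(_handshake(ctx, host, port)[1])
    if picks[0] != picks[1]:
        return False  # the pick followed the client's order
    other = [s for s in suites if s != picks[0]][0]
    ctx = _context(cafile, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2)
    ctx.set_ciphers(other)
    try:
        _handshake(ctx, host, port)  # does the gateway accept the other suite at all?
    except ssl.SSLError:
        return None
    return True


def assess(results: Dict[str, bool]) -> List[str]:
    """Turn {version name: accepted} into findings; an empty list means the setup is sound."""
    findings = []
    for name in DEPRECATED:
        if results.get(name):
            findings.append(f"{name} accepted: raise 'Accepted SSL Versions' so deprecated protocols are refused")
    if not (results.get("TLSv1.2") or results.get("TLSv1.3")):
        findings.append("neither TLS 1.2 nor TLS 1.3 accepted: current clients and browsers cannot connect")
    return findings


if __name__ == "__main__":
    host = sys.argv[1]
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    results = probe_versions(host, cafile=cafile)
    for name, (ok, detail) in results.items():
        print(f"{name:8} {'accepted' if ok else 'refused '} {detail}")
    print("server cipher preference:", server_prefers_own_order(host, cafile=cafile))
    for finding in assess({n: ok for n, (ok, _) in results.items()}) or ["OK"]:
        print(finding)
```

Run it as `python tls_probe.py gateway.example.com [gateway.cer]`. Because verification stays on, a self-signed or enterprise-CA certificate shows up as "accepted, but certificate failed" for each version, which is exactly the warning end users would see; supplying the exported certificate as the second argument clears it. The Qualys SSL Labs test mentioned above covers the same ground for an Internet-facing gateway; this script is for gateways you cannot expose.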
By default, the only type of connection that is encrypted is a connection between a Secure Gateway and backend servers. To encrypt a connection between Parallels Client and the Secure Gateway, you also need to configure connection properties on the client side. To do so, in Parallels Client, open connection properties and set the connection mode to Gateway SSL.
To simplify the Parallels Client configuration, it is recommended to use a certificate issued by a well-known third-party Trusted Certificate Authority. Note the Windows certificate store is used by some web browsers (Chrome, Edge etc.) when connecting to RAS User Portal.
If the certificate is self-signed or issued by an Enterprise CA, Parallels Clients should be configured as follows:
Export the certificate in Base-64 encoded X.509 (.CER) format.
Open the exported certificate with a text editor, such as Notepad or WordPad, and copy the contents to the clipboard.
Add the certificate to the list of trusted authorities on the client side, so that Parallels Client can connect over SSL with a certificate issued by your organization's Certificate Authority. The location of that list depends on the client platform:
To add the certificate in Parallels Client for Windows:
On the client side, in the directory C:\Program Files\Parallels\Remote Application Server Client\, there is a file called trusted.pem. This file contains certificates of common trusted authorities.
Paste the content of the exported certificate at the end of the file, after the existing certificates.
To add the certificate in Parallels Client for Linux:
On IGEL OS 12:
Open the file named customtrusted.pem in the directory /userhome/.config/2X/Client/. If this file does not exist, create it. This file will store your custom trusted certificates.
Paste the content of the exported certificate to the file. If the file exists and contains other certificates, add the certificate to the end of the file.
On other Linux distributions:
Identify the location of your trusted.pem file. On most systems, this should be the /opt/2X/Client/lib directory.
Open the file named customtrusted.pem in the directory where trusted.pem is located. If this file does not exist, create it. This file will store your custom trusted certificates.
Paste the content of the exported certificate to the file. If the file exists and contains other certificates, add the certificate to the end of the file.
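The export-and-paste steps above are easy to get subtly wrong: a DER export instead of Base-64, Windows line endings pasted into a Linux file, a block pasted twice, or a truncated copy that only fails at connection time. The script below is an added example written for this page, not part of Parallels RAS or its client. It normalises an exported certificate, refuses anything that is not valid PEM or DER, appends it to the trust file for the current platform without creating duplicates, and prints the SHA-256 fingerprint so it can be compared with the certificate shown in the RAS Console. The trust-file paths are the ones given above; the certificate bytes used in the test are a constructed placeholder (a minimal DER SEQUENCE), not a real certificate.

```python
"""Add an exported gateway certificate to the Parallels Client trust file.

Added example, not part of Parallels RAS. The trust-file paths are the ones the
instructions above give; the certificate bytes used in the test are a constructed
placeholder (a minimal DER SEQUENCE), not a real certificate. The script accepts
the Base-64 (.CER) export and also a DER export made by mistake, normalises line
endings, refuses mangled Base-64, and never adds the same certificate twice.
"""
import base64
import hashlib
import platform
import sys
from pathlib import Path
from typing import List

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def default_trust_file() -> Path:
    """Trust file for this platform, per the Parallels Client instructions."""
    if platform.system() == "Windows":
        return Path(r"C:\Program Files\Parallels\Remote Application Server Client\trusted.pem")
    if Path("/userhome/.config/2X/Client").is_dir():  # IGEL OS 12 layout
        return Path("/userhome/.config/2X/Client/customtrusted.pem")
    return Path("/opt/2X/Client/lib/customtrusted.pem")  # next to trusted.pem on most distributions


def to_pem(data: bytes) -> str:
    """Normalise one certificate to a PEM block with LF endings and 64-column lines."""
    if data.lstrip().startswith(b"-----"):
        lines = [ln.strip() for ln in data.decode("ascii").replace("\r\n", "\n").split("\n")]
        if BEGIN not in lines or END not in lines:
            raise ValueError("not a certificate: export it as Base-64 encoded X.509 (.CER)")
        body = "".join(lines[lines.index(BEGIN) + 1:lines.index(END)])
    elif data[:1] == b"\x30":  # DER starts with the ASN.1 SEQUENCE tag
        body = base64.encodebytes(data).decode("ascii").replace("\n", "")
    else:
        raise ValueError("unrecognised certificate format (neither PEM nor DER)")
    base64.b64decode(body, validate=True)  # a truncated or mis-pasted copy fails here, not at connect time
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"{BEGIN}\n{wrapped}\n{END}\n"


def pem_blocks(bundle: str) -> List[str]:
    """Return every certificate block in a bundle, normalised, in file order."""
    blocks, current = [], None
    for line in bundle.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if line == BEGIN:
            current = []
        elif line == END and current is not None:
            blocks.append(to_pem(f"{BEGIN}\n{''.join(current)}\n{END}".encode("ascii")))
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER encoding, to compare with the thumbprint shown in the RAS Console."""
    body = "".join(pem.splitlines()[1:-1])
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def add_trusted_cert(cert_file: Path, trust_file: Path) -> bool:
    """Append the certificate to trust_file (creating it if needed); False if already present."""
    pem = to_pem(cert_file.read_bytes())
    bundle = trust_file.read_text() if trust_file.exists() else ""
    if pem in pem_blocks(bundle):
        return False
    if bundle and not bundle.endswith("\n"):
        bundle += "\n"  # keep the new block on its own line after the last certificate
    trust_file.parent.mkdir(parents=True, exist_ok=True)
    with trust_file.open("w", newline="\n") as f:  # Program Files needs an elevated prompt on Windows
        f.write(bundle + pem)
    return True


if __name__ == "__main__":
    cert = Path(sys.argv[1])
    target = Path(sys.argv[2]) if len(sys.argv) > 2 else default_trust_file()
    added = add_trusted_cert(cert, target)
    print(f"{'added' if added else 'already present'}: {fingerprint(to_pem(cert.read_bytes()))} -> {target}")
```

Run it as `python add_trusted_cert.py gateway.cer` on the client (with an elevated prompt on Windows, where trusted.pem lives under Program Files), or pass an explicit second argument to target a different trust file. Comparing the printed fingerprint with the certificate in the RAS Console is the check that guards against trusting the wrong file.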
A Parallels Client normally communicates with a RAS Secure Gateway over a TCP connection. Recent Windows clients may also utilize a UDP connection to improve WAN performance. To provide the SSL protection for UDP connections, DTLS must be used.
To use DTLS on a RAS Secure Gateway:
On the SSL/TLS tab, make sure that the Enable SSL on Port option is selected.
The Parallels Clients must be configured to use the Gateway SSL Mode. This option can be set in the Connections Settings > Connection Mode drop-down list on the client side.
Once the above options are correctly set, both TCP and UDP connections will be tunneled over SSL.
The Network tab is used to configure RAS Secure Gateway network options.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site defaults (Gateways).
By default RAS Secure Gateway listens on TCP ports 80 and 443 to tunnel all Parallels RAS traffic. To change the port, specify a new port in the RAS Secure Gateway Port input field.
RDP port 3389 is used for clients that require basic load balanced desktop sessions. Connections on this port do not support published resources. To change the RDP port on a gateway, select the RDP Port option and specify a new port. When setting your own port, please make sure that the port number does not conflict with the standard "RD Session Host Port" setting.
Note: If RDP port is changed, the users need to append the port number to their connection string in the remote desktop client (e.g. [ip address]:[port]).
Broadcast RAS Secure Gateway Address. This option can be used to switch on the broadcasting of the Secure Gateway address, so Parallels Clients can automatically find their primary Secure Gateway. The option is enabled by default.
Enable RDP UDP Data Tunneling. To enable UDP tunneling on Windows devices, select this option (default). To disable UDP tunneling, clear the option.
Device Manager Port. Select this option to enable management of Windows devices from the Device Manager category. The option is enabled by default.
Enable RDP DOS Attack Filter. When selected, this option denies chains of uncompleted sessions from the same IP address. For example, if a Parallels Client initiates multiple successive sessions with each session waiting for the user to provide credentials, Parallels RAS will deny further attempts. The option is enabled by default.
IP addresses for incoming client connections for a Secure Gateway are specified on the General tab of the RAS Secure Gateway Properties dialog. RAS Secure Gateway recognizes both IPv4 and IPv6. By default, IPv4 is used.
You can specify the following IP options:
Use IP version: Select the IP version(s) to use.
IP(s): Specify one or more IP addresses separated by a semicolon, or click Resolve to resolve the IP address automatically. These are the available addresses on the Secure Gateway server. To specify IP addresses that should be used for client connections, use the Bind to IP section (see below).
Bind to IP: Use this section to specify on which IP address (or addresses) the Secure Gateway will listen for client connections. You can select a specific address or <All available addresses>, in which case all of the IP addresses specified in the IP(s) field will be used.
Remove system buffers for: These fields (one for each IP version) can be used when the connection between the Secure Gateway and the Parallels Client has a high latency (such as the Internet). This option will optimize traffic for better experience on the Parallels Client side. You can select a specific address, all available addresses, or none. What this option will do is delay the internal socket to match the performance of the external socket. If the internal network is fast and the external is slow, RDP detects the fast internal socket and sends a lot of data. The problem is that this data cannot be sent fast enough from the Secure Gateway to the Client, thus ending up with a bad user experience. Enabling this option will optimize the data exchange.
RAS Secure Gateway Properties dialog consists of tabs, each containing their own specific set of options. All tabs, except Properties, have one common option Inherit default settings. When you select this option, all fields on a tab are grayed out and the settings are inherited from Site defaults. To view (and modify if necessary) Site default properties for Secure Gateways, click the Site Defaults link, which is available on all tabs mentioned above. The link opens the Site default properties dialog. You can also open this dialog by clicking Tasks > Site defaults while on the Farm > Site > Secure Gateways tab.
The subsequent sections describe individual tabs and available options in the Secure Gateway Properties dialog.
A RAS Secure Gateway can operate in normal and forwarding modes. To set the desired mode and configure related settings click the Mode tab in the RAS Secure Gateway Properties dialog.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site Defaults (Gateways).
To set the normal mode, in the Gateway mode drop-down list, select Normal.
The Forward requests to HTTP Server option allows you to forward requests that do not belong to RAS Secure Gateways (gateways handle HTML5 traffic, Wyse, and URL scheme). To specify multiple servers, separate them with a semicolon. An HTTP server can be specified using an IPv6 address if necessary. Please note that the HTTP server must support the same IP version as the browser making the request.
The Preferred Connection Broker drop-down list allows you to specify a RAS Connection Broker that the Secure Gateway should connect to. This is helpful when Site components are installed in multiple physical locations communicating through WAN. You can decrease network traffic by specifying a more appropriate Connection Broker. For the Secure Gateway to select a Connection Broker automatically, select the Automatic option.
To configure the forwarding mode, in the Gateway mode drop-down list, select Forwarding.
Specify (or select) one or more forwarding Secure Gateways in the Forwarding RAS Secure Gateway(s) field.
Note: The forwarding mode allows you to forward data to a Secure Gateway listening on IPv6. It is recommended that forwarding Secure Gateways are configured to use the same IP version.
User Portal is a functionality built into RAS Secure Gateway that allows users to connect to Parallels RAS and open published resources from a web browser using the Parallels Web Client. The client works similarly to a platform-specific Parallels Client, but does not require any additional software to be installed on users' computers or devices. All that users need is an HTML5-enabled web browser.
This section describes how to configure User Portal in the Parallels RAS Console. For the information about how to use it, please refer to the Parallels Web Client and User Portal chapter.
Note: To use Web Client and User Portal, SSL must be enabled on a RAS Secure Gateway. When enabling the client, please verify that SSL is enabled on the SSL/TLS tab or on your network load balancer. Please also note that the User Portal tab is only available if the gateway mode is set to "Normal". For more information, see Gateway mode and forwarding settings.
To configure User Portal, click the User Portal tab in the RAS Secure Gateway properties dialog and then set the options described in the subsequent sections.
For the information on how to configure the Web Client URL and how to access the client from a web browser, please see Web request load balancing.
To use Site default settings on the User Portal tab, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site defaults (Gateways).
The Client section allows you to specify application launch methods and other Web Client settings.
Launch sessions using: When a user tries to open a resource from the User Portal web page, the resource can open right in the web browser or it can be launched in a platform-specific Parallels Client installed on the user's computer (e.g., Parallels Client for Windows). This option specifies which client will be used. Compared to Web Client, platform-specific Parallels Client includes a richer set of features and provides end users with a better overall user experience. Select one of the following:
Browser Only: Users can run remote applications and desktops using Parallels Web Client only. Use this option if you don't want your users to install a platform-specific Parallels Client.
Parallels Client Only: Users can run remote applications and desktops in Parallels Client only. When a user connects to Parallels RAS using Parallels Web Client, they will be asked to install the platform-specific Parallels Client before they can launch remote applications and desktops. A message will be displayed to the user with a link for downloading the Parallels Client installer. After the user installs Parallels Client, they can still select a remote application or desktop in Parallels Web Client but it will open in Parallels Client instead.
Parallels Client with fallback to Browser: Both Parallels Client and a browser (HTML5) can be used to launch remote applications and desktops. Parallels Client will be the primary method; Parallels Web Client will be used as a backup method if a published resource cannot be launched in Parallels Client for any reason. A user will be informed if a resource couldn't be opened in Parallels Client and will be given a choice to open it in the browser instead.
(Parallels Client with fallback to Browser and Parallels Client Only) Additionally, you can configure Parallels Client detection by clicking the Configure button:
Detect client: Select when Parallels RAS tries to detect platform-specific Parallels Client.
Automatically on sign in: Parallels RAS tries to detect platform-specific Parallels Client immediately.
Manually on user prompt: Parallels RAS shows users a prompt where they can select whether they want to detect platform-specific Parallels Client.
Client detection timeout: Time period during which Parallels RAS tries to detect platform-specific Parallels Client.
Allow users to select a launch method: If selected, users will be able to choose whether to open remote applications in a browser or in Parallels Client. You can enable this option only if the Launch sessions using option (above) is set to Parallels Client with fallback to Browser (i.e. both methods are allowed).
Allow opening applications in a new tab: If selected, users will be able to open remote applications in a new tab in a web browser.
Use Pre Windows 2000 login format: Enables legacy (pre-Windows 2000) login format.
Allow embedding of User Portal into other web pages: If selected, the User Portal web page can be embedded (framed) in other web pages. Please note that this is a potential security risk: a page that frames the portal can overlay it and trick users into clicking where they did not intend, a practice known as clickjacking. Leave the option cleared unless you have a specific need to embed the portal.
Allow file transfer command: Enables file transfer in a remote session. To enable file transfer, select this option and click the Configure button. In the dialog that opens, select Client to server only (transfer files from client to server only), Server to client only (transfer files from server to client only), Bidirectional (transfer files in both directions). For more information, see Configuring Remote File Transfer.
Allow clipboard command: Enables clipboard operations (copy/paste) in a remote session. To enable the clipboard, select this option and click the Configure button. In the dialog that opens, select Client to server only (copy/paste from client to server only), Server to client only (copy and paste from server to client only), Bidirectional (copy and paste in both directions). For more information about using the clipboard, see Using the Remote Clipboard.
Allow cross-origin resource sharing: Enables cross-origin resource sharing (CORS). To enable CORS, select this option and click the Configure button. In the dialog that opens, specify one or more domains for which access to resources should be allowed. If you don't specify any domains, the option will be automatically disabled. In the Browser cache time field, specify for how long the end-user's browser will cache a resource.
Use a client IP detection service: If selected, allows configuring an IP detection service to report IP addresses of connected Parallels Web Client applications. To enable a client IP detection service, select this option and click the Configure button. In the dialog that opens, provide the URL to the IP detection service you want to use. You can press the Test button to ensure the API works as expected. When you click the Test button, the Connection Broker will take the role of the client and call the API. If successful, you will be presented with a window showing the IP address of the Connection Broker.
To enable or disable User Portal, select or clear the Enable User Portal option. When the option is cleared, User Portal is disabled and users will not be able to connect to it using the Web Client.
To publish applications from the Parallels RAS to thin clients using the Wyse ThinOS, select the Enable Wyse ThinOS support option on the Wyse tab.
Note: The Wyse tab is only available if the gateway mode is set to normal. See Gateway mode and forwarding settings for more info.
By enabling this option, the RAS Secure Gateway will act as a Wyse broker. You need to make sure that DHCP option 188 on your DHCP server is set to the IP address of this gateway for thin clients that will be booting via this Secure Gateway. Once the DHCP server is configured, click the Test button to verify the DHCP server settings.
The Do not warn if server certificate is not verified option can be selected (enabled) if a Wyse device shows an SSL warning when connecting to a RAS Secure Gateway because the hostname does not match the certificate. When the option is selected, the Secure Gateway sends Wyse clients the following parameters in the wnos.ini file: SecurityPolicy=low TLSCheckCN=no, which disable the SSL checks. Be aware that this also removes the device's protection against a spoofed gateway, so treat it as a stop-gap and fix the certificate instead. The option is not required if the certificate has the following:
The CN (Common Name) set to the FQDN of the RAS Secure Gateway.
The SAN set to the RAS Secure Gateway IP address.
Note that if you use a custom wnos.ini in "C:\Program Files (x86)\Parallels\ApplicationServer\AppData\wnos" folder on Secure Gateway, the Secure Gateway will not send the SSL check parameters.
If you configure DHCP option 188 to set the broker address to a given Secure Gateway, you can verify this by clicking the Test button.
You can allow or deny user access to a Secure Gateway based on a MAC address. This can be accomplished using the Security tab in the RAS Secure Gateway Properties dialog.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site defaults (Gateways).
To configure a list of allowed or denied MAC addresses, click the Security tab and select one of the following options:
Allow all except. All devices on the network will be allowed to connect to the Secure Gateway except those included in this list. Click Tasks > Add to select a device or to specify a MAC address.
Allow only. Only the devices with the MAC addresses included in the list are allowed to connect to the Secure Gateway. Click Tasks > Add to select a device or to specify a MAC address.
Please note that Secure Gateway MAC address filtering is based on ARP, so the client and the gateway must be on the same network for the filtering to work; it does not work across network boundaries. Also note that a MAC address is easily changed on most devices, so use this filter as a convenience control, not as a substitute for authentication.
The Network Load Balancers access section is intended for deployment scenarios where third-party front-end load balancers such as Amazon Web Services (AWS) Elastic Load Balancers (ELBs) are used. It allows you to configure an alternate hostname and port number to be used by the Network Load Balancer (NLB). This is needed to separate the hostnames and ports on which TCP and HTTPS communications are carried out, because a single AWS load balancer listener cannot carry both protocols on the same port.
The following options are available:
Use alternate hostname: Select this option and specify an alternate hostname. When the alternate hostname is enabled, all platform-specific Parallels Clients will use this hostname to connect to the RAS Farm or Site.
Use alternate port: Select this option and specify an alternate port number. The port must not be used by any other component in the RAS Farm or Site. To reset the port number to the default value, click Default. When the alternate port is enabled, all platform-specific Parallels Clients will use this port to connect to the RAS Farm or Site. Note that RDP sessions in Web Client will still be connecting to the standard SSL port (443).
Note: Please note that using an alternate host or port is not suitable in a multi-tenant environment as Tenant Broker RAS Secure Gateways are shared between Tenants, which would require different configurations.
In addition, the AWS Application Load Balancer (ALB), which handles HTTP/s traffic required by the Parallels Web Client, only supports specific cookies that are usually automatically generated. When a load balancer first receives a request from a client, it routes the request to a target and generates a cookie named AWSALB, which encodes information about the selected target. The load balancer then encrypts the cookie and includes it in the response to the client. When sticky sessions are enabled, the load balancer uses the cookie received from the client to route the traffic to the same target, assuming the target is registered successfully and is considered healthy. By default, Parallels RAS uses its own ASP.NET session cookie, ASP.NET_SessionId; in this case, however, you must customize the cookie name, specifying the AWS cookie mentioned above for sticky sessions. This can be configured using the Web cookie field on the Web tab. Please note that this functionality is available in Parallels RAS 17.1 or newer.
Note: The Web tab is only available if the gateway mode is set to normal. See more in Gateway mode and forwarding settings.
The Web tab allows you to tweak settings necessary for load balancing in certain scenarios. Here you can specify a redirection URL for web requests and a session cookie name to maintain persistence between a client and a server.
An original web request can reach the gateway one of the following two ways:
The request is sent directly to the gateway over the local network using its IP address or FQDN. For example, https://192.168.10.10.
The request is sent to a HALB device that load-balances this and other gateways in the Farm. The HALB device often faces the Internet (i.e. is located in the DMZ), so its DNS name can be used in the original request URL. For example, https://ras.msp.com. The HALB device then distributes the request to a gateway.
When the gateway receives the web request, it takes the URL specified on the Web tab and sends it back to the web browser for redirection.
Technically, you can enter any URL here, and the original web request will be redirected to that URL. The primary purpose of this field, however, is to give end users an easy way to access User Portal from their web browsers. Here's how it works:
A user enters the Load Balancer DNS name in a web browser. For example, https://ras.msp.com.
The Load Balancer receives the request and distributes it to the least-busy RAS Secure Gateway for processing.
The gateway receives the original URL and replaces it with the URL specified in the Default URL field. See the Default URL format subsection below.
The replaced URL is then sent back to the web browser, which uses it to open the User Portal login page.
The default URL format is the following:
https://%hostname%/userportal
The %hostname% variable is automatically replaced with the name of the server that received the original request, which in our example is the Load Balancer DNS name. If you wish, you can replace the variable with a specific host name or IP address (e.g. this or some other gateway), for example https://192.168.5.5/userportal. If you do this, the web requests will always be forwarded to the specified host and will open the User Portal on it. Hard-coding a host may not be very practical, but you can do this nevertheless.
userportal is a constant and is the path to the User Portal login page.
In our example, the resulting URL that the web browser will use to access the User Portal is the following:
https://ras.msp.com/userportal
The fact is, a user could simply use the above URL from the start, but thanks to the redirection feature, users only need to enter the server DNS name (or FQDN/IP-address on the local network) instead of the entire URL.
User Portal Themes is a feature that allows you to custom design the User Portal look and feel for different groups of users. Themes are described in detail in Parallels Web Client and User Portal.
The default web request URL opens the default Theme. To make it open a specific Theme, add the Theme name at end of the URL as follows:
https://%hostname%/userportal/?theme=<theme-name>
where <theme-name> is the name of a Theme without brackets or quotes.
For users to open a specific Theme, the URL that they enter in a web browser must contain the Theme name, but in this case the format is as simple as the following:
https://<server-name>/<theme-name>
Using our Load Balancer DNS name example from above, the URL may look like the following:
https://ras.msp.com/Theme-E1
For additional information, please see Configure Themes > URLs.
The Web cookie field is used to specify a session cookie name. RAS Web Client session persistence is normally set by the user IP address (source addressing). If you can't use source addressing in your environment (e.g. your security policy doesn't allow it), you can use the session cookie to maintain persistence between a client and a server. To do so, you need to set up a load balancer that can use a session cookie for persistence. The default cookie name is ASP.NET_SessionId. Note that if you are using Amazon Web Services (AWS) or other third-party load balancers, you may need to specify their own cookie name. See Network load balancers access for more information.