Parallels RAS allows you to use multi-factor authentication for access control. When multi-factor authentication is used, users will have to authenticate through two successive stages to get the application list. While the first level will always use native authentication (Active Directory / LDAP), the second level can use one of the following solutions:

• RADIUS

  • Azure MFA (RADIUS)

  • Duo (RADIUS)

  • FortiAuthenticator (RADIUS)

  • TekRADIUS

  • RADIUS

• TOTP

  • Google Authenticator

  • Microsoft Authenticator

  • TOTP (Time-based one-time password)

• Email OTP

• Deepnet

• SafeNet

Multi-factor authentication is more secure because instead of using a standard user name and password, it uses a static user name and a one-time password generated by a token.

Learn how to add an MFA provider in the Adding an MFA provider section.

See also Configuring MFA rules.

RAS Connection Broker connection settings can be accessed from the Connection category.

Choosing authentication type

Select the Authentication tab. In the Allowed authentication types section, select one of the following options:

• Credentials. The user credentials are validated by the Windows system on which RAS is running. The credentials used for Windows authentication are also used to log in to an RDP session.

• Smart Card. Smart card authentication. Similar to Windows authentication, smart card credentials can be shared between both RAS and RDP. Hence, smart card credentials only need to be entered once. Unlike Windows authentication, the user only needs to know the smart card’s PIN. The username is obtained automatically from the smart card, so the user doesn't need to provide it.

• Web (SAML). SAML SSO authentication. For more information, see SAML SSO Authentication.

• Web + Credentials. The same as Web (SAML), but users are prompted to enter credentials when they launch a published application. To enable the Web + Credentials method, you must configure your IdP and RAS as described in IdP side configuration and SP side configuration.

Note that if smart card authentication is disabled, RAS Connection Broker will not hook the Local Security Authority Subsystem Service (LSASS). Smart card authentication can be used in Parallels Client for Windows, Mac, and Linux. Please also note that smart cards cannot be used for authentication if Parallels Client is running inside an RDP session.

Smart card certificate

A valid certificate must be installed on a user device in order to use smart cards. To do so, you need to import the certificate authority root certificate into the device’s keystore.

A certificate must meet the following criteria:

• The "Key Usage" field must contain digital signature.

• The "Subject Alternative Name" (SAN) field must contain a user principal name (UPN).

• The "Enhanced Key Usage" field must contain smart card logon and client authentication.

Authentication domain

To specify an authentication domain, select one of the following:

• Specific: Select this option and type a specific domain name.

• All trusted domains: If the information about users connecting to Parallels RAS is stored in different domains within a forest, select the All Trusted Domains option to authenticate against multiple domains.

• Use client domain if specified: Select this option to use the domain specified in the Parallels Client connection properties. If no domain name is specified on the client side, the authentication is performed according to the settings above.

• Force clients to use NetBIOS credentials: If this option is selected, the Parallels Client will replace the username with the NetBIOS username.

Recommendation: After changing the domain names or some other authentication related changes, click the Clear cached session IDs button on the Settings tab.

Authenticating against non domain users

In order to authenticate users sessions against users specified on a standalone machine you must enter the [workgroup_name] / [machine_name] instead of the domain name. For example if you would like to authenticate users against a list of local users on a machine called SERVER1 that is a member of the workgroup WORKGROUP, enter the following in the domain field: WORKGROUP/SERVER1.

Changing domain password

You can configure Parallels Client to use a custom URL for changing domain passwords.

To make Parallels Client use a custom URL for changing domain passwords:

1. Select Use a custom link fro the "Change domain password" option.

2. Add the link to the text field below.

The Connection tab lets you specify the following options:

• Display name: Specify the name of the OTP connection type that will be displayed on the Logon screen on the client side. This should be the name that your users will clearly understand.

• Primary server and Secondary server: These two fields allow you to specify one or two RADIUS servers to include in the configuration. Specifying two servers gives you an option to configure high availability for RADIUS hosts (see below). Specify a server by entering its hostname or IP address or click the [...] button to select a server via Active Directory.

• When two RADIUS servers are specified, select one of the following high availability modes from the HA mode drop-down list: Active-active (parallel) means the command is sent to both servers simultaneously, the first to reply will be used; Active-passive (failover) means failover and timeout are doubled, Parallels RAS will wait for both hosts to reply.

• HA mode: See Primary server and Secondary server above. If only the Primary server is specified, this field is disabled.

• Port: Enter the port number for the RADIUS Server. Click the Default button to use the default value.

• Timeout: Specify the packet timeout in seconds.

• Retries: Specify the number of retries when attempting to establish a connection.

• Secret key: Type the secret key.

• Password encoding: Choose from PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol), according to the setting specified in your RADIUS server.

Click the Check connection button to validate the connection. If the connection is configured correctly, you will see a confirmation message.

Specify additional properties as required:

• User Prompt: Specify the text that the user will see when prompted with an OTP dialog.

• Forward username only to RADIUS server: Select this option if needed.

• Forward the first password to Windows authentication provider: Select this option to avoid a prompt to enter the password twice (RADIUS and Windows AD). Note that for Azure MFA server, this option is always enabled and cannot be turned off.

• Please also read a note at the bottom of the dialog (if available) suggesting certain setting specifics for the selected RADIUS solution.

A Parallels RAS administrator has the ability to customize how users connect to Parallels RAS. This chapter describes connection and authentication settings that can be configured according to your organization requirements. It then explains how to use two-factor authentication for higher level of security.

The Automation tab in the RADIUS Properties dialog allows you customize the OTP experience for Parallels Client users by configuring security verification methods and custom commands to be sent to a RADIUS server during the MFA login process. Different security verification methods can be assigned priority and configured to be automatically used.

With this functionality configured, users can choose their preferred security verification method from a predefined and configurable list including Push notification, Phone Callback, SMS, Email, and Custom. The methods appear as clickable icons on the OTP dialog in Parallels Client. When a user clicks an icon, a command is sent to the RADIUS server and the corresponding verification methods is used.

To configure a verification method (also called "actions" here and in the Parallels RAS Console), on the Automation tab, click Tasks > Add. In the Add Action dialog, specify the following properties:

• Enable Action: Enables or disables the action.

• Title: The text that will appear on the clickable icon in Parallels Client (e.g. "Push").

• Command: The OTP command to be used when the action icon is clicked in Parallels Client. Consult your MFA provider for command specifications.

• Description: A description that will appear on the user's screen as a balloon when the mouse pointer hovers over the action icon.

• Action message: A message to show to the user in the connection progress box.

• Select an image: Select an image from the provided gallery. The image is used as the action icon in the OTP dialog in Parallels Client.

When done, click OK to save the action. Repeat the steps above for other actions.

You can move the actions on the Automation tab up or down the list. This dictates in which order the action icons will be displayed in Parallels Client.

Autosend

There's one more option that you can configure for an action. It is called Autosend. The option can be enabled for one action only, making it a default action, which will be used automatically without user interaction.

To enable the Autosend option, select an action on the Automation tab and click Tasks > Autosend. To disable the option, click the same menu again. If you enable Autosend for a different action, it will be automatically disabled for the previous action.

There are two possible ways to make an action execute automatically in Parallels Client:

• Client is receiving the action icon configuration for the first time and one of the actions has Autosend enabled.

• Enabling the Remember last method used option in Policies > Session > Connection > Multifactor authentication. When the option is enabled, and Parallel Client receives the policy, the last method successfully used by the user will become the default automatic method.

Parallels Client

When the user logs in to Parallels RAS via MFA, the OTP dialog is shown in Parallels Client with the actions icons positioned above the OTP field. The user clicks an icon and the authentication is carried out according to the predefined action. For example, if the user clicks the "Push" icon, a push notification is sent to the user mobile device where they can simply tap "Approve". Or there could be a "Text me" icon, in which case a text is sent to the user mobile phone with a one-time password. If one of the actions has the Autosend option enabled, then this action is used automatically.

If a user always uses the same authentication method, they can make it the default one. To do so, the user enables the Remember last method used option in the MFA authentication section of the connection properties. Depending on the platform, the option can be found at the following locations:

• Parallels Client for Windows / Linux: Connection Advanced Settings > MFA authentication

• Parallels Client for Mac: Advanced > MFA authentication

• Parallels Client for Chrome: Advanced Settings

• Web Client: Settings

• Parallels Client for iOS: Connection Settings > MFA authentication

• Parallels Client for Android: Settings > MFA authentication

As was already mentioned above, the Remember last method used can also be configured in Client Policies in the RAS Console. The option is enabled by default.

The Advanced tab lets you specify the error messages sent by the RADIUS server that will not be shown by Parallels Client. This can be useful if an error message is confusing for the user or disrupts user experience.

By default, the "New SMS passcodes sent." is added to the list of ignored messages for DUO Radius. This is done to make authentication via SMS easier for the user. It's not recommended to remove this message from the list of ignored messages.

To add a new message to the list of ignored messages:

1. On the Advanced tab, Tasks > Add (or click the [+] icon).

2. Type the exact text of the error message you want to be ignored. Messages are not case sensitive. Please note that you have to specify only the text sent by the RADIUS server. For example, if Parallels Client shows an error that reads "Code [01/00000003] Logon using RADIUS failed. Error: New SMS passcodes sent.", you need to add "New SMS passcodes sent." to the list.

The below diagram shows the double hop perimeter network scenario with RAS Connection Broker connected to a RADIUS server (RADIUS is located in Intranet but it can be placed in DMZ).

To configure RADIUS properties:

1. In the Parallels RAS Console, navigate to Connection > Multi-factor authentication.

2. Double-click the MFA provider that you want to configure.

Read on to learn how to configure RADIUS provider settings.

Logon hours restrictions provide an ability to restrict user access to published resources during specified time frames using flexible expression-based rules.

Prerequisites

Time zone redirection is required to be set on the server in order for the feature to work as intended.

To enable group policy setting Allow time zone redirection:

1. On the Active Directory server, open the Group Policy Management Console.

2. Expand your domain and?Group Policy Objects.

3. Right-click the GPO that you created for the group policy settings and select Edit.

4. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection.

5. Enable the setting Allow time zone redirection.

Adding a logon hours rule

To add a new logon hours rule:

1. In the RAS Console, navigate to Connection and select the Logon hours tab.

2. Click Tasks > Add (or click the [+] icon).

3. In the Name field, specify the name of the rule in the .

4. in the Description field, specify the description of the rule

5. In the Criteria section, specify criteria for the rule. You will find the following controls:

   • (+): adds a new criteria. If you want to match a Secure Gateway, a client device name, a client device operating system, an IP address or a hardware ID, click (+). In the context menu that appears, select the type of an object that you want to match and add the specific objects in the dialog that appears. The new criteria appears on the next line.

   • (X): Deletes a specific object from matching. For example, you want to delete IP address 198.51.100.1 from matching, click (X) next to it. This control appears when at least one object is added. If all objects in a criteria are deleted, the criteria is removed.

   • is and is not: specifies whether the logon hours rule must be applied when a user connection matches the criteria. Click on the link to switch between the two options. This control appears when at least one object is added.

   • configure: edits the list of objects to be matched. Click this link to add or delete new objects. Note that for the first criteria (User or group) this link is called everyone. It will change to configure once you specify objects for this criteria.
6. In the Logon hours specify the hours when users are permitted to log on. To deny logon during a certain day or period of time, select that day or time and click the Logon denied button that is located to the right of the table.

7. Click OK.

8. Click Apply.

You can also specify the following settings for a logon hours rule:

• Do not allow Parallels Client to connect outside of allowed logon hours: If selected, a Parallels Client is not allowed to connect to resources published on the site.

• Disconnect user session if the time has elapsed: If selected, shows users a notification that their sessions are going to be disconnected. After selecting this option, you can specify the settings below:

  • Notify user before disconnect: Time when Parallels RAS notifies the user before the client is disconnected from the Farm.

  • Allow user to extend session time: If selected, allows user to extend the session.

To specify these settings:

1. In the RAS Console, navigate to Connection and select the Logon hours tab.

2. Select the rule that you want to configure.

3. Click the gear icon to the left of the Task menu. The Options dialog opens. From here, select the options that you want.

Before reading this section, please read the following important note.

Configure Azure MFA

Depending on the user location, there are four scenarios for the cloud MFA service:

An Azure account with Global Administrator role is required to download and activate MFA Server. Syncing with Microsoft Entra ID (via AD Connect) or a custom DNS domain aren't required to setup an MFA Server which runs exclusively on-premises.

Users need to be imported into MFA Server and be configured for MFA authentication.

Parallels RAS authenticates users with MFA Server using the RADIUS second level authentication provider. MFA Server thus needs to be configured to allow RADIUS client connections from the RAS server.

The authentication process goes through the following stages:

In stage 2 the user can be authenticated using either RADIUS or Windows AD. A prompt to enter the credentials twice (in stage 1 and 6) is avoided by enabling the option to forward the password.

You can specify a minimum requirement for the Parallels Client type and version number in order for it to connect to the Parallels RAS Farm or to list published resources. In addition, you can set the Parallels Client security patch level (described later in this section).

To specify Parallels Client requirements:

1. In the RAS Console, select the Connection category and click the Allowed Devices tab.

2. The Allow only clients with latest security patches option specifies the Parallels Client security patch level. If the option is selected, only clients with latest security patches applied will be allowed to connect to Parallels RAS. This option must normally be selected to protect your environment from vulnerabilities. You should only clear it if you must use an older version of Parallels Client with no security patches installed. For more information, please see the following KB article: .

3. In the Mode drop-down list, select from the following options:

   • Allow all clients to connect to the system. No restrictions. All Parallels Client types and versions are allowed full access.

   • Allow only the selected clients to connect to the system. Allows you to specify Parallels Client types and versions that are allowed to connect to the Parallels RAS Farm. Select the desired Parallels Client types in the Clients list. To set the Minimum build value, right-click the client type and choose Edit. Type the version number directly in the Minimum build column.

   • Allow only the selected clients to list the published items. Allows you to specify Parallels Client types and versions that can list published resources. Compared to the option above, this one does not restrict Parallels Clients connecting to Parallels RAS. Select this option and then select the desired Parallels Client types in the Clients list. To set the Minimum build value, right-click the client type and then click Edit in the context menu. Type the version number directly in the Minimum build column.

If a restriction is configured and a Parallels Client is excluded from the list, the user running it will receive a corresponding error message and will be advised to contact the system administrator.

If your RADIUS solution requires configuring attributes, click the Attributes tab and then click Add. In the dialog that opens, choose a desired preconfigured vendor and attribute:

• In the Vendor drop-down list, select a vendor.

• In the Attribute list, select a vendor attribute.

• In the Value field, enter a value for the selected attribute type (numeric, string, IP address, date, etc).

In certain scenarios you may need to add vendors and attributes that are not listed in this dialog. For the information about how to add vendors and attributes, please see the following KB article: .

Click OK and then click OK again .to close all dialogs.

To add an MFA provider:

1. In the RAS Console, navigate to Connection and select the Multi-Factor authentication tab.

2. Click Tasks > Add (or click the [+] icon).

3. Select your MFA provider. A wizard will open.

4. In the Wizard window, specify the following parameters:

   • Name: Name of the provider.

   • Description: Description of the provider.

   • In the Themes table select the Theme(s) that will use this MFA provider.

5. Click Next.

6. Do one of the following:

   • If you use RADIUS, configure the setting as described in and click Finish.

   • If you are using a TOTP provider other than Google Authenticator, configure the setting as described in .

   • If you use email to send OTPs, configure the setting as described in Configuring email OTP.

   • If you use Deepnet DualShield, configure the setting as described in . For information about configuring DualShield Authentication Platform, see section .

   • If you use SafeNet, configure the setting as described in .

   • If you use Google Authenticator, configure the setting as described in .

For instructions on how to configure Parallels RAS with Duo RADIUS, please read the following Parallels KB article: https://kb.parallels.com/124429.

The Settings tab in the Connection category allows you to configure the following remote session options.

Declare user session as idle after

This option affects reporting statistics, whereby a session is declared idle after the amount of time specified without any activity.

FIPS 140-2 encryption

The FIPS 140-2 encryption property allows you to specify whether FIPS-encrypted connections are allowed or even enforced on RAS Secure Gateways. When you allow (or enforce) the encryption, the Gateways will use the FIPS 140-2 encryption module. You can choose from the following options:

• Disabled. FIPS 140-2 encryption is disabled on RAS Secure Gateways.

• Allowed. RAS Secure Gateways accept both FIPS-encrypted and non-FIPS-encrypted connections.

• Enforced. RAS Secure Gateways accept FIPS-encrypted connections and will drop any non-FIPS-encrypted connection.

When you enable FIPS 140-2 encryption, the encryption status is displayed on the Information > Site tab in the RAS Console. Look for the Encryption property of a RAS Secure Gateway.

FIPS 140-2 encryption is supported in all versions of Parallels Client except for the following:

• Parallels Client for Windows installed on Windows 8.1 and earlier

• Parallels Client for Linux downloaded from the IGEL App Portal

• Parallels Client for Android

• Parallels Client for iOS

• Parallels User Portal

Please also note that when FIPS 140-2 encryption is enforced, it is enforced all users in a given Farm. If there's a necessity to force FIPS for one user group and not forced for another, a new Farm must be deployed for this purpose.

Automatically log out client idle connection after

Specifies the time period after which an idle client connection should be logged out. Once the connection is logged out, the user is disconnected from Parallels RAS and is presented with the Connections dialog in Parallels Client as a way to notify them that they were logged out. They can use the dialog to log back on if desired. Parallels Client connection is considered idle after the last user session has been disconnected or logged off.

Cached authentication token timeout

Specify the amount of time that a session is cached for (higher amount of time reduces AD transactions).

Clear cached authentication tokens (a button)

Clears all cached session information.

To configure TOTP settings:

1. Specify the following:

   • Display Name: The default name here is TOTP. The name will appear on the registration dialog in Parallels Client in the following sentence, "Install TOTP app on your iOS or Android device". If you change the name, the sentence will contain the name you specify, such as "Install <new-name> app on your iOS or Android device".

   • User Prompt: Specify the text that the user will see when prompted with an OTP dialog.

   • The User enrollment section allows you to limit user enrollment if needed. You can allow all users to enroll without limitations (the Allow option), allow enrollment until the specified date and time (Allow until), or completely disable enrollment (the Do not allow option). If enrollment is disabled due to expired time frame or because the Do not allow option is selected, a user trying to log in will see an error message saying that enrollment is disabled and advising the user to contact the system administrator. When you restrict or disable enrollment, Google authenticator or other TOTP provider can still be used, but with added security which would not allow further user enrollment. This is a security measure to mitigate users with compromised credentials to enroll in MFA.

   • Show information to unenrolled users: Select whether unenrolled users can see the The user name or password is incorrect error when they enter incorrect credentials:

     • Never (most secure): Unenrolled users see a TOTP prompt instead of the error.

     • If enrollment is allowed: Unenrolled users see the error if user enrollment is allowed. Otherwise, they see a TOTP prompt.

     • Always: Unenrolled users always see the error.

   • The Authentication section allows you to configure TOTP tolerance. When using Time-based One-Time Password (TOTP), it is required to have the time synchronized between the RAS Connection Broker and client devices. The synchronization must be performed against a global NTP server (e.g. time.goole.com). Using the TOTP tolerance drop-down list, you can select a time difference that should be tolerated while performing authentication. Expand the drop-down list and select one of the predefined values (number of seconds). Note that changing time tolerance should be used with caution as it has security implications since the time validity of a security token can be increased, thus a wider time window for potential misuse. Note: When using TOTP providers, it is required to have both Connection Brokers and client devices time synchronized with a global NTP server (e.g. time.google.com). Adding TOTP tolerance increases the one-time password validity, which might have security implications.

   • The Reset User(s) field in the User management section is used to reset the token that a user receives when they log in to Parallels RAS for the first time using the TOTP provider. If you reset a user, they'll have to go through the registration procedure again (for instruction on doing this for Google Authenticator, see Using Google Authenticator in Parallels Client). You can search for specific users, reset all users, or import the list of users from a CSV file.

2. Click Finish.

Please also note that the TOTP available time is calculated as the default 30 seconds + x amount of seconds in the past + x amount of seconds in the future.

To configure sending OTPs via email:

Specify the following:

• Name: The name that will appear in RAS Console.

• (Optional) Description: The description of MFA.

• Themes: The Themes that use the MFA.

• Display name: The name that will appear in Parallels Client.

• OTP Lenght: The length of an OTP. Can be between 4 and 20 numbers.

• OTP Validity: The time period when an OTP is valid. Can be between 30 and 240 seconds.

• User Prompt: Specify the text the user will see when prompted with an OTP dialog.

• E-mail subject: The subject of an email containing an OTP.

• E-mail content: The content of an email containing an OTP.

• Allow users to enroll using external emails: Select this option if you want users to enroll using external email addresses. You can store external emails in RAS Storage or an AD Attribute. If you want to store emails in an Active Directory Custom attribute, you must specify the name of the attribute in the field AD Custom Attribute. You can make sure that you have the permission necessary for storing email addresses in an AD attribute by clicking Validate.

• The User enrollment section allows you to limit user enrollment if needed. You can allow all users to enroll without limitations (the Allow option), allow enrollment until the specified date and time (Allow until), or completely disable enrollment (the Do not allow option). If enrollment is disabled due to an expired time frame or because the Do not allow option is selected, a user trying to log in will see an error message saying that enrollment is disabled and advising the user to contact the system administrator. When you restrict or disable enrollment, Google authenticator or other TOTP provider can still be used, but with added security which would not allow further user enrollment. This is a security measure to mitigate users with compromised credentials to enroll in MFA.

• Show information to unenrolled users: Select whether unenrolled users can see the The user name or password is incorrect error when they enter incorrect credentials:

  • Never (most secure): Unenrolled users see a TOTP prompt instead of the error.

  • If enrollment is allowed: Unenrolled users see the error if user enrollment is allowed. Otherwise, they see a TOTP prompt.

  • Always: Unenrolled users always see the error.

This section explains how to integrate TOTP MFA providers with Parallels RAS.

The following is the list tokens supported by Parallels RAS:

• MobileID (FlashID is not integrated with MobileID)

• QuickID

• GridID

• SafeID

• SecureID (RSA)

• DigiPass (Vasco)

If using hardware tokens such as SafeID the token information must first the XML file provided. Click on ‘Import’ and browse for the XML file provided. After the XML file has been imported each hardware token must be assigned to a user.

This section explains how to integrate Deepnet DualShield Authentication Platform 5.6 or higher with Parallels RAS.

You may also read the following documentation on DualShield Authentication Platform:

• DualShield Authentication Platform – Installation Guide

• DualShield Authentication Platform – Quick Start Guide

• DualShield Authentication Platform – Administration Guide

SafeNet Token Management System provides a high-value of protection via secure tokens which makes it a perfect tool for second-level authentication in Parallels RAS.

After following all the specified steps in "DualShield Authentication Platform – installation Guide" a URP is automatically opened in your internet browser (http:// LOCALHOST:8073) which allows you to logon to the Management Console of DualShield.

Login in to the DualShield Management Console with the default credentials (User: sa, Password: sa). You will be prompted to change the default password.

Applications are set to provide a connection to realm, as the realm contains domains of users who will be allowed the access to the application.

Realm is set for multiple domain users to be able to access the same application.

You need to create an Application which Parallels RAS will communicate with. Click on Authentication > Application Wizard and enter the information shown below and press Next.

Specify the LDAP Server settings as shown below and press Finish.

After you have configured the application you need to configure an Email or SMS gateway which are used by DualShield server to communicate with the end user. In this document we will be using an Email gateway. Select Gateways from the Configuration menu.

Configure your email gateway.

Click Edit to enter your SMTP server information

To configure Deepnet DualShield settings:

1. Specify the following:

   • Server: Hostname of the Deepnet server.

   • Enable SSL: Whether to use SSL when connecting to the Deepnet server.

   • Port: Port used for connection to the Deepnet server.

   • Agent: Agent name that will be used during registration.

2. Click the Check Connection button to test that the authentication server can be reached and to verify that the RAS Console is registered as a DualShield agent. If you see the "DeepNet server not valid" message, it could be dues to the following:

   • The specified server information is incorrect

   • You need ot allow auto registration of the Parallels components as a DualShield agent.

3. If you need to allow auto registration of the Parallels components as a DualShield agent, do the following:

   1. Go back to the DualShield Management Console and select Agents from the Authentication menu as shown below.

   2. Select Auto Registration.

   3. Select the Enabled option and set the date range.

   Once the Agent Auto Registration is set, go back to the RAS Console and select Yes. You should see a message that the Dual Shield agent has been successfully registered.

   Please note that all RAS Connection Brokers must be registered with Deepnet DualShield server. If you are using secondary Connection Brokers, you need to close all open windows until you can press Apply in the RAS Console. This will inform all the agents to self-register as DualShield agents.
4. Go back to the RAS Console and click Next.

5. Specify the following:

   • Application: Name of the Application created in .

   • Default domain: Domain that will be used if the domain was not specified by the user, in the Theme properties or in the Connection settings.

6. In the Mode drop-down list, and select how you want your users to be authenticated:

   • Mandatory for all users means that every user using the system must log in using two-factor authentication.

   • Create token for Domain Authenticated Users will allow Parallels RAS to automatically create software tokens for Domain Authenticated Users. Choose a token type from the drop-down list. Note that this option only works with software tokens, such as QuickID and MobileID

   • Use only for users with a DualShield account will allow users that do not have a DualShield account to use the system without have to login using two-factor authentication.

7. In the Allow channels section, select the channels that will be used to send OTPs to users.

8. Click Finish.

See

You can allow users to log in to the RAS Farms by using their email addresses. This way, users can gain access to applications and desktops published on a Farm without knowing the server address or hostname. All native Parallels Clients support finding Parallels RAS Farms by entering an email address.

For users to connect to a Farm using their email addresses, first you need to create a new TXT record in the forward lookup zone of users’ domain on your DNS server. The specific way to do this depends on the configuration of the DNS server.

The syntax of the TXT record is as follows:

Host: _prlsclient

Text : hostname:port/theme;connmode=X;authmode=X

The following parameters are available for the text field:

• hostname: Hostname of the server where the Secure Gateway resides. This parameter is mandatory.

• port: Port on which the Secure Gateway listens for incoming connections. This parameter is optional.

• theme: Theme. This parameter is optional.

• connmode: connection mode. This parameter is optional. Possible values are 0, 1, 2, 3, where:

  • 0: Gateway mode

  • 1: Direct mode

  • 2: Gateway SSL

  • 3:Direct SSL

• authmode: Authentication type. This parameter is optional. Possible values are 0, 1, 2, 3, where

  • 0: Credentials

  • 1: SSO

  • 2: Smartcard

  • 3: SAML

Examples of the text value:

hostname

hostname:port

hostname:port/theme

hostname;connmode=2;authmode=1

After the DNS record is configured, users will be able to log in using their email addresses. For information on how to do that on specific clients, see Parallels Client Guides.

Users can change their domain password directly from Parallels Client. In some cases, a user may be forced to change their domain password (e.g. when the password is about to expire). When changing a password, a username must be supplied in the UPN format (e.g. user@domain.com).

Passing the domain name to Parallels Client

Since users may not know the name of their domain, you can configure Parallels RAS to pass it to the client side automatically, so users don't have to enter it.

The domain name may be specified in the RAS Console in the following locations:

• The Connection > Authentication tab. The tab page is described earlier in this section. To force a domain name to the client side, select the Specific option and specify a domain name.

• In the Theme Properties dialog. Themes are described later in this guide in the Configure Themes section. Note that when you specify a domain name for a Theme, it overrides the domain name specified on the Authentication tab page (see above). To specify a domain name for a Theme, open the Theme properties dialog, select the General category, select the Override authentication domain option, and specify a domain name.

When Parallels Client connects to Parallels RAS, the domain name, specified as described above, is passed back to it. When the user opens a dialog in Parallels Client to change their domain password, the domain name is automatically added to the user name and the username field is grayed out. This way the user doesn't have to specify the domain name.

Using a custom link to change domain passwords

If your users connect to Parallels RAS with Azure Active Directory Domain Services or a third-party IdP, you should configure changing domain passwords via a custom link. The link should point to the page that allows to change password in your service.

To specify the custom link for changing domain passwords:

1. Navigate to Connection > Authentication > Change domain password.

2. Select the Use a custom link for the "Change domain password" option.

3. In the text field below, specify the custom link for changing domain.

To configure Google Authenticator settings:

1. Specify the following:

   • Display Name: The default name here is Google Authenticator. The name will appear on the registration dialog in Parallels Client in the following sentence, "Install Google Authenticator app on your iOS or Android device". If you change the name, the sentence will contain the name you specify, such as "Install <new-name> app on your iOS or Android device". Technically, you can use any authenticator app (hence the ability to change the name), but at the time of this writing only the Google Authenticator app is officially supported.

   • User Prompt: Specify the text that the user will see when prompted with an OTP dialog.

   • The User enrollment section allows you to limit user enrollment via Google Authenticator if needed. You can allow all users to enroll without limitations (the Allow option), allow enrollment until the specified date and time (Allow until), or completely disable enrollment (the Do not allow option). If enrollment is disabled due to expired time frame or because the Do not allow option is selected, a user trying to log in will see an error message saying that enrollment is disabled and advising the user to contact the system administrator. When you restrict or disable enrollment, Google authenticator or other TOTP provider can still be used, but with added security which would not allow further user enrollment. This is a security measure to mitigate users with compromised credentials to enroll in MFA.

   • Show information to unenrolled users: Select whether unenrolled users can see the The user name or password is incorrect error when they enter incorrect credentials:

     • Never (most secure): Unenrolled users see a TOTP prompt instead of the error.

     • If enrollment is allowed: Unenrolled users see the error if user enrollment is allowed. Otherwise, they see a TOTP prompt.

     • Always: Unenrolled users always see the error.

   • The Authentication section allows you to configure TOTP tolerance. When using Time-based One-Time Password (TOTP), it is required to have the time synchronized between the RAS Connection Broker and client devices. The synchronization must be performed against a global NTP server (e.g. time.goole.com). Using the TOTP tolerance drop-down list, you can select a time difference that should be tolerated while performing authentication. Expand the drop-down list and select one of the predefined values (number of seconds). Note that changing time tolerance should be used with caution as it has security implications since the time validity of a security token can be increased, thus a wider time window for potential misuse.

     Note: When using Time-based One-time Passwords (TOTP) providers, it is required to have both Connection Brokers and client devices time synchronized with a global NTP server (e.g. time.google.com). Adding TOTP tolerance increases the one-time password validity, which might have security implications.

   • The Reset User(s) field in the User management section is used to reset the token that a user receives when they log in to Parallels RAS for the first time using Google Authenticator. If you reset a user, they'll have to go through the registration procedure again (see Using Google Authenticator in Parallels Client below). You can search for specific users, reset all users, or import the list of users from a CSV file.

2. Click Finish.

Please also note that the TOTP available time is calculated as the default 30 seconds + x amount of seconds in the past + x amount of second in the future.

Using Google Authenticator in Parallels Client

Google Authenticator is supported in Parallels Client running on all supported platforms, including mobile, desktop, and Web.

To use Google Authenticator, a user needs to install the Authenticator app on their iOS or Android device. Simply visit Google Play or App Store and install the app. Once the Authenticator app is installed, the user is ready to connect to Parallels RAS using two-factor authentication.

To connect to Parallels RAS:

1. The user opens Parallels Client or Web Client and logs in using his/her credentials.

2. The multi-factor authentication dialog opens displaying a barcode (also known as QR code) and a secret key.

3. The user opens the Google Authenticator app on their mobile device:

   • If this is the first time they use it, they tap Begin and then tap Scan a barcode.

   • If a user already has another account in Google Authenticator, they tap the plus-sign icon and choose Scan a barcode.

4. The user then scans the barcode displayed in the Parallels Client login dialog.

   If scanning doesn't work for any reason, the user goes back in the app, chooses Enter a provided key and then enters the account name and the key displayed in the Parallels Client login dialog.

5. The user then taps Add account in the app, which will create an account and display a one time password.

6. The user goes back to Parallels Client, clicks Next and enters the one time password in the OTP field.

On every subsequent logon, the user will only have to type their credentials (or nothing at all if the Save password options was selected) and enter a one time password obtained from the Google Authenticator app (the app will continually generate a new password). If the RAS administrator resets a user (see the Reset Users(s) field description at the beginning of this section), the user will have to repeat the registration procedure described above.

Parallels Client

Once DualShield has been enabled the users will have two-factor authentication. If using software tokens such as QuickID the administrator does not have to create a token for each user. RAS Connection Broker will automatically create the token when the user tries to log in for the first time.

When a user tries to access a RAS Connection from Parallels Client, they are first prompted for the Windows username and password. If the credentials are accepted, RAS Connection Broker will communicate with the DualShield server to create a unique token for that user.

If using MobileID or QuickID, an email about where to download the appropriate software will be sent to the user.

If using QuickID tokens, the application will ask for a One-Time Password which is sent by e-mail or SMS.

When asked for OTP, enter the One-Time Password to log in to the Parallels ApplicationServer XG Gateway.

Multi-factor authentication (MFA) can be enabled or disabled for all user connections, but you can configure more complex rules for specific connections. This functionality allows you to enable or disable MFA for the same user, depending on where the user is connecting from and from which device. Each MFA provider has one rule that consists of one or several criteria for matching against user connections. In turn, each criteria consists of one or several specific objects that can be matched.

You can match the following objects:

• User, a group the user belongs to, or the computer the user connects from.

• Secure Gateway the user connects to.

• Client device name.

• Client device operating system.

• IP address.

• Hardware ID. The format of a hardware ID depends on the operating system of the client.

Notice the following about the rules:

• Criteria and objects are connected by the OR operator. For example, if a rule has a criteria that matches certain IP addresses and a criteria that matches client device operating systems, the rule will be applied when a user connection matches one of the IP addresses OR one of the client operating systems.

To configure a rule:

1. In the RAS Console, navigate to Connection and select the Multi-Factor authentication tab.

2. Double-click on the provider you want to create the rule for.

3. Select the Restrictions tab.

4. Specify criteria for the rule. You will find the following controls:

   • Enable MFA if and Disable MFA if: specifies whether the MFA provider must be enabled when a user connection matches all the criteria. Click on the link to switch between the two options.

   • (+): adds a new criteria. If you want to match a Secure Gateway, a client device name, a client device operating system, an IP address or a hardware ID, click (+). In the context menu that appears, select the type of an object that you want to match and add the specific objects in the dialog that appears. The new criteria appears on the next line.

   • (X): Deletes a specific object from matching. For example, you want to delete IP address 198.51.100.1 from matching, click (X) next to it. This control appears when at least one object is added. If all objects in a criteria are deleted, the criteria is removed.

   • is and is not: specifies whether the MFA provider must be enabled when a user connection matches the criteria. Click on the link to switch between the two options. This control appears when at least one object is added.

   • configure: edits the list of objects to be matched. Click this link to add or delete new objects. Note that for the first criteria (User or group) this link is called everyone. It will change to configure once you specify objects for this criteria.

To configure SafeNet settings:

1. In the Connection section, enter the valid URL into the OTP Service URL field. To verify that the connection with the OTP Service can be established, click the Check connection button.

1. Click the Authentication tab.

2. In the Mode drop-down list, select how you want your users to be authenticated.

The available modes are:

• Mandatory for all users: every user using the system must login using two-factor authentication.

• Create token for Domain Authenticated Users: Allows Parallels RAS to automatically create software tokens for Domain Authenticated Users. Choose a token type from the drop-down list. Note that this option only works with software tokens.

• Use only for users with a SafeNet account: Allows users that do not have a SafeNet account to use the system without having to login using two-factor authentication.

1. In the TMS Web API URL field, enter the location of the SafeNet API URL.

2. In the User Repository field, enter the user repository destination.

3. Click Finish.

Parallels Client

In Parallels Client — New Account Info dialog:

1. Enter any four digits in the OTP PIN number field (these digits will be required further on in the process).

2. Enter your email address and then click on OK.

3. Log into your email account and retrieve the email containing the information you will need to activate your SafeNet authentication. An example of this email is shown below.

   Activation Key: YZQHoczZWw3cBCNo

   Token Serial: 4F214C507612A26A

   Download MobilePASS client from: http://localhost:80/TMSService/ClientDownload/MobilePASSWin.exe

   *Login with domain credentials.

   *Place the attached seed file in the same folder as the MobilePASS client.

   Enter the One-Time Password to log into the RD Session Host Connection.

   Application PIN: 4089

4. Download the MobilePASS client from the URL provided in the email.

5. Enter the Activation Key found in the SafeNet email.

6. Next, input the application PIN found in the email into the MobilePASS PIN field.

7. Click Generate to generate the eToken number and then click Copy.

8. Combine the OTP PIN and eToken in this order: OTP + eToken.

9. Enter this value into the Parallels Client and click OK to log in.