To configure multi-factor authentication (MFA), navigate to Site Settings > Connection > Multi-factor authentication.
When multi-factor authentication is used, users will have to authenticate through two successive stages to get the application list: native authentication (Active Directory / LDAP) and one of the following MFA:
Azure MFA (RADIUS)
Duo (RADIUS)
FortiAuthenticator (RADIUS)
TekRADIUS
RADIUS
TOTP
Microsoft Authenticator
TOTP (Time-based one-time password)
Deepnet
SafeNet
Please note that at the time of this writing, RAS Management Portal can only be used to add and configure RADIUS or TOTP MFA providers. To configure other providers, you'll need to use the desktop-based Parallels RAS Console.
Multi-factor authentication (MFA) can be enabled or disabled for all user connections, but you can configure more complex rules for specific connections. This functionality allows you to create enable or disable MFA for the same user or computer, which will be applied depending on where the user is connecting from and from which device. Each MFA provider has one rule that consists of one or several criteria for matching against user connections. In turn, each criteria consists of one or several specific objects that can be matched.
You can match the following objects:
User, a group the user belongs to, or the computer the user connects from.
Secure Gateway the user connects to.
Client device name.
Client device operating system.
IP address.
Hardware ID. The format of a hardware ID depends on the operating system of the client.
Notice the following about the rules:
Criteria are connected by the AND operator. For example, if a rule has a criteria that matches certain IP addresses and a criteria that matches client device operating systems, the rule will be applied when a user connection matches one of the IP addresses AND one of the client operating systems.
Objects are connected by the OR operator. For example, if you only create a criteria for matching client device operating systems, the rule will be applied if one of the operating systems matches the client connection.
To configure a rule:
Navigate to Site Settings > Connection > Multi-factor authentication.
Double-click the name of the Google Authenticator provider that you want to configure.
Click the Restrictions link.
Click the Edit button.
Clear the Inherit Defaults option.
Specify criteria for the rule. You will find the following controls:
Allow: specifies that the MFA provider must be enabled when a user connection matches the criteria. Click Allow to change it to Deny.
Deny: specifies that the policy the MFA provider must not be enabled when a user connection matches the criteria. Click Deny to change it to Allow.
(+): adds a new criteria. If you want to match a Secure Gateway, a client device name, a client device operating system, an IP address, or a hardware ID, click (+).
is: specifies that the MFA provider must be enabled (or not not enabled, per Allow and Deny) when a user connection matches the criteria. Click is to change it to is not. This control appears when at least one object is added.
is not: specifies that the MFA provider must be enabled (or not not enabled, per Allow and Deny) when a user connection does not match the criteria. Click is not to change it to is. This control appears when at least one object is added.
You can also disable and enable criteria by clicking on the switch to the left of it.
Click Save when done.
To add a RADIUS MFA provider:
Navigate to Site Settings > Connection > Multi-factor authentication.
Click the plus sign icon and select the provider you want to add.
Specify the following:
Name: Name of the provider.
Description: Description of the provider.
In the Themes table select the Themes that will use this MFA provider.
Click Next.
Specify the following:
Display name: Specify the name of the connection type that will be displayed on the Logon screen on the client side. This should be the name that your users will clearly understand.
Primary server and Secondary server: These two fields allow you to specify one or two RADIUS servers to include in the configuration. Specifying two servers gives you an option to configure high availability for RADIUS hosts (see below). Specify a server by entering its hostname or IP address or click the [...] button to select a server via Active Directory.
When two RADIUS servers are specified, select one of the following high availability modes from the HA mode drop-down list: Active-active (parallel) means the command is sent to both servers simultaneously, the first to reply will be used; Active-passive (failover) means failover and timeout are doubled, Parallels RAS will wait for both hosts to reply.
HA mode: See Primary server and Secondary server above. If only the Primary server is specified, this field is disabled.
Port: Enter the port number for the RADIUS Server. Click the Default button to use the default value.
Timeout: Specify the packet timeout in seconds.
Retries: Specify the number of retries when attempting to establish a connection.
Secret key: Type the secret key.
Password encoding: Choose from PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol), according to the setting specified in your RADIUS server.
User Prompt: Specify the text that the user will see when prompted with an OTP dialog.
Forward username only to RADIUS server: Select this option if needed.
Forward the first password to Windows authentication provider: Select this option to avoid a prompt to enter the password twice (RADIUS and Windows AD). Note that for Azure MFA server, this option is always enabled and cannot be turned off.
Click Create when done.
To configure a RADIUS MFA provider:
Navigate to Site Settings > Connection > Multi-factor authentication.
Double-click the name of the provider that you want to configure.
Click the Edit button.
The following categories are available for configuration:
General and Connection categories: See above.
Note: Once created, attributes cannot be edited in RAS Management Portal. To edit attributes, the desktop-based Parallels RAS Console.
Restrictions: See Configure MFA rules.
Click Save when done.
This section explains how to configure Google Authenticator.
To configure Google Authenticator:
Navigate to Site Settings > Connection > Multi-factor authentication.
Double-click the name of the Google Authenticator provider that you want to configure.
Click the Edit button.
Specify the following:
Name: Name of the provider.
Description: Description of the provider.
In the Themes table select the Themes that will use this MFA provider.
Display name: The default name here is "Google Authenticator. The name will appear on the registration dialog in Parallels Client in the following sentence, "Install Google Authenticator app on your iOS or Android device". If you change the name, the sentence will contain the name you specify, such as "Install <new-name> app on your iOS or Android device". Technically, you can use any authenticator app (hence the ability to change the name), but at the time of this writing only the Google Authenticator app is officially supported.
User Prompt: Specify the text that the user will see when prompted with an OTP dialog.
Modify the default TOTP tolerance if required.
The Enrollment section allows you to limit user enrollment via Google Authenticator if needed. You can allow all users to enroll without limitations (the Allow option), allow enrollment until the specified date and time (Allow until), or completely disable enrollment (the Do not allow option). If enrollment is disabled due to expired time frame or because the Do not allow option is selected, a user trying to log in will see an error message saying that enrollment is disabled and advising the user to contact the system administrator. When you restrict or disable enrollment, Google authenticator or other TOTP provider can still be used, but with added security which would not allow further user enrollment. This is a security measure to mitigate users with compromised credentials to enroll in MFA.
Show information to unenrolled users: Select whether unenrolled users can see the The user name or password is incorrect error when they enter incorrect credentials:
Never (most secure): Unenrolled users see a TOTP prompt instead of the error.
If enrollment is allowed: Unenrolled users see the error if user enrollment is allowed. Otherwise, they see a TOTP prompt.
Always: Unenrolled users always see the error.
The Reset User(s) field in the User management section is used to reset the token that a user receives when they log in to Parallels RAS for the first time using Google Authenticator. If you reset a user, they'll have to go through the registration procedure again (see Using Google Authenticator in Parallels Client below). You can search for specific users, reset all users, or import the list of users from a CSV file.
Restrictions: See Configure MFA rules.
Click Save when done.
Important: To use Google Authenticator or other TOTP provider, the time on a user device must be in sync with the time set on the RAS Connection Broker server. Otherwise, Google authentication will fail.
Google Authenticator is supported in Parallels Client running on all supported platforms, including mobile, desktop, and Web Client.
To use Google Authenticator, a user needs to install the Authenticator app on their iOS or Android device. Simply visit Google Play or App Store and install the app. Once the Authenticator app is installed, the user is ready to connect to Parallels RAS using two-factor authentication.
To connect to Parallels RAS:
The user opens Parallels Client or User Portal and logs in using his/her credentials.
The multi-factor authentication dialog opens displaying a barcode (also known as QR code) and a secret key.
The user opens the Google Authenticator app on their mobile device:
If this is the first time they use it, they tap Begin and then tap Scan a barcode.
If a user already has another account in Google Authenticator, they tap the plus-sign icon and choose Scan a barcode.
The user then scans the barcode displayed in the Parallels Client login dialog.
If scanning doesn't work for any reason, the user goes back in the app, chooses Enter a provided key and then enters the account name and the key displayed in the Parallels Client login dialog.
The user then taps Add account in the app, which will create an account and display a one-time password.
The user goes back to Parallels Client, clicks Next and enters the one-time password in the OTP field.
On every subsequent logon, the user will only have to type their credentials (or nothing at all if the Save password options was selected) and enter a one-time password obtained from the Google Authenticator app (the app will continually generate a new password). If the RAS administrator resets a user (see the Reset Users(s) field description at the beginning of this section), the user will have to repeat the registration procedure described above.