To configure a RAS Secure Gateway:
Navigate to Infrastructure > Secure Gateways.
Click a Gateway in the list to open the view displaying the Gateway details.
In the middle pane, click Properties.
Configure Gateway properties as described in the subsequent sections.
By default, the only type of connection that is encrypted is a connection between a Gateway and backend servers. To encrypt a connection between Parallels Client and the gateway, you also need to configure connection properties on the client side. To do so, in Parallels Client, open connection properties and set the connection mode to Gateway SSL.
To simplify the Parallels Client configuration, it is recommended to use a certificate issued either by a third-party Trusted Certificate Authority or by an Enterprise Certificate Authority (CA). If an Enterprise CA certificate is used, Windows clients receive the Root or Intermediate Enterprise CA certificate from Active Directory; client devices on other platforms require manual configuration. If a third-party certificate issued by a well-known Trusted Certificate Authority is used, the client device already trusts it through the platform's own Trusted Certificate Authority updates.
If the certificate is self-signed, or is issued by an Enterprise CA, Parallels Clients should be configured as follows:
Export the certificate in Base-64 encoded X.509 (.CER) format.
Open the exported certificate with a text editor, such as notepad or WordPad, and copy the contents to the clipboard.
To add the certificate to the list of trusted authorities on the client side and enable Parallels Client to connect over SSL with a certificate issued by an organization's Certificate Authority:
On the client side, in the directory "C:\Program Files\Parallels\Remote Application Server Client\", there should be a file called trusted.pem. This file contains certificates of common trusted authorities.
Paste the contents of the exported certificate into trusted.pem, appending it to the list of existing certificates.
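The procedure above is a manual copy-and-paste into trusted.pem. The following added example (it is not Parallels code and the file names are illustrative) shows the same step done with a script that verifies each pasted block is a well-formed Base-64 X.509 certificate and skips a certificate that is already in the bundle, so that repeated rollouts do not bloat trusted.pem with duplicates. It uses only the Python standard library; the sample certificate text is a constructed placeholder (a minimal DER SEQUENCE, not a real certificate), which is enough to exercise the parsing and de-duplication logic.

```python
import base64
import hashlib
import re
from pathlib import Path
from typing import List, Tuple

# One Base-64 encoded X.509 block, as produced by the "Base-64 encoded X.509 (.CER)" export.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed placeholder: decodes to the DER bytes 30 03 02 01 01 (a SEQUENCE),
# which is NOT a real certificate but has the shape the checks below look for.
SAMPLE_EXPORTED_CER = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""


def parse_pem_certificates(text: str) -> List[bytes]:
    """Return the DER bytes of every certificate block found in PEM text.

    Raises ValueError when a block is not valid Base-64 or does not start with
    the ASN.1 SEQUENCE tag (0x30) that every DER-encoded X.509 certificate begins with.
    """
    ders = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("certificate block is not valid Base-64") from exc
        if not der or der[0] != 0x30:
            raise ValueError("decoded block is not a DER-encoded certificate")
        ders.append(der)
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes; stable regardless of PEM line wrapping."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der: bytes) -> str:
    """Re-wrap at 64 columns so the bundle keeps canonical PEM layout."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def merge_bundle(bundle_text: str, exported_text: str) -> Tuple[str, List[str]]:
    """Append certificates from exported_text to bundle_text, skipping duplicates.

    Returns (new bundle text, fingerprints that were actually appended).
    """
    new_certs = parse_pem_certificates(exported_text)
    if not new_certs:
        raise ValueError("exported file contains no PEM certificate block")
    known = {fingerprint(d) for d in parse_pem_certificates(bundle_text)}
    out = bundle_text
    if out and not out.endswith("\n"):
        out += "\n"
    appended = []
    for der in new_certs:
        fp = fingerprint(der)
        if fp in known:
            continue  # already trusted on this client; do not add it twice
        out += to_pem(der)
        known.add(fp)
        appended.append(fp)
    return out, appended


def append_to_trusted_pem(bundle_path: Path, exported_cer_path: Path) -> List[str]:
    """File wrapper around merge_bundle; paths are the caller's (see the page for the default location)."""
    existing = bundle_path.read_text(encoding="ascii") if bundle_path.exists() else ""
    merged, appended = merge_bundle(existing, exported_cer_path.read_text(encoding="ascii"))
    if appended:
        bundle_path.write_text(merged, encoding="ascii")
    return appended


if __name__ == "__main__":
    # Stand-alone demonstration on in-memory text rather than the real trusted.pem.
    merged, added = merge_bundle("", SAMPLE_EXPORTED_CER)
    print(f"appended {len(added)} certificate(s)")
    _, added_again = merge_bundle(merged, SAMPLE_EXPORTED_CER)
    print(f"second run appended {len(added_again)} (duplicate skipped)")
```

Run it as an administrator against the real path from the page, e.g. `append_to_trusted_pem(Path(r"C:\Program Files\Parallels\Remote Application Server Client\trusted.pem"), Path("exported.cer"))`; because the script refuses malformed blocks and de-duplicates by DER fingerprint, it is safe to re-run from a deployment tool.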
A Parallels Client normally communicates with a RAS Secure Gateway over a TCP connection. Recent Windows clients may also utilize a UDP connection to improve WAN performance. To provide the SSL protection for UDP connections, DTLS must be used.
To use DTLS on a RAS Secure Gateway:
In the SSL/TLS category, make sure that the Enable SSL on port option is selected.
In the Network category, make sure that the Enable RDP UDP Data Tunneling option is selected.
The Parallels Clients must be configured to use the Gateway SSL mode. This option can be set in the Connections Settings > Connection Mode drop-down list on the client side.
Once the above options are correctly set, both TCP and UDP connections will be tunneled over SSL.
When configuring RAS Secure Gateway to use SSL encryption, you should pay attention to how the SSL server is configured to avoid possible traps and security issues. Specifically, the following SSL components should be rated to determine how good the configuration is:
The certificate, which should be valid and trusted.
The protocol, key exchange, and cipher should be supported.
The assessment may not be easy to perform without specific knowledge about SSL. That's why we suggest that you use the SSL Server Test available from Qualys SSL Labs. This is a free online service that performs an analysis of the configuration of an SSL web server on the public Internet. To perform the test on a RAS Secure Gateway, you may need to temporarily move it to the public Internet.
The test is available at the following URL: https://www.ssllabs.com/ssltest/
You can read a paper from Qualys SSL Labs describing the methodology used in the assessment at the following URL: https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide.
The Network category is used to configure RAS Secure Gateway network options.
To use Site default settings, click the Inherit Defaults option. To specify your own settings, clear the option and set the following:
RAS Secure Gateway port: By default RAS Secure Gateway listens on TCP port 80 to tunnel all Parallels RAS traffic. To change the port, specify a new port.
RDP port: RDP port 3389 is used for clients that require basic load balanced desktop sessions. Connections on this port do not support published resources. To change the RDP port on a gateway select the RDP port option and specify a new port. When setting your own port, make sure that the port does not conflict with the standard "RD Session Host Port" setting.
Note: If the RDP port is changed, users need to append the port number to their connection string in the remote desktop client (e.g. [ip address]:[port]).
Broadcast RAS Secure Gateway address: This option can be used to switch on the broadcasting of the gateway address, so Parallels Clients can automatically find their primary gateway. The option is enabled by default.
Enable RDP UDP Data Tunneling: To enable UDP tunneling on Windows devices, select this option (default). To disable UDP tunneling, clear the option.
Device Manager port: Select this option to enable management of Windows devices. The option is enabled by default.
Enable RDP DOS Attack Filter: When selected, this option denies chains of uncompleted sessions from the same IP address. For example, if a Parallels Client initiates multiple successive sessions with each session waiting for the user to provide credentials, Parallels RAS will deny further attempts. The option is enabled by default.
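To make the RDP DOS Attack Filter behaviour concrete, here is an added example (not Parallels code; the threshold and the event shape are assumptions) that models the rule stated above: each source IP may hold a limited number of sessions still waiting for credentials, a further connection attempt from that IP is denied, and completing or closing a pending session frees a slot again. The event list is constructed; a defender can use the same replay logic over their own connection logs to see which sources would be throttled.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class PendingSessionFilter:
    """Deny new connections from an IP once it has max_pending sessions awaiting credentials.

    max_pending is an assumed value; the page does not state the gateway's threshold.
    """

    def __init__(self, max_pending: int = 3) -> None:
        self.max_pending = max_pending
        self.pending: Dict[str, int] = defaultdict(int)

    def on_connect(self, ip: str) -> bool:
        """Return True if the connection is allowed, False if it is denied."""
        if self.pending[ip] >= self.max_pending:
            return False
        self.pending[ip] += 1
        return True

    def on_complete(self, ip: str) -> None:
        """A pending session finished (credentials supplied or connection closed)."""
        if self.pending[ip] > 0:
            self.pending[ip] -= 1


# Constructed event stream: (source IP, action). "credentials" means the user completed
# the session; anything else is treated as a new connection attempt.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("10.0.0.5", "connect"),
    ("10.0.0.5", "connect"),
    ("10.0.0.5", "connect"),
    ("10.0.0.5", "connect"),      # fourth uncompleted session from the same IP -> denied
    ("10.0.0.9", "connect"),
    ("10.0.0.9", "credentials"),  # a normal client that finishes its session
    ("10.0.0.9", "connect"),
    ("10.0.0.5", "credentials"),  # one of the stalled sessions completes
    ("10.0.0.5", "connect"),      # a slot is free again -> allowed
]


def replay(events: List[Tuple[str, str]], max_pending: int = 3) -> List[Tuple[str, str, str]]:
    """Run the filter over an event list and return (ip, action, decision) per event."""
    flt = PendingSessionFilter(max_pending)
    decisions = []
    for ip, action in events:
        if action == "credentials":
            flt.on_complete(ip)
            decisions.append((ip, action, "ok"))
        else:
            decisions.append((ip, action, "allow" if flt.on_connect(ip) else "deny"))
    return decisions


def denied_sources(decisions: List[Tuple[str, str, str]]) -> Set[str]:
    """Source IPs that hit the filter at least once; useful as a detection feed."""
    return {ip for ip, _, verdict in decisions if verdict == "deny"}


if __name__ == "__main__":
    for ip, action, verdict in replay(SAMPLE_EVENTS):
        print(f"{ip:10} {action:12} {verdict}")
    print("throttled sources:", denied_sources(replay(SAMPLE_EVENTS)))
```

Note that the filter keys on source IP only, so many clients behind one NAT share a single budget of pending sessions; if users behind a shared egress address report intermittent connection refusals, this option is one of the first things to check.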
RAS Secure Gateway can operate in one of the following modes:
Normal Mode: RAS Secure Gateway receives user connection requests and checks with RAS Connection Broker if the user making the request is allowed access. Gateways operating in this mode can support a larger number of requests and can be used to improve redundancy.
Forwarding Mode: RAS Secure Gateway forwards user connection requests to a preconfigured Gateway. Gateways in forwarding mode are useful if cascading firewalls are in use, to separate WAN connections from LAN connections and make it possible to disconnect WAN segments in the event of issues without disrupting the LAN.
Note: To configure the forwarding mode, the RAS Site must have more than one RAS Secure Gateway installed.
To use Site default settings, click the Inherit Defaults option. To specify your own settings, clear the option.
To set the normal mode, in the Gateway mode drop-down list, select Normal.
The Preferred Connection Broker drop-down list allows you to specify a RAS Connection Broker that the gateway will connect to. This is helpful when Site components are installed in multiple physical locations communicating through WAN. You can decrease network traffic by specifying a more appropriate Connection Broker. For the gateway to select a Connection Broker automatically, select the Automatic option.
The Forward requests to HTTP Server option allows you to forward requests that do not belong to RAS Secure Gateways (gateways handle HTML5 traffic, Wyse, and URL scheme). To specify multiple servers, separate them with a semicolon. An HTTP server can be specified using an IPv6 address if necessary. Please note that the HTTP server must support the same IP version as the browser making the request.
To configure the forwarding mode, in the Gateway mode drop-down list, select Forwarding and specify one or more Gateways. A gateway in forwarding mode will forward all the user connection requests to a pre-configured gateway. Gateways in forward mode are useful if cascading firewalls are in use, to separate WAN connections from LAN connections and make it possible to disconnect WAN segments in the event of issues without disrupting the LAN.
The traffic between Parallels RAS users and a RAS Secure Gateway can be encrypted. The SSL/TLS category allows you to configure data encryption options.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option.
The HSTS section allows you to enforce HTTP Strict Transport Security (HSTS), a mechanism that makes a web browser communicate with the web server using only secure HTTPS connections. When HSTS is enforced for a RAS Secure Gateway, all web requests to it will be forced to use HTTPS. This specifically affects User Portal, which can normally accept only HTTPS requests.
Enforce HTTP strict transport security (HSTS): Enables or disables HSTS for the gateway.
Max-age: Specifies the max age in months that the web browser should remember that it can only communicate with the gateway using HTTPS. The default (and recommended) value is 12 months. Acceptable values are 4 to 120 months.
Include subdomains: Specifies whether to include subdomains (if applicable).
Preload: Enables or disables HSTS preloading. This is a mechanism whereby a list of hosts that wish to enforce the use of SSL/TLS on their Site is hardcoded into a web browser. The list is compiled by Google and is used by Chrome, Firefox, Safari, and Edge browsers. When HSTS preload is used, a web browser will not try to send a request using HTTP, but will use HTTPS every time. Please also read the important note below.
Note: To use HSTS preload, you have to submit your domain name for inclusion in Chrome's HSTS preload list. Your domain will be hardcoded into all web browsers that use the list. Important: Inclusion in the preload list cannot easily be undone. You should only request inclusion if you are sure that you can support HTTPS for your entire Site and all its subdomains in the long term (usually 1-2 years).
Please also note the following requirements:
Your website must have a valid SSL certificate.
All subdomains (if any) must be covered in your SSL Certificate. Consider ordering a Wildcard Certificate.
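The options above map directly onto the Strict-Transport-Security response header. The added example below (not Parallels code) builds the header from the Max-age, Include subdomains and Preload settings and, more usefully, assesses a header captured from a gateway the way an auditor would before submitting the domain for preloading: it flags a max-age below the 4-month minimum the gateway accepts and the two preload-list requirements (includeSubDomains present, max-age of at least one year). The conversion of months to seconds assumes 30-day months, since the page only gives the value in months.

```python
from typing import Dict, List, Optional

SECONDS_PER_MONTH = 30 * 24 * 3600   # assumption: 30-day months (the page gives max-age in months)
ONE_YEAR = 365 * 24 * 3600            # minimum max-age required by the HSTS preload list


def build_hsts_header(months: int = 12, include_subdomains: bool = False, preload: bool = False) -> str:
    """Compose the header the gateway would send for the given settings."""
    if not 4 <= months <= 120:
        raise ValueError("Max-age must be between 4 and 120 months")
    directives = [f"max-age={months * SECONDS_PER_MONTH}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    if preload:
        directives.append("preload")
    return "; ".join(directives)


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Split an HSTS header into directives (names are case-insensitive per RFC 6797)."""
    result: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        result[name.strip().lower()] = value.strip().strip('"') if sep else None
    return result


def assess_hsts(header: str) -> List[str]:
    """Return a list of findings; an empty list means the header meets the checks."""
    directives = parse_hsts(header)
    max_age_raw = directives.get("max-age")
    if max_age_raw is None or not max_age_raw.isdigit():
        return ["missing or non-numeric max-age: browsers ignore the header"]
    max_age = int(max_age_raw)
    findings = []
    if max_age == 0:
        findings.append("max-age=0 instructs browsers to forget the HSTS policy")
    elif max_age < 4 * SECONDS_PER_MONTH:
        findings.append("max-age is below the 4-month minimum the gateway accepts")
    if "preload" in directives:
        if max_age < ONE_YEAR:
            findings.append("preload requires a max-age of at least one year")
        if "includesubdomains" not in directives:
            findings.append("preload requires includeSubDomains")
    return findings


if __name__ == "__main__":
    for hdr in (build_hsts_header(), build_hsts_header(24, True, True), "max-age=15552000; preload"):
        print(f"{hdr!r}: {assess_hsts(hdr) or 'ok'}")
```

Because the preload list is effectively permanent, run the assessment against the header your gateway actually emits (for example, from a browser's network tab or a captured response) rather than against the intended configuration, and do not submit the domain until it returns no findings.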
By default, a self-signed certificate is assigned to a RAS Secure Gateway when the gateway is installed. Each RAS Secure Gateway must have a certificate assigned and the certificate should be added to Trusted Root Authorities on the client side to avoid security warnings.
SSL certificates are created on the Site level. Once a certificate is created, it can be assigned to a RAS Secure Gateway. For the information about creating and managing certificates, see Certificates.
To configure encryption:
Select the Enable SSL on port option and specify a port number (default is 443).
In the Accepted SSL versions drop-down list, select the SSL version.
In the Cipher Strength field, select a desired cipher strength.
In the Cipher field, specify the cipher. A stronger cipher allows for stronger encryption, which increases the effort needed to break it.
The Use ciphers according to server preference option is ON by default. You can use client preferences by disabling this option.
In the Certificates drop-down list, select a desired certificate. The <All matching usage> option will use any certificate configured to be used by gateways. When you create a certificate, you specify the "Usage" property where you can select "Gateway", "HALB", or both. If this property has the "Gateway" option selected, it can be used with a gateway. Please note that if you select this option, but not a single certificate matching it exists, you will see a warning and will have to create a certificate first.
Select or clear the Enable RAS Secure Gateway in Site option.
Host: Select a different host if needed.
Description: Set or modify an optional description.
Public address: Specify a public address for the Gateway server.
Specify the following IP options:
Use IP version: Select the IP version(s) to use. RAS Secure Gateway recognizes both IPv4 and IPv6. By default, IPv4 is used.
IP(s): Specify one or more IP addresses separated by a semicolon, or click Resolve to resolve the IP address automatically. These are the available addresses on the Gateway server. To specify IP addresses that should be used for client connections, use the Bind to IP section (see below).
Bind to IP: Use this section to specify on which IP address (or addresses) the Gateway will listen for client connections. You can select a specific address or All available addresses, in which case all of the IP addresses specified in the IP(s) field will be used.
Remove system buffers for: This option can be used when the connection between the Gateway and the Parallels Client has a high latency (such as the Internet). This option will optimize traffic for better experience on the Parallels Client side. You can select one or more specific addresses, all available addresses, or none. What this option will do is delay the internal socket to match the performance of the external socket. If the internal network is fast and the external is slow, RDP detects the fast internal socket and sends a lot of data. The problem is that this data cannot be sent fast enough from the Gateway to the Client, thus ending up with a bad user experience. Enabling this option will optimize the data exchange.
Note: The Web subcategory is only available if the gateway mode is set to normal.
The Web category allows you to tweak settings necessary for load balancing in certain scenarios. Here you can specify a redirection URL for web requests and a session cookie name to maintain persistence between a client and a server.
The original web request can reach the gateway one of the following two ways:
The request is sent directly to the Gateway over the local network using its IP address or FQDN. For example, https://192.168.10.10.
The request is sent to a HALB device that load-balances this and other gateways in the Farm. The HALB device often faces the Internet (i.e., it is located in a DMZ), so its DNS name can be used in the original request URL. For example, https://ras.msp.com. The HALB device then distributes the request to a gateway.
When the gateway receives the web request, it takes the URL specified in the Web category and sends it back to the web browser for redirection.
Technically, you can enter any URL here, and the original web request will be redirected to that URL. The primary purpose of this field, however, is to give end users an easy way to access the User Portal from their web browsers. Here's how it works:
A user enters the Load Balancer DNS name in a web browser. For example, https://ras.msp.com.
The Load Balancer receives the request and distributes it to the least-busy RAS Secure Gateway for processing.
The gateway receives the original URL and replaces it with the URL specified in the Default URL field. See the Default URL format subsection below.
The replaced URL is then sent back to the web browser, which uses it to open the User Portal login page.
The default URL format is the following:
https://%hostname%/userportal
The %hostname% variable is automatically replaced with the name of the server that received the original request, which in our example is the Load Balancer DNS name. If you wish, you can replace the variable with a specific host name or IP address (e.g. this or some other gateway). For example, https://192.168.5.5/userportal. If you do this, the web requests will always be forwarded to the specified host and will open the User Portal on it. Hard-coding a host may not be very practical, but you can do this nevertheless.
userportal is a constant and is the path to the User Portal login page.
In our example, the resulting URL that the web browser will use to access the User Portal is the following:
https://ras.msp.com/userportal
The fact is, a user could simply use the above URL from the start, but thanks to the redirection feature, users only need to enter the server DNS name (or FQDN/IP-address on the local network) instead of the entire URL.
User Portal Themes is a feature that allows you to custom design the User Portal look and feel for different groups of users.
The default web request URL opens the default Theme. To make it open a specific Theme, add the Theme name at end of the URL as follows:
https://%hostname%/userportal/?theme=<theme-name>
where <theme-name> is the name of a Theme without brackets or quotes.
For users to open a specific Theme, the URL that they enter in a web browser must contain the Theme name, but in this case the format is as simple as the following:
https://<server-name>/<theme-name>
Using our Load Balancer DNS name example from above, the URL may look like the following:
https://ras.msp.com/Theme-E1
For additional information, please see User Portal Theme Settings > URLs.
The Open User Portal button uses the specified gateway address and opens User Portal on this particular gateway in a new tab. You can use this button to test your deployment.
The Web cookie field is used to specify a session cookie name. RAS HTML5 session persistence is normally set by user's IP address (source addressing). If you can't use source addressing in your environment (e.g. your security policy doesn't allow it), you can use the session cookie to maintain persistence between a client and a server. To do so, you'll need to set up a load balancer that can use a session cookie for persistence. The default cookie name is ASP.NET_SessionId.
If you are using a third-party load balancer, such as Amazon Web Services (AWS), you need to specify its own cookie name. In case of AWS, when the load balancer first receives a request from a client, it routes the request to a target and generates a cookie named AWSALB, which encodes information about the selected target. The load balancer then encrypts the cookie and includes it in the response to the client. When sticky sessions are enabled, the load balancer uses the cookie received from the client to route the traffic to the same target, assuming the target is registered successfully and is considered healthy.
You can allow or deny user access to a gateway based on a MAC address. This can be accomplished using the Security tab in the RAS Secure Gateway Properties dialog.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option.
To configure a list of allowed or denied MAC addresses, click the Security tab and select one of the following options:
Allow all except. All devices on the network will be allowed to connect to the gateway except those included in this list. Click Tasks > Add to select a device or to specify a MAC address.
Allow only. Only the devices with the MAC addresses included in the list are allowed to connect to the gateway. Click Tasks > Add to select a device or to specify a MAC address.
Please note that the Gateway MAC address filtering is based on ARP, so client and server must be on the same network for the filtering to work. It does not work across network boundaries.
To publish applications from the Parallels RAS to thin clients using the Wyse thinOS, select the Enable Wyse ThinOS support option.
Note: The Wyse category is only available if the Gateway mode is set to normal.
By enabling this option, the RAS Secure Gateway will act as a Wyse broker. You need to make sure that DHCP option 188 on your DHCP server is set to the IP address of this gateway for thin clients that will be booting via this gateway. Once the DHCP server is configured, click the Test button to verify the DHCP server settings.
The Do not warn if server certificate is not verified option can be selected (enabled) if a Wyse device shows an SSL warning when connecting to a RAS Secure Gateway because the hostname does not match the certificate. When the option is selected, the Gateway will send Wyse clients the following parameters in the wnos.ini file: SecurityPolicy=low TLSCheckCN=no, which will disable SSL checks. Note that the option is not required if a certificate has the following:
The CNAME set to the FQDN of the RAS Secure Gateway.
The SAN set to the RAS Secure Gateway IP address.
Note that if you use a custom wnos.ini in "C:\Program Files (x86)\Parallels\ApplicationServer\AppData\wnos" folder on Gateway, the Gateway will not send the SSL check parameters.
Parallels User Portal is built into RAS Secure Gateway. It allows users to connect to Parallels RAS and open published resources from a web browser.
Note: To use User Portal, SSL must be enabled on a RAS Secure Gateway. When enabling the client, please verify that SSL is enabled in the SSL/TLS category or on your network load balancer. Please also note that the User Portal category is only available if the Gateway mode is set to Normal.
For the information on how to configure the User Portal URL and how to access the client from a web browser, please see the Web section.
To use Site default settings on the User Portal tab, click the Inherit default settings option. To specify your own settings, clear the option.
To enable or disable RAS User Portal, select or clear the Enable User Portal option.
The Client section allows you to specify application launch methods and other User Portal settings.
Launch sessions using: Specifies which Parallels Client will be used to open a published resource. This can be the User Portal or a platform-specific Parallels Client. Compared to Web Client, platform-specific Parallels Client includes a richer set of features and provides end users with a better overall user experience. Select one of the following:
Browser only: Users can run remote applications and desktops using Web Client only. Use this option if you don't want your users to install a platform-specific Parallels Client.
Parallels Client only: Users can run remote applications and desktops in Parallels Client only. When a user connects to Parallels RAS using Parallels Web Client, they will be asked to install the platform-specific Parallels Client before they can launch remote applications and desktops. A message will be displayed to the user containing the Parallels Client download link. After the user installs Parallels Client, they can still launch a remote application or desktop in Web Client but the resource will open in Parallels Client.
Parallels Client and fallback to browser: Both Parallels Client and a browser (HTML5) can be used to launch remote applications and desktops. Parallels Client will be the primary method; Parallels Web Client will be used as a backup if a published resource cannot be launched in Parallels Client for any reason. A user will be informed if Parallels Client cannot be used and will be given a choice to open it in the browser instead.
Allow users to select a launch method: If selected, users will be able to choose whether to open remote applications in a browser or in Parallels Client. You can enable this option only if the Launch session using option (above) is set to Parallels Client and fallback to browser (i.e. both methods are allowed).
Allow opening applications in a new tab: If selected, a user will be able to open remote applications in a new tab in his/her web browser.
(Parallels Client with fallback to Browser and Parallels Client only) Additionally, you can configure Parallels Client detection by clicking the Configure button:
Detect client: Select when Parallels RAS tries to detect platform-specific Parallels Client.
Automatically on sign in: Parallels RAS tries to detect platform-specific Parallels Client immediately.
Manually on user prompt: Parallels RAS shows users a prompt where they can select whether they want to detect platform-specific Parallels Client.
Client detection timeout: Time period during which Parallels RAS tries to detect platform-specific Parallels Client.
Use a client IP detection service: If selected, allows configuring an IP detection service to report IP addresses of connected Parallels Web Client applications. To enable a client IP detection service, select this option and click the Configure button. In the dialog that opens, provide the URL to the IP detection service you want to use. You can press the Test button to ensure the API works as expected. When you click the Test button, the Connection Broker will take the role of the client and call the API. If successful, you will be presented with a window showing the IP address of the Connection Broker.
The Network Load Balancers access section is intended for deployment scenarios where third-party front-end load balancers such as Amazon Web Services (AWS) Elastic Load Balancers (ELBs) are used. It allows you to configure an alternate hostname and port number to be used by the Network Load Balancer (NLB). This is needed to separate hostnames and ports on which TCP and HTTPS communications are carried out because AWS load balancers don't support both specific protocols over the same port.
The following options are available:
Use alternate hostname: Select this option and specify an alternate hostname. When the alternate hostname is enabled, all platform-specific Parallels Clients will use this hostname to connect to the RAS Farm or Site.
Use alternate port: Select this option and specify an alternate port number. The port must not be used by any other component in the RAS Farm or Site. To reset the port number to the default value, click Default. When the alternate port is enabled, all platform-specific Parallels Clients will use this port to connect to the RAS Farm or Site. Note that RDP sessions in Web Client will still be connecting to the standard SSL port (443).
Note: Please note that using an alternate host or port is not suitable in a multi-tenant environment as Tenant Broker RAS Secure Gateways are shared between Tenants, which would require different configurations.
In addition, the AWS Application Load Balancer (ALB), which handles HTTP/s traffic required by the Parallels Web Client, only supports specific cookies that are usually automatically generated. When a load balancer first receives a request from a client, it routes the request to a target and generates a cookie named AWSALB, which encodes information about the selected target. The load balancer then encrypts the cookie and includes it in the response to the client. When sticky sessions are enabled, the load balancer uses the cookie received from the client to route the traffic to the same target, assuming the target is registered successfully and is considered healthy. By default, Parallels RAS uses its own ASP.NET cookie named _SessionId, however in this case you must customize the cookie specifying the mentioned AWS cookie for sticky sessions. This can be configured using the Web cookie field in the User Portal > Web subcategory.
The Restrictions section is used to allow or restrict the following User Portal functions:
Use Pre Windows 2000 login format: Enables legacy (pre-Windows 2000) login format.
Allow embedding of Parallels User Portal into other web pages: If selected, the Parallels User Portal web page can be embedded in other web pages. Please note that this may be a potential security risk due to the practice known as clickjacking.
File transfer command: Enables file transfer in a remote session. Select a desired option in the drop-down list. For more information, see Configuring remote file transfer below.
Clipboard redirection: Select a clipboard option that should be allowed in a remote session. Choose from Client to server only (copy/paste from client to server only), Server to client only (copy and paste from server to client only), Bidirectional (copy and paste in both directions).
Allow cross-origin resource sharing (CORS): Enables cross-origin resource sharing (CORS). To enable CORS, select this option and then specify one or more domains for which access to resources should be allowed. If you don't specify any domains, the option will be automatically disabled. In the Browser cache time field, specify for how long the end-user's browser will cache a resource.
Parallels RAS provides end users with the ability to transfer files remotely to and from a remote server.
Note: At the time of this writing, file transfer is supported in Parallels Web Client and Parallels Client for Chrome only. Note that bidirectional file transfer is supported in Parallels Web Client only.
To make the remote file transfer functionality flexible, Parallels RAS allows you to configure it on the following three levels:
RD Session Host, Provider, or Remote PC
User Portal
Client policy
File transfer settings that you configure on each level take precedence in the order listed above. For example, if you enable file transfer in User Portal but disable it on an RD Session Host, file transfer will be disabled for all users who connect to the given RD Session Host through the User Portal. As another example, you can enable file transfer on an RD Session Host and then disable it for a particular Client policy (or a User Portal). This way you can control which clients can use file transfer and which cannot.
To configure remote file transfer for a User Portal, select one of the following options in the File transfer command drop-down list:
Disabled: Remote file transfer is disabled.
Client to Server: Transfer files from client to server only.
Server to Client: Transfer files from server to client only.
Bidirectional: Transfer files in both directions.
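The three configuration levels described above (RD Session Host/Provider/Remote PC, User Portal, Client policy) combine so that a transfer direction is only available when every level allows it, which is what both of the page's examples show. The added example below (not Parallels code) encodes that rule as a set intersection over the four File transfer command values, so that conflicting single-direction settings (Client to Server on one level, Server to Client on another) correctly collapse to Disabled; treating the combination as an intersection is this example's reading of the page, not a documented algorithm.

```python
from typing import FrozenSet, Mapping

# The four values of the "File transfer command" drop-down, expressed as allowed directions.
DIRECTIONS: Mapping[str, FrozenSet[str]] = {
    "Disabled": frozenset(),
    "Client to Server": frozenset({"client->server"}),
    "Server to Client": frozenset({"server->client"}),
    "Bidirectional": frozenset({"client->server", "server->client"}),
}


def _directions_for(setting: str) -> FrozenSet[str]:
    try:
        return DIRECTIONS[setting]
    except KeyError:
        raise ValueError(f"unknown file transfer setting: {setting!r}") from None


def effective_file_transfer(host_setting: str, user_portal_setting: str, client_policy_setting: str) -> str:
    """Return the File transfer command value that is effectively in force for a session.

    Assumption (consistent with the page's examples): a direction is available only when
    the RD Session Host/Provider/Remote PC, the User Portal and the Client policy all allow it.
    """
    allowed = _directions_for(host_setting)
    for setting in (user_portal_setting, client_policy_setting):
        allowed &= _directions_for(setting)
    for name, dirs in DIRECTIONS.items():
        if dirs == allowed:
            return name
    raise AssertionError("unreachable: every subset of two directions has a name")


if __name__ == "__main__":
    # Constructed combinations, including the two examples given on the page.
    cases = [
        ("Bidirectional", "Bidirectional", "Bidirectional"),
        ("Disabled", "Bidirectional", "Bidirectional"),          # disabled on the host wins
        ("Bidirectional", "Bidirectional", "Disabled"),          # disabled for the client policy wins
        ("Client to Server", "Server to Client", "Bidirectional"),  # conflicting directions -> nothing left
    ]
    for host, portal, policy in cases:
        print(f"{host:17} | {portal:17} | {policy:17} -> {effective_file_transfer(host, portal, policy)}")
```

When auditing who can move files out of a session, evaluate the setting on all three levels rather than trusting the User Portal drop-down alone; a permissive value there is silently narrowed by a stricter host or client policy, and vice versa.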