SSL/TLS
The traffic between Parallels RAS users and a RAS Secure Gateway can be encrypted. The SSL/TLS category allows you to configure data encryption options.
To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option.
HSTS
The HSTS section allows you to enforce HTTP Strict Transport Security (HSTS), which is a mechanism that makes a web browser to communicate with the web server using only secure HTTPS connections. When HSTS is enforced for a RAS Secure Gateway, all web requests to it will be forced to use HTTPS. This specifically affects User Portal, which can normally accept only HTTPS requests.
Enforce HTTP strict transport security (HSTS): Enables or disables HSTS for the gateway.
Max-age: Specifies the max age in months that the web browser should remember that it can only communicate with the gateway using HTTPS. The default (and recommended) value is 12 months. Acceptable values are 4 to 120 months.
Include subdomains: Specifies whether to include subdomains (if applicable).
Preload: Enables or disables HSTS preloading. This is a mechanism whereby a list of hosts that wish to enforce the use of SSL/TLS on their Site is hardcoded into a web browser. The list is compiled by Google and is used by Chrome, Firefox, Safari, and Edge browsers. When HSTS preload is used, a web browser will not try to send a request using HTTP, but will use HTTPS every time. Please also read the important note below.
Note: To use HSTS preload, you have to submit your domain name for inclusion in Chrome's HSTS preload list. Your domain will be hardcoded into all web browser that use the list. Important: Inclusion in the preload list cannot easily be undone. You should only request inclusion if you are sure that you can support HTTPS for your entire Site and all its subdomains in the long term (usually 1-2 years).
Please also note the following requirements:
Your website must have a valid SSL certificate.
All subdomains (if any) must be covered in your SSL Certificate. Consider ordering a Wildcard Certificate.
Encryption
By default, a self-signed certificate is assigned to a RAS Secure Gateway when the gateway is installed. Each RAS Secure Gateway must have a certificate assigned and the certificate should be added to Trusted Root Authorities on the client side to avoid security warnings.
SSL certificates are created on the Site level. Once a certificate is created, it can be assigned to a RAS Secure Gateway. For the information about creating and managing certificates, see Certificates.
To configure encryption:
Select the Enable SSL on port option and specify a port number (default is 443).
In the Accepted SSL versions drop-down list, select the SSL version.
In the Cipher Strength field, select a desired cipher strength.
In the Cipher field, specify the cipher. A stronger cipher allows for stronger encryption, which increases the effort needed to break it.
The Use ciphers according to server preference option is ON by default. You can use client preferences by disabling this option.
In the Certificates drop-down list, select a desired certificate. The <All matching usage> option will use any certificate configured to be used by gateways. When you create a certificate, you specify the "Usage" property where you can select "Gateway", "HALB", or both. If this property has the "Gateway" option selected, it can be used with a gateway. Please note that if you select this option, but not a single certificate matching it exists, you will see a warning and will have to create a certificate first.