Adding a RADIUS MFA provider

To add a RADIUS MFA provider:

1. Navigate to Site Settings > Connection > Multi-factor authentication.

2. Click the plus sign icon and select the provider you want to add.

3. Specify the following:

   • Name: Name of the provider.

   • Description: Description of the provider.

   • In the Themes table select the Themes that will use this MFA provider.

4. Click Next.

5. Specify the following:

   • Display name: Specify the name of the connection type that will be displayed on the Logon screen on the client side. This should be the name that your users will clearly understand.

   • Primary server and Secondary server: These two fields allow you to specify one or two RADIUS servers to include in the configuration. Specifying two servers gives you an option to configure high availability for RADIUS hosts (see below). Specify a server by entering its hostname or IP address or click the [...] button to select a server via Active Directory.

     When two RADIUS servers are specified, select one of the following high availability modes from the HA mode drop-down list: Active-active (parallel) means the command is sent to both servers simultaneously, the first to reply will be used; Active-passive (failover) means failover and timeout are doubled, Parallels RAS will wait for both hosts to reply.

   • HA mode: See Primary server and Secondary server above. If only the Primary server is specified, this field is disabled.

   • Port: Enter the port number for the RADIUS Server. Click the Default button to use the default value.

   • Timeout: Specify the packet timeout in seconds.

   • Retries: Specify the number of retries when attempting to establish a connection.

   • Secret key: Type the secret key.

   • Password encoding: Choose from PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol), according to the setting specified in your RADIUS server.

   • User Prompt: Specify the text that the user will see when prompted with an OTP dialog.

   • Forward username only to RADIUS server: Select this option if needed.

   • Forward the first password to Windows authentication provider: Select this option to avoid a prompt to enter the password twice (RADIUS and Windows AD). Note that for Azure MFA server, this option is always enabled and cannot be turned off.

6. Click Create when done.

Configuring a RADIUS MFA provider

To configure a RADIUS MFA provider:

1. Navigate to Site Settings > Connection > Multi-factor authentication.

2. Double-click the name of the provider that you want to configure.

3. Click the Edit button.

4. The following categories are available for configuration:

   • General and Connection categories: See above.

   • Attributes: See https://download.parallels.com/ras/v19/docs/en_US/Parallels-RAS-19-Administrators-Guide/46769.htm.

• Automation: See https://download.parallels.com/ras/v19/docs/en_US/Parallels-RAS-19-Administrators-Guide/46770.htm.

• Restrictions: See Configure MFA rules.

1. Click Save when done.

To configure multi-factor authentication (MFA), navigate to Site Settings > Connection > Multi-factor authentication.

When multi-factor authentication is used, users will have to authenticate through two successive stages to get the application list: native authentication (Active Directory / LDAP) and one of the following MFA:

• RADIUS

  • Azure MFA (RADIUS)

  • Duo (RADIUS)

  • FortiAuthenticator (RADIUS)

  • TekRADIUS

  • RADIUS

• TOTP

  • Google Authenticator

  • Microsoft Authenticator

  • TOTP (Time-based one-time password)

• Deepnet

• SafeNet

Please note that at the time of this writing, RAS Management Portal can only be used to add and configure RADIUS or TOTP MFA providers. To configure other providers, you'll need to use the desktop-based Parallels RAS Console.

To manage connection and authentication settings, navigate to Site Settings > Connection.

Choosing authentication type

When users connect to a Site, they are authenticated before they are logged in. To configure authentication type, in the Connection pane, select Authentication and then select one of the following:

• Credentials. The user credentials are validated by the Windows system on which RAS is running. The credentials used for Windows authentication are also used to log in to an RDP session.

• Smart Card. Smart card authentication. Similar to Windows authentication, smart card credentials can be shared between both RAS and RDP. Hence, smart card credentials only need to be entered once. Unlike Windows authentication, the user only needs to know the smart card’s PIN. The username is obtained automatically from the smart card, so the user doesn't need to provide it.

• Web (SAML). SAML SSO authentication.

• Web + Credentials. The same as Web (SAML), but users are prompted to enter credentials when they launch a published application.

Note that if smart card authentication is disabled, RAS Connection Broker will not hook the Local Security Authority Subsystem Service (LSASS). Smart card authentication can be used in Parallels Client for Windows, Mac, and Linux. Please also note that smart cards cannot be used for authentication if Parallels Client is running inside an RDP session.

A valid certificate must be installed on a user device in order to use smart cards. To do so, you need to import the certificate authority root certificate into the device’s keystore.

A certificate must meet the following criteria:

• The "Key Usage" field must contain digital signature.

• The "Subject Alternative Name" (SAN) field must contain a user principal name (UPN).

• The "Enhanced Key Usage" field must contain smart card logon and client authentication.

Authentication domains

To specify a domain (or multiple domains) against which the authentication should be performed, select one of the following:

• Specific: Select this option and type a specific domain name.

• All trusted Domains. If the information about users connecting to Parallels RAS is stored in different domains within a forest, select the All Trusted Domains option to authenticate against multiple domains.

• Use client domain if specified. Select this option to use the domain specified in the Parallels Client connection properties. If no domain name is specified on the client side, the authentication is performed according to the settings above.

• Force clients to use NetBIOS credentials. If this option is selected, the Parallels Client will replace the username with the NetBIOS username.

Recommendation: After changing domain names or some other authentication related changes, you should clear cached session IDs. At this time, this can only be done from the RAS Console, where you need to click the Clear cached session IDs button on the Settings tab.

In order to authenticate users sessions against users specified on a standalone machine, you must enter the [workgroup_name] / [machine_name] instead of the domain name. For example if you would like to authenticate users against a list of local users on a machine called SERVER1 that is a member of the workgroup WORKGROUP, enter the following in the domain field: WORKGROUP/SERVER1.

Changing domain password

You can configure Parallels Client to use a custom URL for changing domain passwords.

To make Parallels Client use a custom URL for changing domain passwords:

1. Select Use a custom link fro the "Change domain password" option.

2. Add the link to the text field below.

Allowed devices

Multi-factor authentication (MFA) can be enabled or disabled for all user connections, but you can configure more complex rules for specific connections. This functionality allows you to create enable or disable MFA for the same user or computer, which will be applied depending on where the user is connecting from and from which device. Each MFA provider has one rule that consists of one or several criteria for matching against user connections. In turn, each criteria consists of one or several specific objects that can be matched.

You can match the following objects:

• User, a group the user belongs to, or the computer the user connects from.

• Secure Gateway the user connects to.

• Client device name.

• Client device operating system.

• IP address.

• Hardware ID. The format of a hardware ID depends on the operating system of the client.

Notice the following about the rules:

• Criteria are connected by the AND operator. For example, if a rule has a criteria that matches certain IP addresses and a criteria that matches client device operating systems, the rule will be applied when a user connection matches one of the IP addresses AND one of the client operating systems.

• Objects are connected by the OR operator. For example, if you only create a criteria for matching client device operating systems, the rule will be applied if one of the operating systems matches the client connection.

To configure a rule:

1. Navigate to Site Settings > Connection > Multi-factor authentication.

2. Double-click the name of the Google Authenticator provider that you want to configure.

3. Click the Restrictions link.

4. Click the Edit button.

5. Clear the Inherit Defaults option.

6. Specify criteria for the rule. You will find the following controls:

   • Allow: specifies that the MFA provider must be enabled when a user connection matches the criteria. Click Allow to change it to Deny.

   • Deny: specifies that the policy the MFA provider must not be enabled when a user connection matches the criteria. Click Deny to change it to Allow.

   • (+): adds a new criteria. If you want to match a Secure Gateway, a client device name, a client device operating system, an IP address, or a hardware ID, click (+).

   • is: specifies that the MFA provider must be enabled (or not not enabled, per Allow and Deny) when a user connection matches the criteria. Click is to change it to is not. This control appears when at least one object is added.

   • is not: specifies that the MFA provider must be enabled (or not not enabled, per Allow and Deny) when a user connection does not match the criteria. Click is not to change it to is. This control appears when at least one object is added.

   You can also disable and enable criteria by clicking on the switch to the left of it.

7. Click Save when done.

Microsoft FSLogix Profile Container is the preferred Profile Management solution as the successor of Roaming Profiles and User Profile Disks (UPDs). It is set to maintain user context in non-persistent environments, minimize sign-in times and provide native profile experience eliminating compatibility issues.

Beginning with version 18, Parallels provides you with the ability to integrate, configure, maintain and support FSLogix Profile Container, supporting Storage Spaces Direct, Azure Files, Azure NetApp files, based on their supported protocols such as SMB and Cloud Cache for resiliency and availability.

Supported FSLogix Profile Container releases

Parallels RAS has been tested with FSLogix Profile Container releases up to and including release 2105.

Prerequisites

FSLogix Profile Container license eligibility, which is included if you have any of the following licenses:

• Microsoft 365 E3,E5

• Microsoft 365 A3,A5, Student Use Benefits

• Microsoft 365 F1, F3

• Microsoft 365 Business

• Windows 10 Enterprise E3,E5

• Windows 10 Education A3,A5

• Windows 10 VDA per user

• Remote Desktop Services (RDS) Client Access License (CAL)

• Remote Desktop Services (RDS) Subscriber Access License (SAL)

Other prerequisites include:

• Profile Container storage configured according to FSLogix recommendations.

• GPO policies related to FSLogix must be disabled on hosts where Parallels RAS manages FSLogix settings

Install FSLogix Profile Container application in Parallels RAS

To install FSLogix Profile Container application in Parallels RAS Management Portal:

1. Navigate to Site Settings > FSLogix.

2. In the right pane, click Edit and select on the following installation methods:

   • Install manually: Use the FSLogix Profile Container application installed on a host manually (Parallels RAS will not install the FSLogix agent).

   • Install online: Install FSLogix Profile Container from the Microsoft web site. In the drop-down list, select one of the desired supported versions. To specify a custom URL, choose Custom URL and then specify a URL in the field provided. To automatically detect the latest supported version, click Detect latest. The latest version will be identified and added to the Install online drop-down list.

   • Install from a network share: Install the FSLogix agent you have available locally (Parallels RAS requires an official ZIP archive as provided by Microsoft).

   • Push from RAS Connection Broker: The latest version of the FSLogix agent is downloaded and stored on the RAS Connection Broker side to be pushed to target session hosts.

Configure a session host to use FSLogix Profile Container

Please note that at the time of this writing RAS Management Portal can only be used to configure RD Session Hosts to use FSLogix Profile Container. For other host types, please use the desktop-based RAS Console.

To configure a session host:

1. Navigate to Infrastructure > RD Session Hosts.

2. Click a host in the list and then click Properties.

3. In the middle pane, click User Profile.

4. Click Edit to enable editing. To override Site or Host pool defaults, clear Inherit defaults and specify your own settings. To modify Site or Host pool defaults, click the corresponding link and do the editing in its respective view.

5. Specify the settings according to your needs.

This section explains how to configure Google Authenticator.

To configure Google Authenticator:

1. Navigate to Site Settings > Connection > Multi-factor authentication.

2. Double-click the name of the Google Authenticator provider that you want to configure.

3. Click the Edit button.

4. Specify the following:

   • Name: Name of the provider.

   • Description: Description of the provider.

   • In the Themes table select the Themes that will use this MFA provider.

   • Display name: The default name here is "Google Authenticator. The name will appear on the registration dialog in Parallels Client in the following sentence, "Install Google Authenticator app on your iOS or Android device". If you change the name, the sentence will contain the name you specify, such as "Install <new-name> app on your iOS or Android device". Technically, you can use any authenticator app (hence the ability to change the name), but at the time of this writing only the Google Authenticator app is officially supported.

   • User Prompt: Specify the text that the user will see when prompted with an OTP dialog.

   • Modify the default TOTP tolerance if required.

   • The Enrollment section allows you to limit user enrollment via Google Authenticator if needed. You can allow all users to enroll without limitations (the Allow option), allow enrollment until the specified date and time (Allow until), or completely disable enrollment (the Do not allow option). If enrollment is disabled due to expired time frame or because the Do not allow option is selected, a user trying to log in will see an error message saying that enrollment is disabled and advising the user to contact the system administrator. When you restrict or disable enrollment, Google authenticator or other TOTP provider can still be used, but with added security which would not allow further user enrollment. This is a security measure to mitigate users with compromised credentials to enroll in MFA.

   • Show information to unenrolled users: Select whether unenrolled users can see the The user name or password is incorrect error when they enter incorrect credentials:

     • Never (most secure): Unenrolled users see a TOTP prompt instead of the error.

     • If enrollment is allowed: Unenrolled users see the error if user enrollment is allowed. Otherwise, they see a TOTP prompt.

     • Always: Unenrolled users always see the error.

   • The Reset User(s) field in the User management section is used to reset the token that a user receives when they log in to Parallels RAS for the first time using Google Authenticator. If you reset a user, they'll have to go through the registration procedure again (see Using Google Authenticator in Parallels Client below). You can search for specific users, reset all users, or import the list of users from a CSV file.

   • Restrictions: See Configure MFA rules.

5. Click Save when done.

Using Google Authenticator in Parallels Client

Google Authenticator is supported in Parallels Client running on all supported platforms, including mobile, desktop, and Web Client.

To use Google Authenticator, a user needs to install the Authenticator app on their iOS or Android device. Simply visit Google Play or App Store and install the app. Once the Authenticator app is installed, the user is ready to connect to Parallels RAS using two-factor authentication.

To connect to Parallels RAS:

1. The user opens Parallels Client or User Portal and logs in using his/her credentials.

2. The multi-factor authentication dialog opens displaying a barcode (also known as QR code) and a secret key.

3. The user opens the Google Authenticator app on their mobile device:

   • If this is the first time they use it, they tap Begin and then tap Scan a barcode.

   • If a user already has another account in Google Authenticator, they tap the plus-sign icon and choose Scan a barcode.

4. The user then scans the barcode displayed in the Parallels Client login dialog.

   If scanning doesn't work for any reason, the user goes back in the app, chooses Enter a provided key and then enters the account name and the key displayed in the Parallels Client login dialog.

5. The user then taps Add account in the app, which will create an account and display a one-time password.

6. The user goes back to Parallels Client, clicks Next and enters the one-time password in the OTP field.

On every subsequent logon, the user will only have to type their credentials (or nothing at all if the Save password options was selected) and enter a one-time password obtained from the Google Authenticator app (the app will continually generate a new password). If the RAS administrator resets a user (see the Reset Users(s) field description at the beginning of this section), the user will have to repeat the registration procedure described above.

Printer redirection enables users to redirect a print job from a remote application or desktop to their local printer, which can be connected to the user's computer or be a local network printer attached via an IP address. RAS Universal Printing simplifies the printing process and solves most printer driver issues by eliminating the need for a remote server to have a printer driver for a specific local printer on the client side. Therefore, a user can print regardless of which printer they have installed locally, and the RAS administrator doesn't have to install a printer driver for each printer connected to the local network.

To configure Universal Printing, navigate to Site Settings > Universal Printing.

Printer settings: Rename pattern

By default, Parallels RAS renames printers using the following pattern: %PRINTERNAME% for %USERNAME% by Parallels. For example, let's say a user named Alice has a local printer named Printer1. When Alice launches a remote application or desktop, her printer is named Printer1 for Alice by Parallels.

You can change the default printer renaming pattern by specifying a new pattern in the Printer rename pattern field. To see the predefined variables that you can use, click the Add variable button. The variables are:

• %CLIENTNAME% — the name of the client computer.

• %PRINTERNAME% — the name of a printer on the client side.

• %SESSIONID% — RAS session ID.

• %USERNAME% — the name of the user connected to RAS.

• <2X Universal Printer> — This is a legacy mode where only one printer object will be created in the RDP session.

You can also use some other characters in a printer renaming pattern. For example, you can define the following commonly used pattern:

Client/%CLIENTNAME%#/%PRINTERNAME%.

Using the above pattern (and the user named Alice from the earlier example), a local printer will be named Client/Alice's Computer#/Printer1

You can specify a different printer renaming pattern for each server in the Servers in Site list.

Printer settings: Printer retention

When client-defined printers are redirected to a remote session, it takes time and impacts overall session establishing time. To improve user experience, you can reuse previously created user's printers. To do so, set the Printer retention option to Enable printer retention optimization.

Drivers

A system administrator can control the list of client-side printer drivers which should be allowed or denied the Universal Printing redirection privileges.

Using this functionality you can:

• Avoid server resource overloading by non-useful printer redirection. Since the majority of users choose to redirect all local printers (this is default setting), a large number of redirected devices is created on the server which are not really used. It's mostly related to various paperless printers like PDFCreator, Microsoft XPS Writer, or various FAX devices.

• Avoid server instability with certain printers. There are some printers that might create server instability (spooler service component) and as the result deny printing services as a whole for all connected users. It is very important that the administrator has the ability to include such drivers to the "deny" list to continue running printing services.

To specify printer drivers in the Drivers section:

1. In the Mode drop-down list, select which printers should be allowed redirection from the following options:

   • Allow redirection of printers using any driver|: (default) This option places no limitation on the type of driver a printer is using to use redirection privileges.

   • Allow redirection of printers using one of the listed drivers: Select this option and add the "allowed" drivers to the list. To add a driver, click the plus-sign icon and type the driver name.

   • Don't allow redirection of printers that use one of the listed drivers: This is probably the most useful option in the context of this feature. The printers that use drivers specified in the list will be denied redirection privileges. All other printers will be allowed to use redirection.

2. To delete a printer driver from the list, click the minus-sign icon.

Please make a note of the following:

• When adding a printer driver to the list, type the printer driver name, NOT the printer name.

• The driver names comparison is case insensitive and requires full match (no partial names, no wildcards).

• The settings that you specify on this tab affect the entire Site (not an individual server).

Fonts

Fonts need to be embedded so when printing a document using Universal Printing the document is copied to the local spooler of the client machine to be printed. If the fonts are not present on the client machine the print out would not be correct.

Excluding fonts from embedding: To exclude a specific font type from being embedded, select it in the list. To add one or more fonts, slick the plus-sign icon.

Auto install fonts: To automatically install a specific font type on servers and clients, click the plus-sign icon in the Auto install fonts section.

To configure FSLogix:

1. Do one of the following:

   • To configure Site defaults, navigate to Infrastructure > Host pools > RD Session Hosts > Properties > Site defaults > User Profile.

   • To configure host pools, navigate to Infrastructure > Host pools > <Host pool name> > Properties > User Profile.

   • To configure individual hosts, navigate to Infrastructure > RD Session Hosts > <Host name> > Properties > User Profile.

2. If you want to use Profile Containers, go to User Profile > FSLogix - Profile Containers:

   • Users and Groups: Specify include and exclude user and group lists. By default, Everyone is added to the FSLogix profile include list. If you want some user profiles remain local, you can add those users to the exclude list. Users and group can exist in both lists but exclude takes priority.

   • Folders: Specify include and exclude lists for folders. You can select from common folders or you can specify your own. Please note that folders must reside in user profile path.

   • Disks: Specify the settings of the profile disk. Location type: Select a location type for profile disks (SMB Location or Cloud Cache) and then specify one or more locations. Location of profile disks: Location(s) of profile disks. These are the locations of VHD(X) files (the VHDLocations setting in the registry as specified in the FSLogix documentation). Profile disk format: Select from VHD or VHDX according to your requirements. VHDX is a newer format and has more features. Allocation type: Select Dynamic or Full. This setting is used in conjunction with the Default size setting (see below) to manage the size of a profile. Dynamic causes the profile container to use the minimum space on disk, regardless of the allocated Default size. As a user profile is filled with more data, the amount of data on disk will grow up to the size specified in Default size, but will never exceed it. Default size: Specifies the size of newly created VHD(X) in megabytes.

   • Advanced: This tab allows you to modify advanced FSLogix registry settings. By default, the settings are disabled. To enable a setting, select the checkbox in front of its name. A description for each setting is provided in the RAS console. For further information regarding FSLogix Profile Containers configurations, visit https://docs.microsoft.com/en-us/fslogix/profile-container-configuration-reference.

3. If you want to use Office Containers, go to User Profile > FSLogix - Office Containers:

   • Users and Groups: Same as above.

   • Disks: Same as above.

   • Advanced: Same as above.

4. If you want to configure Cloud Cache, go to User Profile > FSLogix - Cloud Cache. For more information about these settings, see https://learn.microsoft.com/en-us/fslogix/reference-configuration-settings?tabs=ccd#fslogix-settings-profile-odfc-cloud-cache-logging.

5. If you want to configure logging, go to User Profile > FSLogix - Logging. For more information about these settings, see https://learn.microsoft.com/en-us/fslogix/reference-configuration-settings?tabs=ccd#fslogix-settings-profile-odfc-cloud-cache-logging.

This topic describes how to configure existing FSLogix Profile Containers to be managed by Parallels RAS. FSLogix Profile Container configuration defines how and where the profile is redirected. Normally, you configure profiles through registry settings and GPO. Parallels RAS gives you the ability to configure profiles from the Parallels RAS Console or RAS Management Portal without using external tools.

Before you begin

Before you configure FSLogix Profile Containers in Parallels RAS, make note of the following:

• You don't have to change the profiles themselves; existing profiles stay the same.

• You can keep using your existing FSLogix Profile Container locations, such as SMB network shares or Cloud Cache.

Preliminary steps

Perform the following preliminary steps:

1. Back up your existing profiles. It is highly unlikely that profile data can be lost or corrupted, but it is best practice to have a valid backup prior to any change in profile configuration.

2. Turn off the GPO configuration of FSLogix Profile Containers. This step is important because you cannot have both GPO and Parallels RAS management of FSLogix profiles enabled at the same time.

3. Before configuring FSLogix profiles for a server in a RAS Farm, make sure there are no user sessions running on the server. As a suggestion, you can make the transition in a maintenance window out of working hours.

Replicate GPO and FSLogix configuration

To configure existing FSLogix Profile Containers in Parallels RAS, you need to replicate your existing GPO to the FSLogix configuration in Parallels RAS. This can be done in the Parallels RAS Console or the Parallels Management Portal.

To configure profiles in the RAS Management Portal:

1. Navigate to Infrastructure > RD Session Hosts.

2. Click a host in the list and then click Properties.

3. In the middle pane, click User Profile.

4. In the Location of profile disks list box, specify existing SMB or cloud cache locations where you keep your FSLogix profiles. Also, specify the profile disk format, allocation type, and default size.

5. In the middle pane, click Users and Groups, Folders, and Advanced items to configure the rest of FSLogix settings you may have on your servers, such as user exclusions, folder exclusions, and others.

Please note that at the time of this writing RAS Management Portal can only be used to configure RD Session Hosts to use FSLogix Profile Containers. For other host types, please use the desktop-based RAS Console (described below).

To configure profiles in the RAS Console:

1. Open the User profiles tab on a host, Site defaults, or Template Properties dialog.

2. In the Location of profile disks list box, specify existing SMB or cloud cache locations where you keep your FSLogix profiles. Also, specify the profile disk format, allocation type, and default size.

3. Click the Additional settings button and configure the rest of FSLogix settings you may have on your servers, such as user exclusions, folder exclusions, and others.

Recommendations and testing

When performing steps in the previous section, do not configure multiple (or all) servers in a RAS farm right away. Begin with a single server (e.g. an RD Session Host) and then test it with a single user connection. After that, configure some other servers and test the same user logging in to multiple servers consecutively to confirm the profile is loaded and personalization is retained irrespective of a session host. If all is good, configure other host, host pools, or Site defaults.

Your RAS users can now connect to Parallels RAS using pre-existing FSLogix Profile Containers, which are now managed centrally through Parallels RAS.

Scanner redirection enables users who are connected to a remote desktop or accessing a published application to make a scan using the scanner that is connected to the client machine. This chapter describes how to configure and use RAS Universal Scanning services.

To configure Universal Scanning, navigate to Site Settings > Universal Scanning.

Universal Scanning uses WIA and TWAIN redirection to let any application using either technology hardware connected to the client device for scanning. With Universal Scanning there is no need to install a specific scanner driver on the server.

By default, the Universal Scanning driver is automatically installed when a host server is added to a RAS Farm and the Agent software is installed on it.

Configuring a scanning rename pattern

By default, Parallels RAS renames scanners using the following pattern: %SCANNERNAME% for %USERNAME% by RAS. For example, if a user named Lois, who has SCANNER1 installed locally, connects to a remote desktop or published application, her scanner is renamed to "SCANNER1 for Lois by RAS".

To change the pattern used to rename scanners, specify a new pattern in the Scanner rename pattern input field. The variables that you can use for renaming are:

• %SCANNERNAME% — client side scanner name.

• %USERNAME% — username of the user connected to the server.

• %SESSIONID% — ID of the active session.

You can configure a different renaming pattern specifically for each server in the list.

Adding a scanning application

TWAIN applications that will use the Universal Scanning feature have to be added to the TWAIN configuration. This way they will use the TWAIN driver, hence making it easier for the administrator to set them up.

To add an application to the list of scanning applications:

1. Select the TWAIN category.

2. In the right pane, click the plus-sign icon and type the application executable name.

To delete a scanning application from the list, select it in the list and click minus-sign icon.