This scenario is suited for environments where published resources are distributed between two or more physical locations. Different administrators can administer a Parallels RAS farm containing multiple sites.
Each site consists of at least a RAS Connection Broker, RAS Secure Gateway (or multiple Secure Gateways), and agents installed on RD Session Host or VDI servers, or Windows PCs.
Note: To add high availability for HALB, a second appliance can be deployed in each site.
If the resource set is similar, end users can use both sites via a single RAS connection. The following settings should be used as RAS connection properties in Parallels Client:
Primary connection: local Primary Secure Gateway.
Secondary connections:
Local Secondary Secure Gateway.
HALB VS IP address of Site2.
Primary connection – local Primary Secure Gateway
Secondary connections:
Local Secondary Secure Gateway
HALB VS IP address of Site1
Primary connection - HALB VS IP address of Site1
Secondary connections - HALB VS IP address of Site2
RAS connection settings can be configured either centrally (via Client Policy in the Parallels RAS Console) or manually.
RAS Connection Broker is installed using the Parallels RAS installer (standard installation).
HALB is installed as a ready-to-use virtual appliance and configured in HALB VS properties.
All other components are push-installed from the RAS console.
A Parallels RAS farm placement depends on the location of a back-end resource. Therefore, it is possible to continue operations by adding an additional remote location where the back-end resources are replicated (the appropriate software and hardware solutions are out of the scope of this document) and placing one more Parallels RAS site in this location.
Setting up a disaster recovery site, and then configuring the Parallels Client to use the closest site as the primary connection and the disaster recovery site as the secondary connection, allows users to always be connected to the primary site and to continue working using the disaster recovery site in case of failure.
WAN users can be invited to use all sites and setup HALB VS IP address of the first site as Server Address and HALB VS IP address of the second and third sites as Secondary Server IP in the RAS connection settings on the Parallels Client side. The RAS connection settings can be configured either centrally (via Client Policy in the Parallels RAS Console) or manually.
Primary RAS Connection Broker is installed using the Parallels RAS installer (standard installation). Secondary RAS Connection Broker is push-installed from the RAS Console.
HALB is installed as a ready-to-use virtual appliance and configured in HALB VS properties.
All other components are push-installed from the RAS console.
Second-level authentication provides a high level of protection via different types of security tokens for two-factor authentication. Users have to authenticate through two successive stages to get the remote application list. In addition to a standard user name and password, or a smart card authentication, second-level authentication uses a one-time password generated by a token. The second level of authentication can be provided by DualShield, Safenet, RADIUS, or Google authenticator.
A RADIUS server is recommended to be placed in the Intranet together with the RAS Connection Broker and Active Directory domain controller to speed up application enumeration.
It is recommended to specify Access Control Lists to only allow the IP addresses and protocols/ports necessary for the Wireless Access Points and other devices to communicate with the RADIUS server. No other devices should have a pathway to the RADIUS server.
In a configuration of this type, the second-level authentication via a RADIUS server is performed first. If the authentication procedure is successful, the next authentication takes place at the Active Directory level using either the username and password or a smart card.
Primary RAS Connection Broker is installed using the Parallels RAS installer (standard installation). Secondary RAS Connection Broker is push-installed from the RAS Console.
HALB is installed as a ready-to-use virtual appliance and configured in HALB VS properties.
All other components are push-installed from the RAS console.
SAML authentication allows Service providers and enterprises with multiple subsidiaries to reduce costs by offload the Identity Management burden to the identity providers. Integrating with third party Identity Providers allows customers and partners to provide end users with a true SSO experience.
Comparing to previously described scenarios, the new server role needs to be added the Farm. As part of the SAML SSO process, the new host with RAS Enrollment Server component communicates with Microsoft Certificate Authority (CA) to request, enroll, and manage digital certificates on behalf of the user to complete authentication without requiring the users to put in their Active Directory credentials.
Parallels RAS supports the following delivery options:
Web Client
Web Client portal initiated SAML for Windows
Web Client initiated SAML for Mac and Linux
Web Client initiated SAML for Android and iOS
Parallels Client for Windows initiated SAML Authentication
Parallels Client for Mac initiated SAML Authentication
The below high-level logical diagram depicts SAML authentication and login process within a Parallels RAS environment:
The SAML authentication and login steps on the diagram above are:
RAS Secure Gateway redirects the Parallels Client login request to the IdP site.
The user authenticates with IdP.
IdP redirects the user to the RAS Secure Gateway with the SAML Assertion.
The user is authenticated using the SAML Assertion and the user is logged in.
The list of the available RAS published resources is retrieved.
The user chooses a published resource and launches it from Parallels Client.
The launch request from the user is sent to the server side and the resource is started on the available server.
A Parallels RAS session is established.
User certificate is processed:
Certificate is requested.
Certificate is created.
Encryption is preformed using the certificate.
Smartcard logon.
