1 of 25

Deployment Scenarios

General Considerations

Regardless of the size of a Parallels RAS installation, redundancy among core components of your setup is recommended to ensure the greatest possible uptime. For small deployments, all roles can be installed on a single server, whereas role segregation is recommended for large setups.

The physical location of a Parallels RAS farm, including RD Session Hosts and VDI hosts, must be selected based on the location of back-end resources, such as databases and file servers. This means that if a front-end application connects to a database or works with files on a file server, the RD Session Host on which it will be installed should be located close to the database (or the file server) on the intranet with fast, reliable, low latency LAN connections. For example, let's say you have a client-server application that you want to make available to your users. To do so, you will install the client part on an RD Session Host and publish it for your users. The database will continue to run on a dedicated server. To guarantee fast and reliable database access, the RD Session Hosts server and the database server must be close to each other on the local network.

Parallels RAS Deployment Scenarios

Single Farm with One RD Session Host

This scenario uses a single RD Session Host for publishing applications and desktops. SSL and User Portal are enabled by default with a self-signed server certificate. The server certificate should be trusted by client devices. Enterprise certificate or third-party trusted Certificate Authority can be used for external access (for details, please see the SSL Certificates section).

Installation Notes

All server Parallels RAS components are installed using the Parallels RAS installer (standard installation).

Single server deployment is not recommended for production environments, as it does not provide high availability of service. Such deployment should be used for test or developer environments.

Single Farm with Two RD Session Hosts

This scenario can be implemented by an organization that needs to load-balance published applications and desktops between two RD Session Hosts. For high availability, a secondary RAS Connection Broker and RAS Secure Gateway should be installed on the second server.

Installation Notes

The components on the primary RD Session Host (where the primary RAS Connection Broker is installed) are installed using the Parallels RAS installer (standard installation).

The components on the secondary RD Session Host are push-installed from the RAS console.

Single Farm with RD Session Host Auto Scaling

This scenario can be implemented by an organization that needs to use single image management for RD Session Hosts and dynamic resource allocation for published applications and desktops.

For high availability, HALB Virtual Server (VS) should have a secondary HALB appliance, additional RAS Connection Broker and RAS Secure Gateway should be deployed. HALB Virtual Server (VS) is a virtual representation of the HALB appliances.

Installation Notes

The components on the primary RAS Connection Broker are installed using the Parallels RAS installer (standard installation).

A new type of RAS Template adds support for an RD Session Host running in a guest VM where both the RAS Guest Agent and RD Session Host Agent are push-installed in the VM from the RAS Console.

An RD Session Host pool is assigned a RAS Template and is then used for publishing of applications and desktops.

RD Session Host creation, maintenance and deletion is done via the RAS Template.

An RD Session Host pool assigns RD Session Hosts on demand providing more resources on the workload increase and unassigns RD Session Hosts on the workload decrease.

HALB Virtual Server (VS) is configured with two HALB appliances.

Single Farm with VDI Hosts

VDI host pools are targeted for application and desktop publishing from hosts (full or linked clones) which are located in a single data center.

VDI hosts have the following advantages:

Rapid deployment of a common supported desktop environment across the company's network using a single Windows 7, 8, or 10 desktop image for creating virtual machines (VMs) on a hypervisor.
Centralized deployment of updates and changes to Windows VDI desktops — all you need to do is update a single image.
In case of failure, the VDI desktops can be easily restored using a single image backup.
Increased data security provides organizations with an extra layer of protection with dynamic security permissions. This is a security feature which prevents access to VDI without using Parallels RAS Client. After the session is established, Parallels RAS dynamically adds the user to the "Remote Desktop Users" group, granting permissions on logon and removing permissions on logoff. Even if a VDI virtual machine (VM) hostname or IP address is noted, users will not be able to connect to the VDI VM unless connection is setup from the Parallels Client.

Installation Notes

RAS Connection Broker is installed using the Parallels RAS installer (standard installation).

RAS Secure Gateway, RAS Guest Agent are push-installed from the RAS console.

Single Farm with Remote PC Hosts

A Remote PC is a physical desktop running Windows that can be used for remote application and desktop publishing. In addition to individual Remote PCs, where every PC is published for a single user and must be specified for publishing, we've added Remote PC host pools to Parallels RAS.

Remote PC host pools are targeted for application and desktop publishing from Remote PCs which are located in a single data center. Remote PC host pools provide the most effective hardware utilization for companies that use shift work (e.g. companies that provide 24/7 service) or when users are located in different time zones. A user is assigned a Remote PC on the first use. After a shift ends, the PC is either released back to the host pool to be re-used by a user from the next shift or, depending on the admin settings, the persistence is kept (3 days by default).

Installation Notes

The RAS Guest Agent is used with Remote PC host pools instead of the Remote PC Agent. Host pool membership is built from either a PC list (manually adding individual PCs or importing the list from a CSV file) or based on an Active Directory OU location (the list is refreshed by the RAS Connection Broker every 5 minutes).

RAS Connection Broker is installed using the Parallels RAS installer (standard installation).

RAS Secure Gateway, RAS Guest Agent are push-installed from the RAS console.

Single Farm with Mixed Hosts

By using this scenario you can publish applications and desktops from virtual machines, RD Session Hosts, and Windows desktop computers located in your office.

Installation Notes

RAS Secure Gateway and primary RAS Connection Broker are installed using the Parallels RAS installer (standard installation).

All other components are push-installed from the RAS console.

Single Farm with Public & Private RAS Secure Gateways

To handle more connections on Secure Gateways, using a designated RAS Secure Gateway is recommended for intranet users (private) with direct client connection mode.

To apply stricter security settings to servers with Internet access, using a designated Secure Gateway is recommended for Internet users (public) with Gateway SSL client connection mode.

The appropriate RAS connection settings can be applied either centrally via Client Policy in the Parallels RAS Console or manually in the Parallels Client.

Installation Notes

Public RAS Secure Gateway and primary RAS Connection Broker are installed using the Parallels RAS installer (standard installation).

All other components are push-installed from the RAS console.

Single Farm with Dual RAS Secure Gateways

This scenario enables high availability for client connections using RAS connection settings on either the Parallels Client side or round-robin DNS.

To enable high availability for client connections using RAS connection settings, the Parallels Client should be configured to connect to primary and secondary Secure Gateways using the primary and secondary connection settings in the RAS connection properties. In this case primary and secondary RAS Secure Gateways must be configured to connect to the same RAS Connection Brokers (using Advanced Client Gateway Settings). When the Primary RAS Secure Gateway is not available, Parallels Clients can connect to the farm using the Secondary RAS Secure Gateway. The client settings can be applied either centrally (via Client Policy in the RAS Console) or manually.

To enable high availability for client connections using round-robin DNS, two new host records must be created in the DNS forward lookup zone with the same name (e.g. myhost.example.com) but with two different IP addresses of primary and secondary RAS Secure Gateways.

Note: Round-robin DNS load balancing between two Secure Gateways works for the TCP protocol only. UDP load balancing may not work properly.

Installation Notes

RAS Connection Broker is installed using the Parallels RAS installer (standard installation).

All other components are push-installed from the RAS console.

High Availability with Multiple Gateways

This scenario is ideal for high availability environments with more than 300 concurrent users connected in SSL mode. Each client gateway should optimally handle 300 to 500 concurrent user connections* (see the note below). This can be scaled horizontally accordingly.

Both LAN and WAN users connect to IP address of the HALB VS which represents the HALB virtual appliances in the internal network.

Please note that the diagram above includes an optional secondary RADIUS server which can be used as active/active or active/passive to provide high availability.

High Availability with Single-hop or Double-hop DMZ

Many companies use the perimeter network (DMZ) to separate the public network with servers that handle exposed services and the internal network with servers that handle internal services. There are two types of DMZ: single-hop and double-hop, with the latter using three firewalls and therefore being more expensive, but more secure (with three firewalls, using different firewall technologies, you can avoid one weakness or one type of attack breaking all firewalls). A firewall between RAS Secure Gateways and the intranet must allow gateways and systems to connect to a RAS Connection Broker using the standard port.

Single-hop DMZ (two firewalls)

In a single-hop DMZ scenario, the firewall system must be capable of routing connections properly from RAS Secure Gateways to RAS Connection Brokers. The firewall system is also responsible for connections from the Internet to the virtual IP address of a HALB Virtual Server (HALB VS) representing HALB virtual appliance(s) or other generic protocol load balancing scenarios. Note that in this case two HALB Virtual Servers are used for internal and external traffic load balancing to internal Secure Gateways.

To differentiate traffic between internal and external network, you can use public and private Secure Gateways (both are equal from the RAS perspective):

In a configuration of this type, HALB appliances installed in front of RAS Secure Gateways in the internal perimeter network (DMZ). The WAN users connect to the IP address of external HALBS VS, while LAN users use IP address of the internal HALB VS, which use HALB appliances installed in front of the Secure Gateways located in internal network. The Parallels Client settings can be configured either centrally (via Client Policy in the Parallels RAS console) or locally on a device where Parallels Client is running. To add high availability for HALB VS, the second appliance can be deployed for external internal and HALB VS.

Installation Notes

RAS Connection Broker is installed using the Parallels RAS installer (standard installation).

HALB is installed as a ready-to-use virtual appliance and configured in HALB VS properties.

All other components are push-installed from the RAS console.

Double-hop DMZ (three firewalls)

In a double-hop DMZ scenario, settings are simpler and the protection from external malicious agents is higher. Double-hop DMZ requires Forwarding RAS Secure Gateways installed in the perimeter network to pass client connections to RAS Secure Gateways residing in the internal second perimeter network (the second hop).

In such configuration, the HALB VS with a HALB pair (primary and secondary) is installed in front of Forwarding RAS Secure Gateways in DMZ. WAN users connect to Parallels RAS using the IP address of the HALB VS, while LAN users use IP address of the internal HALB VS, which use HALB appliance installed in front of the gateways located in internal network. Parallels RAS connection properties can be configured either centrally (using Client Policy in the RAS Console) or manually in Parallels Client.

Forwarding RAS Secure Gateways forward network traffic using the Forward requests to next RAS Secure Gateway in chain option in the Advanced tab of the Forwarding RAS Secure Gateway properties.

Parallels recommends using Forwarding RAS Secure Gateways in double hop DMZ deployments only.

To differentiate traffic between internal and external network, you can use public and private gateways (both are equal from the RAS perspective):

Installation Notes

RAS Connection Broker is installed using the Parallels RAS installer (standard installation).

HALB is installed as a ready-to-use virtual appliance and configured in HALB VS properties.

All other components are push-installed from the RAS console.

If the Forwarding RAS Secure Gateway cannot be push-installed for any reason, you can run the Parallels RAS installer on the target server. When doing so, select Custom installation type and then choose the RAS Secure Gateway component.

RAS on Microsoft Azure

Please plan your deployment using the following information:

Azure regions — An Azure region is a set of data centers deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network. Azure gives customers the flexibility to deploy applications where they need to: https://azure.microsoft.com/en-us/global-infrastructure/regions/.
Availability Zones — Availability Zones are physically separate locations within an Azure region. Each Availability Zone is made up of one or more data centers equipped with independent power, cooling and networking. Availability Zones allow customers to run mission-critical applications with high availability and low-latency replication. To ensure resiliency, there’s a minimum of three separate zones in all enabled regions: https://docs.microsoft.com/en-us/azure/availability-zones/az-overview .
Availability Sets — An Availability Set is a logical grouping capability for isolating VM resources from each other when they're deployed. Azure makes sure that the VMs you place within an Availability Set run across multiple physical servers, compute racks, storage units, and network switches. If a hardware or software failure happens, only a subset of your VMs are impacted and your overall solution stays operational. Availability Sets are essential for building reliable cloud solutions: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets .

Please note that Microsoft Azure design is out of scope of this guide.

Parallels RAS provides the two most common scenarios for delivering applications and desktops on Azure. These scenarios are described below.

Parallels RAS infrastructure in the cloud

Parallels RAS infrastructure servers, including RAS Connection Brokers, RAS Secure Gateways, RAS Enrollment Servers etc. are located on Azure. Each component of a RAS deployment should be in its own Availability Set to maximize overall availability. For example, a separate Availability Set should be used for Connection Brokers, Secure Gateways, Enrollment Servers etc.

You can also use Azure as a SAML IdP provider and as cloud computing platform for VDI/RDS resource hosts to deliver applications and desktops.

On-premises with backup Site using site-to-site VPN (or Express Route)

Parallels RAS infrastructure servers, including RAS Connection Brokers, RAS Secure Gateways, RAS Enrollment Servers etc. are located on premises, whereas VDI/RDSH resource hosts are deployed on Azure in Availability Sets. This can be practical when you need to support burst growth of the usage or business continuity.

Note: A single Farm is used with two Sites.

Azure Virtual Desktop integration

Azure Virtual Desktop is a desktop and app virtualization service running on Microsoft Azure, providing access to RD Session Hosts and VDI, including the new offering of Windows 10 and Windows 11 Enterprise multi-session hosts. Parallels RAS provides the ability to integrate, configure, maintain, support and access Azure Virtual Desktop workloads on top of the existing technical capabilities of Parallels RAS.

The diagram below illustrates a hybrid deployment of Parallels RAS and Azure Virtual Desktop with the following characteristics:

Workload hosts are available both on-premises through standard Parallels RAS deployment and on Microsoft Azure through the service.
Azure Virtual Desktop objects such as workspaces, host pools, desktop and RemoteApp groups are created and configured from the Parallels RAS Console.
Azure Virtual Desktop hosts (multi-session or single-session) contain both Azure Virtual Desktop Agent and RAS Agent for management and configuration purposes.
Parallels Client for Windows is connecting to both Parallels RAS Secure Gateway and Azure Virtual Desktop service providing resource availability to end-users from a single interface.

As highlighted earlier, the complete Parallels RAS environment can also reside on Microsoft Azure for a full cloud deployment with Azure Virtual Desktop.

Extended values and capabilities

Simplify and enhance Azure Virtual Desktop deployment and management.
Unify administration and UX – single pane of glass – Parallels Clients and Parallels RAS Console.
Extend reach with flexibility to use hybrid and multi-cloud deployments.
Automate and streamline administrative routines, provisioning, and management of Azure Virtual Desktop workloads.
Built in Auto-scale capability on Microsoft Azure and/or on-premises.
Management of users, sessions, and processes.
Utilize RAS Universal Printing and Scanning.
Utilize AI based session prelaunch for ultra-fast logons.
Accelerated file redirection with the use of the Enable drive cache redirection option.
Integrated automatic image optimizations and FSLogix Profile Containers.
Client management.
Security policies for clients.
Leverage RAS Reporting and Monitoring from the RAS Console.

Mixed Scenarios

Multi-Site Scenario

This scenario is suited for environments where published resources are distributed between two or more physical locations. Different administrators can administer a Parallels RAS farm containing multiple sites.

Each site consists of at least a RAS Connection Broker, RAS Secure Gateway (or multiple Secure Gateways), and agents installed on RD Session Host or VDI servers, or Windows PCs.

Note: To add high availability for HALB, a second appliance can be deployed in each site.

If the resource set is similar, end users can use both sites via a single RAS connection. The following settings should be used as RAS connection properties in Parallels Client:

LAN users of Site1

Primary connection: local Primary Secure Gateway.
Secondary connections:
- Local Secondary Secure Gateway.
- HALB VS IP address of Site2.

LAN users of Site2

Primary connection – local Primary Secure Gateway
Secondary connections:
- Local Secondary Secure Gateway
- HALB VS IP address of Site1

WAN users

Primary connection - HALB VS IP address of Site1
Secondary connections - HALB VS IP address of Site2

RAS connection settings can be configured either centrally (via Client Policy in the Parallels RAS Console) or manually.

Installation Notes

RAS Connection Broker is installed using the Parallels RAS installer (standard installation).

HALB is installed as a ready-to-use virtual appliance and configured in HALB VS properties.

All other components are push-installed from the RAS console.

Business Continuity and Disaster Recovery

A Parallels RAS farm placement depends on the location of a back-end resource. Therefore, it is possible to continue operations by adding an additional remote location where the back-end resources are replicated (the appropriate software and hardware solutions are out of the scope of this document) and placing one more Parallels RAS site in this location.

Setting up a disaster recovery site, and then configuring the Parallels Client to use the closest site as the primary connection and the disaster recovery site as the secondary connection, allows users to always be connected to the primary site and to continue working using the disaster recovery site in case of failure.

WAN users can be invited to use all sites and setup HALB VS IP address of the first site as Server Address and HALB VS IP address of the second and third sites as Secondary Server IP in the RAS connection settings on the Parallels Client side. The RAS connection settings can be configured either centrally (via Client Policy in the Parallels RAS Console) or manually.

Installation Notes

Primary RAS Connection Broker is installed using the Parallels RAS installer (standard installation). Secondary RAS Connection Broker is push-installed from the RAS Console.

HALB is installed as a ready-to-use virtual appliance and configured in HALB VS properties.

All other components are push-installed from the RAS console.

Secure Setup with Double-hop DMZ and Second-Level Authentication

Second-level authentication provides a high level of protection via different types of security tokens for two-factor authentication. Users have to authenticate through two successive stages to get the remote application list. In addition to a standard user name and password, or a smart card authentication, second-level authentication uses a one-time password generated by a token. The second level of authentication can be provided by DualShield, Safenet, RADIUS, or Google authenticator.

A RADIUS server is recommended to be placed in the Intranet together with the RAS Connection Broker and Active Directory domain controller to speed up application enumeration.

It is recommended to specify Access Control Lists to only allow the IP addresses and protocols/ports necessary for the Wireless Access Points and other devices to communicate with the RADIUS server. No other devices should have a pathway to the RADIUS server.

In a configuration of this type, the second-level authentication via a RADIUS server is performed first. If the authentication procedure is successful, the next authentication takes place at the Active Directory level using either the username and password or a smart card.

Installation Notes

Primary RAS Connection Broker is installed using the Parallels RAS installer (standard installation). Secondary RAS Connection Broker is push-installed from the RAS Console.

HALB is installed as a ready-to-use virtual appliance and configured in HALB VS properties.

All other components are push-installed from the RAS console.

SAML SSO authentication

SAML authentication allows Service providers and enterprises with multiple subsidiaries to reduce costs by offload the Identity Management burden to the identity providers. Integrating with third party Identity Providers allows customers and partners to provide end users with a true SSO experience.

Comparing to previously described scenarios, the new server role needs to be added the Farm. As part of the SAML SSO process, the new host with RAS Enrollment Server component communicates with Microsoft Certificate Authority (CA) to request, enroll, and manage digital certificates on behalf of the user to complete authentication without requiring the users to put in their Active Directory credentials.

Parallels RAS supports the following delivery options:

Web Client
Web Client portal initiated SAML for Windows
Web Client initiated SAML for Mac and Linux
Web Client initiated SAML for Android and iOS
Parallels Client for Windows initiated SAML Authentication
Parallels Client for Mac initiated SAML Authentication

The below high-level logical diagram depicts SAML authentication and login process within a Parallels RAS environment:

The SAML authentication and login steps on the diagram above are:

RAS Secure Gateway redirects the Parallels Client login request to the IdP site.
The user authenticates with IdP.
IdP redirects the user to the RAS Secure Gateway with the SAML Assertion.
The user is authenticated using the SAML Assertion and the user is logged in.
The list of the available RAS published resources is retrieved.
The user chooses a published resource and launches it from Parallels Client.
The launch request from the user is sent to the server side and the resource is started on the available server.
A Parallels RAS session is established.
User certificate is processed:
- Certificate is requested.
- Certificate is created.
- Encryption is preformed using the certificate.
Smartcard logon.

Multi-Tenant Architecture

This scenario is suited for environments where it is necessary to keep published resources of distinct clients (departments, groups, teams, etc.) isolated. Parallels RAS Multi-Tenant architecture enables organizations to share the RAS infrastructure components among different tenants while keeping client data segregated and reducing costs.

The RAS Multi-Tenant architecture offers the following advantages to Service Providers and organizations:

Cost savings due to reduction of number of RAS Secure Gateways and High Availability Load Balancers (HALBs) while maximizing resource usage and consolidation.
Faster onboarding of new tenants/customers.
Simplified centralized management of multi-tenant environments.
Extended market reach through reduction of operational costs for organizations of any size by allowing cost scaling through shared infrastructure.

Tenants are deployed as separate individual RAS Farms or Sites.
A Tenant Farm doesn't need its own RAS Secure Gateways and HALB. However, deployments with Secure Gateways and HALB are possible if a Tenant needs them for internal connections.
All external users connect to a Tenant Farm through the Tenant Broker infrastructure.
The network configuration of a Tenant requires the Tenant Connection Broker to Tenant Broker Connection Broker connectivity. Additionally, shared RAS Secure Gateways need to communicate with servers hosting published resources and the Tenant Connection Broker. These communications require only a limited number of open ports, which are listed below:
- Tenant Connection Broker > Tenant Broker Connection Broker: port 20003
- Tenant Broker Gateway > Tenant Broker Connection Broker: port 20002
- Tenant Broker Gateway > Tenant Connection Broker: port 20002
- Tenant Broker Gateway > Servers hosting published resources: port 3389
Communications with a Tenant domain are always performed from a local Tenant Connection Broker and never from the Tenant Broker infrastructure.
Every Tenant must have a unique public domain address. Multiple unique domain addresses, however, can resolve to the same IP address.

Installation Notes

RAS Connection Broker on the Tenant Broker is installed from the Parallels RAS installer using the Tenant Broker installation option.

RAS Connection Broker on a Tenant is installed from the Parallels RAS installer using standard installation.

HALB is installed as a ready-to-use virtual appliance and configured in HALB VS properties.

All other components are installed remotely from the RAS console:

Tenant Broker components are installed from the Tenant Broker console.
Tenant components are installed from the Tenant console.

Management Portal

Parallels RAS Management Portal is a modern web-based configuration and administration console designed for Parallels RAS administrators using a desktop or a mobile device to carry out configurations and day-to-day activities. To use RAS Management Portal in a RAS Farm, you need to install the RAS Web Administration Service component. You can install this component on the machine with a Connection Broker or on a dedicated machine.

In this scenario, all components, including RAS Web Administration Service, are installed on a single RD Session Host. This configuration is only recommended for proof-of-concept and small environments.

Installation Notes

The components on the primary RAS Connection Broker are installed using the Parallels RAS installer (standard installation).

For larger environments with multiple administrative activities, it is recommended to use a dedicated server for hosting RAS Web Administration Service in order to decrease load on the Connection Broker.

Installation Notes

The components on the primary RAS Connection Broker are installed using the Parallels RAS installer (standard installation).

RAS Web Administration Service is installed using Windows Installer (custom installation).

Client Manager and Desktop Replacement

The Client Manager feature allows the administrator to convert Windows devices running Windows 7 and newer into a thin-client-like OS. After the Windows Device Enrollment has been performed, features like Desktop Replacement, Kiosk Mode, Power Off, Reboot, and Shadow become available.

Shadowing

Shadowing provides access to the full Windows client device desktop and allows controlling applications running locally on the system, as well as any remote applications published from Parallels RAS. Shadowing requires a direct connection between the machine on which the Parallels RAS console is running and the device itself.

Desktop Replacement

The Replace Desktop option limits users from changing system settings or installing new applications. Replacing the Windows Desktop with Parallels Client transforms the Windows operating system into a thin-client-like OS without replacing the operating system itself. This way, users can only deploy applications from the client, thus providing the administrator with a higher level of control over connected devices.

Additionally, Kiosk mode prevents users from shutting down or rebooting their computers.