Many companies use a perimeter network (DMZ) to separate the public-facing network, whose servers handle exposed services, from the internal network, whose servers handle internal services. There are two types of DMZ: single-hop and double-hop. The latter uses three firewalls and is therefore more expensive, but more secure: if the three firewalls are built on different firewall technologies, a single weakness or a single type of attack cannot defeat all of them. A firewall between the RAS Secure Gateways and the intranet must allow the gateways and other systems to connect to a RAS Connection Broker on its standard port.
In a double-hop DMZ scenario, configuration is simpler and protection from external attackers is higher. A double-hop DMZ requires Forwarding RAS Secure Gateways installed in the perimeter network to pass client connections to RAS Secure Gateways residing in the internal, second perimeter network (the second hop).
In this configuration, a HALB VS backed by a HALB pair (primary and secondary appliance) is installed in front of the Forwarding RAS Secure Gateways in the DMZ. WAN users connect to Parallels RAS using the IP address of this external HALB VS, while LAN users use the IP address of the internal HALB VS, which is backed by the HALB appliance installed in front of the gateways located in the internal network. Parallels RAS connection properties can be configured either centrally (using Client Policy in the RAS Console) or manually in Parallels Client.
Forwarding RAS Secure Gateways forward network traffic when the Forward requests to next RAS Secure Gateway in chain option is enabled in the Advanced tab of the Forwarding RAS Secure Gateway properties.
Parallels recommends using Forwarding RAS Secure Gateways in double-hop DMZ deployments only.
To differentiate traffic between the internal and external networks, you can use public and private gateways (both are equal from the RAS perspective):
RAS Connection Broker is installed using the Parallels RAS installer (standard installation).
HALB is installed as a ready-to-use virtual appliance and configured in HALB VS properties.
All other components are push-installed from the RAS console.
If the Forwarding RAS Secure Gateway cannot be push-installed for any reason, you can run the Parallels RAS installer on the target server. When doing so, select Custom installation type and then choose the RAS Secure Gateway component.
In a single-hop DMZ scenario, the firewall system must be capable of routing connections properly from the RAS Secure Gateways to the RAS Connection Brokers. The firewall system is also responsible for connections from the Internet to the virtual IP address of a HALB Virtual Server (HALB VS), which represents one or more HALB virtual appliances, and for other generic protocol load-balancing scenarios. Note that in this case two HALB Virtual Servers are used, one for external and one for internal traffic, both load balancing to the internal Secure Gateways.
To differentiate traffic between the internal and external networks, you can use public and private Secure Gateways (both are equal from the RAS perspective):
In a configuration of this type, HALB appliances are installed in front of the RAS Secure Gateways in the internal perimeter network (DMZ). WAN users connect to the IP address of the external HALB VS, while LAN users use the IP address of the internal HALB VS, which is backed by HALB appliances installed in front of the Secure Gateways located in the internal network. Parallels Client settings can be configured either centrally (via Client Policy in the Parallels RAS Console) or locally on the device where Parallels Client is running. To add high availability, a second HALB appliance can be deployed for both the external and the internal HALB VS.
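The double-hop and single-hop layouts differ only in how many firewall boundaries a client connection crosses before it reaches a RAS Connection Broker, so the check a practitioner wants before touching real firewalls is the same for both: which flows does the rule set permit end-to-end, and does any rule open a direct path from the Internet to the broker? The following Python is an added example (not Parallels code and not a configuration taken from this page) that models both layouts as zones, hosts and default-deny firewall rule tables and then answers those questions. The zone and host names, the placement of the internal HALB VS in the DMZ, the rule that the Forwarding gateway may reach only the next gateway in the chain, and every port number are assumptions made for the example; the page itself only refers to "the standard port".

```python
from dataclasses import dataclass, field

# All port numbers are assumptions for this example (the page only says
# "the standard port"); substitute the ports from your RAS port reference.
GW_PORT = 443        # client -> HALB VS / RAS Secure Gateway
BROKER_PORT = 20001  # RAS Secure Gateway -> RAS Connection Broker
RDP_PORT = 3389      # RAS Secure Gateway -> session host


@dataclass
class Firewall:
    name: str
    technology: str  # product family; the page suggests mixing these
    between: tuple   # (outer_zone, inner_zone) that this firewall separates
    # Allow entries are (src, dst_host, dst_port); src is a host or a zone
    # name. Anything not listed is denied.
    allow: list = field(default_factory=list)


@dataclass
class Deployment:
    zones: list  # least to most trusted
    hosts: dict  # host name -> zone
    firewalls: list

    def crossed(self, src, dst):
        """Firewalls a src->dst flow traverses, in list order."""
        lo, hi = sorted((self.zones.index(self.hosts[src]),
                         self.zones.index(self.hosts[dst])))
        return [fw for fw in self.firewalls
                if lo <= self.zones.index(fw.between[0])
                and self.zones.index(fw.between[1]) <= hi]

    def blocking_firewall(self, src, dst, port):
        """Name of the first firewall that drops the flow; None if allowed."""
        for fw in self.crossed(src, dst):
            if ((src, dst, port) not in fw.allow
                    and (self.hosts[src], dst, port) not in fw.allow):
                return fw.name
        return None

    def allowed(self, src, dst, port):
        return self.blocking_firewall(src, dst, port) is None

    def internet_reachable(self):
        """Every (host, port) an Internet client can reach end-to-end."""
        ports = {p for fw in self.firewalls for _, _, p in fw.allow}
        return sorted((h, p) for h, z in self.hosts.items() for p in ports
                      if z != "internet" and self.allowed("wan_client", h, p))

    def check_chain(self, chain):
        """Per hop of a connection path: the firewall blocking it (None = ok)."""
        return [((s, d, p), self.blocking_firewall(s, d, p)) for s, d, p in chain]

    def technologies_distinct(self):
        return len({fw.technology for fw in self.firewalls}) == len(self.firewalls)


# Double-hop: two perimeter networks, three firewalls, forwarding gateways.
DOUBLE_HOP = Deployment(
    zones=["internet", "dmz_ext", "dmz_int", "lan"],
    hosts={"wan_client": "internet", "halb_ext_vip": "dmz_ext",
           "fwd_gw": "dmz_ext", "halb_int_vip": "dmz_int", "int_gw": "dmz_int",
           "broker": "lan", "session_host": "lan", "lan_client": "lan"},
    firewalls=[
        Firewall("fw1-edge", "vendorA", ("internet", "dmz_ext"),
                 [("internet", "halb_ext_vip", GW_PORT)]),
        Firewall("fw2-mid", "vendorB", ("dmz_ext", "dmz_int"),
                 [("fwd_gw", "int_gw", GW_PORT)]),  # forward to next gateway in chain
        Firewall("fw3-inner", "vendorC", ("dmz_int", "lan"),
                 [("int_gw", "broker", BROKER_PORT),
                  ("int_gw", "session_host", RDP_PORT),
                  ("lan_client", "halb_int_vip", GW_PORT)]),
    ])
WAN_PATH_DOUBLE = [("wan_client", "halb_ext_vip", GW_PORT),
                   ("halb_ext_vip", "fwd_gw", GW_PORT),
                   ("fwd_gw", "int_gw", GW_PORT),
                   ("int_gw", "broker", BROKER_PORT),
                   ("int_gw", "session_host", RDP_PORT)]

# Single-hop: one DMZ; both boundaries belong to the same firewall system.
SINGLE_HOP = Deployment(
    zones=["internet", "dmz", "lan"],
    hosts={"wan_client": "internet", "halb_ext_vip": "dmz", "halb_int_vip": "dmz",
           "gw": "dmz", "broker": "lan", "session_host": "lan", "lan_client": "lan"},
    firewalls=[
        Firewall("fw-system:edge", "vendorA", ("internet", "dmz"),
                 [("internet", "halb_ext_vip", GW_PORT)]),
        Firewall("fw-system:inner", "vendorA", ("dmz", "lan"),
                 [("gw", "broker", BROKER_PORT), ("gw", "session_host", RDP_PORT),
                  ("lan_client", "halb_int_vip", GW_PORT)]),
    ])
WAN_PATH_SINGLE = [("wan_client", "halb_ext_vip", GW_PORT),
                   ("halb_ext_vip", "gw", GW_PORT), ("gw", "broker", BROKER_PORT)]

if __name__ == "__main__":
    for label, dep, path in (("double-hop", DOUBLE_HOP, WAN_PATH_DOUBLE),
                             ("single-hop", SINGLE_HOP, WAN_PATH_SINGLE)):
        print(label, "reachable from the Internet:", dep.internet_reachable(),
              "| distinct firewall technologies:", dep.technologies_distinct())
        for hop, blocker in dep.check_chain(path):
            print("  ", hop, "blocked by " + blocker if blocker else "ok")
```

Running the file prints, for each layout, what an Internet client can reach (only the external HALB VS on the gateway port), whether every hop of the WAN path is permitted, and whether the firewall technologies differ; the single-hop layout reports a single technology because both boundaries are the same firewall system, which is exactly the shared-weakness point made above. Replacing the constructed rule tables with rules exported from the real firewalls turns this into a pre-change check that no rule opens a direct path from the Internet, or from the Forwarding gateway, to the RAS Connection Broker.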
RAS Connection Broker is installed using the Parallels RAS installer (standard installation).
HALB is installed as a ready-to-use virtual appliance and configured in HALB VS properties.
All other components are push-installed from the RAS console.