Double-hop DMZ (three firewalls)
In a double-hop DMZ scenario, settings are simpler and the protection from external malicious agents is higher. Double-hop DMZ requires Forwarding RAS Secure Gateways installed in the perimeter network to pass client connections to RAS Secure Gateways residing in the internal second perimeter network (the second hop).
In such a configuration, the HALB VS with a HALB pair (primary and secondary) is installed in front of the Forwarding RAS Secure Gateways in the DMZ. WAN users connect to Parallels RAS using the IP address of the HALB VS, while LAN users use the IP address of the internal HALB VS, which uses the HALB appliance installed in front of the gateways located in the internal network. Parallels RAS connection properties can be configured either centrally (using Client Policy in the RAS Console) or manually in Parallels Client.
Forwarding RAS Secure Gateways forward network traffic using the "Forward requests to next RAS Secure Gateway in chain" option in the Advanced tab of the Forwarding RAS Secure Gateway properties.
Parallels recommends using Forwarding RAS Secure Gateways in double-hop DMZ deployments only.
To differentiate traffic between internal and external networks, you can use public and private gateways (both are equal from the RAS perspective):
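The hop-by-hop flow described above can be checked against a firewall rule export. The following is an added example, not part of the Parallels documentation: the zone names (wan, dmz, perimeter2, lan), the Rule format and the sample rules are assumptions constructed for illustration. It flags allow rules that let inbound traffic skip a hop and confirms that each adjacent hop is actually permitted.

```python
from typing import NamedTuple

# Assumed zone names, ordered outside -> inside as in the double-hop layout:
# WAN clients -> DMZ (HALB VS + Forwarding gateways) -> second perimeter
# (RAS Secure Gateways) -> internal network.
CHAIN = ["wan", "dmz", "perimeter2", "lan"]

class Rule(NamedTuple):
    src: str      # zone where the connection is initiated
    dst: str      # zone where the connection terminates
    label: str    # free-text description (constructed, not a RAS setting)

def hop_violations(rules):
    """Return (rule, reason) for allow rules that break the one-hop-at-a-time model."""
    findings = []
    for rule in rules:
        if rule.src not in CHAIN or rule.dst not in CHAIN:
            findings.append((rule, "unknown zone"))
            continue
        hops = CHAIN.index(rule.dst) - CHAIN.index(rule.src)
        if hops > 1:
            findings.append((rule, f"inbound rule skips {hops - 1} hop(s)"))
    return findings

def chain_complete(rules):
    """True if every adjacent zone pair has an inbound allow rule, so clients can connect."""
    allowed = {(r.src, r.dst) for r in rules}
    return all(pair in allowed for pair in zip(CHAIN, CHAIN[1:]))

# Constructed sample rule set; the last entry bypasses the Forwarding gateways.
SAMPLE_RULES = [
    Rule("wan", "dmz", "clients to HALB VS"),
    Rule("dmz", "perimeter2", "Forwarding gateways to RAS Secure Gateways"),
    Rule("perimeter2", "lan", "RAS Secure Gateways to internal hosts"),
    Rule("wan", "perimeter2", "legacy direct publish"),
]

if __name__ == "__main__":
    for rule, reason in hop_violations(SAMPLE_RULES):
        print(f"VIOLATION {rule.src}->{rule.dst} ({rule.label}): {reason}")
    print("chain complete:", chain_complete(SAMPLE_RULES))
```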
RAS Connection Broker is installed using the Parallels RAS installer (standard installation).
HALB is installed as a ready-to-use virtual appliance and configured in HALB VS properties.
All other components are push-installed from the RAS console.
If the Forwarding RAS Secure Gateway cannot be push-installed for any reason, you can run the Parallels RAS installer on the target server. When doing so, select the Custom installation type and then choose the RAS Secure Gateway component.