Parallels RAS Reference Architecture
© 2025 Parallels International GmbH. All rights reserved.

Secure Setup with Double-hop DMZ and Second-Level Authentication


Last updated 9 months ago


Second-level authentication provides a high level of protection via different types of security tokens for two-factor authentication. Users must authenticate in two successive stages to get the remote application list. In addition to a standard user name and password, or smart card authentication, second-level authentication uses a one-time password generated by a token. The second level of authentication can be provided by DualShield, SafeNet, RADIUS, or Google Authenticator.

It is recommended to place the RADIUS server in the intranet, together with the RAS Connection Broker and the Active Directory domain controller, to speed up application enumeration.

It is recommended to specify Access Control Lists to only allow the IP addresses and protocols/ports necessary for the Wireless Access Points and other devices to communicate with the RADIUS server. No other devices should have a pathway to the RADIUS server.
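The following added example (not part of the Parallels documentation) audits an ordered, first-match ACL against the rule above: only listed clients may reach the RADIUS server, and only on RADIUS ports. The standard RADIUS UDP ports 1812/1813, the choice of two RAS Connection Brokers as the only RADIUS clients, and all addresses and rules are assumptions constructed for illustration.

```python
from ipaddress import ip_network

# Assumptions (not from the page): RADIUS on its standard UDP ports, and the
# only RADIUS clients are two RAS Connection Brokers. Addresses are constructed.
RADIUS_PORTS = {1812, 1813}  # authentication, accounting
ALLOWED_CLIENTS = [ip_network("10.0.10.11/32"), ip_network("10.0.10.12/32")]

# Constructed ACL in front of the RADIUS server, evaluated top-down:
# (action, source CIDR, protocol, destination port or None for any port).
SAMPLE_ACL = [
    ("permit", "10.0.10.11/32", "udp", 1812),
    ("permit", "10.0.10.12/32", "udp", 1812),
    ("permit", "10.0.10.0/24", "udp", 1812),   # whole subnet, too broad
    ("permit", "10.0.10.11/32", "tcp", 3389),  # not a RADIUS port
    ("deny", "0.0.0.0/0", "any", None),
]
HARDENED_ACL = SAMPLE_ACL[:2] + SAMPLE_ACL[4:]


def decide(acl, src, proto, port):
    """Return the action of the first rule matching the packet (default deny)."""
    for action, cidr, rproto, rport in acl:
        if (src.subnet_of(ip_network(cidr)) and rproto in ("any", proto)
                and rport in (None, port)):
            return action
    return "deny"


def audit(acl):
    """List permits that exceed 'listed clients to RADIUS ports only'.

    Rule-by-rule check: a permit shadowed by an earlier deny is still reported.
    """
    findings = []
    for n, (action, cidr, proto, port) in enumerate(acl, 1):
        if action != "permit":
            continue
        if not any(ip_network(cidr).subnet_of(c) for c in ALLOWED_CLIENTS):
            findings.append(f"rule {n}: source {cidr} is wider than the client list")
        if proto != "udp" or port not in RADIUS_PORTS:
            findings.append(f"rule {n}: {proto}/{port} is not a RADIUS port")
    for client in ALLOWED_CLIENTS:  # the tight ACL must still let clients in
        if decide(acl, client, "udp", 1812) != "permit":
            findings.append(f"client {client} cannot reach udp/1812")
    return findings


if __name__ == "__main__":
    for name, acl in (("sample", SAMPLE_ACL), ("hardened", HARDENED_ACL)):
        print(name, audit(acl) or "no findings")
```
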

In a configuration of this type, the second-level authentication via a RADIUS server is performed first. If the authentication procedure is successful, the next authentication takes place at the Active Directory level using either the username and password or a smart card.

Installation Notes

The primary RAS Connection Broker is installed using the Parallels RAS installer (standard installation). The secondary RAS Connection Broker is push-installed from the RAS Console.

HALB is installed as a ready-to-use virtual appliance and configured in HALB VS properties.

All other components are push-installed from the RAS Console.