Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Web browser (HTML5) and Let's Encrypt service
RAS Web Admin Service [RAS Management Portal]
TCP
20443
Admin access to HTML5 based Management Portal of RAS environment
HALB
TCP
80, 443
End-user access to Parallels RAS Web Client (on Secure Gateway in Normal mode) through the HALB Note: Ports 80 and 443 must be open for incoming requests when using Let's Encrypt.
RAS Secure Gateway
TCP
80, 443
End-user access to Parallels RAS Web Client (on Secure Gateway in Normal mode) Note: Ports 80 and 443 must be open for incoming requests when using Let's Encrypt.
Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Source | Destination | Protocols | Ports | Description |
---|
Source | Destination | Protocols | Ports | Description |
---|
RAS Console
RAS Reporting
TCP
30008
RAS Console is connected to primary RAS Connection Broker which communicates with RAS Reporting (installed on the same host as SSRS). SSRS talks to SQL via TCP 1433 (or dynamic if 1433 is not established in the settings).
SSRS
TCP
443
Reports retrieval.
HALB
TCP, UDP
31006
Used for configuration.
Parallels Client
TCP
50005
Shadowing from the RAS Console in case of direct network connection.
RAS RD Session Host Agent
UDP, TCP
30004
Used for the "Check Agent" task.
Used to manage components.
TCP
UDP
TCP
UDP
30010
30009
Used for the "Check Agent" task.
Used to manage components.
RAS Remote PC Agent
UDP, TCP
30004
Used for the "Check Agent" task.
Used to manage components.
RAS Provider Agent
UDP, TCP
30006
Used for the "Check Agent" task.
Used to manage component.
MFA Server(s)
TCP, UDP
8080, 80, 1812, 1813
Deepnet / Safenet / Radius
Microsoft site
TCP
80, 443
Check for updates and download Parallels Client
Parallels site
TCP
80
Check for updates and download Parallels Client
RAS Performance Monitor
TCP
3000
RAS browser plugin connection to Grafana.
RAS Connection Broker
TCP
20002, 20001
Communication with Connection Broker and redundancy.
RAS Enrollment Server
TCP, UDP
30030
Used for the "Check Agent" task.
Used to manage components and for troubleshooting.
Wyse Broker
UDP
1234 (outbound only)
68 (inbound only)
Wyse broker discovery request broadcast packet (V_WYSEBCAST).
Wyse broker discovery reply packet (V_WYSETEST).
SMTP
TCP
587
RAS Console can send test emails using port specified in the Mailbox settings (+SSL/TLS)
SSRS | Microsoft SQL Server | TCP | 1433 | RAS Console is connected to RAS Reporting |
RAS Secure Gateway in Forwarding mode | RAS Secure Gateway in Normal mode | TCP, UDP TCP, UDP | 80, 443 3389 | Management and user session connections. Optional - Used for user session if RDP Load Balancing is enabled. |
RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
RAS Secure Gateway in Normal mode | Remote Desktop Services | TCP, UDP | 3389 | RDP Connections. |
RAS Connection Broker | TCP TCP, UDP | 20002 20009 | RAS Connection Broker service port - communications with RAS Secure Gateways and the RAS Console (in Normal mode only). Device Manager shadowing via Firewall (indirect network connection) if RAS Console runs on RAS Connection Broker |
RAS Performance Monitor | TCP | 8086 | Agent (Telegraf service) sends collected performance data to InfluxDB. |
Localhost | TCP | 20020 | Communication with User Portal web server (NodeJS). |
The following diagram illustrates communication ports used in Parallels RAS.
The above diagram include SAML SSO components such as RAS Enrollment Server, however it does not include Tenant Broker.
Tip: If you are reading the PDF version of this guide, click the following link to view the full-sized diagram in a web browser: https://download.parallels.com/ras/v19/docs/en_US/Parallels-RAS-19-Administrators-Guide/index.htm#47092.
Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Source | Destination | Protocols | Ports | Description |
---|
RAS Web Administration Service
RAS RD Session Host Agent
TCP
30004
Log retrieval
RAS Guest Agent
TCP
30010
Log retrieval
RAS Provider Agent
TCP
30006
Log retrieval
RAS Connection Broker
TCP
20002, 20001 30020
Communication with GA and Redundancy
Used during publishing to browse for installed applications or single file/folder browsing.
30020 - remote agent pushing (pre-RAS 18).
RAS RD Session Host Agent
RAS Guest Agent
RAS Remote PC Agent
RAS Connection Broker
RAS Secure Gateway
RAS Enrollment Server
TCP
135, 445
Remote Install Push/Takeover of Software (pre-RAS 18).
RAS Reporting Service
TCP
3000
Integration of RAS Reporting in Management Portal iFrame
RAS Reporting Service | MS SQL | TCP | 1433 | Store RAS activity information |
SSRS | TCP | 8085, 443 | Enumeration of reports (incl. custom reports) |
Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Source | Destination | Protocols | Ports | Description |
---|---|---|---|---|
Source | Destination | Protocols | Ports | Description |
---|
Source | Destination | Protocols | Ports | Description |
---|
Source | Destination | Protocols | Ports | Description |
---|
Parallels Client
HALB
TCP, UDP
TCP, UDP
80, 443
20009
Management and user session connections.
Device Manager shadowing via Firewall (indirect network connection).
RAS Secure Gateway Forwarding mode
TCP, UDP
TCP, UDP
UDP
80, 443
3389
20000
Management and user session connections.
Optional - Used for user session if RDP load balancing is enabled (Standard RDP).
Secure Gateway lookup broadcast.
RAS Secure Gateway Normal mode
TCP, UDP
TCP, UDP
TCP, UDP
UDP
80, 443,
3389
20009
20000
Management and user session connections.
Optional - Used for user session if RDP load balancing is enabled (Standard RDP).
Device Manager shadowing via Firewall (indirect network connection)
Secure Gateway Lookup Broadcast
Session host (VDI, RDS, RemotePC)
TCP, UDP
3389
Used for user session connections in Direct Mode only. RDP connection is always encrypted
Azure Virtual Desktop Services
TCP
UDP
443
3390
Azure Virtual Desktop Gateway connection
Used for user session connections in ShortPath mode only.
Microsoft site
TCP
443
Download Microsoft Remote Desktop (MSRDC) client
Parallels site
TCP
80, 443
Check for updates and download Parallels Client
RAS Connection Broker
AD DS controllers
TCP
TCP
TCP,UDP
UDP
389, 3268
636, 3269
88
53
LDAP
LDAPS
Kerberos
DNS
RAS Connection Broker
TCP
20001
20030
Redundancy service.
Communication between RAS Connection Brokers ruAgent (Telegraf service) sends collected performance data to InfluxDB.nning in the same site.
Parallels Licensing Server
TCP
443
RAS Connection Broker (primary Connection Broker in Licensing Site) communicates with Parallels Licensing Server (https://ras.parallels.com).
Note: Not required for Tenant Broker RAS Connection Broker (see the Tenant Broker section).
RAS Performance Monitor
TCP
8086
Agent (Telegraf service) sends collected performance data to InfluxDB.
RAS RD Session Host Agent
TCP, UDP
30004
Server for Connection Broker requests.
RAS Provider Agent
TCP, UDP
30006
Provider Agent communication port.
RAS Remote PC Agent
TCP, UDP
30004
Remote PC Agent Communication Port (agent state, counters and session information)
2FA Server(s)
TCP, UDP
8080, 80
1812, 1813
Deepnet/ Safenet
Radius
RAS Enrollment Server
TCP
30030
RAS Connection Broker Sends RAS Enrollment Server connection Request
RAS Reporting
TCP
30008
Master RAS Connection Broker communicates with RAS Reporting (installed on the same host as SSRS).
RAS Remote Installer Service
TCP
30020
Remote agent pushing
RAS RD Session Host Agent
RAS Guest Agent
RAS Remote PC Agent
RAS Connection Broker
RAS Secure Gateway
RAS Enrollment Server
TCP
135, 445, 49179
Remote Install Push/Takeover of Software
SMTP
TCP
587
Notifdispatcher is the service which sends the emails using port specified in the Mailbox settings (+SSL/TLS)
Let's Encrypt Service
TCP
80, 443
Communication between the Let's Encrypt client (available in the primary Connection Broker) and a Let's Encrypt server.
RAS Guest Agent (used by Azure Virtual Desktop)
Provider Agent
TCP, UDP
30006
Communication with Provider Agent
Subnet broadcast is sent to find Provider Agent
Regular UDP heartbeats
Localhost
TCP
30005
For internal commands - memshell, printer redirector)
RAS Performance Monitor
TCP
8086
Agent (Telegraf service) sends collected performance data to InfluxDB
RAS Enrollment Server
TCP
30030
RAS Guest Agent (PrlsSCDriver) connects to get logon credentials
FSlogix
TCP
443
Download FSlogix installer
RAS RD Session Host Agent
RAS Connection Broker
TCP, UDP
20003
Used for communications with RAS Connection Brokers.
Localhost
TCP
30005
For internal commands (memshell, printer redirector).
FSlogix
TCP
443
Download FSlogix installer
RAS Performance Monitor
TCP
8086
Agent (Telegraf service) sends collected performance data to InfluxDB.
RAS Enrollment Server
TCP
30030
RAS RD Session Host Agent (PrlsSCDriver) connects to get logon credentials.
RAS Provider Agent
RAS Connection Broker
TCP
20003
Connection Broker communication port.
RAS Guest Agent
TCP
UDP
30010
30009
TCP is used to send the commands.
UDP is used during the initial handshake.
RAS Performance Monitor
TCP
8086
Agent (Telegraf service) sends collected performance data to InfluxDB - applicable to Hyper-V only.
Hyper-V
TCP
135, 49152-65535
Used to check if the host is powered on and send export, import, delete, shutdown, restart or suspend commands.
Nutanix AHV (AOS)
TCP
9440
Used to check if the host is powered on and sends clone, delete, shutdown, restart commands (RestAPI calls, PoSH, remote ncli).
VMWare
TCP
443
Used to check if the host is powered on and sends clone, delete, shutdown, restart and suspend commands.
Microsoft Azure
TCP
443
Used to check if the guest is powered on and sends clone, shutdown, restart commands (via REST).
Azure Virtual Desktop
TCP
443
Used to check if the host is powered on and sends clone, shutdown, restart commands (via REST).
AWS
TCP
443
Used to check if the host is powered on and sends clone, shutdown, restart commands (via REST).
Scale
TCP
443
Used to check if the host is powered on and sends clone, shutdown, restart commands (via REST).
Remote PC over VDI
TCP
135, 49152-65535
Used to check if the host is powered on and sends shutdown, restart or suspend commands.
RAS Remote PC Agent
RAS Connection Broker
TCP, UDP
20003
Used for communications with RAS Connection Brokers
Localhost
TCP
30005
For internal commands - memshell, printer redirector)
RAS Performance Monitor
TCP
8086
Agent (Telegraf service) sends collected performance data to InfluxDB
RAS Enrollment Server
TCP, UDP
30030
RAS Remote PC (PrlsSCDriver) connects to get logon credentials
FSlogix
TCP
443
Download FSlogix installer
RAS PowerShell | RAS RD Session Host Agent | TCP | 30004 | Log retrieval |
RAS Guest Agent | TCP | 30010 | Log retrieval |
RAS Remote PC Agent | TCP | 30004 | Log retrieval |
RAS Provider Agent | TCP | 30006 | Log retrieval |
RAS Connection Broker | TCP | 20002, 20001 | Communication with GA and Redundancy Used during publishing to browse for installed applications or single file/folder browsing. |
HALB | HALB | VRRP | 112 | HALB to HALB communication used for automatic assignment of VIP to active HALB. |
RAS Secure Gateway in Forwarding Mode | TCP, UDP | 80, 443 | Management and user session connections. |
RAS Secure Gateway in Normal Mode | TCP, UDP TCP, UDP | 80, 443 20009 | Management and user session connections. Device Manager shadowing via Firewall (indirect network connection). |
RAS Enrollment Server | AD DS controllers | TCP TCP TCP,UDP UDP | 389, 3268 636, 3269 88 53 | LDAP LDAPS Kerberos DNS |
RAS Connection Broker | TCP UDP | 20003 20003 | Settings synchronization and performance counters. Deny Connection Request |
Certificate Authority (CA) | TCP TCP | 135 dynamic range 49152 - 65535 | DCOM/RPC ports |
After you add a certificate to a Site, you can assign it to a RAS Secure Gateway, HALB, or both depending on the usage type that you specified when you created the certificate (described in the beginning of this chapter). More on the certificate Usage option below.
Certificate Usage is an option that you specify when you create a certificate. It specifies whether the certificate should be available for RAS Secure Gateways, HALB, or both. When setting this option, you can choose from the following:
Gateway: If selected, makes the certificate available for RAS Secure Gateways.
HALB: If selected, makes the certificate available for HALB.
You can select one of the options above or both, in which case the certificate becomes available for both, Secure Gateways and HALB.
When you configure SSL for a RAS Secure Gateway or HALB later, you need to specify an SSL certificate. When you select a certificate, the following options will be available depending on how the Usage option is configured for a particular certificate:
<All matching usage>: This is the default option, which is always available. It means that any certificate on which the Usage selection matches the object type (Secure Gateway or HALB) will be used. For example, if you are configuring a Secure Gateway and have a certificate that has Usage set to "Gateway", it will be used. If a certificate has both, Gateway and HALB usage options selected, it can also be used with the given Secure Gateway. This works the same way for HALB when you configure the LB SSL Payload. Please note that if you select this option for a Secure Gateway or HALB, but not a single matching certificate exists, you will see a warning and will have to create a certificate first.
Other items in the Certificates drop-down list are individual certificates, which will or will not be present depending on the certificate's Usage settings. For example, if you configure LB SSL Payload for HALB and have a certificate with the Usage option set to "HALB", the certificate will appear in the drop-down list. On the other hand, certificates with Usage set to "Gateway" will not be listed.
As another example, if you need just one certificate, which you would like to use for all of your Secure Gateways, you need to create a certificate and set the Usage option to "Gateways". You can then configure each Secure Gateway to use this specific certificate or you can keep the default <All matching usage> selection, in which case the certificate will be picked up by a Secure Gateway automatically. Same exact scenario also works for HALB.
To assign a certificate to a RAS Secure Gateway:
Navigate to Farm > Site > Gateways.
Right-click a Secure Gateway and choose Properties.
Select the SSL/TLS tab.
In the Certificates drop-down list, select the certificate that you created.
Click OK.
Please note that you can also select the <All matching usage> option, which will use any certificate that either has the usage set to Secure Gateway or both Secure Gateway and HALB.
In case the certificate is self-signed, or the certificate is issued by an Enterprise CA, Parallels Clients should be configured as follows:
Export the certificate in Base-64 encoded X.509 (.CER) format.
Open the exported certificate with a text editor and copy the contents to the clipboard.
To add the certificate with the list of trusted authorities on the client side and enable Parallels Client to connect over SSL with a certificate issued from an organization’s Certificate Authority.
On the client side in the directory "C:\Program Files\Parallels\Remote Application Server Client\" there should be a file called trusted.pem
. This file contains certificates of common trusted authorities.
Paste the content of the exported certificate (attached to the list of the other certificates).
To obtain a certificate from a third-party CA, you need to generate a certificate signing request (CSR) as described below.
In the RAS Console, navigate to Farm / Site / Certificates. Click Tasks > Generate a certificate request. In the dialog that opens, specify the following options:
Name: Type a name for this certificate. This field is mandatory.
Description: An optional description.
Usage: Specify whether the certificate should be used for RAS Secure Gateways or HALB, or both. This selection is mandatory.
Key size: The certificate key size, in bits. Here you can select from the predefine values. The default is 2048 bit, which is the minimum required length according to current industry standards.
Country code: Select your country.
Expire in: The certificate expiration date.
Full state or province: Your state or province info.
City: City name.
Organization: The name of your organization.
Organization unit: Organizational unit.
E-mail: Your email address. This field is mandatory.
Common name: The Common Name (CN), also known as the Fully Qualified Domain Name (FQDN). This field is mandatory.
After entering the information, click Generate. Another dialog will open displaying the request. Copy and paste the request into a text editor and save the file for your records. The dialog also allows you to import a public key at this time. You can submit the request to a certificate authority now, obtain the public key, and import it without closing the dialog, or you can do it later. If you close the dialog, the certificate will appear in the RAS Console with the Status column indicating Requested.
To submit the request to a certificate authority and import a public key:
If the certificate request Properties dialog is closed, open it by right-clicking a certificate and choosing Properties. In the dialog, select the Request tab.
Copy the request and paste it into the certificate authority web page (or email it, in which case you will need to come back to this dialog later).
Obtain the certificate file from the certificate authority.
Click the Import public key button and finalize the certificate registration by specifying the key file and the certificate file.
You know need to import the certificate into Parallels RAS. To do so, on the Certificates tab, click Tasks > Import certificate. In the dialog that opens, specify the following:
Name: Type a name for the certificate.
Description: An optional description.
Private key file: Specify a file containing the private key. Click the [...] button to browse for the file.
Certificate file: When you specify a private key file (above) and have a matching certificate file, it will be inserted in this field automatically. Otherwise, specify a certificate file.
Usage: Specify whether the certificate will be used for RAS Secure Gateways or HALB, or both.
Click OK when done. The certificate will appear in the list in the RAS Console with the Status column indicating Imported.
To view the certificate info, right-click it and choose Properties. In the dialog that opens, examine the properties and then click the View certificate info button to view the certificate trust information, details, certification path and the certificate status. You can also view the certificate info by right-clicking it and choosing View certificate info.
For imported certificates, the Properties dialog has an additional tab Intermediate. If the original certificate included an intermediate certificate (in addition to the root certificate), it will be displayed here. You can paste a different intermediate certificate here if you wish.
Source | Destination | Protocols | Ports | Description |
---|
For Active Directory and Active Directory Domain Services port requirements, please see the following article: .
Tenant - RAS Connection Broker | Tenant Broker - RAS Connection Broker | TCP | 20003 | Tenant's RAS Connection Broker communicates with Tenant Broker to join Tenant Broker, synchronize configuration and statuses |
Use IIS to receive a certificate from the Enterprise CA and export the certificate in the PFX format. To install the PFX certificate in Parallels RAS, import it as described in the Import the certificate subsection above.
Note: The trusted.pem
file on the Parallels Client side must include the intermediate certificate to be able to verify the cert from the third-party vendor. If the intermediate certificate for the vendor is not in the trusted.pem
file, you will have to paste it in manually or create a trusted.pem
template file with the proper Intermediate Certificates and then replace the old trusted.pem
file with the newly updated one. This file resides in the Program Files\Parallels
or Program Files(x86)\ Parallels
on the client side.
This section explains how to use SSL certificates in Parallels Application Server deployments. You should read this section if you are setting up a RAS environment to test one or more of the deployment scenarios described earlier in this guide.
Note: For complete information, please also read the SSL Certificate Management chapter in the Parallels RAS Administrator's Guide.
By default, a self-signed certificate is installed on a RAS Secure Gateway. Each RAS Secure Gateway has its own certificate, which should be added to Trusted Root Authorities on the client side to avoid security warnings.
To simplify the Parallels Client configuration, using a certificate issued either by a third-party Trusted Certificate Authority or Enterprise Certificate Authority (CA) is recommended.
If an Enterprise CA certificate is used, Windows clients receive a Root or Intermediate Enterprise CA certificate from Active Directory. Client devices on other platforms require manual configuration.
If a third-party certificate issued by a well-known Trusted Certificate Authority (e.g. Verisign) is used, the client device trusts using Trusted Certificate Authority updates for the platform.