Configure SSL Encryption on a Gateway
The traffic between the users and the RAS Secure Client Gateway is always encrypted. The SSL/TLS tab page allows you to configure data encryption options.
By default, a self-signed certificate is installed during the RAS Secure Client Gateway installation and TLS v1.0, v1.1, or v1.2 is accepted. Each RAS Secure Client Gateway has its own certificate, which should be added to the Trusted Root Certification Authorities store on the client side to avoid security warnings (or, better, replaced with a certificate from a CA the clients already trust, as described later on this page).
To issue a new self-signed certificate:
- Select the Enable SSL on Port option and specify a port number (default is 443).
- (Optional) Select the SSL version accepted by the RAS Secure Client Gateway from the Accepted SSL Versions drop-down list (default is TLS v1 - TLS v1.2). The available options are:
  - TLSv1.2 Only (Strong)
  - TLSv1.1-TLSv1.2
  - TLSv1-TLSv1.2
  - SSLv3-TLSv1.2
  - SSLv2-TLSv1.2 (Weak)
  Unless a legacy client forces your hand, choose TLSv1.2 Only: SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are all deprecated (RFC 6176, RFC 7568 and RFC 8996), and a gateway that still accepts them will negotiate the older version with any client that offers nothing better.
- (Optional) Select the Cipher Strength, which determines the set of TLS cipher suites the gateway will negotiate (the OpenSSL cipher strings behind each setting are listed under Using a Custom Cipher below). The default cipher strength is High. A stronger setting excludes weaker suites and thus increases the effort needed to break the encryption.
- Click the Generate new certificate button and enter the required details.
Note: To enable SSL using a certificate from a trusted authority, follow the procedure below.
- Click Save to save all the details and generate a new self-signed certificate. The Private key file and Certificate file fields will be populated automatically.
- Click OK to save the options.
Using a Custom Cipher
Use the Custom Cipher field to specify a custom cipher string of your choice, written in the OpenSSL cipher-list syntax (see the openssl-ciphers manual page). The cipher strings that Parallels Remote Application Server uses for the Cipher Strength presets are:
Low: ALL:!aNULL:!eNULL
Med: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
High:
- Min SSLv2 - ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
- Min SSLv3 - ALL:!SSLv2:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
- Min TLSv1 - ALL:!SSLv2:!SSLv3:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
- Min TLSv1_1 - ALL:!SSLv2:!SSLv3:!TLSv1:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
- Min TLSv1_2 - ALL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
Two caveats when writing your own string: a cipher string only selects cipher suites, it does not disable protocol versions (that is what Accepted SSL Versions is for), so !SSLv3 removes the suites whose minimum version is SSLv3 but does not by itself refuse an SSLv3 handshake; and the Low preset still permits RC4, DES and export-grade suites on OpenSSL builds that include them, so it should not be used. Check any custom string with openssl ciphers -v '<string>' before saving it.
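To see what each of the strings above actually permits on a given OpenSSL build, the following added example (not code from the Parallels documentation or product) expands them through Python's ssl module, which hands the string to the same OpenSSL cipher-list parser the gateway uses, and flags any suite below 128 bits, using a legacy algorithm, or negotiable below TLS 1.2. The preset strings in CIPHER_STRINGS are quoted from the page; the function names, the LEGACY_MARKERS list and the 128-bit threshold are the example's own choices.

```python
import ssl

# Cipher strings quoted from the page (the Parallels RAS Low, Med and High presets).
CIPHER_STRINGS = {
    "Low": "ALL:!aNULL:!eNULL",
    "Med": "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM",
    "High, min SSLv2": "ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH",
    "High, min TLSv1_2": "ALL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!aNULL:!ADH:!eNULL"
                         ":!LOW:!MEDIUM:!EXP:+HIGH",
}

# Algorithm name fragments a reviewer would reject in any new deployment
# (the example's own list, not a Parallels setting).
LEGACY_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "RC2", "IDEA", "SEED")


def expand_cipher_string(cipher_string):
    """Ask the local OpenSSL (via Python's ssl module, which uses the same
    cipher-list parser as the gateway's OpenSSL) which suites the string selects.
    Returns (name, minimum protocol, strength_bits) tuples; TLS 1.3 suites are
    dropped because OpenSSL does not control them through this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)          # raises ssl.SSLError if nothing matches
    return [
        (c["name"], c["protocol"], c["strength_bits"])
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"
    ]


def audit_cipher_string(cipher_string, min_bits=128):
    """Return (suite, reason) pairs for every suite the string permits that is
    weaker than min_bits, uses a legacy algorithm, or is negotiable below
    TLS 1.2 (its minimum protocol is SSLv3 or TLSv1.0)."""
    findings = []
    for name, proto, bits in expand_cipher_string(cipher_string):
        reasons = []
        if bits < min_bits:
            reasons.append(f"only {bits}-bit")
        if any(marker in name for marker in LEGACY_MARKERS):
            reasons.append("legacy algorithm")
        if proto != "TLSv1.2":
            reasons.append(f"negotiable at {proto}")
        if reasons:
            findings.append((name, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for preset, cipher_string in CIPHER_STRINGS.items():
        suites = expand_cipher_string(cipher_string)
        findings = audit_cipher_string(cipher_string)
        print(f"{preset}: {len(suites)} suites, {len(findings)} flagged")
        for suite, reason in findings[:5]:
            print(f"    {suite:32} {reason}")
```

Run it on the machine whose OpenSSL matters: the result depends on the local build, which is the point. The Min TLSv1_2 string comes back clean, while the Min SSLv2 and lower presets still list CBC suites whose minimum version is SSLv3 or TLSv1.0, which is why they should be paired with TLSv1.2 Only in Accepted SSL Versions rather than relied on alone.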
Note: By default only the connection between the gateway and the servers is encrypted. Change the connection mode to Gateway SSL Mode in the connection properties on all Parallels Clients to also encrypt the connection between the users and the gateway.
To simplify the Parallels Client configuration, using a certificate issued either by a third-party trusted Certificate Authority or by an Enterprise Certificate Authority (CA) is recommended.
If an Enterprise CA certificate is used, Windows domain clients receive the Root or Intermediate Enterprise CA certificate from Active Directory. Client devices on other platforms require manual configuration.
If a third-party certificate issued by a well-known trusted Certificate Authority (e.g. Verisign) is used, the client device already trusts it through the trusted root CA updates shipped for its platform.
Using Third-Party Trusted Certificate Authority
- In the RAS Console, navigate to Farm > Gateway > Properties and click the SSL/TLS tab.
- Select TLS 1.2 as the SSL settings option.
- Choose CSR.
- Fill in the data.
- Copy and paste the CSR into a text editor and save the file for your records.
- Paste the CSR into the CA vendor's website form or email it to the vendor.
- Request the issued certificate in Apache format: the server certificate and the intermediate CA certificate(s) together in one file with the .pem extension. The CA never sees the private key; it was generated on the gateway together with the CSR and stays there.
- When you receive the file, place it in a secure folder for backup retrieval.
- Click Import Public Key, navigate to that folder (or to a secondary location where you keep a copy of the single all-in-one certificate file) and load the .pem file into the Certificate key field.
- Click Apply and Test.
Note: The private key should already be populated from your initial CSR request.
Using Enterprise Certificate Authority
Use IIS to request and receive a certificate from the Enterprise CA. Export the certificate together with its private key in the .pfx format and then convert it into the PEM format using the OpenSSL tool, available at http://gnuwin32.sourceforge.net/packages/openssl.htm (that package is very old; any current OpenSSL build, including the openssl.exe shipped with Git for Windows, accepts the same command).
Note: The trusted.pem file on the Parallels Client side must include the intermediate certificate to be able to verify the certificate from the third-party vendor. If the vendor's intermediate certificate is not in the trusted.pem file, you will have to paste it in manually, or create a trusted.pem template file with the proper intermediate certificates and then replace the old trusted.pem file with the updated one. This file resides under Program Files\Parallels or Program Files (x86)\Parallels on the client side.
To convert a PFX file to a PEM file, follow these steps on a Windows machine:
- Run the OpenSSL tool.
- Create the c:\certs folder and copy the cert.pfx file into it.
- Open the command prompt and enter cd %ProgramFiles%\GnuWin32\bin
- Type the following command to convert the PFX file to an unencrypted PEM file:
openssl pkcs12 -in c:\certs\cert.pfx -out c:\certs\scg.pem -nodes
- When prompted for the import password, enter the password you used when you exported the certificate to a PFX file. You should receive a message saying "MAC verified OK" (recent OpenSSL releases may omit this line; the absence of an error is what matters).
The -nodes option writes the private key into scg.pem unencrypted, so restrict the file's ACL to administrators, keep it off shared drives, and delete any spare copies (including cert.pfx in c:\certs) once the gateway has imported it. The resulting file contains the private key, the server certificate and any CA certificates that were in the PFX, which is exactly the all-in-one layout the gateway expects.
Enable SSL on Parallels Secure Client Gateway with the converted PEM file
- On the Parallels Client Gateway page, enable secure sockets layer (SSL) and click the browse button to locate the .pem file.
- Select the single converted file for both the Private Key and Public Key fields.
- Click Apply to apply the new settings.
Parallels Clients Configuration
If the certificate is self-signed or was issued by an Enterprise CA, Parallels Clients should be configured as described below.
- Export the certificate in Base-64 encoded X.509 (.CER) format.
- Open the exported certificate with a text editor, such as Notepad or WordPad, and copy the contents to the clipboard.
To add the certificate to the list of trusted authorities on the client side, so that Parallels Client can connect over SSL with a certificate issued by your organization's Certificate Authority:
- On the client side, in the directory "C:\Program Files\Parallels\Remote Application Server Client\", there is a file called trusted.pem. This file contains certificates of common trusted authorities.
- Paste the content of the exported certificate at the end of the file, after the other certificates, and save it.
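The all-in-one .pem requested from the CA earlier on this page and the trusted.pem edits described here are both plain PEM text, so the usual mistakes (a missing intermediate, a password-protected key left in the bundle, the same certificate pasted twice, a CRLF copy that looks different but is identical) can be caught before touching the gateway or the clients. The following is an added example, not code from Parallels: check_gateway_bundle checks the structure of the gateway's all-in-one file, and add_to_trusted_pem appends a Base-64 .CER export to trusted.pem only if it is not already present. The SAMPLE_* values are constructed placeholders whose bodies are just base64 of a short tag, not real key or certificate material; the function names are the example's own, and it validates PEM structure only, not signatures or chain order.

```python
import base64
import re

# Matches one PEM object; the END label must equal the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)\r?\n-----END (?P=label)-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return (label, normalized_body, raw_body) for every PEM object in text.
    normalized_body has all whitespace removed so CRLF and LF copies compare equal."""
    return [
        (m.group("label"), "".join(m.group("body").split()), m.group("body"))
        for m in PEM_BLOCK.finditer(text)
    ]


def check_gateway_bundle(text):
    """Check an Apache-style all-in-one .pem for the gateway: one unencrypted
    private key plus a leaf certificate and at least one intermediate CA
    certificate. Returns a list of problems (empty means the file looks usable)."""
    blocks = pem_blocks(text)
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected exactly 1 private key, found {len(keys)}")
    for label, _, raw in keys:
        # PKCS#8 encrypted keys use their own label; legacy keys carry a Proc-Type header.
        if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in raw:
            problems.append("private key is password-protected; export it unencrypted (openssl pkcs12 -nodes)")
    if len(certs) < 2:
        problems.append(f"expected a leaf and at least one intermediate certificate, found {len(certs)}")
    if len(certs) != len({c[1] for c in certs}):
        problems.append("duplicate certificate blocks")
    return problems


def count_certificates(text):
    return sum(1 for label, _, _ in pem_blocks(text) if label == "CERTIFICATE")


def add_to_trusted_pem(trusted_text, cert_text):
    """Append every CERTIFICATE block from cert_text (e.g. a Base-64 .CER export of
    the Enterprise CA or the vendor's intermediate) to trusted.pem, skipping any
    certificate already present. Returns (new_trusted_text, number_added)."""
    existing = {body for label, body, _ in pem_blocks(trusted_text) if label == "CERTIFICATE"}
    out = trusted_text if (trusted_text == "" or trusted_text.endswith("\n")) else trusted_text + "\n"
    added = 0
    for label, body, _ in pem_blocks(cert_text):
        if label != "CERTIFICATE" or body in existing:
            continue
        # Re-wrap at 64 columns with LF endings so pasted CRLF content is normalized.
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        out += f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"
        existing.add(body)
        added += 1
    return out, added


def _constructed_block(label, payload):
    """Constructed placeholder PEM block for the demo: the body is base64 of a
    short tag, not real key or certificate material."""
    b64 = base64.b64encode(payload).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"


SAMPLE_BUNDLE = (
    _constructed_block("PRIVATE KEY", b"demo-key")
    + _constructed_block("CERTIFICATE", b"demo-leaf")
    + _constructed_block("CERTIFICATE", b"demo-intermediate")
)
SAMPLE_TRUSTED = _constructed_block("CERTIFICATE", b"demo-root")

if __name__ == "__main__":
    print("bundle problems:", check_gateway_bundle(SAMPLE_BUNDLE) or "none")
    intermediate = _constructed_block("CERTIFICATE", b"demo-intermediate")
    merged, n = add_to_trusted_pem(SAMPLE_TRUSTED, intermediate)
    print(f"added {n} certificate(s); trusted.pem now holds {count_certificates(merged)}")
    merged, n = add_to_trusted_pem(merged, intermediate.replace("\n", "\r\n"))
    print(f"re-adding the same certificate with CRLF line endings added {n}")
```

For a real file, read scg.pem (or the vendor's .pem) and trusted.pem with open(path, newline="") so the original line endings reach the regex, and write the result back only after check_gateway_bundle returns an empty list; anything beyond structure (does the leaf chain to the intermediate, has it expired) still needs openssl verify or the gateway's own Test button.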
Securing RDP-UDP Connections
A Parallels Client normally communicates with a RAS Secure Client Gateway over a TCP connection. Recent Windows clients may also use a UDP connection to improve WAN performance. To give UDP connections the same SSL protection, DTLS must be used.
To use DTLS on a RAS Secure Client Gateway:
- On the SSL/TLS tab page, make sure that the Enable SSL on Port option is selected (default).
- On the Network tab page, make sure that the Enable RDP UDP Data Tunneling option is selected (default).
The Parallels Clients must be configured to use the Gateway SSL Mode. This option can be set in the Connections Settings > Connection Mode drop-down list on the client side.
Once the above options are correctly set, both TCP and UDP connections will be tunneled over SSL.