Configure SSL Encryption on a Gateway

The traffic between the users and the RAS Secure Client Gateway can be encrypted with SSL/TLS; the Parallels Client must use the Gateway SSL Mode connection mode for this to apply (see the note below). The SSL/TLS tab page allows you to configure the data encryption options.

By default, a self-signed certificate is generated during the RAS Secure Client Gateway installation and TLS v1.0 through v1.2 is accepted. Each RAS Secure Client Gateway has its own certificate, which should be added to the Trusted Root Authorities on the client side: without it, clients show security warnings and cannot tell the gateway apart from an impostor presenting another self-signed certificate.

To issue a new self-signed certificate:

  1. Select the Enable SSL on Port option and specify a port number (default is 443).
  2. (Optional) Select the SSL/TLS versions accepted by the RAS Secure Client Gateway from the Accepted SSL Versions drop-down list (default is TLS v1 - TLS v1.2). Prefer TLSv1.2 Only unless a client that cannot negotiate TLS 1.2 has to be supported; the SSLv2 and SSLv3 options exist only for legacy compatibility, as both protocols are deprecated and broken.

    The available options are:

    • TLSv1.2 Only (Strong)
    • TLSv1.1-TLSv1.2
    • TLSv1-TLSv1.2
    • SSLv3-TLSv1.2
    • SSLv2-TLSv1.2 (Weak)
  3. (Optional) Select the Cipher Strength of your choice. This controls which TLS cipher suites the gateway offers; it does not change the certificate or its key. The default cipher strength is High. A stronger setting excludes weaker suites and so increases the effort needed to break the encryption.
  4. Click the Generate new certificate button and enter the required details.

    Note: To enable SSL using a certificate from a trusted authority, follow the procedure below.

  5. Click Save to save all the details and generate a new self-signed certificate. The private key file and Certificate file will be automatically populated.
  6. Click OK to save the options.

Using a Custom Cipher

Use the Custom Cipher field to specify a cipher string of your choice in OpenSSL cipher list syntax (the format accepted by the openssl ciphers command). The cipher strings behind the Low, Med and High presets used by Parallels Remote Application Server are listed below:

Low: ALL:!aNULL:!eNULL

Med: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

High:

  • Min SSLv2 - ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
  • Min SSLv3 - ALL:!SSLv2:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
  • Min TLSv1 - ALL:!SSLv2:!SSLv3:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
  • Min TLSv1_1 - ALL:!SSLv2:!SSLv3:!TLSv1:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
  • Min TLSv1_2 - ALL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
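The script below is an added example, not code from this page or from Parallels RAS. It feeds the preset cipher strings above to the same OpenSSL cipher-list parser the Custom Cipher field relies on, via Python's ssl module (so the resolved lists reflect the OpenSSL build Python is linked against, not necessarily the gateway's), reports how many suites each preset admits and which of them still match a weak-suite pattern, and builds a client context equivalent to "TLSv1.2 Only (Strong)" with the High/Min TLSv1_2 string. The preset-to-version mapping, the weak-suite pattern, the function names and the use of a trusted.pem file as cafile are assumptions of this example; the probe function makes a real network connection and is meant to be run by hand against your own gateway after Apply and Test.

```python
"""Resolve the gateway's cipher presets with the same OpenSSL cipher-list
syntax the Custom Cipher field accepts, and check a gateway from a client.

Added example, not Parallels code. Python's ssl module delegates to the
OpenSSL build Python was linked against, so the suite lists below are that
library's view; the gateway's own OpenSSL may differ slightly.
"""
import re
import socket
import ssl

# Cipher strings exactly as listed for the console presets on this page.
PRESETS = {
    "Low": "ALL:!aNULL:!eNULL",
    "Med": "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM",
    "High/Min SSLv2": "ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH",
    "High/Min TLSv1_2": ("ALL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!aNULL:!ADH:"
                         "!eNULL:!LOW:!MEDIUM:!EXP:+HIGH"),
}

# Suite-name fragments no gateway should still offer (assumed pattern).
WEAK = re.compile(r"RC4|DES|NULL|EXP|MD5|ADH|AECDH")

# The "Accepted SSL Versions" drop-down is a separate control from the cipher
# string; this maps its entries onto a protocol floor (assumed equivalence).
VERSION_FLOOR = {
    "TLSv1.2 Only (Strong)": ssl.TLSVersion.TLSv1_2,
    "TLSv1.1-TLSv1.2": ssl.TLSVersion.TLSv1_1,
    "TLSv1-TLSv1.2": ssl.TLSVersion.TLSv1,
}


def resolve(cipher_string):
    """Suite names OpenSSL selects for a cipher string, in preference order.
    Unknown tokens such as SSLv2 on a modern OpenSSL are silently ignored;
    a string that selects nothing raises ssl.SSLError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() also lists the fixed TLS 1.3 suites, which a cipher
    # string cannot remove; drop them so only what the string controls shows.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(presets=PRESETS):
    """Per preset: how many suites it admits and which of them are weak."""
    report = {}
    for label, cipher_string in presets.items():
        try:
            suites = resolve(cipher_string)
        except ssl.SSLError:
            report[label] = {"count": 0, "weak": [], "error": "nothing selectable"}
            continue
        report[label] = {"count": len(suites),
                         "weak": [s for s in suites if WEAK.search(s)]}
    return report


def client_context(cafile, version="TLSv1.2 Only (Strong)",
                   cipher_string=PRESETS["High/Min TLSv1_2"]):
    """Client-side context mirroring the strongest console settings, trusting
    only the bundle in cafile (the trusted.pem this page describes)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = VERSION_FLOOR[version]
    ctx.set_ciphers(cipher_string)
    return ctx


def probe(host, port, cafile):
    """Handshake with a gateway and report what was negotiated. Network call;
    run it by hand against your own gateway after clicking Apply and Test."""
    ctx = client_context(cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "subject": tls.getpeercert().get("subject")}


if __name__ == "__main__":
    import sys
    for label, info in audit().items():
        print(f"{label:18} {info['count']:3d} suites, weak: {info['weak'] or 'none'}")
    if len(sys.argv) == 4:  # usage: script.py <gateway-host> <port> <trusted.pem>
        print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Two things worth noticing in the output: the Low and Med strings keep every non-anonymous suite OpenSSL knows (Med even asks for RC4 explicitly), so "Low" and "Med" are only acceptable when a specific legacy client forces them; and the Min TLSv1_2 string still leaves the protocol floor to the Accepted SSL Versions setting, so the two controls have to be set together.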

Note: By default only the connection between the gateway and the servers is encrypted. Change the connection mode to the Gateway SSL Mode from the connection properties on all Parallels Clients to also encrypt the connection between the users and the gateway.

To simplify the Parallels Client configuration, using a certificate issued either by a third party Trusted Certificate Authority or Enterprise Certificate Authority (CA) is recommended.

If an Enterprise CA certificate is used, Windows clients receive a Root or Intermediate Enterprise CA certificate from Active Directory. Client devices on other platforms require manual configuration.

If a third-party certificate issued by a well-known Trusted Certificate Authority (e.g. Verisign) is used, the client device already trusts the issuer through the platform's trusted root certificate updates, so no client-side change is required.

Using Third-Party Trusted Certificate Authority

  1. In the RAS Console, navigate to Farm > Gateway > Properties and click the SSL/TLS tab.
  2. Select TLS 1.2 as the SSL settings option.
  3. Choose CSR.
  4. Fill in the data.
  5. Copy and paste the CSR into a text editor and save the file for your records.
  6. Paste the CSR into the vendor's website form or email it to the vendor.
  7. Request the certificate in Apache format, with the server certificate and the intermediate CA certificate(s) all in one file with the .pem extension. The vendor never receives your private key; it stays on the gateway.
  8. When you receive the file, place it in a secure folder for backup retrieval.
  9. Click Import Public Key and navigate to the folder (or to a secondary location where you have a copy of the single all-in-one certificate) and select the .pem file for the Certificate field.
  10. Click Apply and Test.

Note: The private key should already be populated from your initial CSR request.

Using Enterprise Certificate Authority

Use IIS to receive a certificate from the Enterprise CA. The certificate should be exported in the PFX format and then converted into the PEM format using the OpenSSL tool, available at http://gnuwin32.sourceforge.net/packages/openssl.htm (that package is very old; any current OpenSSL build accepts the same command).

Note: The trusted.pem file on the Parallels Client side must include the intermediate certificate to be able to verify the certificate from the third-party vendor. If the vendor's intermediate certificate is not in trusted.pem, paste it in manually, or create a trusted.pem template file with the proper intermediate certificates and then replace the old trusted.pem with the updated one. This file resides in Program Files\Parallels or Program Files (x86)\Parallels on the client side.

To convert a PFX file to a PEM file, follow these steps on a Windows machine:

  1. Run the OpenSSL tool.
  2. Create the c:\certs folder and copy the cert.pfx file into it.
  3. Open the command prompt and enter cd %ProgramFiles%\GnuWin32\bin
  4. Type the following command to convert the PFX file to an unencrypted PEM file:

    OPENSSL pkcs12 -in c:\certs\cert.pfx -out c:\certs\scg.pem -nodes

  5. When prompted for the import password, enter the password you used when you exported the certificate to a PFX file. You should receive a message saying "MAC verified OK". Because of -nodes, scg.pem now holds the private key in clear text: keep it in a folder with restrictive ACLs and delete working copies once the gateway has imported it.

Enable SSL on Parallels Secure Client Gateway with cert.pem

  1. On the RAS Secure Client Gateway SSL/TLS tab, enable secure sockets layer (SSL) and click [...] to browse for the .pem file.
  2. Select the single converted file (scg.pem in the example above) for both the Private Key and the Certificate fields.
  3. Click Apply to apply the new settings.

Parallels Clients Configuration

If the certificate is self-signed or issued by an Enterprise CA, Parallels Clients must be configured as described below.

  1. Export the certificate the clients must trust (the gateway's self-signed certificate, or the root or intermediate certificate of the Enterprise CA) in Base-64 encoded X.509 (.CER) format.
  2. Open the exported certificate with a text editor, such as Notepad or WordPad, and copy the contents to the clipboard.

To add the certificate to the list of trusted authorities on the client side, so that Parallels Client can connect over SSL using a certificate issued by the organization's Certificate Authority:

  1. On the client side, in the directory "C:\Program Files\Parallels\Remote Application Server Client\" there is a file called trusted.pem. This file contains the certificates of common trusted authorities.
  2. Paste the contents of the exported certificate at the end of the file, after the existing certificates, and save it. Never paste a private key into this file.
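The script below is an added example, not code from this page or from Parallels Client, and it serves two steps described above: checking the scg.pem produced by the openssl pkcs12 conversion before it is imported into the gateway (exactly one private key, unencrypted, plus the certificate and its intermediates), and appending an exported .CER to trusted.pem without duplicating an entry or copying a private key into a file that only holds trusted authorities. The PEM blocks at the bottom are constructed placeholders (arbitrary bytes, not real keys or certificates) so the script runs offline; the function names and file names are assumptions of this example.

```python
"""Check the converted .pem bundle before importing it into the gateway, and
add an exported certificate to the client's trusted.pem safely.

Added example, not Parallels code. Standard library only; the PEM blocks at
the bottom are constructed placeholders (arbitrary bytes, not real keys or
certificates) so the script runs offline. File names are assumptions.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_pem(text):
    """Return [(label, der_bytes)] for every PEM block in text.
    Text outside the blocks (the 'Bag Attributes' and subject= lines that
    openssl pkcs12 writes) is ignored; malformed base64 raises ValueError."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", m.group(2))
        blocks.append((m.group(1), base64.b64decode(body, validate=True)))
    return blocks


def to_pem(der, label="CERTIFICATE"):
    """Encode DER bytes as a PEM block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def fingerprint(der):
    """SHA-256 of the DER bytes; openssl x509 -fingerprint -sha256 prints the
    same digest with colons between the bytes."""
    return hashlib.sha256(der).hexdigest()


def check_bundle(text):
    """Sanity-check the all-in-one file (key + certificate + intermediates)."""
    blocks = parse_pem(text)
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    problems, warnings = [], []
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if "ENCRYPTED PRIVATE KEY" in keys:
        problems.append("private key is still password-protected; convert with -nodes")
    if not certs:
        problems.append("no CERTIFICATE block")
    elif len(certs) == 1:
        warnings.append("only one certificate: fine if self-signed, otherwise the intermediate chain is missing")
    if len(certs) != len({fingerprint(d) for d in certs}):
        problems.append("duplicate certificate blocks")
    return {"keys": len(keys), "certs": len(certs),
            "problems": problems, "warnings": warnings}


def append_trusted(trusted_text, exported_text):
    """Return (new trusted.pem text, number of certificates added).
    Only CERTIFICATE blocks are copied, each at most once (by fingerprint);
    input containing a private key is refused outright."""
    new_blocks = parse_pem(exported_text)
    if any(label.endswith("PRIVATE KEY") for label, _ in new_blocks):
        raise ValueError("refusing to copy a private key into trusted.pem")
    known = {fingerprint(d) for label, d in parse_pem(trusted_text) if label == "CERTIFICATE"}
    out = trusted_text.rstrip("\n") + "\n" if trusted_text.strip() else ""
    added = 0
    for label, der in new_blocks:
        if label != "CERTIFICATE" or fingerprint(der) in known:
            continue
        out += to_pem(der)
        known.add(fingerprint(der))
        added += 1
    return out, added


# Constructed placeholders standing in for real files (not valid X.509 data).
SAMPLE_BUNDLE = (
    "Bag Attributes\n    localKeyID: 01\nsubject=CN=placeholder\n"
    + to_pem(b"placeholder private key bytes", "PRIVATE KEY")
    + to_pem(b"placeholder leaf certificate")
    + to_pem(b"placeholder intermediate CA certificate")
)
SAMPLE_EXPORTED_CER = to_pem(b"placeholder leaf certificate")   # the Base-64 .CER export
SAMPLE_TRUSTED = to_pem(b"placeholder existing root certificate")

if __name__ == "__main__":
    print(check_bundle(SAMPLE_BUNDLE))
    merged, added = append_trusted(SAMPLE_TRUSTED, SAMPLE_EXPORTED_CER)
    print(f"added {added} certificate(s); trusted.pem now has {len(parse_pem(merged))} blocks")
    # Real use: read scg.pem / the exported .CER / trusted.pem from disk,
    # e.g. r"C:\Program Files\Parallels\Remote Application Server Client\trusted.pem",
    # and write the returned text back only after check_bundle reports no problems.
```

Deduplicating by fingerprint matters in practice because the Enterprise CA procedure above tells you to replace trusted.pem with a template: running the merge twice, or merging a bundle that already carries the intermediate, must not grow the file or reorder existing entries.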

Securing RDP-UDP Connections

A Parallels Client normally communicates with a RAS Secure Client Gateway over a TCP connection. Recent Windows clients may also use a UDP connection to improve WAN performance. Because TLS runs over TCP, UDP connections are protected with DTLS instead.

To use DTLS on a RAS Secure Client Gateway:

  1. On the SSL/TLS tab page, make sure that the Enable SSL on Port option is selected (default).
  2. On the Network tab page, make sure that the Enable RDP UDP Data Tunneling option is selected (default).

The Parallels Clients must be configured to use the Gateway SSL Mode. This option can be set in the Connections Settings > Connection Mode drop-down list on the client side.

Once the above options are correctly set, the TCP connection is tunneled over TLS and the UDP connection over DTLS.