RAS Secure Client Gateway Overview

You need to install at least one RAS Secure Client Gateway for Parallels RAS to work. You can add additional Gateways to a RAS site to support more users, load-balance connections, and provide redundancy.

Installing a RAS Secure Client Gateway on a dedicated server

If you are installing a RAS Secure Client Gateway on a dedicated server, you can also install the Parallels RAS console on the same server. The console will have limited functionality but will allow you to perform some important management operations on the Gateway, including:

• Setting the Gateway operation mode (normal or forwarding, see below for details).
• Assigning a RAS Publishing Agent that will manage the Gateway.
• Setting the Gateway communication port.
• Viewing the Gateway information, such as host OS version, Parallels RAS version, available IP addresses, and other.

The RAS Console in such an installation scenario (when connected to the local computer, not the RAS farm) will only have two categories that you can select in the left pane: Gateway and Information . To manage the Gateway settings, select Gateway and then click Change Ownership in the right pane. To view the information select the Information category.

When the RAS console is connected to a Parallels RAS farm (i.e. the server where RAS Publishing Agent is running), you can manage RAS Secure Client Gateways by navigating to Farm / <site> / Gateways .

How a RAS Secure Client Gateway works

The following describes how a RAS Secure Client Gateway handles user connection requests:

1. A RAS Secure Client Gateway receives a user connection request.
2. It then forwards the request to the RAS Publishing Agent with which it's registered (the Preferred Publishing Agent setting by default).
3. The RAS Publishing Agent performs load balancing checks and the Active Directory security lookup to obtain security permissions.
4. If the user requesting a published resource has sufficient rights, the RAS Publishing Agent sends a response to the gateway which includes details about the RD Session Host the user can connect to.
5. Depending on the connection mode, the client either connects through the gateway or disconnects from it and then connects directly to the RD Session Host server.

RAS Secure Client Gateway operation modes

RAS Secure Client Gateway can operate in one of the following modes:

• Normal Mode. A RAS Secure Client Gateway in normal mode receives user connection requests and checks with the RAS Publishing Agent if the user making the request is allowed access. Gateways operating in this mode can support a larger number of requests and can be used to improve redundancy.
• Forwarding Mode . A RAS Secure Client Gateway in forwarding mode forwards user connection requests to a preconfigured gateway. Gateways in forwarding mode are useful if cascading firewalls are in use, to separate WAN connections from LAN connections and make it possible to disconnect WAN segments in the event of issues without disrupting the LAN.

Note: To configure the forwarding mode, a Parallels RAS farm must have more than one RAS Secure Client Gateway.

Planning for high availability

When adding RAS Secure Client Gateways to a site, the N+1 redundancy should be configured to ensure uninterrupted service to your users. This is a general rule that also applies to other Parallels RAS components, such as Publishing Agents or RD Sessions Hosts.