Configure SSL Encryption on a Gateway

The traffic between Parallels RAS users and a RAS Secure Client Gateway can be encrypted. The SSL/TLS tab allows you to configure data encryption options.

By default, a self-signed certificate is installed during a RAS Secure Client Gateway installation and TLS v1.0, v1.1, or v1.2 is used. Each RAS Secure Client Gateway has its own certificate, which should be added to Trusted Root Authorities on the client side to avoid security warnings.

To issue a new self-signed certificate:

  1. Select the Enable SSL on Port option and specify a port number (default is 443).
  2. (Optional) Select the SSL version accepted by the RAS Secure Client Gateway from the Accepted SSL Versions drop-down list.
  3. (Optional) Select the Cipher Strength of your choice. The default strength is Custom. The Cipher field specifies the cipher, which is also set to a default value (for the Custom strength, you can change it if needed, following the OpenSSL cipher list format). A stronger cipher allows for stronger encryption, which increases the effort needed to break it.
  4. To generate a new self-signed certificate, click the Generate new certificate button and then enter the required details. Note that you can choose your own certificate expiration date using the Expire in field (the default value is 12 months). When done, click Save to save the details and generate a new self-signed certificate. The Private Key file and Certificate file fields will be populated automatically.
  5. Click OK to save your changes and close the dialog.

Encrypting Parallels Client connection

By default, the only type of connection that is encrypted is a connection between a Gateway and backend servers. To encrypt a connection between Parallels Client and a Gateway, you also need to configure connection properties on the client side. To do so, in Parallels Client, open connection properties and set the connection mode to Gateway SSL.

To simplify the Parallels Client configuration, it is recommended to use a certificate issued either by a third-party Trusted Certificate Authority or by an Enterprise Certificate Authority (CA).

If an Enterprise CA certificate is used, Windows clients receive a Root or Intermediate Enterprise CA certificate from Active Directory. Client devices on other platforms require manual configuration.

If a third-party certificate issued by a well-known Trusted Certificate Authority (e.g. Verisign) is used, the client device already trusts it through the Trusted Certificate Authority updates for its platform.

Using Third-Party Trusted Certificate Authority

  1. In the RAS Console, navigate to Farm > Gateway > Properties and click the SSL/TLS tab.
  2. Select TLS 1.2 as the accepted SSL version.
  3. Choose CSR.
  4. Fill in the data.
  5. Copy and paste the CSR into a text editor and save the file for your records.
  6. Paste the CSR into the third-party vendor's website or email it to the vendor.
  7. Request the returned certificate in Apache format: the private key, the public certificate and the intermediate CA certificate all in one file, with the extension .pem.
  8. When you receive the file, place it in a secure folder for backup retrieval.
  9. Click Import Public Key and navigate to the folder (or navigate to a secondary location where you have a copy of the single all-in-one cert) and insert the .pem file into the Certificate key field.
  10. Click Apply and Test.

Note: The private key should already be populated from your initial CSR request.

Using Enterprise Certificate Authority

Use IIS to obtain a certificate from the Enterprise CA and export the certificate in the PFX format.

Install the PFX certificate on RAS Secure Client Gateway as follows:

  1. Launch the Parallels RAS Console.
  2. Select a RAS Secure Client Gateway, open its properties and switch to the SSL tab.
  3. Click […] next to the Private Key or Public Key field.
  4. Browse for the .pfx file and click OK.
  5. Click Apply.

Note: The trusted.pem file on the Parallels Client side must include the intermediate certificate to be able to verify the certificate from the third-party vendor. If the vendor's intermediate certificate is not in the trusted.pem file, you will have to paste it in manually, or create a trusted.pem template file with the proper intermediate certificates and then replace the old trusted.pem file with the newly updated one. This file resides in Program Files\Parallels or Program Files (x86)\Parallels on the client side.

Enable SSL on Parallels Secure Client Gateway with cert.pem

  1. On the Parallels Client Gateway page, enable Secure Sockets Layer (SSL) and click […] to browse for the .pem file.
  2. Place the single file generated in the Private Key and Public Key fields.
  3. Click Apply to apply the new settings.

Parallels Clients Configuration

If the certificate is self-signed or issued by an Enterprise CA, Parallels Clients should be configured as follows:

  1. Export the certificate in Base-64 encoded X.509 (.CER) format.
  2. Open the exported certificate with a text editor, such as Notepad or WordPad, and copy the contents to the clipboard.

To add the certificate to the list of trusted authorities on the client side and enable Parallels Client to connect over SSL with a certificate issued by an organization's Certificate Authority:

  1. On the client side, in the directory "C:\Program Files\Parallels\Remote Application Server Client\", there should be a file called trusted.pem. This file contains the certificates of common trusted authorities.
  2. Paste the content of the exported certificate into trusted.pem, appended after the existing certificates.
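Two checks a practitioner will want around the file handling described above, as an added example that is not part of Parallels' documentation or software: check_bundle confirms that the all-in-one .pem requested from a third-party CA really carries one private key plus the server and intermediate certificates before it is imported, and merge_trusted appends an exported Base-64 .CER to trusted.pem without duplicating an entry that is already present. Only PEM framing and DER encoding are checked; the PEM bodies below are constructed placeholders, not real certificates or keys.

```python
import base64
import hashlib
import re

# One PEM block: label, base64 body (may be CRLF-wrapped), matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n([A-Za-z0-9+/=\r\n]+?)-----END \1-----")

def parse_pem(text):
    """Return (label, der_bytes) for each block that decodes to a DER SEQUENCE (0x30)."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        try:
            der = base64.b64decode(match.group(2))  # line breaks are ignored
        except ValueError:
            continue  # truncated paste: skip it rather than import garbage
        if der[:1] == b"\x30":  # every X.509 certificate and private key is a SEQUENCE
            blocks.append((match.group(1), der))
    return blocks

def fingerprint(der):
    """SHA-256 over the DER bytes, the same fingerprint certificate viewers display."""
    return hashlib.sha256(der).hexdigest().upper()

def to_pem(der, label="CERTIFICATE"):
    body = base64.b64encode(der).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))  # RFC 7468 wrap
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"

def check_bundle(text):
    """Apache-style all-in-one .pem: exactly one private key, server cert plus an intermediate."""
    labels = [label for label, _ in parse_pem(text)]
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    return keys == 1 and labels.count("CERTIFICATE") >= 2

def merge_trusted(trusted_pem, exported_cer):
    """Append certificates from an exported .CER to trusted.pem; returns (text, number_added)."""
    have = {fingerprint(der) for label, der in parse_pem(trusted_pem) if label == "CERTIFICATE"}
    out = trusted_pem if not trusted_pem or trusted_pem.endswith("\n") else trusted_pem + "\n"
    added = 0
    for label, der in parse_pem(exported_cer):
        if label == "CERTIFICATE" and fingerprint(der) not in have:
            have.add(fingerprint(der))
            out += to_pem(der)
            added += 1
    return out, added

# Constructed placeholders: minimal DER SEQUENCEs, not real certificates or keys.
CONSTRUCTED_CA = to_pem(b"\x30\x03\x02\x01\x01")
CONSTRUCTED_INTERMEDIATE = to_pem(b"\x30\x03\x02\x01\x02")
CONSTRUCTED_BUNDLE = (to_pem(b"\x30\x03\x02\x01\x03", "PRIVATE KEY")
                      + to_pem(b"\x30\x03\x02\x01\x04") + CONSTRUCTED_INTERMEDIATE)
```

Run merge_trusted against the contents of the real trusted.pem and write the returned text back only when the second value is non-zero, so an unchanged file is never rewritten.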

Securing RDP-UDP Connections

A Parallels Client normally communicates with a RAS Secure Client Gateway over a TCP connection. Recent Windows clients may also use a UDP connection to improve WAN performance. To provide SSL protection for UDP connections, DTLS must be used.

To use DTLS on a RAS Secure Client Gateway:

  1. On the SSL/TLS tab, make sure that the Enable SSL on Port option is selected (default).
  2. On the Network tab, make sure that the Enable RDP UDP Data Tunneling option is selected (default).

The Parallels Clients must be configured to use the Gateway SSL Mode. This option can be set in the Connections Settings > Connection Mode drop-down list on the client side.

Once the above options are correctly set, both TCP and UDP connections will be tunneled over SSL.