Enabling SSL Encryption on a RAS Secure Client Gateway

The traffic between the users and the RAS Secure Client Gateway is always encrypted. The SSL/TLS tab page allows you to configure data encryption options. By default, a self-signed certificate is installed during the RAS Secure Client Gateway installation and TLS v1.0, v1.1, or v1.2 is used.

To issue a new self-signed certificate:

1. Select the Enable SSL on Port option and specify a port number (default is 443).
2. (Optional) Select the SSL version accepted by the RAS Secure Client Gateway from the Accepted SSL Versions drop-down list (default is TLS v1 - TLS v1.2).

   The available options are:

   • TLSv1.2 Only (Strong)
   • TLSv1.1-TLSv1.2
   • TLSv1-TLSv1.2
   • SSLv3-TLSv1.2
   • SSLv2-TLSv1.2 (Weak)
3. (Optional) Select the Cipher Strength as the certificate encryption algorithm strength of your choice.
4. Click the Generate new certificate button and enter the required details.

   Note: To enable SSL using a certificate from a trusted authority, follow the procedure below.

5. Click Save to save all the details and generate a new self-signed certificate. The private key file and Certificate file will be automatically populated.
6. Click OK to save the options.

Using a Custom Cipher

Use the Custom Cipher field to specify a custom cipher string of your choice in accordance with the openSSL standards. Cipher strings used by Parallels Remote Application Server are described below:

Low: ALL:!aNULL:!eNULL

Med: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

High:

• Min SSLv2 - ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
• Min SSLv3 - ALL:!SSLv2:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
• Min TLSv1 - ALL:!SSLv2:!SSLv3:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
• Min TLSv1_1 - ALL:!SSLv2:!SSLv3:!TLSv1:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
• Min TLSv1_2 - ALL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH

Note: By default only the connection between the gateway and the servers is encrypted. Change the connection mode to the Gateway SSL Mode from the connection properties on all Parallels Clients to also encrypt the connection between the users and the gateway.

Using a Certificate from a Trusted Authority for SSL

To enable SSL on a RAS Secure Client Gateway using a certificate obtained from a trusted authority, do the following:

1. Click the Generate certificate request button. The Generate New Certificate dialog opens.
2. Fill in the required details and click Save .
3. Once the certificate is ready, a window will pop up with the certificate request information.
4. Click Copy to copy the request, so you can later send it to the certificate authority.
5. Once you receive the SSL certificate from the certificate authority, click the Import public key button on the SSL/TLS tab page.
6. Browse for the certificate file containing the public key and click Open .
7. Click OK to save the settings.

Securing RDP-UDP Connections

A Parallels Client normally communicates with a RAS Secure Client Gateway over a TCP connection. Recent Windows clients may also utilize a UDP connection to improve WAN performance. To provide the SSL protection for UDP connections, DTLS must be used.

To use DTLS on a RAS Secure Client Gateway:

1. On the SSL/TLS tab page, make sure that the Enable SSL on Port option is selected (default).
2. On the Network tab page , make sure that the Enable RDP UDP Data Tunneling option is selected (default).

The Parallels Clients must be configured to use the Gateway SSL Mode . This option can be set in the Connections Settings > Connection Mode drop-down list on the client side.

Once the above options are correctly set, both TCP and UDP connections will be tunneled over SSL.