Gateway Tunneling Policies

Tunneling policies can be used to load balance connections by assigning a group of RD Session Hosts to a specific RAS Secure Client Gateway or RAS Secure Client Gateway IP address.

To configure tunneling policies, navigate to Farm / <Site> / Gateways and then click the Tunneling Policies tab in the right pane.

The <Default> policy is a preconfigured rule and is always the last one. It catches all non-configured gateway IP addresses and load balances the sessions between all servers in the Farm. You can configure the <Default> policy by right-clicking it and then clicking Properties in the context menu.

Adding a New Tunneling Policy

To add a new policy:

Managing a Tunneling Policy

To modify an existing Tunneling Policy, right-click it and then click Properties in the context menu.

Restricting RDP access

You can use tunneling policies to restrict RDP access through the RAS Secure Client Gateway port. To do so, on the Tunneling Policies tab, select the None option at the bottom of the tab (this is the default setting in a new Parallels RAS installation). By doing so, you are restricting native MSTSC from accessing the gateway through its port (the default port is 80). As a result, when someone tries to use MSTSC at IP-address:80, the access will be denied. The same will happen for an RDP connection from a Parallels RAS Client.

There are a couple of reasons why you would want to restrict RDP access. The first one is when you want your users to connect to the RAS Farm using the Parallels RAS connection only, but not RDP. The second reason is to prevent a DDoS attack.

A common indication of a DDoS attack taking place is when your users cannot log in to a RAS Farm for no apparent reason. If that happens, you can look at the Controller.log file (located on the RAS Publishing Agent server, path C:\ProgramData\Parallels\RASLogs) and see that it is full of messages similar to the following:

These messages tell us that a DDoS attack is in progress on the RDP port. By restricting RDP access through gateway tunneling policies, you can prevent this from happening.
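
One way to confirm the restriction from a test machine, as an added example that is not part of the Parallels documentation: the script sends the first packet of an RDP handshake (an X.224 Connection Request) to the gateway port and reports whether an RDP endpoint answers. It assumes that a gateway still tunneling RDP relays the session host's X.224 Connection Confirm and that any other outcome (closed connection, HTTP reply, timeout) means RDP is not being tunneled; the function names are this example's own.

```python
import socket
import struct
import sys


def build_connection_request(protocols: int = 0x03) -> bytes:
    """First packet of an RDP handshake: TPKT + X.224 CR + RDP_NEG_REQ.

    protocols=0x03 offers TLS and CredSSP, as a current MSTSC client does.
    """
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)
    # X.224 header: length indicator, CR code 0xE0, dst-ref, src-ref, class.
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def classify_response(data: bytes) -> str:
    """Return 'rdp-accepted', 'rdp-negotiation-failed' or 'not-rdp'."""
    if len(data) < 7 or data[0] != 0x03:
        return "not-rdp"  # empty read, HTTP text, TLS alert, ...
    if data[5] & 0xF0 != 0xD0:  # not an X.224 Connection Confirm
        return "not-rdp"
    # Optional negotiation block: type 0x02 = response, 0x03 = failure.
    # A failure still proves an RDP endpoint is reachable through the port.
    if len(data) >= 12 and data[11] == 0x03:
        return "rdp-negotiation-failed"
    return "rdp-accepted"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the Connection Request to host:port and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request())
            return classify_response(s.recv(64))
    except OSError:  # refused, reset or timed out
        return "not-rdp"


if __name__ == "__main__" and len(sys.argv) >= 2:
    # Usage: script.py <gateway-address> [port]
    gw_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    result = probe(sys.argv[1], gw_port)
    print(f"{sys.argv[1]}:{gw_port} -> {result}")
    # Exit code 1 when RDP is still reachable through the gateway port.
    sys.exit(0 if result == "not-rdp" else 1)
```

With the None option selected, the expected result is `not-rdp`; either of the other two results means native RDP still reaches a session host through the gateway port.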