Gateway tunneling policiesTunneling policies can be used to load balance connections by assigning a group of RD Session Hosts to a specific RAS Secure Client Gateway or RAS Secure Client Gateway IP address. To configure tunneling policies, navigate to Farm > <Site> > Gateways and then click the Tunneling Policies tab in the right pane. The <Default> policy is a preconfigured rule and is always the last one to catch all non-configured gateway IP addresses and load balance the sessions between all servers in the Farm. You can configure the <Default> policy by right-clicking it and then clicking Properties in the context menu. Adding a new Tunneling Policy To add a new policy:
Managing a Tunneling Policy To modify an existing Tunneling Policy, right-click it and then click Properties in the context menu. Restricting RDP access You can use tunneling policies to restrict RDP accesses through the RAS Secure Client Gateway port. To do so, on the Tunneling Policies tab, select the None option at the bottom of the tab (this is the default setting in a new Parallels RAS installation). By doing so, you are restricting native MSTSC from accessing the gateway through its port (the default port is 80). As a result, when someone tries to use MSTSC at IP-address:80, the access will be denied. Same will happen for an RDP connection from a Parallels Client. There are a couple of reasons why you would want to restrict RDP access. The first one is when you want your users to connect to the RAS Farm using the Parallels RAS connection only, but not RDP. The second reason is to prevent a DDoS attack. A common indication of a DDoS attack taking place is when your users cannot login to a RAS Farm for no apparent reason. If that happens, you can look at the Controller.log file (located on the RAS Publishing Agent server, path C:\ProgramData\Parallels\RASLogs) and see that it is full of messages similar to the following:
These messages tell us that a DDoS attack is in progress on the RDP port. By restricting RDP access through gateway tunneling polices, you can prevent this from happening. |
||||
|