SSL/TLS encryptionThe traffic between Parallels RAS users and a RAS Secure Client Gateway can be encrypted. The SSL/TLS tab allows you to configure data encryption options. Using Site defaults To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site defaults (Gateways). Enforcing HSTS The Configure button in the HSTS section allows you to enforce HTTP Strict Transport Security (HSTS), which is a mechanism that makes a web browser to communicate with the web server using only secure HTTPS connections. When HSTS is enforced for a RAS Secure Client Gateway, all web requests to it will be forced to use HTTPS. This specifically affects the RAS HTML5 Gateway, which can normally accept both HTTP and HTTPS requests. When you click the Configure button, the HSTS Settings dialog opens where you can specify the following:
Note: To use HSTS preload, you have to submit your domain name for inclusion in Chrome's HSTS preload list. Your domain will be hardcoded into all web browser that use the list. Important: Inclusion in the preload list cannot easily be undone. You should only request inclusion if you are sure that you can support HTTPS for your entire Site and all its subdomains in the long term (usually 1-2 years). Please also note the following requirements:
Configuring SSL By default, a self-signed certificate is assigned to a RAS Secure Client Gateway when the gateway is installed. Each RAS Secure Client Gateway must have a certificate assigned and the certificate should be added to Trusted Root Authorities on the client side to avoid security warnings. SSL certificates are created on the Site level using the Farm > Site > Certificates subcategory in the RAS Console. Once a certificate is created, it can be assigned to a RAS Secure Client Gateway. For the information about creating and managing certificates, refer to the SSL Certificate Management chapter. To configure SSL for a gateway:
Encrypting Parallels Client connection By default, the only type of connection that is encrypted is a connection between a gateway and backend servers. To encrypt a connection between Parallels Client and the gateway, you also need to configure connection properties on the client side. To do so, in Parallels Client, open connection properties and set the connection mode to Gateway SSL. To simplify the Parallels Client configuration, it is recommended to use a certificate issued by a well-known third-party Trusted Certificate Authority. Note the Windows certificate store is used by some web browsers (Chrome, Edge etc.) when connecting to the RAS HTML5 Gateway. Parallels Clients configuration In case the certificate is self-signed, or the certificate issued by Enterprise CA, Parallels Clients should be configured as follows:
To add the certificate with the list of trusted authorities on the client side and enable Parallels Client to connect over SSL with a certificate issued from an organization’s Certificate Authority:
Securing RDP-UDP connections A Parallels Client normally communicates with a RAS Secure Client Gateway over a TCP connection. Recent Windows clients may also utilize a UDP connection to improve WAN performance. To provide the SSL protection for UDP connections, DTLS must be used. To use DTLS on a RAS Secure Client Gateway:
The Parallels Clients must be configured to use the Gateway SSL Mode. This option can be set in the Connections Settings > Connection Mode drop-down list on the client side. Once the above options are correctly set, both TCP and UDP connections will be tunneled over SSL. |
||||
|