Client and Server configurations

Encrypting Parallels Client connection

By default, the only type of connection that is encrypted is a connection between a Gateway and backend servers. To encrypt a connection between Parallels Client and the gateway, you also need to configure connection properties on the client side. To do so, in Parallels Client, open connection properties and set the connection mode to Gateway SSL.

To simplify the Parallels Client configuration, it is recommended to use a certificate issued either by a third party Trusted Certificate Authority or Enterprise Certificate Authority (CA). If an Enterprise CA certificate is used, Windows clients receive a Root or Intermediate Enterprise CA certificate from Active Directory. Client devices on other platforms require manual configuration. If a third-party certificate issued by a well-known Trusted Certificate Authority is used, the client device trusts using Trusted Certificate Authority updates for the platform.

Parallels Clients Configuration

In case the certificate is self-signed, or the certificate issued by Enterprise CA, Parallels Clients should be configured as follows:

1. Export the certificate in Base-64 encoded X.509 (.CER) format.
2. Open the exported certificate with a text editor, such as notepad or WordPad, and copy the contents to the clipboard.

To add the certificate with the list of trusted authorities on the client side and enable Parallels Client to connect over SSL with a certificate issued from an organization’s Certificate Authority:

1. On the client side in the directory "C:\Program Files\Parallels\Remote Application Server Client\" there should be a file called trusted.pem. This file contains certificates of common trusted authorities.
2. Paste the content of the exported certificate (attached to the list of the other certificates).

Securing RDP-UDP Connections

A Parallels Client normally communicates with a RAS Secure Client Gateway over a TCP connection. Recent Windows clients may also utilize a UDP connection to improve WAN performance. To provide the SSL protection for UDP connections, DTLS must be used.

To use DTLS on a RAS Secure Client Gateway:

1. In the SSL/TLS category, make sure that the Enable SSL on port option is selected.
2. In the Network category, make sure that the Enable RDP UDP Data Tunneling option is selected.

The Parallels Clients must be configured to use the Gateway SSL mode. This option can be set in the Connections Settings > Connection Mode drop-down list on the client side.

Once the above options are correctly set, both TCP and UDP connections will be tunneled over SSL.

SSL server configuration

When configuring RAS Secure Client Gateway to use SSL encryption, you should pay attention to how the SSL server is configured to avoid possible traps and security issues. Specifically, the following SSL components should be rated to determine how good the configuration is:

• The certificate, which should be valid and trusted.
• The protocol, key exchange, and cipher should be supported.

The assessment may not be easy to perform without specific knowledge about SSL. That's why we suggest that you use the SSL Server Test available from Qualys SSL Labs. This is a free online service that performs an analysis of the configuration of an SSL web server on the public Internet. To perform the test on a RAS Secure Client Gateway, you may need to temporarily move it to the public Internet.

The test is available at the following URL: https://www.ssllabs.com/ssltest/

You can read a paper from Qualys SSL Labs describing the methodology used in the assessment at the following URL: https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide.