Secure Gateway tunneling policies
Tunneling policies can be used to load balance connections by assigning a group of RD Session Hosts to a specific RAS Secure Gateway or RAS Secure Gateway IP address.
To configure tunneling policies, navigate to Farm > <Site> > Secure Gateways and then click the Tunneling Policies tab in the right pane.
The <Default> policy is a preconfigured rule and is always the last one to catch all non-configured Secure Gateway IP addresses and load balance the sessions between all servers in the Farm. You can configure the <Default> policy by right-clicking it and then clicking Properties in the context menu.
Adding a new Tunneling Policy
To add a new policy:
- Click Tasks > Add.
- Select a Secure Gateway IP address.
- Specify to which RD Session Host(s) the users connecting to that specific Secure Gateway should be forwarded. If you select None (no forwarding), read the Restricting RDP access section below.
Managing a Tunneling Policy
To modify an existing Tunneling Policy, right-click it and then click Properties in the context menu.
Restricting RDP access
You can use tunneling policies to restrict RDP access through the RAS Secure Gateway port. To do so, on the Tunneling Policies tab, select the None option at the bottom of the tab (this is the default setting in a new Parallels RAS installation). By doing so, you are restricting native MSTSC from accessing the gateway through its port (the default port is 80). As a result, when someone tries to use MSTSC at IP-address:80, the access will be denied. The same will happen for an RDP connection from a Parallels Client.
There are a couple of reasons why you would want to restrict RDP access. The first one is when you want your users to connect to the RAS Farm using the Parallels RAS connection only, but not RDP. The second reason is to prevent a DDoS attack.
A common indication of a DDoS attack taking place is when your users cannot log in to a RAS Farm for no apparent reason. If that happens, you can look at the Controller.log file (located on the RAS Connection Broker server, path C:\ProgramData\Parallels\RASLogs) and see that it is full of messages similar to the following:
- [I 06/0000003E] Mon May 22 10:37:00 2018 - Native RDP LB Connection from Public IP x.x.x.x, Private IP xxx.xxx.xx.xx, on Secure Gateway xxx.xxx.xx.xx, Using Default Rule
- [I 06/00000372] Mon May 22 10:37:00 2018 - CLIENT_IDLESERVER_REPLY UserName hello@DOMAIN, ClientName , AppName , PeerIP xxx.xxx.xx.xx, Secure GatewayIP xxx.xx.x.xx, Server , Direct , desktop 0
- [I 05/0000000E] Mon May 22 10:37:00 2018 - Maximum amount of sessions reached.
- [I 06/00000034] Mon May 22 10:37:00 2018 - Resource LB User 'hello' No Servers Available!
- [W 06/00000002] Mon May 22 10:37:00 2018 - Request for "" by User hello, Client , Address xxx.xxx.xx.xx, was not served error code 14.
These messages tell us that a DDoS attack is in progress on the RDP port. By restricting RDP access through Secure Gateway tunneling policies, you can prevent this from happening.
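As an added example (not part of the Parallels RAS documentation or product), the following Python script scans a Controller.log excerpt for the pattern described above: bursts of native RDP connections caught by the <Default> rule from a single public IP, alongside the session-exhaustion messages that follow. The embedded log lines are constructed to mirror the format quoted above, with hypothetical timestamps and documentation-range IP addresses; the per-minute threshold is an assumed value to tune for your farm.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt mirroring the Controller.log lines quoted above
# (hypothetical timestamps and documentation-range IPs, not real log data).
SAMPLE_LOG = """\
[I 06/0000003E] Mon May 22 10:37:00 2018 - Native RDP LB Connection from Public IP 203.0.113.5, Private IP 10.0.0.7, on Secure Gateway 10.0.0.2, Using Default Rule
[I 06/0000003E] Mon May 22 10:37:00 2018 - Native RDP LB Connection from Public IP 203.0.113.5, Private IP 10.0.0.7, on Secure Gateway 10.0.0.2, Using Default Rule
[I 06/0000003E] Mon May 22 10:37:01 2018 - Native RDP LB Connection from Public IP 203.0.113.5, Private IP 10.0.0.7, on Secure Gateway 10.0.0.2, Using Default Rule
[I 05/0000000E] Mon May 22 10:37:01 2018 - Maximum amount of sessions reached.
[I 06/00000034] Mon May 22 10:37:01 2018 - Resource LB User 'hello' No Servers Available!
[W 06/00000002] Mon May 22 10:37:01 2018 - Request for "" by User hello, Client , Address 203.0.113.5, was not served error code 14.
[I 06/0000003E] Mon May 22 10:38:10 2018 - Native RDP LB Connection from Public IP 198.51.100.9, Private IP 10.0.0.7, on Secure Gateway 10.0.0.2, Using Default Rule
"""

LINE_RE = re.compile(
    r"^\[(?P<level>[IWE]) [0-9A-F]+/[0-9A-F]+\] "
    r"\w{3} \w{3} \d{1,2} (?P<hhmm>\d{2}:\d{2}):\d{2} \d{4} - (?P<msg>.*)$"
)
NATIVE_RDP_RE = re.compile(r"Native RDP LB Connection from Public IP (?P<ip>[\d.]+)")
EXHAUSTION_MARKERS = ("Maximum amount of sessions reached", "No Servers Available", "error code 14")

def parse_controller_log(text):
    """Yield (HH:MM, level, message); format "[I 06/0000003E] Mon May 22 10:37:00 2018 - msg"."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("hhmm"), m.group("level"), m.group("msg")

def analyse(text, per_minute_threshold=3):
    """Return ({minute: {public_ip: attempts}} at/above threshold, count of capacity-exhaustion messages)."""
    attempts = defaultdict(Counter)
    exhaustion = 0
    for minute, _level, msg in parse_controller_log(text):
        hit = NATIVE_RDP_RE.search(msg)
        if hit:  # native MSTSC/RDP connection caught by the <Default> rule
            attempts[minute][hit.group("ip")] += 1
        elif any(marker in msg for marker in EXHAUSTION_MARKERS):
            exhaustion += 1
    suspects = {}
    for minute, ips in attempts.items():
        flagged = {ip: n for ip, n in ips.items() if n >= per_minute_threshold}
        if flagged:
            suspects[minute] = flagged
    return suspects, exhaustion

if __name__ == "__main__":
    flagged, exhausted = analyse(SAMPLE_LOG)
    print(f"exhaustion messages: {exhausted}; suspect sources per minute: {flagged}")
```

A burst from one public IP through the <Default> rule together with "Maximum amount of sessions reached" is the signature the text describes; selecting None in the tunneling policy stops the native RDP connections from consuming sessions in the first place.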