Parallels RAS 19 Administrator's Guide

Introduction
- Parallels RAS 19 release history
- About Parallels RAS
- About this guide
- What's new
- Terms and abbreviations used in this guide
Installing Parallels RAS
- System requirements
- Install Parallels RAS
- Log in and activate Parallels RAS
Getting Started with Parallels RAS
- The Parallels RAS Console
- Set up a basic Parallels RAS Farm
Farm and Sites
- Connecting to a Parallels RAS Farm
- About Sites
- Sites in the RAS Console
- Adding a Site to the Farm
- Replicating Site settings
- Managing Licensing Site
- Managing administrator accounts
RAS Connection Broker
- Configuring RAS Connection Brokers
- Secondary Connection Brokers
- Managing Secondary Connection Brokers
- Using computer management tools
RAS Secure Gateway
- Overview
- Adding a RAS Secure Gateway
- Manually adding a RAS Secure Gateway
- Checking the RAS Secure Gateway status
- Configuring a RAS Secure Gateway
- Secure Gateway tunneling policies
- Configure logging
- Viewing Secure Gateway summary and metrics
- Using computer management tools
RD Session Hosts
- RD Session Host types
- Add an RD Session Host
  - Installing the agent manually
- Add a template-based RD Session Host
- Manage RD Session Hosts
- Planning for high availability
- Managing logons
- Using computer management tools
- Publishing from an RD Session Host
- Viewing published resources
Virtual Desktop Infrastructure (VDI)
- Supported providers
- Add a provider
- Manage VDI
- Configure logging
- Enabling high availability for VDI
- Site defaults (VDI)
- Using computer management tools
- Viewing Provider summary
- Remote PC pools
Azure Virtual Desktop
- Introduction
- Prerequisites
- Deploy Azure Virtual Desktop
- Manage Azure Virtual Desktop
- Site defaults (Azure Virtual Desktop)
  - Site defaults for single-session hosts
  - Site defaults for multi-session hosts
- Using Parallels Client with Azure Virtual Desktop
- Verify the deployment
Remote PCs
- Overview
- Adding a Remote PC to a Farm
  - Admin-initiated Remote PC enrollment
  - Self-service Remote PC enrollment
- Configuring a Remote PC
- Viewing Remote PC summary
- Using computer management tools
Publishing
- Overview
- Publishing a desktop
- Publishing an application
- Publishing an application with MSIX app attach
- Publishing a web application
- Publishing a network folder
- Publishing a document
- General management tasks
- Manage published applications
- Manage published desktops
- Manage published documents
- Manage folders
- Site defaults (Publishing)
- Using filtering rules
- Configuring preferred routing
- Understanding session prelaunch
- Checking effective access
- Specifying client settings
- Quick keypad
Session Management
- Overview
- Session information
- Monitoring settings
- Managing sessions
- The Resources tab
SSL Certificate Management
- Generating a self-signed certificate
- Generating a certificate signing request (CSR)
- Let's Encrypt certificates
  - Requesting a Let's Encrypt Certificate
  - How Parallels RAS requests certificates from Let's Encrypt
- Importing a certificate
- Exporting a certificate
- Assigning a certificate to Secure Gateways and HALBs
- Auditing certificates
- Permissions to manage certificates
- Upgrading from an older RAS version
Connection and Authentication Settings
- RAS Connection Broker connection settings
- Remote session settings
- Logon hours settings
- Restricting access by Parallels Client type and build number
- Multi-factor authentication
- Allowing users to change domain password
- Allowing users to discover RAS connections via email address
Load Balancing and HALB
- Resource based & round robin load balancing
  - Configure CPU optimization
- High availability load balancing (HALB)
RAS Multi-Tenant Architecture
- Overview
- Architecture description
  - Implementation overview
  - User connection flow
- Deploying Tenant Broker and Tenants
- Managing Tenants
- Shared Gateways
- Third-party network load balancers
- Web Client and Themes
- Monitoring Tenants
- Tenant Broker compatibility and updates
- Upgrading from an older RAS version
- Configuring notifications
- Communication ports
SAML SSO Authentication
- Introduction
- System requirements
- SAML basics
- SAML configuration
- Parallels Client configuration
- Parallels client policy configuration
- Test the SAML SSO deployment
- Error messages
Parallels Web Client and User Portal
- Configure Web Client
- Configure Themes
- Open Parallels Web Client
- Main menu options
- Running remote applications and desktops
- Auto login
- Direct App access
- Using the toolbar
Universal Printing
- Managing Universal Printing settings
- Universal Printing drivers
- Font management
Universal Scanning
- Managing Universal Scanning
- Adding scanning applications
User Device Management and Client Policies
- Inviting users to connect to Parallels RAS
- Mass configuring user devices
- Enabling Help Desk support
- Monitoring devices
  - Getting additional device information
- Windows device groups
- Managing Windows devices
  - Windows desktop replacement
- Scheduling Windows devices & groups power cycles
- Client Policies
- Configuring remote file transfer
Reporting
- System requirements
- Install Microsoft SQL Server
  - Install Microsoft SQL Server 2016 or earlier
  - Install Microsoft SQL Server 2017 or 2019
- Install Parallels RAS Reporting
- Running Parallels RAS reports
- GDPR compliance
Performance Monitor
- Overview
- Install RAS Performance Monitor
- Using Parallels RAS Performance Monitor
- Configure RAS Performance Monitor Security
- Updating RAS Performance Monitor
Common Management Tasks
- Recovery - add a root administrator
- Host name resolution
- Computer management tools
- Site information
- Site settings
- Using MSIX application packages
- Using template versions
- Settings audit
- Upgrading RAS agents
- Licensing
- Configure HTTP proxy settings
- System event notifications
- RAS session variables
- Maintenance and backup
  - Exporting and importing Farm settings from the command line
- Problem reporting and troubleshooting
- Logging
- Suggest a feature
Parallels RAS Management Portal
- Overview
- Prerequisites
- Installation
- Log in to RAS Management Portal
- Configure RAS Web Administration Service
- RAS Management Portal user interface
Parallels RAS APIs
- RAS PowerShell API
- RAS REST API
- RAS Web Client API and Parallels Client URL scheme
Appendix
- Microsoft license requirements in Parallels RAS
- Port reference
- RAS performance counters

SSL/TLS encryption

The traffic between Parallels RAS users and a RAS Secure Gateway can be encrypted. The SSL/TLS tab allows you to configure data encryption options.

Using Site defaults

To use Site default settings, click the Inherit default settings option. To specify your own settings, clear the option. For more info, see Site defaults (Gateways).

Enforcing HSTS

The Configure button in the HSTS section allows you to enforce HTTP Strict Transport Security (HSTS), which is a mechanism that makes a web browser to communicate with the web server using only secure HTTPS connections. When HSTS is enforced for a RAS Secure Gateway, all web requests to it will be forced to use HTTPS. This specifically affects the RAS User Portal, which typically accepts only HTTPS requests for security reasons.

When you click the Configure button, the HSTS Settings dialog opens where you can specify the following:

Enforce HTTP strict transport security (HSTS): Enables or disables HSTS for the Secure Gateway.
Max-age: Specifies the max-age for HSTS, which is the time (in our case in months) that the web browser should remember that it can only communicate with the Secure Gateway using HTTPS. The default (and recommended) value is 12 months. Acceptable values are 4 to 120 months.
Include subdomains: Specifies whether to include subdomains (if you have them).
Preload: Enables or disables HSTS preloading. This is a mechanism whereby a list of hosts that wish to enforce the use of SSL/TLS on their Site is hardcoded into a web browser. The list is compiled by Google and is used by Chrome, Firefox, Safari, Internet Explorer 11, and Edge browsers. When HSTS preload is used, a web browser will not even try to send a request using HTTP, but will use HTTPS every time. Please also read the important note below.

Note: To use HSTS preload, you have to submit your domain name for inclusion in Chrome's HSTS preload list. Your domain will be hardcoded into all web browser that use the list. Important: Inclusion in the preload list cannot easily be undone. You should only request inclusion if you are sure that you can support HTTPS for your entire Site and all its subdomains in the long term (usually 1-2 years).

Please also note the following requirements:

Your website must have a valid SSL certificate. See SSL server configuration.
All subdomains (if any) must be covered in your SSL Certificate. Consider ordering a Wildcard Certificate.

Configuring SSL

By default, a self-signed certificate is assigned to a RAS Secure Gateway when the gateway is installed. Each RAS Secure Gateway must have a certificate assigned and the certificate should be added to Trusted Root Authorities on the client side to avoid security warnings.

SSL certificates are created on the Site level using the Farm > Site > Certificates subcategory in the RAS Console. Once a certificate is created, it can be assigned to a RAS Secure Gateway. For the information about creating and managing certificates, refer to the SSL Certificate Management chapter.

To configure SSL for a Secure Gateway:

Select the Enable SSL on Port option and specify a port number (default is 443).
In the Accepted SSL Versions drop-down list, select the SSL version accepted by the RAS Secure Gateway.
In the Cipher Strength field, select a desired cipher strength.
In the Cipher field, specify the cipher. A stronger cipher allows for stronger encryption, which increases the effort needed to break it.
The Use ciphers according to server preference option is ON by default. You can use client preferences by disabling this option.
In the Certificates drop-down list, select a desired certificate. For the information on how to create a new certificate and make it appear in this list, see the SSL Certificate Management chapter.
The <All matching usage> option will use any certificate configured to be used by Secure Gateways. When you create a certificate, you specify the "Usage" property where you can select "Gateway", "HALB", or both. If this property has the "Gateway" option selected, it can be used with a Secure Gateway. Please note that if you select this option, but not a single certificate matching it exists, you will see a warning and will have to create a certificate first.

Encrypting Parallels Client connection

By default, the only type of connection that is encrypted is a connection between a Secure Gateway and backend servers. To encrypt a connection between Parallels Client and the Secure Gateway, you also need to configure connection properties on the client side. To do so, in Parallels Client, open connection properties and set the connection mode to Gateway SSL.

To simplify the Parallels Client configuration, it is recommended to use a certificate issued by a well-known third-party Trusted Certificate Authority. Note the Windows certificate store is used by some web browsers (Chrome, Edge etc.) when connecting to RAS User Portal.

Parallels Clients configuration

In case the certificate is self-signed, or the certificate issued by Enterprise CA, Parallels Clients should be configured as follows:

Export the certificate in Base-64 encoded X.509 (.CER) format.
Open the exported certificate with a text editor, such as notepad or WordPad, and copy the contents to the clipboard.

To add the certificate with the list of trusted authorities on the client side and enable Parallels Client to connect over SSL with a certificate issued from an organization’s Certificate Authority:

On the client side in the directory "C:\Program Files\Parallels\Remote Application Server Client\" there should be a file called trusted.pem. This file contains certificates of common trusted authorities.
Paste the content of the exported certificate (attached to the list of the other certificates).

Securing RDP-UDP connections

A Parallels Client normally communicates with a RAS Secure Gateway over a TCP connection. Recent Windows clients may also utilize a UDP connection to improve WAN performance. To provide the SSL protection for UDP connections, DTLS must be used.

To use DTLS on a RAS Secure Gateway:

On the SSL/TLS tab, make sure that the Enable SSL on Port option is selected.
On the Network tab, make sure that the Enable RDP UDP Data Tunneling option is selected.

The Parallels Clients must be configured to use the Gateway SSL Mode. This option can be set in the Connections Settings > Connection Mode drop-down list on the client side.

Once the above options are correctly set, both TCP and UDP connections will be tunneled over SSL.

Was this topic helpful?

Yes No

Gateway network options

SSL server configuration