Parallels Remote Application Server - 17 Administrator’s Guide

Parallels Remote Application Server

Administrator's Guide

v17

Parallels International GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 672 20 30 www.parallels.com

This product is protected by United States and international copyright laws. The product’s underlying technology, patents, and trademarks are listed at http://www.parallels.com/about/legal/.

Microsoft, Windows, Windows Server, Windows Vista are registered trademarks of Microsoft Corporation. Apple, Mac, the Mac logo, OS X, macOS, iPad, iPhone, iPod touch are trademarks of Apple Inc., registered in the US and other countries. Linux is a registered trademark of Linus Torvalds. All other marks and names mentioned herein may be trademarks of their respective owners.

Contents

Introduction ............................................................................................................. 13

About Parallels RAS ...................................................................................................... 13

About This Guide .......................................................................................................... 14

Terms and Abbreviations Used in This Guide ................................................................. 14

Installing Parallels RAS ........................................................................................... 17

System Requirements ................................................................................................... 17

Hardware Requirements ........................................................................................................ 17

Software Requirements ......................................................................................................... 18

Changes in Parallels RAS v17 ................................................................................................ 20

Install Parallels RAS ....................................................................................................... 21

Getting Started with Parallels RAS ......................................................................... 25

The Parallels RAS Console ............................................................................................ 25

Set Up a Basic Parallels RAS Farm ................................................................................ 27

Add an RD Session Host ....................................................................................................... 28

Publish Applications .............................................................................................................. 30

Invite Users ............................................................................................................................ 31

Conclusion ............................................................................................................................ 35

Parallels RAS Farm and Sites ................................................................................. 36

Connecting to a Parallels RAS Farm .............................................................................. 36

About Sites ................................................................................................................... 38

Sites in the RAS Console ............................................................................................... 39

Adding a Site to the Farm .............................................................................................. 41

Replicating Site Settings ................................................................................................ 42

Managing the Licensing Site .......................................................................................... 43

Managing Administrator Accounts ................................................................................. 44

Adding an Administrator Account .......................................................................................... 44

Administrator Account Permissions ....................................................................................... 45

Managing Administrator Accounts ......................................................................................... 47

Configure RAS Console Idle Sessions ................................................................................... 49

Contents

Using Instant Messaging for Administrators ........................................................................... 49

Joining Customer Experience Program ................................................................................. 50

RAS Publishing Agent ............................................................................................. 51

Configuring RAS Publishing Agents ............................................................................... 51

Secondary Publishing Agents ........................................................................................ 53

Managing Secondary Publishing Agents ........................................................................ 55

Using Computer Management Tools .............................................................................. 57

RAS Secure Client Gateway .................................................................................... 58

RAS Secure Client Gateway Overview ........................................................................... 58

Adding a RAS Secure Client Gateway ............................................................................ 60

Manually Adding a RAS Secure Client Gateway ............................................................. 60

Checking the RAS Secure Client Gateway Status .......................................................... 61

Configuring RAS Secure Client Gateway ........................................................................ 61

Enable or Disable a Gateway ................................................................................................. 61

Gateway Mode, Forwarding Settings, HSTS.......................................................................... 61

Set IP Address for Incoming Connections ............................................................................. 63

Configure RAS Secure Client Gateway Network Options ....................................................... 63

Configure SSL Encryption on a Gateway ............................................................................... 64

Assessing SSL Server Configuration...................................................................................... 67

Configure HTML5 Connectivity .............................................................................................. 67

Enable Support for Wyse Thin Client OS ............................................................................... 69

Filter Access to a RAS Secure Client Gateway ...................................................................... 70

Specifying a URL for Web Requests ...................................................................................... 70

Configure Logging ................................................................................................................. 71

Gateway Tunneling Policies ........................................................................................... 71

Viewing Gateway Summary and Metrics ........................................................................ 72

Using Computer Management Tools .............................................................................. 72

RD Session Hosts .................................................................................................... 73

RD Session Host Types ................................................................................................. 73

Adding an RD Session Host .......................................................................................... 74

Installing the Agent Manually ................................................................................................. 75

Planning for High Availability .......................................................................................... 77

Viewing RD Session Hosts ............................................................................................ 77

Configuring an RD Session Host .................................................................................... 78

Check RAS RD Session Host Agent Status ........................................................................... 78

Change RD Session Host Site Assignment ............................................................................ 79

View and Modify RD Session Host Properties ....................................................................... 79

Configure Logging ................................................................................................................. 84

Grouping and Cloning RD Session Hosts ....................................................................... 84

Using Scheduler ............................................................................................................ 88

Managing RDSH Sessions ............................................................................................. 90

Managing Logons ......................................................................................................... 93

Using Computer Management Tools .............................................................................. 94

Publishing from an RD Session Host .............................................................................. 94

Publishing a Desktop from an RD Session Host .................................................................... 94

Contents

Publishing an Application from an RD Session Host .............................................................. 95

Publishing a Web Application from an RD Session Host ........................................................ 97

Publishing a Network Folder from an RD Session Host ......................................................... 97

Publishing a Document from an RD Session Host ................................................................. 98

Publishing Containerized Applications ............................................................................ 99

Publishing App-V Applications ............................................................................................... 99

Publishing Turbo.net Applications ........................................................................................ 100

Viewing Published Resources Hosted by RD Session Hosts ......................................... 103

VDI and Virtual Desktops ...................................................................................... 105

Supported Hypervisors ................................................................................................ 105

RAS VDI Agent Information .......................................................................................... 106

RAS VDI Agent Installation Options .............................................................................. 106

Add a VDI Host ........................................................................................................... 108

Installing RAS VDI Agent Manually ....................................................................................... 110

Checking the RAS VDI Agent Status ................................................................................... 111

Contents

Modifying VDI Host Configuration ................................................................................ 111

Change VDI Host Site Assignment ............................................................................... 114

Site Defaults ................................................................................................................ 115

Viewing Guest VMs on a VDI Host ............................................................................... 116

RAS Templates ........................................................................................................... 117

Template Types and Guest OS Requirements ..................................................................... 118

Creating a RAS Template .................................................................................................... 119

How Guest VMs Are Created From a Template ................................................................... 126

Manually Adding a Guest VM............................................................................................... 126

RAS Template Maintenance ................................................................................................ 127

VDI Host Pool Management ........................................................................................ 130

Adding and Deleting Pools .................................................................................................. 130

Adding and Deleting Pool Members .................................................................................... 130

Using a Wildcard to Filter VMs ............................................................................................. 131

Managing Guest VMs .................................................................................................. 131

Persistent Guest VMs .................................................................................................. 134

Using Computer Management Tools ............................................................................ 135

Publishing from a Guest VM ........................................................................................ 135

Publishing a Desktop from a Guest VM ............................................................................... 135

Publishing an Application from a Guest VM ......................................................................... 136

Publishing a Web Application from a Guest VM ................................................................... 137

Publishing a Network Folder from a Guest VM .................................................................... 137

Publishing a Document from a Guest VM ............................................................................ 138

Viewing VDI Host Summary ......................................................................................... 139

Managing VDI Sessions ............................................................................................... 139

Remote PC Pools........................................................................................................ 142

Adding a VDI Host ............................................................................................................... 142

Configuring the VDI Host ..................................................................................................... 143

Adding Remote PCs to a Pool ............................................................................................. 144

Managing Remote PCs in a Pool ......................................................................................... 145

Persistent Remote PCs ....................................................................................................... 146

RAS Guest Agent Installation Options.................................................................................. 146

Publishing From a Pool-Based Remote PC ......................................................................... 147

Contents

Remote PCs ........................................................................................................... 148

Adding a Remote PC .................................................................................................. 148

Installing Remote PC Agent Manually ........................................................................... 149

Configuring a Remote PC ............................................................................................ 150

Viewing Remote PC Summary ..................................................................................... 152

Using Computer Management Tools ............................................................................ 152

Publishing from a Remote PC ...................................................................................... 152

Publishing a Desktop from a Remote PC ............................................................................. 153

Publishing an Application from a Remote PC ...................................................................... 153

Publishing a Web Application from a Remote PC ................................................................ 154

Publishing a Network Folder from a Remote PC .................................................................. 154

Publishing a Document from a Remote PC ......................................................................... 155

Managing Published Resources ........................................................................... 156

General Management Tasks ........................................................................................ 156

Manage Published Applications ................................................................................... 158

Manage Published Desktops ....................................................................................... 161

Manage Published Documents .................................................................................... 162

Manage Folders .......................................................................................................... 165

Using Filtering Rules .................................................................................................... 166

Checking Effective Access........................................................................................... 169

Specifying Client Settings ............................................................................................ 171

Quick Keypad ............................................................................................................. 172

Connection and Authentication Settings .............................................................. 174

RAS Publishing Agent Connection Settings .................................................................. 174

Remote Session Settings ............................................................................................ 176

Restricting Access by Parallels Client Type and Build Number ...................................... 177

Second Level Authentication ....................................................................................... 177

Using RADIUS ..................................................................................................................... 178

Using Deepnet ..................................................................................................................... 181

Using SafeNet ..................................................................................................................... 195

Using Google Authenticator ................................................................................................. 196

Configuring Exclusion Rules ................................................................................................ 197

Contents

Parallels HTML5 Client .......................................................................................... 199

Configure HTML5 Connectivity .................................................................................... 199

Configure Themes ....................................................................................................... 200

Common Theme Settings .................................................................................................... 200

HTML5 Client Theme Settings ............................................................................................. 201

Parallels Client for Windows Theme Settings ....................................................................... 203

General Theme Tasks .......................................................................................................... 204

Create Branded Windows Client for Mass Distribution ......................................................... 204

Delegating Session Management Permissions .................................................................... 205

Open Parallels HTML5 Client ....................................................................................... 206

Main Menu Options ..................................................................................................... 208

Launching Remote Applications and Desktops ............................................................ 209

Using the Toolbar ........................................................................................................ 211

Using the Toolbar on Desktop Computers........................................................................... 211

Using the Toolbar on Mobile Devices................................................................................... 213

Using the Remote Clipboard ............................................................................................... 214

Hiding Toolbar Items ........................................................................................................... 215

HTML5 Gateway API ................................................................................................... 216

Load Balancing ...................................................................................................... 218

Resource Based & Round Robin Load Balancing ......................................................... 218

Load Balancing Advanced Settings ............................................................................. 219

High Availability Load Balancing ................................................................................... 220

Deploying a Parallels HALB Appliance ................................................................................. 220

Configuring HALB in the RAS Console ................................................................................ 222

Changing HALB Appliance Password.................................................................................. 223

Contents

Universal Printing .................................................................................................. 225

Managing Universal Printing Settings ........................................................................... 225

Universal Printing Drivers ............................................................................................. 226

Font Management ....................................................................................................... 227

Universal Scanning ................................................................................................ 229

Managing Universal Scanning ...................................................................................... 229

Managing Scanning Applications ................................................................................. 230

User Device Management ..................................................................................... 231

Inviting Users to Connect to Parallels RAS ................................................................... 231

Mass Configuring User Devices ................................................................................... 231

Enabling Help Desk Support ........................................................................................ 233

Monitoring Devices ...................................................................................................... 233

Windows Device Groups ............................................................................................. 235

Managing Windows Devices ........................................................................................ 236

Windows Desktop Replacement.......................................................................................... 240

Scheduling Windows Devices & Groups Power Cycles ................................................. 243

Client Policies .............................................................................................................. 244

Add a New Client Policy ...................................................................................................... 245

Configure Session Settings .................................................................................................. 246

Configure Client Policy Options ........................................................................................... 257

Configure Control Settings .................................................................................................. 260

Configure Gateway Redirection ........................................................................................... 261

Client Policy Backward Compatibility ................................................................................... 262

Enabling or Disabling Remote File Transfer ................................................................... 262

Server Level ......................................................................................................................... 263

HTML5 Gateway Level ........................................................................................................ 263

Client Policy Level ................................................................................................................ 264

Parallels RAS Reporting ........................................................................................ 265

Installing Parallels RAS Reporting ................................................................................. 265

Advanced Settings .............................................................................................................. 268

Contents

Viewing Reports .......................................................................................................... 268

GDPR Compliance ...................................................................................................... 270

Parallels RAS Performance Monitor ..................................................................... 272

Overview ..................................................................................................................... 272

Installing Parallels RAS Performance Monitor ............................................................... 273

Using Parallels RAS Performance Monitor .................................................................... 273

Configuring Performance Monitor Security ................................................................... 277

Common Management Tasks ............................................................................... 279

Recovery - Add a Root Administrator ........................................................................... 279

Computer Management Tools ..................................................................................... 280

Site Information ........................................................................................................... 282

Site Settings ................................................................................................................ 282

Settings Audit ............................................................................................................. 284

Upgrading RAS Agents ............................................................................................... 286

Licensing .................................................................................................................... 287

Configure HTTP Proxy Settings ................................................................................... 288

Configuring Notifications .............................................................................................. 288

Configuring Notification Handlers......................................................................................... 289

Configuring Notification Scripts............................................................................................ 291

Configuring SMTP Server Connection for Event Notifications .............................................. 293

RAS Session Variables ................................................................................................ 294

Maintenance and Backup ............................................................................................ 295

Exporting and Importing Farm Settings via Command Line ................................................. 296

Contents

Problem Reporting and Troubleshooting ...................................................................... 297

Logging ...................................................................................................................... 299

Suggest a Feature ....................................................................................................... 300

RAS Web Admin Console...................................................................................... 301

Overview ..................................................................................................................... 301

Prerequisites ............................................................................................................... 302

Installation ................................................................................................................... 303

Permissions ................................................................................................................ 303

Opening the Web Console........................................................................................... 304

The User Menu ........................................................................................................... 304

The Site Page ............................................................................................................. 305

Managing RD Session Hosts ....................................................................................... 306

Server Info ........................................................................................................................... 308

Active Sessions ................................................................................................................... 309

Running Processes ............................................................................................................. 310

Managing VDI Hosts .................................................................................................... 311

VDI Host Info and Actions .................................................................................................... 312

Virtual Desktops .................................................................................................................. 313

Managing Sessions ..................................................................................................... 315

Configuring RAS Web Service ..................................................................................... 316

Give Us a Feedback .................................................................................................... 317

Parallels RAS APIs ................................................................................................. 318

RAS PowerShell API .................................................................................................... 318

RAS REST API ............................................................................................................ 320

Installation ........................................................................................................................... 320

Permissions ......................................................................................................................... 320

Getting Started .................................................................................................................... 320

Logging in and Sending Requests ....................................................................................... 321

Configuring RAS Web Service ............................................................................................. 323

Where to Get More Information ........................................................................................... 324

RAS HTML5 Gateway API and Parallels Client URL Scheme ........................................ 325

Appendix ................................................................................................................ 326

Port Reference ............................................................................................................ 326

Parallels Client ..................................................................................................................... 326

Contents

Web Browsers ..................................................................................................................... 327

RAS Secure Client Gateway ................................................................................................ 327

RAS Publishing Agent ......................................................................................................... 328

RAS Console ....................................................................................................................... 329

RAS Agents: RD Session Host, VDI, Guest, Remote PC ..................................................... 330

HALB .................................................................................................................................. 330

Common Communication Ports .......................................................................................... 331

Active Directory and Domain Services Ports ........................................................................ 331

RAS Performance Counters......................................................................................... 331

Index ...................................................................................................................... 334

C HAPTER 1

Introduction

Welcome to Parallels Remote Application Server (Parallels RAS), an integrated solution to virtualize your applications, desktops and data. Parallels RAS publishes applications and delivers remote and virtual desktops to any device on your network, anywhere.

In This Chapter

About Parallels RAS ............................................................................................... 13

About This Guide ................................................................................................... 14

Terms and Abbreviations Used in This Guide .......................................................... 14

About Parallels RAS

Parallels RAS provides vendor independent virtual desktop and application delivery from a single platform. Accessible from anywhere with platform-specific clients and web enabled solutions, like the Parallels RAS HTML5 Gateway, Parallels RAS allows you to publish remote desktops, applications and documents, improving desktop manageability, security and performance.

Parallels RAS extends Windows Remote Desktop Services by using a customized shell and virtual channel extensions over the Microsoft RDP protocol. It supports all major hypervisors from Microsoft, VMware, and other vendors enabling the publishing of virtual desktops and applications to Parallels Client.

The product includes powerful universal printing and scanning functionality, as well as resourcebased load balancing and management features.

With Parallels Client Manager Module for Parallels RAS you can also centrally manage user connections and PCs converted into thin clients using the free Parallels Client.

How does it work?

When a user requests an application or a desktop, Parallels RAS finds a least loaded RD Session Host or a guest VM on one of the least loaded VDI hosts and establishes an RDP connection with it. Using Microsoft RDP protocol, the requested application or desktop is presented to the user.

Users can connect to Parallels RAS using Parallels Client (available at no charge), which can run on Windows, Linux, macOS, Android, Chrome, and iOS. Users can also connect via an HTML5 browser or Chromebook.

Introduction

As newer versions of Windows keep on being developed as time goes by, you need to defend the migration cost to your business. Parallels RAS can help. Desktop replacement allows you to extend the lifespan of your hardware and delay migration to the latest OSs to a time that suits you best. The Parallels RAS solution allows you to be very flexible: you can lock machine configurations on the user side, placing your corporate data in an extremely secure position; or you can opt to allow users to run some local and remote applications. Parallels Client Desktop Replacement is able to reduce the operability of the local machine by disabling the most common local configuration options, while guaranteeing the same level of service and security afforded by thin clients, directly from your existing PCs.

About This Guide

This guide is intended for system administrators responsible for installing, configuring, and administering Parallels RAS. This guide assumes that the reader is familiar with Microsoft Remote Desktop Services and has an intermediate networking knowledge.

Terms and Abbreviations Used in This Guide

Term/Abbreviation Description

Parallels RAS Console.

RAS Console

Installing Parallels RAS

This chapter describes how to install and activate Parallels RAS.

In This Chapter

System Requirements ............................................................................................ 17

Install Parallels RAS ................................................................................................ 21

System Requirements

Before installing Parallels RAS, please verify that your hardware and software meet or exceed hardware and software requirements described below. Please note that although Parallels RAS can be used in Workgroup environment, Parallels recommends using Active Directory to manage users, groups, and machine accounts via group polices.

Hardware Requirements

Parallels RAS is extensively tested on both physical and virtual platforms. The minimum hardware requirements approved to run Parallels RAS are outlined below.

• Physical Machines – Dual Core Processor and a minimum of 4GB RAM.

• Virtual Machines – Two Virtual Processors and a minimum of 4GB of RAM.

The server hardware requirements to install and configure Parallels RAS can vary according to enduser requirements.

Typically for an installation of 30 users or under, Parallels RAS can be installed on one high specification server and the resources published directly from it. For more than 30 users, multiple servers may be required.

The below should be considered during the planning stage of a Parallels RAS deployment:

• High specification servers should be used, consisting of multiple CPU cores, a high

specification disk transfer rate and plenty of RAM.

• A hypervisor-based virtual machine can be used as long as the resources needed to serve end-

users are calculated accordingly.

Installing Parallels RAS

• It is recommended that RD Session Hosts do not exceed 50 users per RD Session Host in

usage.

• It is recommended that RAS Secure Client Gateway does not exceed 1000 users per server for

incoming connections using the Gateway SSL mode.

• When planning VDI Hypervisor resource requirements, extra requirements such as RAM usage

per virtual machine and disk space should be taken into account.

For port requirements, please see the Port Reference section (p. 326).

Software Requirements

RAS Publishing Agent and RAS Secure Client Gateway (64-bit versions only)

RAS Publishing Agent and RAS Secure Client Gateway are supported on the following operating systems:

• Windows Server 2008

• Windows Server 2008 R2

• Windows Server 2012

• Windows Server 2012 R2

• Windows Server 2016. Both Server Core and Desktop Experience installations are supported.

• Windows Server 2019. Both Server Core and Desktop Experience installations are supported.

Note: RAS Publishing Agent and RAS Secure Client Gateway should NOT be installed on a domain controller or any other machine where a DHCP server is running. This in general applies to any of the RAS components.

RAS Web Administration Service

Must be installed on the server where RAS Publishing Agent is running.

Before installing RAS Web Admin Service, make sure that your Windows server has the following updates installed:

• Windows Server 2008 R2: — KB2999226 and KB2533623

• Windows Server 2012 R2 — KB2999226

Newer versions of Windows Server do not require any specific updates.

RAS RD Session Host Agent

RAS RD Session Host Agent is supported on the following operating systems:

• Windows Server 2008

Installing Parallels RAS

• Windows Server 2008 R2

• Windows Server 2012

• Windows Server 2012 R2. Note that Server Core installation option is NOT supported.

• Windows Server 2016 and newer must be installed using the "Desktop Experience" installation

option.

RAS VDI Agent

RAS VDI Agent is supported on the following operating systems:

• Windows Server 2008

• Windows Server 2008 R2

• Windows Server 2012

• Windows Server 2012 R2

• Windows Server 2016

• Windows Server 2019

VMware, Nutanix, and Citrix Hypervisor can use Windows-based RAS VDI agent either integrated into RAS Publishing Agent or installed separately on Windows Server 2012 R2 and Windows Server

2016.

RAS VDI Agent can also be installed as a virtual appliance (OVA or VMDK), which can be downloaded from the Parallels website. For installation instructions and requirements, please see the corresponding hypervisor documentation. For the list of supported hypervisors, see RAS VDI

Agent Installation Options (p. 106).

RAS Guest Agent

• Windows 7 and newer

• Windows Server 2008 R2 and newer

Remote PC Agent

• Windows 7 and newer

• Windows Server 2008 R2 and newer

Parallels RAS PowerShell

Windows Server 2008 with Service Pack 2 and newer. Windows Management Framework 3.0 and .NET Framework 4.5.2 must also be installed.

Installing Parallels RAS

Parallels RAS Console

• Windows Server 2008 R2 and newer

• Windows 7 and newer

RAS HTML5 Gateway

• Windows Server 2008 R2 and newer. Note that RAS HTML5 Gateway will NOT work with

Windows Server 2008 (plain, not R2).

Parallels Client

Parallels Client is approved for the following operating systems (both 32-bit and 64-bit systems are supported, where applicable):

• Windows 7, 8.x, 10

• Windows Server 2008 R2 and newer

• Windows Embedded

• macOS 10.11 and newer

• iOS 9.0 and newer

• Android 4.4 and newer

• Chrome OS

Parallels Client for Linux supports the following Linux distributions (x64 versions only):

• Ubuntu 16.04

• Ubuntu 18.04

• Linux Mint 19

• Debian 9.5.0

• Fedora 28

• CentOS 7.5

Changes in Parallels RAS v17

Please note that beginning with Parallels RAS v17, some of the versions of Parallels RAS components and some operating system versions are no longer officially supported.

The following is a quick summary of the deprecated components and operating systems:

• 32-bit RAS Secure Client Gateway

• 32-bit RAS Publishing Agent

Installing Parallels RAS

• 32-bit Parallels Client for Linux

• Parallels RAS Web Portal

• Windows Server 2003 as a platform for publishing from RD Session Hosts

• Parallels RAS Console is no longer supported on Windows Vista and Windows Server 2008

• Parallels Client for Linux is no longer supported on ARM and Raspberry Pi

• Parallels Client for Windows is no longer supported on Windows Server 2003

Install Parallels RAS

To install Parallels RAS:

1 Make sure you have administrative privileges on the computer where you are installing Parallels

RAS.

2 Double click the RASInstaller.msi file to launch the Parallels RAS installation wizard.

Note: If you see a message that begins with "This version of Parallels RAS is only for testing purposes.", it means that it's not an official build and should NOT be used in a production environment.

3 Follow the instructions and proceed to the Select Installation Type page. Select from the

following:

• Parallels Remote Application Server. The default installation that will install all necessary

components for a fully functional Parallels RAS farm on the same machine.

• Custom. Select and install only the components that you require. You can select individual

components after you click Next. Note that if a component cannot be installed on the current server, it will not be available for installation. See Software Requirements.

4 Click Next. 5 Review the notice on the Important Notice wizard page. If there's a port conflict on your

computer, the information will be displayed here. You can resolve the conflict later.

6 Click Next. 7 On the Firewall Settings page, select Automatically add firewall rules to configure the

firewall on this computer for Parallels RAS to work properly. See Port Reference (p. 326) for details.

8 Click Next and then click Install. Wait for the installation to finish and click Finish.

When you need to install a particular Parallels RAS component on a different server, run the installation wizard again, select Custom and choose the component(s) you wish to install.

Log In and Activate Parallels RAS

After you've installed Parallels RAS, run the RAS Console and activate your new Parallels RAS farm.

Installing Parallels RAS

Start the Parallels RAS Console

By default, the Parallels RAS Console is launched automatically after you click Finish on the last page of the installation wizard. To launch the console manually, navigate to Start > Apps > Parallels and click on Parallels Remote Application Server Console.

When the Parallels RAS Console is launched for the first time, you are presented with the login dialog. In the dialog, specify the following:

• Farm: A Parallels RAS farm to connect to. Enter the FQDN or IP address of the server where

you have RAS Publishing Agent installed.

• If you've installed the Parallels Single Sign-On component when installing the RAS Console, you

will see the Authentication type field from which you can select whether to log on using your credentials or SSO. If you reboot after the installation and select SSO, select Single Sign-On and then click Connect. Your Windows credentials will be used to log in to the RAS farm. If you select Credentials, enter your credentials as described below.

• Username: A user account with administrative privileges on the server where Parallels RAS is

installed (usually a domain or local administrator). The account name must be specified using the UPN format (e.g. administrator@domain.local). The specified user will be automatically configured as the Parallels RAS administrator with full access rights.

• Password: The specified user account password.

• If you select the Remember credentials option, this dialog will not be shown the next time you

launch the Parallels RAS Console.

The Edit Connections button opens a dialog where you can manage your RAS connection. This dialog becomes useful if this is not the first time you are connecting to one or more of your RAS farms. The left pane of the dialog displays RAS farms to which previously connected (you can remove a farm from the list by clicking the [-] icon if you no longer need it). The right pane displays at least the master Publishing Agent for the selected farm. If you've added a secondary Publishing Agents to a farm, you can add it to this list by clicking the [+] icon and typing its hostname or IP address (click the "recycle" icon to verify the agent status). This way the RAS Console will try to connect to the master Publishing Agent first and if it fails (e.g. the agent is offline or cannot be reached), it will try to connect to the secondary Publishing Agent. For more information about secondary Publishing Agents, please see Parallels RAS Publishing Agents chapter (p. 51).

When you are done entering the connection information, click the Connect button to connect to the Parallels RAS farm.

To activate Parallels RAS, you must register for a Parallels business account. After you logged in to Parallels RAS, you'll see the Sign In to Parallels My Account dialog. If you already have an account, type the email address and password you used to register the account and click Sign In.

Installing Parallels RAS

Note: If you use an HTTP proxy server on your network, you will see a dialog asking you to configure the proxy server connection settings. Click the Configure Proxy button. In the dialog that opens, select one of the following: Use system proxy settings (the default proxy settings from the Internet Explorer will be used) or Manual HTTP proxy configuration (specify the settings manually). If your proxy configuration changes, you can re-configure it later by navigating to Administration > Settings and clicking the Configure Proxy button.

If you don't have a Parallels business account, you can register for one as follows:

1 In the Sign In to Parallels My Account dialog, click Register. The Register Parallels My

Account dialog opens.

If you have an existing 2X Remote Application Server license and are upgrading to the new Parallels RAS, the Register Parallels My Account dialog will be prefilled with the information from your existing license. If you don't have an existing license (or if you've installed Parallels RAS on a new server), you need to fill in the registration information as described in the next step.

2 Enter your name and email address, choose and type a password, and enter your company

info (all fields are required).

3 Click Register to register an account. This will create a personal account for yourself and a

business account for your organization to which you will be assigned as administrator.

Activate Parallels RAS

After you sign in to Parallels My Account, the Activate Product dialog opens asking you to activate the Parallels RAS farm.

If you already have a Parallels RAS license key, select the Activate using license key option and enter the key in the field provided. You can click the button next to the field to see the list of subscriptions and/or permanent license keys you have registered in Parallels My Account. If the list is empty, it means that you don't have any subscriptions or license keys and need to purchase one first.

Note: You can manage your Parallels RAS license using the Licensing category in the Parallels RAS console. The management tasks include viewing the license information, switching to a different Parallels My Account, and activating the Parallels RAS farm using a different license key. For more information, please see the Licensing section (p. 287).

If you don't have a Parallels RAS license key, you have the following options:

• Purchase a subscription online by clicking the Purchase a license link.

• Activate Parallels RAS as a trial by selecting the Activate trial version option.

After entering a license key (or selecting to activate a trial version), click Activate. You should see a message that the Parallels RAS farm was activated successfully. Click OK to close the message box.

Installing Parallels RAS

The first dialog that you see informs you that you have no servers configured that can be used to host published resources. This means that to begin using Parallels RAS, you need at least one RD Session Host, VDI host, or a Remote PC configured. We'll talk about configuring a Parallels RAS farm in the next chapter. For now, click OK to close the message box. You will then see the

Applying Settings dialog. Wait for the initial configuration of Parallels RAS to complete and click OK. You will now see the main Parallels RAS Console window where you can begin configuring the

Parallels RAS farm.

Read on to learn how to quickly add an RD Session Host, publish resources, and invite your users to Parallels RAS.

C HAPTER 3

Getting Started with Parallels RAS

This chapter will help you get started with Parallels RAS. Read it to learn how to use the Parallels RAS Console and how to set up a simple RAS environment.

In This Chapter

The Parallels RAS Console ..................................................................................... 25

Set Up a Basic Parallels RAS Farm ......................................................................... 27

The Parallels RAS Console

The Parallels RAS Console is a Windows application used to configure and administer a Parallels RAS farm.

To open the Parallels RAS Console, navigate to Apps > Parallels and click Parallels Remote Application Server Console. Note that you can open multiple instances of the Parallels RAS Console on the same computer if you want to manage more than one farm or site simultaneously without switching between them inside the console. This works with a locally installed Parallels RAS Console and when you run it as a remote application from Parallels Client.

Information: In addition to Parallels RAS Console, Parallels RAS v17 introduces an all new Parallels RAS Web Admin Console, an HTML5 browser-based application that lets you manage Parallels RAS. In the initial RAS v17 release, the Parallels RAS Web Admin console functionality is limited to helpdesk related tasks. More Parallels RAS management features will be added in the upcoming releases. Note that the new Web Console does not replace the Parallels RAS Console described below, so at least for now, you will still use the existing console to perform the standard Parallels RAS management tasks. For more information, see RAS Web Admin Console (p. 301).

Getting Started with Parallels RAS

categories. The navigation tree allows you to browse through objects related to that

The following screenshot and the description below it give you an overview of the Parallels RAS Console:

The Parallels RAS Console consists of the following sections:

This section lists categories. Selecting a category will populate the right pane with elements relevant to that category.

This section (the middle pane) is available only for the Farm and the Publishing

category.

This section displays the selected object or category properties, such as servers in a farm or published application properties, etc.

Getting Started with Parallels RAS

running instances of the Parallels RAS processes, so they have no effect

The information bar at the top of the RAS Console displays the name of the site you are currently logged in to on the left side (the Location field). If you have more than one site, you can switch between them by clicking the drop-down menu (the site name) and choosing a desired site. If you used the RAS Console to connect to more than one farm, the drop-down menu will also display the other farm name(s), clicking on which will connect the console to that farm.

Your administrator account name is displayed on the right side. Clicking on the name opens a drop-down menu from which you can initiate a chat with other administrators, show current sessions, and log off from the RAS Console.

The Press 'Apply' to commit the new settings message in the middle (in red) appears after you make any changes to any of the components or objects. It reminds you that you need to apply these changes to Parallels RAS for them to become effective. The following describes how it works.

When you make changes in the RAS Console, they are saved in the database as soon as you click OK in a dialog. If you close the console at this point, the changes will remain in the database and will not be lost. The changes, however, are not yet applied to in the running RAS farm. When you click the Apply button (at the bottom of the screen) the changes are applied to the runtime and become effective immediately.

When modifying anything in the RAS Console, follow these rules. When you make a small change, you can click Apply as soon as you are done with it. If you are working on something that requires many modifications in many places, you can wait until you are done with all changes and only then press Apply to apply all of them at the same time.

The information bar at the bottom of the screen is used to display the most recent console notification (if one is available).

Set Up a Basic Parallels RAS Farm

In this section, we'll set up a basic Parallels RAS farm where all required components run on a single server.

To set up a Parallels RAS farm:

1 Log in to the Parallels RAS Console.

Getting Started with Parallels RAS

2 In the console, select the Start category. This category gives you access to three wizards that

you can use to easily perform essential tasks, such as adding RD Session Hosts, publishing applications, and inviting users to Parallels RAS.

Add an RD Session Host

First, you need to add an RD Session Host to the farm. In this tutorial, we'll add the local server on which Parallels RAS is installed.

To add an RD Session Host to the farm:

1 Click Add RD Session Hosts. The Add RD Session Hosts wizard opens.

Getting Started with Parallels RAS

2 Select one or more servers. You can also type a server name in the edit box at the bottom of

the page and then click the plus-sign icon. In this tutorial, we install all Parallels RAS components on a single server, so you can type "localhost".

3 Click Next. 4 On the next page, specify the following options:

• Add firewall rules. Add firewall rules required by Parallels RAS in Windows running on the

server. See Port Reference for details (p. 326).

• Install RDS role. Install the RDS role on the server if it's not installed. You should always

select this option.

• Enable Desktop Experience. Enable the Desktop Experience feature in Windows running

on the server. This option is enabled only if the Install RDS role option (above) is selected. The option applies to Windows Server 2008 R1/R2 and Windows 2012 R1/R2 on which the Desktop Experience feature is not enabled by default.

• Restart server if required. Automatically restart the server if necessary. You can restart the

server manually if you wish.

Getting Started with Parallels RAS

• Add server(s) to group. Add the server (or servers) to a group. Select the desired group in

the list box located below this option. Groups are described in detail in the Grouping RD Session Hosts (p. 84) section. If you are just learning how to use this wizard, you can skip this option.

5 Click Next. 6 The next page allows you to add users and groups to the Remote Desktop Users group in

Windows running on the server. This is necessary for your Parallels RAS users to be able to access published resources hosted by an RD Session Host. To specify users and/or groups, select the option provided and then click the [+] icon. In the Select Users or Groups dialog, specify a user or a group and click OK. The selected user/group will be added to the list on the wizard page.

Note: If you skip this step and your users are not members of the Remote Desktop Users group on the RD Session Host, they will not be able to access resources published from this server. If you wish, you can add users to the group using the standard Windows tools. For more information, please consult the Microsoft Windows documentation.

7 Click Next. 8 On the next page, review the settings and click Next. 9 The Install RAS RD Session Host Agent dialog opens. Follow the instructions and install the

agent. When the installation is finished, click Done to close the dialog.

10 Back in the wizard, click Finish to close it.

If you would like to verify that the RD Session Host has been added to the farm, click the Farm category (below the Start category in the left pane of the Parallels RAS Console window) and then click RD Session Hosts in the navigation tree (the middle pane). The server should be included in the RD Session Hosts list. The Status column may display a warning message. If it does, reboot the server. The Status column should now say, "OK", which means that your RD Session Host is functioning properly.

Read on to learn how to publish an application from an RD Session Host (p. 30)

Publish Applications

Now that you have an RD Session Host added to the RAS farm, you can publish applications from it.

To publish an application:

1 In the Parallels RAS Console, select the Start category and click the Publish Applications item

in the right pane.

2 The Publish Applications wizard opens. 3 On the first page of the wizard, select one or more servers from which the application should be

published. You can select all servers, server groups, or individual servers.

4 Click Next.

Getting Started with Parallels RAS

5 On the next page, select one or more applications you want to publish.

If you've selected more than one server on the previous screen, the Show applications not available on all target servers option becomes enabled. If the option is cleared (default), the folder tree will contain applications that are available on each and every server that you selected. If the option is enabled, the tree will contain applications that may be available on some server(s), but not on the others.

6 Click Next. Review the summary information and click Next again. 7 Click Finish when ready.

To verify that an application has been successfully published, select the Publishing category in the RAS Console. The application should be included in the Published Resources list (the middle pane).

Invite Users

Your Parallels RAS farm is now fully operational. You have an RD Session Host and published application(s). All you need to do now is invite your users to install the Parallels Client software on their devices and connect to the Parallels RAS farm.

To invite users:

1 In the Parallels RAS Console, select the Start category and click the Invite Users item. 2 The Invite Users wizard opens:

Getting Started with Parallels RAS

3 Specify the mailbox information that should be used to send invitation emails to users:

• Mailbox Server: Enter the mailbox server name. For example, mail.company.com:500

• Sender Address: Enter the email address.

• TLS / SSL: Choose whether to use the TLS/SSL protocol.

• SMTP server requires authentication: Select this option if your SMTP server requires

authentication. If it does, also type the username and password in the fields provided.

4 In the Test Email section, type one or more email addresses to which a test email should be

sent (separate multiple address with a semicolon). Click the Send Test Email button to send the email.

5 Click Next.

Getting Started with Parallels RAS

6 On the next page of the wizard, specify target devices and connection options:

• In the target devices list, select the types of devices to send an invitation to. Each target

device of a particular type will receive an email with instructions on how to download, install, and configure the Parallels Client software on that device type.

• In the Public Gateway IP field, specify the RAS Secure Client Gateway FQDN or IP

address. Please note that this can be a public IP address so it can be reached by a remote user. You can click the [...] button to select a gateway from the list.

• In the Connection Mode drop-down list, select the RAS Secure Client Gateway connection

mode. Please note that SSL modes require the gateway to have SSL configured. More information can be found in the Configuring RAS Secure Client Gateway (p. 61) section.

• Click the Advanced button to open the Advanced Settings dialog. This dialog allows you

to specify a third-party credential provider component. If you use such a component to authenticate your users, specify its GUID in this dialog. For more information, see Configure Client Policy Options > Single Sign-On (p. 257).

7 Click Next.

Getting Started with Parallels RAS

8 On the next page, specify the email recipients. Click the [...] button to select users or groups.

9 Review the invitation email template displayed in the Review the invitation e-mail box. You

can modify the template text as needed. The template also uses variables, which are explained below.

• %RECIPIENT% — Specifies the name of a recipient to whom the email message is

addressed.

• %SENDER% — The sender's email address that you specified in the first step of this wizard

when you configured the outgoing email server settings.

• %INSTRUCTIONS% — Includes a custom URL hyperlink for automatic configuration of

Parallels Client. The URL uses the Parallels Client URL scheme. For more info, see RAS HTML5 Gateway API and Parallels Client URL Scheme (p. 325).

• %MANUALINSTRUCTIONS% — Includes instructions for manual configuration of Parallels

Client.

Getting Started with Parallels RAS

The variables are defined dynamically depending on the type(s) of the target devices and other settings. Normally, you should always include them in the message, so your users will receive all the necessary instructions and links. If you don't include any of the variables, you will see a warning messages, but including all of them is not a requirement. To preview the message, click the Preview button. This will open the HTML version of the message in a separate window. This is the email message that your users will receive.

10 Click Next, review the settings that you specified and click Next again to send the invitation

email to users.

When users receive the invitation email, they will follow the instructions that it contains to install and configure Parallels Client on their devices. Once that's done, the users will be able to connect to Parallels RAS and launch published resources.

Conclusion

In this tutorial, we have configured a simple Parallels RAS farm with a single RD Session Host and one published application. We then configured a mailbox for outgoing emails and sent an invitation email to end users with instructions on how to install Parallels Client, connect to the Parallels RAS farm, and run the published application. Essentially, we've created a fully functional Parallels RAS farm serving remote applications to end users.

If you wish, you can repeat the tutorial and add more RD Session Hosts, publish more applications, or send an invitation email to users who use different types of devices. The instructions remain essentially the same.

The rest of this guide explains in detail how to configure and use various features of Parallels RAS.

C HAPTER 4

Parallels RAS Farm and Sites

Parallels RAS farm is a logical grouping of objects for the purpose of centralized management. A farm configuration is stored in a single database which contains information about all objects comprising the farm. A site is the next level grouping in the farm hierarchy which contains servers and other objects providing connection and remote application services.

In This Chapter

Connecting to a Parallels RAS Farm ........................................................................ 36

About Sites ............................................................................................................ 38

Sites in the RAS Console ........................................................................................ 39

Adding a Site to the Farm ....................................................................................... 41

Replicating Site Settings ......................................................................................... 42

Managing the Licensing Site ................................................................................... 43

Managing Administrator Accounts .......................................................................... 44

Connecting to a Parallels RAS Farm

If you have more than one Parallels RAS farm in your organization, you can use the same Parallels RAS Console instance to manage any of them. By default, the Parallels RAS Console is installed on the same server where you install other Parallels RAS components, but you can install the console on any computer on your network.

Connecting to a Parallels RAS farm for the first time

When you open the Parallels RAS Console for the first time, it displays the logon dialog on which you need to specify the following:

• Farm: A Parallels RAS farm to connect to. Enter the FQDN or IP address of the server where

you have RAS Publishing Agent installed.

• If you've installed the Parallels Single Sign-On component when installing the RAS Console, you

Parallels RAS Farm and Sites

• Username: A user account with administrative privileges on the server where Parallels RAS is

• Password: The specified user account password.

• If you select the Remember credentials option, this dialog will not be shown the next time you

launch the Parallels RAS Console.

After entering the connection properties, click Connect to connect to the farm and open the RAS Console.

Note that the Edit Connections button will not display any information on first connect (it is used to edit farm connections that already exist), so you can ignore it at this point. We will talk about using this button closer to the end of this section.

Connecting to a different Parallels RAS farm

When you need to connect to a different Parallels RAS farm, you first need to log off from the Parallels RAS Console in order to see the logon dialog again. To do so:

1 In the Parallels RAS Console, click on the arrow icon next to your user name in the upper right-

hand corner and then choose Log Off in the context menu.

2 The console will close and the RAS logon dialog will open. The dialog will be populated with the

current farm connection properties.

3 To connect to a different farm, type the FQDN or IP address of the server where the other farm

is located. Once again, this should be the server where you have the RAS Publishing Agent installed.

4 Specify a username and password and click Connect. The Parallels RAS Console will connect

to the farm using the connection properties that you specified.

Switching between Parallels RAS farms

After you connect to more than one farm from the same Parallels RAS Console instance, you can easily switch between them as follows:

1 In the Parallels RAS Console, click the Location drop-down menu in the upper left-hand corner

(right below the main application menu, where the current site name is displayed).

2 The lower portion of the drop-down list will contain names of the farms to which you connected

at least once in the past (the upper portion contains one or more site names for the current farm). Click a desired farm name to connect to it.

3 When you click the farm name, the console will close momentarily and will re-open connected

to the farm that you selected.

Parallels RAS Farm and Sites

Note that you can also switch between farms by logging off from the console and choosing a desired farm from the Farm drop-down list in the RAS logon dialog. The method described above is more convenient, so this one is just another way to do it.

Editing Parallels RAS farm connections

As was mentioned in the beginning of this section, the RAS logon dialog has the Edit Connections button. When you click it, the Manage Parallels RAS Farm Connections dialog opens.

On the left side of the dialog, the Farm Connections pane lists Parallels RAS farms to which you connected at least once in the past. If a connection is no longer relevant, you can remove it by selecting it and clicking the "minus sign" icon at the top. Once a connection is removed, it will no longer appear in the RAS logon dialog and in the Parallels RAS Console (the Location drop-down list).

On the right side of the dialog, the Publishing Agents pane lists RAS Publishing Agents for the selected farm connection. By default, the master Publishing Agent is included in the list, but you can add more Publishing Agents if needed. When connecting to a farm, the Parallels RAS Console will try the master Publishing Agent first. If a connection cannot be established, it will try other Publishing Agents in the order they are listed in the Publishing Agents pane. To add a Publishing Agent ot the list, click the "plus sign" icon and then specify the server FQDN or IP address.

About Sites

A Parallels RAS farm consists of at least one site, but may have as many sites as necessary.

Sites are often used to separate management and/or location functions. For example, by creating a site, you can delegate permissions to a site administrator without granting them full farm permissions. Or you can have separate sites for different physical locations with the ability to copy the same settings to each site while using RD Session Hosts, VDI hosts, or PCs that are closer to end users or (depending on your needs) to back-end servers. For instance, it would make sense for a client/server application querying a database to be published from an RD Session Host which is located closer to the database server.

Each site is completely isolated from other sites within the same farm. The farm simply groups sites logically and stores configuration properties of each site (and the objects that comprise it) in a single database. Sites don't communicate with each other and don't share any objects or data. The only exception to this rule is the RAS Licensing Site which periodically communicates with other sites to obtain statistics.

Individual object settings in a given site can be replicated to all other sites. This does not mean that settings will be shared between sites. The settings that you choose will simply be applied to other sites. For more information, see the Replicating Site Settings section (p. 42).

Parallels RAS Farm and Sites

When you install Parallels RAS, a farm with a single site is created automatically. This first site becomes the RAS Licensing Site and the host for the main Parallels RAS configuration database. When you add more sites to the farm, the data in this database is automatically synchronized with every site that you add. When changes are applied to a particular site, the main configuration database is automatically updated to reflect the changes.

Each site must have at least the following components installed in order to publish remote applications and desktops for end users:

• Master RAS Publishing Agent

• RAS Secure Client Gateway

• RD Session Host, VDI, or PC

When you install Parallels RAS using default installation options, the master RAS Publishing Agent and the RAS Secure Client Gateway are automatically installed on the server on which you perform the installation. You can then add one or more RD Session Hosts to the site to host published resources. You can also add more sites to the farm if needed and configure individual components for each site as you desire.

Sites in the RAS Console

To view existing sites in the Parallels RAS Console, select the Farm category in the left pane. Existing sites are listed in the right pane.

Note: The Farm node will only be visible to an administrator who has full permissions to manage the farm. For more information about farm/site permissions, please refer to Managing Administrator Accounts (p. 44).

The Farm category displays the configuration of only one site at a time. If you log in as the farm administrator, the configuration of the RAS Licensing Site will be displayed. If you log in as an administrator who has access to a specific site (but not the farm), the configuration of that site will be displayed.

Current site

Click on the Farm item in the middle pane to view the list of available sites. The site which configuration is currently loaded in the console is marked as "Current Site" in the Type column. The column also displays other site attributes. For example, "Licensing Site / Local Site / Current Site".

Switching between sites

To switch to a particular site, select Farm in the middle pane, then right-click the site in the right pane and choose Switch to this site. The site configuration will be loaded into the RAS Console.

Parallels RAS Farm and Sites

The other way of switching between sites is to click the Location drop-down menu in the upper left-hand side of the RAS Console. The menu lists sites for the current farm and may also list other farms if you used this RAS Console to connect to them. For more info, see Connecting to a

Parallels RAS Farm (p. 36).

Renaming the site

To rename a site, right-click it and choose Rename Site.

Site configuration and health view

When you select the Site node in the middle pane, the Site Info tab in the right pane displays the list of Parallels RAS components that have been configured for the site with interactive performance monitoring metrics for each component. The list is organized as follows:

• RD Sessions hosts. Lists existing RD Session Hosts.

• VDI (if configured). Lists existing VDI hosts.

• Remote PCs (if one or more are configured). Lists existing Remote PCs.

• Gateways. Lists existing RAS Secure Client Gateway servers.

• Publishing agents. Lists existing RAS Publishing Agent servers.

To collapse or expand a component group, click an "arrow up" or "arrow down" icon on the right side of the list. Note that if no servers of a particular type have been added to the site, the group name will not be displayed in the list.

The following information is displayed for each component (the information is updated at an interval of approximately 2 minutes):

• Address. Server FQDN or IP address.

• Agent. Indicates whether the agent software is installed on the server and is functioning

properly.

• CPU %. Current CPU utilization.

• RAM %. Current RAM utilization.

• Disk Read Time %. Disk read time.

• Disk Write Time %. Disk write time.

• Sessions. The number of currently active user sessions.

• Preferred PA. The name of the RAS Publishing Agent designated as preferred for this server.

• Operating System. Operating system version installed on the server.

• Agent Version. The agent version installed on the server.

Parallels RAS Farm and Sites

You can customize this view by clicking Tasks > Monitoring Settings. This opens a dialog where you can specify which colors should be used to display different performance counters and their values.

Performing tasks on a component

You can perform a number of tasks on a component displayed in the Site Info tab. These tasks are described below.

To configure a component, do one of the following:

• While the Site node is selected in the middle pane, right-click a component in the right pane

and choose Show in the editor.

• Select a component category in the middle pane (e.g. RD Session Hosts, VDI hosts, etc.).

To use computer management tools, right-click a component (server), click Tools and choose a desired tool. For the complete description of tools, see Computer Management Tools (p. 280).

Using the Site Designer

Select the Site node in the middle and then click the Designer tab in the right pane. The tab displays a visual representation of the site infrastructure. Use the icons at the top to add more components to the diagram as desired. Note that adding a component to the diagram will actually add it to the site. Double-click a component to view and configure it in a corresponding editor.

Adding a Site to the Farm

To add a site to the farm:

1 In the RAS Console, select the Farm category in the left pane and then select the farm in the

middle pane.

2 In the Tasks drop-down menu (the right pane, above the Site list), click Add (or click the +

icon).

3 In the Add Site dialog:

• In the Site field, specify a site name.

• In the Server field, specify the IP address or FQDN of the server where the Master

Publishing Agent and Secure Client Gateway should be installed.

• Select the Add an SSL certificate and enable HTML5 Gateway option to automatically

create a self-signed certificate, enable SSL, and enable HTML5 support. For more info, please see Enable HTML5 Support on the Gateway (p. 67).

4 Click Next.

Parallels RAS Farm and Sites

5 The Site Master Properties dialog opens. First, it verifies if RAS Publishing Agent is installed

on the specified site server. If it isn't, it will indicate this in the Status field.

6 Click the Install button to install the agent. 7 In the Install RAS Publishing Agent dialog, highlight the server name on which the RAS

Publishing Agent is to be installed.

8 (Optional) Select the option Override system credentials to specify and use different

credentials to connect to the server and install the agent.

9 Click Install to install the publishing agent and gateway. Click Done once it has been

successfully installed.

Once a new site is created, you can view and manage its configuration by right-clicking the site in the RAS Console and choosing Switch to this Site.

Replicating Site Settings

Site-specific settings configured for a given site can be replicated to all other sites in a farm. Refer to the table below for the information about which settings can be replicated to other sites.

Category Section Options

Farm VDI > RAS templates

Farm VDI > Desktops Auto removal timeout.

Farm Settings > Auditing All settings

Farm Settings > Global Logging Logging settings

Farm Settings > URL Redirection All settings.

Load Balancing Load Balancing All settings.

Publishing Application

Publishing Shortcuts All settings.

Publishing Extensions All settings.

Publishing Licensing All settings.

Publishing Display All settings.

Publishing Filtering (all types except Gateway) All settings.

Universal Printing Universal Printing Printer renaming.

Universal Printing Printer Drivers All settings.

Auto removal timeout of guest VMs that fail preparation.

Site defaults are replicated. Other settings (name, description, icon, etc.) are global and are common to all sites.

Universal Printing Fonts Management All settings.

Universal Scanning WIA Scanner renaming.

Parallels RAS Farm and Sites

Universal Scanning TWAIN Scanner renaming.

Universal Scanning TWAIN > TWAIN Applications Scanning applications.

Connection Authentication All settings.

Connection Settings All settings.

Connection Second Level Authentication All settings.

Connection Allowed Devices All settings.

Reporting Reporting Engine Reporting engine type.

Reporting Engine specific settings All settings.

To replicate site settings to all other sites, select Farm / <site> / Settings and then select the Replicate settings option (at the bottom of the Auditing tab). Please note that this option is disabled if you have just one site in the farm.

Overriding Site Replicated Settings

If an administrator who has permissions to enable or disable replication settings makes a change to a specific setting, such setting is replicated to all other sites. If an administrator has access to a particular site only, upon modifying site settings which have been replicated, the replicated settings are overridden and the option Replicate Settings is automatically cleared, therefore such settings will no longer be replicated to other sites.

Managing the Licensing Site

The licensing site should always be online even if you have other sites in your farm. If your licensing site goes offline, your other sites can still use the maximum number of individual licenses included in your subscription but only for a period of 72 hours. During this time, you need to do one of the following:

• Restore your licensing site.

• Promote a different site to be the licensing site in the farm (see below for instructions).

Please note that if the licensing site is offline from 48 to 72 hours and back online three times per month, you will be required to re-activate it using your Parallels RAS licensing key after the third time.

To promote a secondary site to be the licensing site in the farm:

1 In the RAS Console, navigate to Farm > Farm. 2 In the right pane select a site and then click Tasks > Set as licensing site. 3 You will be asked to activate the new licensing site using your Parallels RAS license. Follow the

instructions and activate the site.

Parallels RAS Farm and Sites

Managing Administrator Accounts

You can have more than one administrator in Parallels RAS. At least one administrator (called the root administrator) must be present at all times. Other administrators can be given the following roles:

• Root administrator. Has full permissions to manage a Parallels RAS farm.

• Power administrator. Has most permissions granted by default, but can be configured to have

limited permissions to manage certain sites or categories.

• Custom administrator. Has no permission by default and can be granted specific permission

to view or modify very specific areas or objects in the Parallels RAS farm.

Read on to learn how to create and manage administrator accounts.

Adding an Administrator Account

To add an administrator account to the Parallels RAS farm:

1 In the RAS Console, navigate to Administration / Accounts. 2 Click the Tasks drop-down menu and choose Add (or click the [+] icon). 3 The Account Properties dialog opens. 4 Click the [...] button next to the Name field. In the Select User or Group dialog, select a user

or a group.

5 Specify an email address and mobile phone number. Both fields are optional and are disabled if

the account specified in the Name field is a group.

6 In the Permissions drop-down list select a role to assign to the administrator:

• Root administrator. Grants the administrator full permissions to manage the farm.

• Power administrator. Grants the administrator full permissions by default but allows you to

limit them if needed. To grant or deny specific permissions, click the Change Permissions button. For additional info, see Administrator Account Permissions (p. 45).

• Custom administrator. This role doesn't have any permissions by default and allows you

grant very specific permissions for a particular category, area, or object in the RAS Console. See Administrator Account Permissions (p. 45) for details.

7 In the Receive system notifications via drop-down list, select Email to send all system

notifications to the specified email address, or select None to disable email system notifications for this account.

8 Click OK to add the new administrator account to the farm.

Parallels RAS Farm and Sites

Modifying an administrator account

To modify an account, select it in the list and Tasks > Properties. This opens the Account Properties dialog where you can modify the account information.

To enable or disable an account, select or clear the Enable account option at the top of the Account Properties dialog.

Administrator Account Permissions

To set permissions for a RAS administrator, do the following:

1 In the RAS Console, navigate to Administration / Accounts. 2 Select an administrator in the list and click Tasks > Properties.

When you click the Change Permissions button in the Administrator Properties dialog, the following happens depending on what is selected in the Permissions field:

• Root administrator. The Change Permission button is disabled because the root

administrator always has full permissions.

• Power administrator. The Account Permissions dialog opens. In the left pane, select one or

more sites for which to grant permissions to the administrator. In the right pane, select specific permissions. See the Power administrator permissions subsection below for details.

• Custom administrator. A different Account Permissions dialog opens where you can set

custom permissions. Compared to the Power administrator role (see above), this option allows you to grant (or deny) all kinds of permissions (view, modify, add, etc.) for entire categories or specific areas or objects in the RAS Console. If an admin of this type doesn't have permissions to even view a category or a tab, for instance, the tab will not even appear in the RAS Console. Using the Custom administrator role, you can limit permissions for an administrator to one or more very specific tasks. For details, see Custom administrator

permissions below.

Power administrator permissions

The following permissions can be set for a Power administrator:

• Allow viewing of Site information. Whether the administrator can view the site information.

• Allow site changes. Permissions to modify the following categories: Site, Load Balancing,

Universal Printing, Universal Scanning. This option is disabled if the Allow viewing of Site information option is cleared.

• Allow session management. Permission to manage running sessions. This option is disabled

if the Allow viewing of Site information option is cleared.

• Allow publishing changes. Permission to modify the Publishing category.

• Allow connection changes. Permission to modify the Connection category.

Parallels RAS Farm and Sites

• Allow viewing of RAS reporting. Permission to view reports generated by RAS Reporting.

• Allow client management changes. Permission to modify the Client Manager category.

In the Global permission area, set the following:

• Allow viewing of policies. Whether to allow the administrator to view the Policies category.

• Allow policies changes. Whether to allow the administrator to modify the Policies category.

Custom administrator permissions

To set custom administrator permissions, you must be either a root administrator or a power administrator with the "Allow site changes" permission granted.

When you first create an administrator of this type, they will have no permissions. To add permissions, select a site in the left pane and then click the Change permissions button. The Account Permissions dialog opens.

In the dialog, select a permission type in the left pane. The permission types are:

• RD Session hosts. The RD Session hosts tab in Farm / RD Session hosts.

• RD Session hosts groups. The Groups tab in Farm / RD Session hosts.

• Remote PCs. The Farm / Remote PCs view.

• Gateways. The Farm / Gateways view.

• Publishing agents. The Farm / Publishing agents view.

• HALB. The Farm / HALB view.

• Themes. The Farm / Themes view.

• Publishing. The entire Publishing category.

• Connection. The entire Connection category.

• Device manager. The entire Device manager category.

After you select a permission type, you can set the actual permissions in the right pane. Different permission types may have different sets of permissions. The following lists describes all available permissions:

• View. View only.

• Modify. View and modify.

• Add. View, modify, and add new objects (e.g. servers).

• Delete. View, modify, and delete an object.

• Control. View and control an object. This permission enables the Tasks > Control menu

(where available), which includes enable and disable logons, cancel pending reboot, install RDS role, reboot, and some other options. Also enables power operations (start, stop, etc., where available).

Parallels RAS Farm and Sites

• Manage sessions. View and manage sessions.

The lower portion of the right pane lists individual objects (e.g. servers) if the selected permission type has them. Here, you can set individual permissions for a specific object (not the entire tab, for instance, which otherwise would include all available objects).

The Global permissions options at the top of the right pane enables all permissions for all objects for the selected permission type.

Clone permissions

As a root administrator (or a power administrator with sufficient privileges), you can apply (clone) permissions of an existing administrator account to another existing account. This way, you can configure permissions for one account and then quickly apply the same configuration to all other accounts that require them.

To clone permissions, select a source administrator account and click Tasks > Clone

permissions. In the dialog that opens, select a destination account (ir multiple accounts) and click OK.

Delegate permissions

There could be a situation when a power administrator needs to grant some permissions to a custom administrator. This cannot be done by modifying permissions because power administrators cannot manage administrator accounts directly. Instead, they can delegate some of their own permissions in a given site to a custom administrator of their choice.

For example, if a power administrator wants the custom administrator to be able to manage a particular RD Session Host, he/she selects that host in the RAS Console and click Tasks > Delegate permissions. This opens a dialog where the administrator can select a custom administrator and specify which permissions (view, modify, etc.) that administrator should have. The Tasks > Delegate permissions menu option is available for many objects, such as RD Session Hosts, VDI Hosts, guest VMs (desktops), and some others. If the menu is not available for an object, it means that this functionality is not available for objects of this type.

Managing Administrator Accounts

To view existing administrator accounts, select the Administration category in the RAS Console. The Accounts tab lists existing accounts and their properties, including:

• Group or user name. Account name, which can be a user or group name.

Parallels RAS Farm and Sites

• Type. Account type. Can be one of the following: User, Group, Group User. The User and

Group are self-explanatory. The Group User is a user who receives Parallels RAS administrative permissions via a group membership. When you initially add a group to the list of Parallels RAS administrators, its members are not displayed on the Accounts tab. As soon as a member of the group logs in to Parallels RAS, the account name is added to the list of administrators as a Group User and remains there. Note that you cannot change Parallels RAS permissions for such an account individually outside the group permissions.

• Permissions. A security role assigned to an administrator.

• Email. Email address.

• Mobile. Mobile phone number.

• Group. Group name. This column has a value for Group Users only (see the Type column

description above).

• Last Modification By. The name of the user who modified this account in Parallels RAS the

last time.

• Changed On. The last account modification date.

• Created By. The name of the user who created this account in Parallels RAS.

• Created On. The date when this account was added to Parallels RAS.

• ID. Internal Parallels RAS ID.

Modifying an account

To modify an account:

1 Right-click an account and choose Properties in the context menu. 2 Use the Administrator Properties dialog to modify the necessary information. For more info,

see Adding an Administrator Account (p. 44).

Handling Locked Objects

When an administrator is working with an object (e.g. a tab page) in the Parallels RAS Console, the object is locked for all other administrators. Therefore, upon trying to access a locked object, an administrator will be alerted with an error that the object is locked and will not be able to access it.

A root administrator (but not power or custom administrator) can release a locked object as follows:

1 On the Administration > Accounts tab, click the Tasks drop-down menu and choose Show

Sessions.

2 In the Sessions dialog, select the administrator who is locking an object and then click the

Send Message icon (at the top).

3 If the administrator doesn't reply and doesn't release the object, you have an option to click

Log Off, which will log them off and will unlock the category.

Parallels RAS Farm and Sites

Configure RAS Console Idle Sessions

If you have a number of administrators using the RAS Console to manage the same farm, you can configure when an idle RAS Console session should be disconnected. By default, when an administrator opens the console and connects to a farm but then forgets to log off and goes away, the session will stay active indefinitely possibly locking some of the categories for other administrators. You can change that by specifying the time period after which an idle session will be disconnected (thus unlocking the categories).

To configure idle sessions:

1 In the RAS Console, navigate to Administration > Settings. 2 Locate the Miscellaneous section (at the bottom) and choose a desired time period in the

Reset idle RAS Console session after drop-down box.

When a session stays idle for close to the specified time period, the administrator (session owner) will be notified a few minutes in advance that the session is about to be disconnected. If the administrator chooses to stay connected, the time period is reset. If the administrator does nothing, the session will be disconnected when the time expires.

Using Instant Messaging for Administrators

Parallels RAS administrators logged on to the same farm can communicate with each other using a built-in instant messenger.

To use the instant messenger:

1 In the RAS Console, select the Administration category. 2 Expand the drop-down menu next to your name (top-right corner of the console screen) and

click Chat.

3 The Parallels Remote Application Server Chat window opens.

To send a message:

1 Type the message text in the lower input panel. 2 In the Logged on administrators list box, select a specific administrator or All to send the

message to an individual or all logged on administrators.

3 Click Send.

Your message history is displayed in the Messages panel. To clear the history, click Clear All.

You can also view the chat history listing all messages between all administrators (not just your own messages). To do so, select the Administration node in the console and then select the Chat History tab.

Parallels RAS Farm and Sites

Joining Customer Experience Program

Parallels Customer Experience Program helps us to improve the quality and reliability of Parallels RAS. If you accept to join the program, we will collect information about the way you use Parallels RAS. We will NOT collect any personal data, like your name, address, phone number, or keyboard input.

To join the program:

1 In the RAS Console, select the Administration category. 2 In the right pane, click the Settings tab. 3 Select the Participate in the Customer Experience Program option.

After you join the program, CEP will automatically start to collect information about how you use Parallels RAS. Data collected from you and other participants is combined and thoroughly analyzed to help us improve Parallels RAS.

Note: This note applies to Parallels RAS v16.5 only. If you install or upgrade an older version of Parallels RAS to version 16.5, the CEP participation will be automatically turned on. You can turn it off if you like at any time. When a newer version of Parallels RAS is released and you upgrade to that version, your selection whether to participate in CEP will be kept.

C HAPTER 5

RAS Publishing Agent

RAS Publishing Agent provides load balancing of published applications and desktops. A RAS Publishing Agent is automatically installed on a server on which you install Parallels RAS and is designated as the master Publishing Agent. Each site must have a master RAS Publishing Agent but can also have secondary Publishing Agents added to it. The purpose of a secondary Publishing Agent is to ensure that users do not experience any interruption of the service due to possible failure of the master RAS Publishing Agent. This chapter describes how to add RAS Publishing Agents to a site and how to configure them.

In This Chapter

Configuring RAS Publishing Agents......................................................................... 51

Secondary Publishing Agents ................................................................................. 53

Managing Secondary Publishing Agents ................................................................. 55

Using Computer Management Tools ....................................................................... 57

Configuring RAS Publishing Agents

To view RAS Publishing agents installed in a site, navigate to Farm / <site> / Publishing agents in the RAS Console. The installed Publishing agents are listed on the Publishing agents tab in the right pane.

A site must have at least the master Publishing Agent installed, which is marked "Master" in the Priority column. You can also add secondary agents to a site for redundancy (described in the section that follows this one).

To modify the configuration of a Publishing Agent, select it and then click Tasks > Properties (or right-click > Properties). The Properties dialog opens where you can modify the following:

• Enable Server in site: Enables or disables the Publishing Agent. The option is enabled for

secondary Publishing Agents only. It is disabled for the master Publishing Agent.

• Server: Specifies the FDQN or IP address of the server that hosts the Publishing Agent.

• IP: Specifies the server IP address. Click the Resolve button to obtain the IP address

automatically using the FQDN specified in the Server field. This IP address is used so that multiple Publishing Agents share information in real time.

RAS Publishing Agent

• Alternate IPs: Specifies one or more alternate IP addresses separated by a semicolon. These

addresses will be used if RAS Secure Client Gateways fail to connect to the RAS Publishing Agent using it's FQDN or the address specified in the IP field. This can happen, for example, if Gateways are connecting from a network which is not joined to Active Directory.

• Description: A user-defined description.

• Standby: If selected, puts a secondary Publishing Agent into a standby mode. This means that

no agents will connect to this Publishing Agent until another Publishing Agent goes offline. This option is enabled automatically for any new secondary Publishing Agent in excess of the three agents that already exist. It is not recommended to have more than three Publishing agents because it may degrade system performance. Using this option you can have more than three agents, but have them in standby mode until they are needed. For more information, see Secondary Publishing Agents (p. 53).

When done making the changes, click OK and then click Apply in the main RAS Console window.

The Tasks drop-down menu on the Publishing Agents tab has the following items:

• Add. Adds a RAS Publishing Agent to the site. See the section that follows this one for the

information on how to add secondary Publishing Agents.

• Upgrade all Agents. Upgrades agents to the current version. The item is disabled if all agents

are up to date.

• Tools. Gives you access to a set of standard server management tools.

• Troubleshooting. The Check agent menu item verifies that the Publishing Agent is functioning

properly. It opens a dialog where you can see the verification results and optionally install (or uninstall) the Publishing Agent. The Logging menu item allows you to configure logging and retrieve or clear log files. For more information, see Logging (p. 299).

• Promote backup to master. Promotes a secondary Publishing Agent to master. The current

master becomes a secondary Publishing Agent.

• Refresh. Refreshes the Publishing agents list.

• Delete. Deletes a secondary Publishing Agent from the site. To delete the master Publishing

Agent, you first need to promote a secondary Publishing Agent to master.

• Settings audit. Opens the Settings Audit dialog where you can view the changes that were

done to the Publishing Agent. For more information, see Settings Audit (p. 284).

• Move up and Move down. Changes the priority of a secondary Publishing Agent (moves it up

or down in the priority list).

• Properties. Opens the Publishing Agent Properties dialog (see above).

RAS Publishing Agents Overview

In addition to the Publishing Agent editor described above, you can also see the summary about the available RAS Publishing Agents. To do so:

1 In the RAS Console, navigate to the Farm / <site> .

RAS Publishing Agent

2 The available RAS Publishing Agents are displayed in the Publishing Agents group on the Site

Info tab.

3 To go to the Publishing Agents editor, right-click a RAS Publishing Agent and choose Show in

the editor.

For additional info, see Sites in the RAS Console (p. 39).

Secondary Publishing Agents

A secondary Publishing Agent is added to a site for redundancy. This way if the master Publishing Agent fails, the secondary Publishing Agent is still available to handle the requests. Publishing agents work in active/active manner to ensure high availability. In case of a Publishing Agent failure, the next agent is always ready to handle the load. In general, the N+1 redundancy approach should be used per site. Note that for auto-promotion you shouldn't have more than three Publishing Agents (auto-promotion is described later in this section).

When you have one more secondary Publishing agents installed, the runtime data is replicated on each agent, so if any service fails, the downtime is reduced to a minimum. In addition, any active Publishing Agent is used for authentication purposes with both the AD and any 2nd level authentication provider used.

The master Publishing Agent performs the same tasks as secondary Publishing agents but has additional responsibilities. It manages certain processes that must be managed by a single Publishing Agent. The following table lists processes managed by the master Publishing Agent and secondary Publishing agents:

Process

Monitor PAs (counters)

Monitor RD Session Hosts (counters)

Monitor VDI Hosts (counters)

Monitor TS Sessions (reconnection)

Monitor Deployed TS applications

Monitor VDI session (reconnections)

Manage system settings

Send licensing information & heart beat

Process and send CEP information

Master Publishing Agent

Yes Yes

Yes No

Secondary Publishing Agents

Send information to reporting server

Yes No

RAS Publishing Agent

Manage TS scheduler

Reporting engine information

Shadowing

Send email notifications

Yes No

Yes Future versions

Yes No

As a demonstration of how load distribution between multiple Publishing agents works, consider the following example:

• Suppose we have two Publishing agents: PA1 (master) and PA2 (secondary).

• Suppose we also have 10 RD Session Hosts: TS1, TS2 ... TS10

The resulting load will be distributed as follows:

• TS1, TS2 ... TS4 will use PA1 as their preferred Publishing Agent.

• TS5, TS6 ... TS10 will use PA2 as their preferred Publishing Agent.

Planning for secondary publishing agents

RAS Publishing agents running on the same site communicate with each other and share the load. The amount of data being transmitted from one agent to another is quite large, so a reliable highspeed communication channel must be ensured (e.g. a subnetwork can be configured for Publishing Agent communications).

When adding a secondary Publishing Agent to a site, you specify an IP address for it. Make sure that the IP addresses of all agents belong to the same network segment. The port that Publishing Agents use to communicate with each other is TCP 20030.

There's no physical limit to how many Publishing agents you can add to a site. However, the best results are achieved with only 2-3 agents present (the two-agent scenario is recommended). Adding more than 2-3 secondary Publishing agents to a site may have a reverse effect and actually degrade the system performance. Note that this does not apply to secondary Publishing Agents in standby mode, which is explained in Configuring RAS Publishing Agents (p. 51).

Adding a secondary RAS Publishing Agent to a site

To add a secondary Publishing Agent:

1 In the RAS console, navigate to Farm / <site> / Publishing Agents. 2 Click the Tasks drop-down menu and choose Add to launch the Add RAS Publishing Agent

wizard.

3 The Server field specifies the FDQN or IP address of the server that hosts the RAS Publishing

Agent.

4 The IP field specifies the server IP address. Click the Resolve button to obtain the IP address

automatically using the FQDN specified in the Server field.

RAS Publishing Agent

5 The Alternative IPs field specifies one or more alternative IP addresses, separated by a

semicolon. These addresses will be used if RAS Secure Client Gateways fail to connect to the RAS Publishing Agent using it's FQDN or the address specified in the IP field. This can happen, for example, if Gateways are connecting from a different network, which is not joined to Active Directory.

6 Select the Install a gateway with a publishing agent option if you also want to install a RAS

Secure Client Gateway on the specified server. If you select this option, you may also select the

Add an SSL certificate and enable HTML5 Gateway option (for more info, please see Enable HTML5 Support on the Gateway (p. 67)).

7 Select the Add Firewall Rules option to automatically configure the firewall on the server. See

Port Reference (p. 326) for details.

8 Click Next. 9 On the next page, click Install to install the RAS Publishing Agent on the server. The Installing

RAS Redundancy Service dialog opens.

10 Select the server on which the RAS Publishing Agent is to be installed and click Install. 11 Click Done. 12 Click OK to add the server to the farm.

Managing Secondary Publishing Agents

Enabling or disabling a secondary Publishing Agent

To enable or disable a secondary Publishing Agent in a site, select it in the Publishing agents list and then select or clear the check box at the beginning of the row.

Changing the secondary Publishing Agent priority

Each secondary Publishing Agent is given a priority. To change the priority, select a secondary Publishing Agent and use the "Up arrow" and "Down arrow" icons (or Tasks > Move up, Move

down) to move it up or down the list. The higher the agent is in the list, the higher the priority.

Promoting a secondary Publishing Agent to master

If the master Publishing Agent cannot be recovered, you can promote a secondary Publishing Agent to master as follows:

1 Open the RAS Console on the Publishing Agent server that you would like to promote (all

required files are automatically installed when a server is added to a site as a secondary Publishing Agent).

2 Select the Farm category and navigate to the Publishing agents node. 3 Select the Publishing Agent and then click Tasks > Promote backup to master.

RAS Publishing Agent

4 Click OK once the process is finished.

Configuring auto-promotion

If the master Publishing Agent goes offline, you will need to promote a secondary Publishing Agent to take its place. The auto-promotion feature can do it automatically after a specified time period.

By default, auto-promotion is turned off. To enable it, do the following:

1 In the RAS Console, navigate to Farm / <site> / Publishing agents. 2 Select the Auto-promotion tab in the right pane. 3 Select the Enable auto-promotion option and specify the time period after which the next

secondary Publishing Agent should be promoted to master. The time period can be set between 15 minutes and 72 hours (the default value is 30 min).

4 Select the Enable failback option if you want the original Publishing Agent to become master

again should it go back online. For the Licensing Site, this eliminates license activation if failback happens within 72 hours. The license activation countdown is always displayed in the RAS Console, so the administrator can check if the original master Publishing Agent recovers within this time period or not. If the original agent goes back online after the 72-hour period (and if the farm has been already reactivated), it will become a secondary Publishing Agent.

Note: To enable auto-promotion, you need at least three active Publishing agents in a site. If you have less than three, the auto-promotion is ignored.

Please also note that auto-promotion must be disabled if you have a single site with Publishing agents split across different locations with bad WAN links. If there's no link between Publishing Agent located remotely, the third Publishing Agent acts as a witness to prevent split-brain.

When auto-promotion takes place, the RAS administrator will receive notifications via email about the following events:

• A secondary Publishing Agent has been promoted to master.

• Auto-promotion of a secondary Publishing Agent has failed.

• Auto-promotion failback completed.

Deleting a secondary Publishing Agent

To delete a secondary Publishing Agent, select it in the list and then click Delete in the Tasks drop-down menu.

RAS Publishing Agent

Using Computer Management Tools

You can perform standard computer management tasks on a server hosting the RAS Publishing Agent right from the RAS Console. These include Remote Desktop Connection, remote PowerShell, Computer Management, Service Management, Event Viewer, IPconfig, Reboot, and others.

To access the Tools menu, select a server, click Tasks (or right-click) > Tools and choose a desired tool. For requirements and usage information, see Computer Management Tools (p. 280).

C HAPTER 6

RAS Secure Client Gateway

RAS Secure Client Gateway tunnels all Parallels RAS data on a single port. It also provides secure connections and is the user connection point to Parallels RAS. At least one RAS Secure Client Gateway must be installed and configured in every site. Multiple gateways can exist depending on your requirements. Read this chapter to learn how to add, configure, and manage RAS Secure Client Gateways.

In This Chapter

RAS Secure Client Gateway Overview..................................................................... 58

Adding a RAS Secure Client Gateway ..................................................................... 60

Manually Adding a RAS Secure Client Gateway ....................................................... 60

Checking the RAS Secure Client Gateway Status .................................................... 61

Configuring RAS Secure Client Gateway ................................................................. 61

Gateway Tunneling Policies .................................................................................... 71

Viewing Gateway Summary and Metrics ................................................................. 72

Using Computer Management Tools ....................................................................... 72

RAS Secure Client Gateway Overview

You need to install at least one RAS Secure Client Gateway for Parallels RAS to work. You can add additional Gateways to a RAS site to support more users, load-balance connections, and provide redundancy.

Installing a RAS Secure Client Gateway on a dedicated server

If you are installing a RAS Secure Client Gateway on a dedicated server, you can also install the Parallels RAS console on the same server. The console will have limited functionality but will allow you to perform some important management operations on the Gateway, including:

• Setting the Gateway operation mode (normal or forwarding, see below for details).

• Assigning a RAS Publishing Agent that will manage the Gateway.

• Setting the Gateway communication port.

• Viewing the Gateway information, such as host OS version, Parallels RAS version, available IP

addresses, and other.

RAS Secure Client Gateway

The RAS Console in such an installation scenario (when connected to the local computer, not the RAS farm) will only have two categories that you can select in the left pane: Gateway and

Information. To manage the Gateway settings, select Gateway and then click Change Ownership in the right pane. To view the information select the Information category.

When the RAS console is connected to a Parallels RAS farm (i.e. the server where RAS Publishing Agent is running), you can manage RAS Secure Client Gateways by navigating to Farm / <site> /

Gateways.

How a RAS Secure Client Gateway works

The following describes how a RAS Secure Client Gateway handles user connection requests:

1 A RAS Secure Client Gateway receives a user connection request. 2 It then forwards the request to the RAS Publishing Agent with which it's registered (the

Preferred Publishing Agent setting by default).

3 The RAS Publishing Agent performs load balancing checks and the Active Directory security

lookup to obtain security permissions.

4 If the user requesting a published resource has sufficient rights, the RAS Publishing Agent

sends a response to the gateway which includes details about the RD Session Host the user can connect to.

5 Depending on the connection mode, the client either connects through the gateway or

disconnects from it and then connects directly to the RD Session Host server.

RAS Secure Client Gateway operation modes

RAS Secure Client Gateway can operate in one of the following modes:

• Normal Mode. A RAS Secure Client Gateway in normal mode receives user connection

requests and checks with the RAS Publishing Agent if the user making the request is allowed access. Gateways operating in this mode can support a larger number of requests and can be used to improve redundancy.

• Forwarding Mode. A RAS Secure Client Gateway in forwarding mode forwards user

connection requests to a preconfigured gateway. Gateways in forwarding mode are useful if cascading firewalls are in use, to separate WAN connections from LAN connections and make it possible to disconnect WAN segments in the event of issues without disrupting the LAN.

Note: To configure the forwarding mode, a Parallels RAS farm must have more than one RAS Secure Client Gateway.

Planning for high availability

When adding RAS Secure Client Gateways to a site, the N+1 redundancy should be configured to ensure uninterrupted service to your users. This is a general rule that also applies to other Parallels RAS components, such as Publishing Agents or RD Sessions Hosts.

RAS Secure Client Gateway

Adding a RAS Secure Client Gateway

To add a RAS Secure Client Gateway to a site, follow these steps:

1 In the RAS Console, navigate to Farm / <site> / Gateways. 2 With the Gateways tab selected in the right pane, click Tasks > Add to start the Add RAS

Secure Client Gateway wizard.

3 Enter the server FQDN or IP address (or click the [...] button to select a server from the list). 4 Select the gateway mode from the Mode drop down menu. 5 If you selected the Forwarding mode in the step above, select the destination gateway in the

Forward To drop-down list. You can also select a specific IP address in the On IP drop-down list if the Gateway server has more than one.

6 Select the Add an SSL certificate and enable HTML5 Gateway option to automatically

create a self-signed certificate, enable SSL, and enable HTML5 support. For more info, please see Enable HTML5 Support on the Gateway (p. 67).

7 Select the Add Firewall Rules to automatically configure the firewall on the server hosting the

gateway. See Port Reference (p. 326) for details.

8 Click Next. 9 On the next page, click Install to start the RAS Secure Client Gateway installation. 10 Click Done when the installation is finished.

Manually Adding a RAS Secure Client Gateway

To manually install a RAS Secure Client Gateway and add it to the farm, follow these steps:

1 Log into the server where you'll be installing the RAS Secure Client Gateway using an

administrator account.

2 Copy the Parallels RAS installation file (RASInstaller.msi) to the server and double click it

to launch the installation wizard.

3 Once prompted, click Next and accept the End-User license agreement. 4 Select the path where the RAS Secure Client Gateway should be installed and click Next. 5 Select Custom from the installation type screen and click Next. 6 Click on RAS SecureClientGateway in the feature tree and select Entire Feature will be

installed on local hard drive.

7 Ensure that all other components in the selection tree are cleared and click Next. 8 Click Install to start the installation.

RAS Secure Client Gateway

9 When the installation is completed, click Finish to close the wizard. 10 Open the RAS Console and specify the RAS Publishing Agent that will manage the gateway.

Checking the RAS Secure Client Gateway Status

To check the status of a RAS Secure Client Gateway, right-click it in the list and then click Check Status in the context menu. The RAS Secure Client Gateway Information dialog opens.

The dialog displays the gateway information, including:

• Server: The name of the server on which the gateway is installed.

• Gateway: The gateway verification status (e.g. Verified).

• Version: The gateway software version number. The version number must match the Parallels

RAS version number.

• OS Type: Operating system type and version.

• Status: Display the current RAS Secure Client Gateway status. If the status indicates a problem

(e.g. the gateway did not reply or the gateway software version is wrong), click the Install button to push install the gateway software on the server. Wait for the installation to complete and check the status again.

Configuring RAS Secure Client Gateway

To configure a RAS Secure Client Gateway:

1 In the RAS console, navigate to Farm / <site> / Gateways. 2 In the right pane, right-click a gateway and click Properties. 3 The RAS Secure Client Gateway Properties dialog opens.

Read on to learn how to configure the RAS Secure Client Gateway properties.

Enable or Disable a Gateway

A RAS Secure Client Gateway is enabled by default. To enable or disable a gateway, use the

Enable RAS Secure Client Gateway in site option on the Properties tab of the RAS Secure Client Gateway Properties dialog.

Gateway Mode, Forwarding Settings, HSTS

A RAS Secure Client Gateway can operate in normal and forwarding modes (p. 58). To set the desired mode and configure related settings click the Properties tab in the RAS Secure Client Gateway Properties dialog.

RAS Secure Client Gateway

Setting the normal mode

To set the normal mode, in the Gateway mode drop-down list, select Normal.

The Forward requests to HTTP Server option allows you to forward requests that do not belong to RAS Secure Client Gateways (gateways handle HTML5 traffic, Wyse, and URL scheme). To specify multiple servers, separate them with a semicolon. An HTTP server can be specified using an IPv6 address. Please note that the HTTP server must support the same IP version as the browser making the request.

The Preferred Publishing Agent drop-down list allows you to specify a RAS Publishing Agent that the gateway should connect to. This is helpful when site components are installed in multiple physical locations communicating through WAN. You can decrease network traffic by specifying a more appropriate Publishing Agent. For the gateway to select a Publishing Agent automatically, select the Automatically option.

Enforcing HSTS

The HSTS settings button allows you to enforce HTTP Strict Transport Security (HSTS), which is a mechanism that makes a web browser to communicate with the web server using only secure HTTPS connections. When HSTS is enforced for a RAS Secure Client Gateway, all web requests to it will be forced to use HTTPS. This specifically affects the RAS HTML5 Gateway (p. 67), which can normally accept both HTTP and HTTPS requests.

When you click the HSTS settings button, the HSTS Settings dialog opens where you can specify the following:

• Enforce HTTP strict transport security (HSTS) — enables or disables HSTS for the gateway.

• Max-age — specifies the max-age for HSTS, which is the time (in our case in months) that the

web browser should remember that it can only communicate with the gateway using HTTPS. The default (and recommended) value is 12 months. Acceptable values are 4 to 120 months.

• Include subdomains — specifies whether to include subdomains (if you have them).

• Preload — enables or disables HSTS preloading. This is a mechanism whereby a list of hosts

that wish to enforce the use of SSL/TLS on their site is hardcoded into a web browser. The list is compiled by Google and is used by Chrome, Firefox, Safari, IE 11 and Edge browsers. When HSTS preload is used, a web browser will not even try to send a request using HTTP, but will use HTTPS every time. Please also read the important note below.

Note: To use HSTS preload, you have to submit your domain name for inclusion in Chrome's HSTS preload list. Your domain will be hardcoded into all web browser that use the list. Important: Inclusion in the preload list cannot easily be undone. You should only request inclusion if you are sure that you can support HTTPS for your entire site and all its subdomains in the long term (usually 1-2 years).

RAS Secure Client Gateway

Please also note the following requirements:

• Your website must have a valid SSL certificate. See Assessing SSL Server Configuration (p.

67).

• All subdomains (if any) must be covered in your SSL Certificate. Consider ordering a Wildcard

Certificate.

Setting the forwarding mode

To configure the forwarding mode, in the Gateway mode drop-down list, select Forwarding.

Specify (or select) one or more forwarding gateways in the Forwarding RAS Secure Client Gateway(s) field.

Note: The forwarding mode allows you to forward data to a gateway listening on IPv6. It is recommended that forwarding gateways are configured to use the same IP version.

Set IP Address for Incoming Connections

The IP Address tab is used to set IP address options for incoming client connections.

RAS Secure Client Gateway recognizes both IPv4 and IPv6. By default, IPv4 is enabled. If a gateway has IPv6 and IPv4 configured, you can specify whether clients should be connecting using IPv4, IPv6, or both. To do so, in the Use IP version drop-down list:

1 Select the IP version to use and then specify the corresponding properties for the selected

version (or both if you selected IPv4 and IPv6).

2 Click the Resolve button to resolve the IP addresses of the RAS Secure Client Gateway

depending on the IP version selected.

The Bind to the following IPv4/IPv6 fields are used to specify one or more IP addresses on which the RAS Secure Client Gateway should listen for incoming connections. To specify multiple IP addresses, separate them with a semicolon.

The Optimize connection for the following IPv4/ IPv6 fields can be used when the connection between the gateway and the Parallels Client has a high latency (such as the Internet). This option will optimize traffic for better experience on the Parallels Client side. You can select a specific address, all available addresses, or none to disable this option. What this option will do is delay the internal socket to match the performance of the external socket. If the internal network is fast and the external is slow, RDP detects the fast internal socket and sends a lot of data. The problem is that this data cannot be sent so fast from the Gateway to the Client, thus ending up with a bad user experience. Enabling this option will optimize the data exchange.

Configure RAS Secure Client Gateway Network Options

The Network tab is used to configure RAS Secure Client Gateway network options.

RAS Secure Client Gateway

By default a RAS Secure Client gateway listens on TCP ports 80 and 443 to tunnel all Parallels RAS traffic. To change the port, specify a new port in the RAS Secure Client Gateway Port input field.

RDP port 3389 is used for clients that require basic load balanced desktop sessions. Connections on this port do not support published resources. To change the RDP port on a gateway select the RDP Port option and specify a new port.

Note: If RDP port is changed, the users need to append the port number to their connection string in the remote desktop client (e.g. [ip address]:[port]).

Broadcast RAS Secure Client Gateway Address. This option can be used to switch on the broadcasting of the gateway address, so Parallels Clients can automatically find their primary gateway. The option is enabled by default.

Enable RDP UDP Data Tunneling. To enable UDP tunneling on Windows devices, select this option (default). To disable UDP tunneling, clear the option.

Client Manager Port. Select this option to enable management of Windows devices from the Client Manager category. The option is enabled by default.

Enable RDP DOS Attack Filter. When selected, this option denies chains of uncompleted

sessions from the same IP address. For example, if a Parallels Client initiates multiple successive sessions with each session waiting for the user to provide credentials, Parallels RAS will deny further attempts. The option is enabled by default.

Configure SSL Encryption on a Gateway

The traffic between Parallels RAS users and a RAS Secure Client Gateway can be encrypted. The SSL/TLS tab allows you to configure data encryption options.

By default, a self-signed certificate is installed during a RAS Secure Client Gateway installation and TLS v1.0, v1.1, or v1.2 is used. Each RAS Secure Client Gateway has its own certificate, which should be added to Trusted Root Authorities on the client side to avoid security warnings.

To issue a new self-signed certificate:

1 Select the Enable SSL on Port option and specify a port number (default is 443). 2 (Optional) Select the SSL version accepted by the RAS Secure Client Gateway from the

Accepted SSL Versions drop-down list.

3 (Optional) Select the Cipher Strength as a certificate encryption algorithm strength of your

choice. The default strength is Custom. The Cipher field specifies the cipher, which is also set to a default value (for the Custom strength, you can change it if needed in accordance with the openSSL standards). A stronger cipher allows for stronger encryption, which increases the effort needed to break it.

RAS Secure Client Gateway

4 To generate a new self-signed certificate, click the Generate new certificate button and then

enter the required details. Note that you can choose your own certificate expiration date using the Expire in field (the default value is 12 months). When done, click Save to save the details and generate a new self-signed certificate. The Private Key file and Certificate file fields will be populated automatically.

5 Click OK to save your changes and close the dialog.

Encrypting Parallels Client connection

By default, the only type of connection that is encrypted is a connection between a Gateway and backend servers. To encrypt a connection between Parallels Client and a Gateway, you also need to configure connection properties on the client side. To do so, in Parallels Client, open connection properties and set the connection mode to Gateway SSL.

To simplify the Parallels Client configuration, it is recommended to use a certificate issued either by a third party Trusted Certificate Authority or Enterprise Certificate Authority (CA).

If an Enterprise CA certificate is used, Windows clients receive a Root or Intermediate Enterprise CA certificate from Active Directory. Client devices on other platforms require manual configuration.

If a third-party certificate issued by a well-known Trusted Certificate Authority (e.g. Verisign) is used, the client device trusts using Trusted Certificate Authority updates for the platform.

Using Third-Party Trusted Certificate Authority

1 In the RAS Console, navigate to Farm > Gateway > Properties and click the SSL/TLS tab. 2 Select TLS 1.2 as the SSL settings option. 3 Choose CSR. 4 Fill in the data. 5 Copy and paste the CSR into a text editor and save the file for your records. 6 Paste the CSR into the party Vendors Website page or email it to the vendor. 7 Request a return certificate in the following format: Apache, with the private, public and

intermediate CA all in one file, with extension .pem.

8 When you receive the file, place it in a secure folder for backup retrieval. 9 Click Import Public Key and navigate to the folder (or navigate to a secondary location where

you have a copy of the single all-in-one cert) and insert the .pem file into the Certificate key field.

10 Click Apply and Test.

Note: The private key should already be populated from your initial CRS request.

RAS Secure Client Gateway

Using Enterprise Certificate Authority

Use IIS to receive a certificate from Enterprise CA and export the certificate in the PFX format.

Install the PFX certificate on RAS Secure Client Gateway as follows:

1 Launch the Parallels RAS Console. 2 Select a RAS Secure Client Gateway, open its properties and switch to the SSL tab. 3 Click […] next to Private Key or Public Key fields. 4 Browse for the .pfx file and click OK. 5 Click Apply.

Note: The trusted.pem file on the Parallels Client side must include the intermediate certificate to be able to verify the cert from the third-party vendor. If the intermediate certificate for the vendor is not in the trusted.pem file, you will have to paste it in manually or create a trusted.pem template file with the proper Intermediate Certificates and then replace the old trusted.pem file with the newly updated one. This file resides in the Program Files\Parallels or Program Files(x86)\ Parallels on the client side.

Enable SSL on Parallels Secure Client Gateway with cert.pem

1 On the Parallels Client Gateway page, enable secure sockets layer (SSL) and click […] to

browse for the pem file.

2 Place the single file generated in the Private Key and Public Key fields. 3 Click Apply to apply the new settings. 4 Your browser may not support displaying this image.

Parallels Clients Configuration

In case the certificate is self-signed, or the certificate issued by Enterprise CA, Parallels Clients should be configured as follows:

1 Export the certificate in Base-64 encoded X.509 (.CER) format. 2 Open the exported certificate with a text editor, such as notepad or WordPad, and copy the

contents to the clipboard.

To add the certificate with the list of trusted authorities on the client side and enable Parallels Client to connect over SSL with a certificate issued from an organization’s Certificate Authority:

1 On the client side in the directory "C:\Program Files\Parallels\Remote Application Server Client\"

there should be a file called trusted.pem. This file contains certificates of common trusted authorities.

2 Paste the content of the exported certificate (attached to the list of the other certificates).

RAS Secure Client Gateway

Securing RDP-UDP Connections

A Parallels Client normally communicates with a RAS Secure Client Gateway over a TCP connection. Recent Windows clients may also utilize a UDP connection to improve WAN performance. To provide the SSL protection for UDP connections, DTLS must be used.

To use DTLS on a RAS Secure Client Gateway:

1 On the SSL/TLS tab, make sure that the Enable SSL on Port option is selected (default). 2 On the Network tab (p. 63), make sure that the Enable RDP UDP Data Tunneling option is

selected (default).

The Parallels Clients must be configured to use the Gateway SSL Mode. This option can be set in the Connections Settings > Connection Mode drop-down list on the client side.

Once the above options are correctly set, both TCP and UDP connections will be tunneled over SSL.

Assessing SSL Server Configuration

When configuring RAS Secure Client Gateway to use SSL encryption, you should pay attention to how the SSL server is configured to avoid possible traps and security issues. Specifically, the following SSL components should be rated to determine how good the configuration is:

• The certificate, which should be valid and trusted.

• The protocol, key exchange, and cipher should be supported.

The assessment may not be easy to perform without specific knowledge about SSL. That's why we suggest that you use the SSL Server Test available from Qualys SSL Labs. This is a free online service that performs an analysis of the configuration of an SSL web server on the public Internet. To perform the test on a RAS Secure Client Gateway, you may need to temporarily move it to the public Internet.

The test is available at the following URL: https://www.ssllabs.com/ssltest/

You can read a paper from Qualys SSL Labs describing the methodology used in the assessment at the following URL: https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide

Configure HTML5 Connectivity

The HTML5 tab is used to configure HTML5 connectivity.

HTML5 connectivity is a functionality built into RAS Secure Client Gateway. When the connectivity is enabled (default), end users can run published resources using Parallels HTML5 Client that runs inside a web browser.

RAS Secure Client Gateway

Parallels HTML5 Client works similarly to a platform-specific Parallels Client application with the exception that end users don't have to install any additional software on their computers or devices — all they need is an HTML5-enabled web browser. This section describes how to configure HTML5 connectivity in the Parallels RAS Console. For the information about how to use it, please refer to Using Parallels HTML5 Client (p. 199).

Note: To use HTML5 connectivity, SSL must be enabled on the Gateway. When enabling HTML5, please verify that SSL is enabled on the SLL/TLS tab or on your network load balancer. Please also note that the HTML5 tab is only available if the gateway mode is set to "normal". For more information, see Set the Gateway Mode and Forwarding Settings (p. 61).

To configure HTML5 connectivity, set the options described below.

Enable HTML5 Client: Select or clear this option to enable or disable HTML5 on the getaway.

Gateway

Port: Specify a custom port number if necessary.

URL: Specifies the complete URL that end users will need to enter in their web browsers to

connect to Parallels RAS. The URL consists of the RAS Secure Client Gateway server FQDN (or computer name) or IP address followed by "RASHTML5Gateway".

Note: You can simplify or even override this URL on the Web Requests tab of the RAS Secure Client Gateway Properties dialog. For example, you can make it possible for your users to enter just the server

FQDN or IP address (without the "RASHTML5Gateway" part) to access the HTML5 login page. If you use HTML5 Client Themes (a Parallels RAS feature), you can specify a URL that will open a particular theme's login page. For more information, please see Specifying a URL for Web Requests (p. 70) and

Configure HTML5 Client Themes (p. 200).

Client

Launch sessions using: Allows you to specify whether remote applications and desktops will be

launched on user computers in a web browser (HTML5 Client) or in a platform-specific Parallels Client. Parallels Client includes a richer set of features compared to HTML5 Client, thus providing end users with a better user experience. Select one of the following:

• Launch apps in browser only (HTML5 only) — Users can run remote applications and

desktops using Parallels HTML5 Client only. Use this option if you don't want your users to install a platform-specific Parallels Client.

• Launch apps with Parallels Client — Users can run remote applications and desktops in

Parallels Client only. When a user connects to Parallels RAS using Parallels HTML5 Client, they will be asked to install the platform-specific Parallels Client before they can launch remote applications and desktops. A message will be displayed to the user with a link for downloading the Parallels Client installer. After the user installs Parallels Client, they can still select a remote application or desktop in Parallels HTML5 Client but it will open in Parallels Client instead.

RAS Secure Client Gateway

• Launch apps with Parallels Client and fallback to HTML5 — Both Parallels Client and a

browser (HTML5) can be used to launch remote applications and desktops. Parallels Client will be the primary method; Parallels HTML5 Client will be used as a backup method if a published resource cannot be launched in Parallels Client for any reason. A user will be informed if a resource couldn't be opened in Parallels Client and will be given a choice to open it in the browser instead.

Allow users to select a launch method: If selected, users will be able to choose whether to open remote applications in a browser or in Parallels Client. You can enable this option only if the

Launch session using option (above) is set to Launch apps in Parallels Client and fallback to HTML5 (i.e. both methods are allowed).

Allow opening applications in a new tab: If selected, a user will be able to open remote

applications in a new tab in his/her web browser.

Use Pre Windows 2000 login format: If this option is selected, it allows you to use legacy (preWindows 2000) login format.

Restrictions

Allow embedding of Web Client into other web pages: If selected, the Parallels HTML5 Client

web page can be embedded in other web pages. Please note that this may be a potential security risk due to the practice known as clickjacking.

Allow file transfer command: Enables or disables the remote file transfer functionality. For more information, see Enabling or Disabling Remote File Transfer (p. 262).

Allow clipboard command: Enables or disables the Remote Clipboard. For more information, see Using the Remote Clipboard (p. 214).

Enforcing HTTP Strict Transport Security (HSTS)

You can enforce HSTS for all HTML5 connections, so that web browsers communicate with the HTML5 gateway using only HTTPS. For the information on HSTS and how to enforce it for a gateway, see Gateway Mode, Forwarding Settings, HSTS (p. 61).

Enable Support for Wyse Thin Client OS

To publish applications from the Parallels RAS to thin clients using the Wyse thin client OS, select the Enable Wyse ThinOS Support option on the Wyse tab.

Note: The Wyse tab is only available if the gateway mode is set to normal. See Set the Gateway Mode and Forwarding Settings for more info (p. 61).

RAS Secure Client Gateway

By enabling this option, the RAS Secure Client Gateway will act as a Wyse broker. You need to make sure that DHCP option 188 on your DHCP server is set to the IP address of this gateway for thin clients that will be booting via this gateway. Once the DHCP server is configured, click the Test button to verify the DHCP server settings.

Filter Access to a RAS Secure Client Gateway

You can allow or deny user access to a gateway based on a MAC address. This can be accomplished using the Security tab in the RAS Secure Client Gateway Properties dialog.

To configure a list of allowed or denied MAC addresses, click the Security tab and select one of the following options:

• Allow all except. All devices on the network will be allowed to connect to the gateway except

those included in this list. Click Tasks > Add to select a device or to specify a MAC address.

• Allow only. Only the devices with the MAC addresses included in the list are allowed to

connect to the gateway. Click Tasks > Add to select a device or to specify a MAC address.

Please note that the Gateway MAC address filtering is based on ARP, so client and server must be on the same network for the filtering to work. It does not work across network boundaries.

Specifying a URL for Web Requests

The Web Requests tab allows you to specify a URL which will open when a user enters the IP address of the RAS Secure Client Gateway server in a web browser.

Note: The Web Requests tab is only available if the gateway mode is set to normal. See Set the Gateway Mode and Forwarding Settings for more info (p. 61).

Generally speaking, you can enter any URL on the Web Requests tab. As a result, when end users enter the gateway's IP address or FQDN in a web browser, they will be redirected to the URL specified on this tab. Real-world scenarios of using the URL redirection are as follows:

• End users enter the gateway's FQDN or IP address in a web browser and get redirected to the

HTML5 Client login page. For this to happen, the Web Requests tab must specify the actual HTML5 URL, which is the default value. You can see the actual URL on the HTML5 tab or you can simply click the Default button which will populate the field with it.

• When using HTML5 Client themes, you can specify a URL of a particular theme, such as

https://server.company.com/RASHTML5Gateway/?theme=MyTheme. This way,

when a user enters the server IP address or FQDN, they will be redirected to the specified theme page. For more info about themes, please see Configuring HTML5 Client Themes (p.

200).

• If you disabled the HTML5 connectivity on the gateway, you can specify a URL of a completely

different page on another web server to which users will be redirected instead of trying to open the HTML5 Client login page.

RAS Secure Client Gateway

Note: You can disable the redirection feature altogether by keeping the Default URL field empty. This may be useful when you enable the Forward requests to HTTP Server option (on the Properties tab) and need to redirect all traffic to your HTTP server.

Configure Logging

A RAS Secure Client Gateway is monitored and logs are created containing relevant information. To configure logging and retrieve or clear existing log files, right-click a gateway, choose Troubleshooting > Logging in the context menu, and then click Configure, Retrieve, or Clear depending on what you want to do. For the information on how to perform these tasks, see the Logging (p. 299) section.

Gateway Tunneling Policies

Tunneling policies can be used to load balance connections by assigning a group of RD Session Hosts to a specific RAS Secure Client Gateway or RAS Secure Client Gateway IP address.

To configure tunneling policies, navigate to Farm / <site> / Gateways and then click the Tunneling Policies tab in the right pane.

The <Default> policy is a preconfigured rule and is always the last one to catch all non-configured gateway IP addresses and load balance the sessions between all servers in the farm. You can configure the <Default> policy by right-clicking it and then clicking Properties in the context menu.

Adding a New Tunneling Policy

To add a new policy:

1 Click Tasks > Add. 2 Select a gateway IP address. 3 Specify to which RD Session Host(s) the users connecting to that specific gateway should be

forwarded to.

Managing a Tunneling Policy

To modify an existing Tunneling Policy, right-click it and then click Properties in the context menu.

RAS Secure Client Gateway

Viewing Gateway Summary and Metrics

You can view the summary information for all available RAS Secure Client Gateways in one place as follows:

1 In the RAS Console, select the Farm category and then select the Site node in the middle

pane.

2 The available RAS Secure Client Gateways are displayed in the Gateways group in the right

pane.

3 To go to the main Gateway view/editor, right-click a server and choose Show in the Editor.

You can also view the detailed information about a RAS Secure Client Gateway by navigating to Information / Site Information in the Parallels RAS Console. The information on this page includes general information, such as OS version, RAS version, Gateway mode, as well as the information about various types of connections, sessions, cached sockets, and threads.

Using Computer Management Tools

You can perform standard computer management tasks on server hosting the RAS Secure Client Gateway right from the RAS Console. These include Remote Desktop Connection, PowerShell, Computer Management, Service Management, Event Viewer, IPconfig, Reboot, and others. To access the Tools menu, select a server, click Tasks (or right-click) > Tools and choose a desired tool. For requirements and usage information, see Computer Management Tools (p. 280).

C HAPTER 7

RD Session Hosts

RD Session Hosts are used to host published resources (applications, desktops, documents, etc.) in a Parallels RAS farm. Read this chapter to learn how to add, configure, and administer RD Session Hosts.

In This Chapter

RD Session Host Types .......................................................................................... 73

Adding an RD Session Host ................................................................................... 74

Planning for High Availability ................................................................................... 77

Viewing RD Session Hosts ...................................................................................... 77

Configuring an RD Session Host ............................................................................. 78

Grouping and Cloning RD Session Hosts ................................................................ 84

Using Scheduler ..................................................................................................... 88

Managing RDSH Sessions ...................................................................................... 90

Managing Logons .................................................................................................. 93

Using Computer Management Tools ....................................................................... 94

Publishing from an RD Session Host ....................................................................... 94

Publishing Containerized Applications ..................................................................... 99

Viewing Published Resources Hosted by RD Session Hosts .................................... 103

RD Session Host Types

Beginning with Parallels RAS v16.5, you can create and add to a RAS farm the following types of RD Session Hosts:

• Individual servers. These can be physical boxes or virtual machines treated as physical servers.

• Virtual machines (VMs) created from a RAS Template, which is a part of RAS Virtual Desktop

Infrastructure (VDI). The main advantage of using VMs is the ability to create as many of them as you require from a single RAS Template. RD Session Hosts based on a RAS Template are described in the Grouping and Cloning RD Session Hosts section (p. 84).

Considering that RAS Template is a part of RAS VDI, some aspects of creating, provisioning, and managing RD Session Hosts based on a RAS Template differ from the regular RD Session Hosts (individual servers). For example, RAS Template-based hosts are added to a farm automatically from a group, not manually by the administrator. There are some other differences which are described in various sections of this chapter. When reading these sections, please pay attention to whether or not a particular functionality applies to RD Session Hosts based on a RAS Template.

RD Session Hosts

Adding an RD Session Host

RD Session Host requirements

An RD Session Host must have the Remote Desktop Services (RDS) role installed. You can install RDS right from the RAS Console, as described later in this section.

To push install the RAS RD Session Host Agent on a server, the following requirements must be met:

• The firewall must be configured on the server to allow push installation. Standard SMB ports

(139 and 445) need to be open. See also Port Reference (p. 326) for the list of ports used by Parallels RAS.

• SMB access. The administrative share (\\server\c$) must be accessible. Simple file sharing

must be enabled.

• Your Parallels RAS administrator account must have permissions to perform a remote

installation on the server. If it doesn't, you'll be asked to enter credentials of an account that does.

• The RD Session Host should be joined to an AD domain. If it's not, the push installation may

not work and you will have to install the Agent on the server manually. See Installing the Agent manually section (p. 75).

Note: The rest of this section applies to regular RD Session Hosts only. If you are looking for the information on how to add an RD Session Host based on a RAS Template, see Grouping and Cloning

RD Session Hosts (p. 84).

Quickly add an RD Session Host

You can quickly add an RD Session Host to a site from the Start category in the RAS Console. This process is described in the Setting Up a Basic Parallels RAS Farm section (p. 27).

The rest of this section describes how to add an RD Session Host from the Farm category. Compared to using the Start category, this process consists of more steps but gives you more options.

Adding an RD Session Host

To add an RD Session Host:

1 In the RAS Console, navigate to Farm > Site > RD Session Hosts. 2 Click Tasks > Add. 3 In the dialog that opens, specify the following:

RD Session Hosts

• Server. Specify the server IP address or FQDN.

• Add firewall rules. Automatically configure the firewall on the server to meet Parallels RAS

requirements. See Port Reference (p. 326) for the list of ports used by Parallels RAS.

• Install RDS role. Install the RDS role in Windows running on the server.

• Enable Desktop Experience. Enable the Desktop Experience feature in Windows running

• Restart server if required. Restart the server if necessary. Please note that this option is

ignored if a restart is pending on a local machine (i.e. the restart of a local machine will not be forced).

• Specify users or groups to be added to the Remote Desktop Users group. This option

allows you to add Parallels RAS users or groups to the Remote Desktop Users group in Windows running on the server. This is necessary for your Parallels RAS users to be able to access published resources hosted by an RD Session Host. If a Parallels RAS user is not a member of the Remote Desktop Users group on a given RD Session Host, they will be denied access to its published resources. Select this option and then use the [+] icon below it to specify users or groups.

4 Click Next. 5 In the next step, a checking is performed if the RAS RD Session Host Agent is installed on the

server.

If the agent is not installed:

a Click Install to push install the agent. b In the Installing RD Session Host Agent dialog, select the target server. c (Optional) Select the Override system credentials option to specify different credentials to

connect to the server. You need to do this if the RAS admin account that you are using doesn't have permissions to perform a remote installation on the target server.

d Click Install to install the agent. Click Done once the agent is installed. If the push

installation of the RAS RD Session Host Agent fails for any reason, you have an option to install it manually. Please see Installing the Agent Manually (p. 75).

6 In the Agent Information dialog, click Add to add the RD Session Host to the Parallels RAS

farm.

7 Click Apply in the Parallels RAS Console to commit the new settings.

Installing the Agent Manually

You may need to install the RAS RD Session Host Agent manually if the automatic push installation cannot be performed. For instance, an SMB share may not be available or the firewall rules may interfere with the push installation, etc.

RD Session Hosts

Installing RAS RD Session Host Agent Manually

1 Log in to the server where the RAS RD Session Host Agent is to be installed using an

administrator account and close all other applications.

2 Copy the Parallels RAS installation file (RASInstaller.msi) to the server and double-click it

to launch the installation.

3 Once prompted, click Next and accept the End-User license agreement. 4 Specify the path where the RAS RD Session Host Agent should be installed and click Next. 5 Select Custom and click Next. 6 Click on RAS RD Session Host Agent and select Entire Feature will be installed on local

hard drive from the drop-down menu.

7 Ensure that all other components are deselected and click Next. 8 Click Install to start the installation. 9 Click Finish once the installation is finished.

The RAS RD Session Host Agent doesn't require any configuration. Once the agent is installed, highlight the server name in the RAS Console and click Troubleshooting > Check Agent in the

Tasks drop-down menu to update the server status.

Uninstalling RAS RD Session Host Agent

To uninstall RAS RD Session Host Agent from a server:

1 Navigate to Start > Control Panel > Programs > Uninstall a Program. 2 Find Parallels Remote Application Server in the list of installed programs. 3 If you don't have any other Parallels RAS components on the server that you want to keep,

right-click Parallels Remote Application Server and then click Uninstall. Follow the instructions to uninstall the program. You may skip the steps below.

4 If you have other RAS components that you want to keep on the server, right-click Parallels

Remote Application Server and then click Change.

5 Click Next on the Welcome page. 6 On the Change, repair, or remove page, select Change. 7 On the next page, select Custom. 8 Select RAS RD Session Host Agent, then click the drop-down menu in front of it, and click

Entire feature will be unavailable.

9 Click Next and complete the wizard.

RD Session Hosts

Planning for High Availability

When adding RD Session Hosts to a site, the N+1 redundancy approach should be used to ensure uninterrupted service to your users. This is a general rule that also applies to other Parallels RAS components, such as Publishing Agents, RAS Secure Client Gateways, or possibly VDI Hosts.

Viewing RD Session Hosts

To view the list of RD Session Hosts for the current site:

1 In the RAS Console, navigate to Farm / <site-name> / RD Session Hosts. 2 The available RD Session Hosts are displayed on the RD Session Hosts tab in the right pane.

You can filter the RD Session Hosts list as follows:

1 Click the magnifying glass icon, which is located on a toolbar above the list. 2 An extra row is displayed at the top of the list where you can type a string in one or more

columns that will be used to filter the list.

3 For example, if you want to search for a server by its name, enter the text in the Server column.

You can type the entire server name or the first few characters until a match is found. The list will be filtered as you type and only the matching server(s) will be displayed.

4 If you type a filter string in more than one column, they will be combined using the logical AND

operator.

5 To remove the filter and display the complete list, click the magnifying glass icon again. 6 If you click the magnifying glass icon one more time, you'll see that the filter that you specified

earlier is still there. To remove it completely, simply delete the filter string(s) from the column(s).

Viewing RD Session Host summary

In addition to the RD Session Hosts editor described above, you can also see the summary about the available RD Session Hosts. To do so:

1 In the RAS Console, select the Farm category and then select the Site node in the middle

pane.

2 The available servers are displayed in the RD Session Hosts group in the right pane. 3 To go to the RD Session Host editor (described above), right-click a server and choose Show

in the Editor.

For additional info, see Sites in the RAS Console (p. 39).

RD Session Hosts

Available menu options

You can perform a number of tasks on the an RD Session Host using menus. To do so, click the Tasks drop-down menu and choose a desired option, or right-click a host and choose an option from the context menu.

Please note that not all menu options are available for RD Session Hosts based on a RAS Template. If an option is not available for this host type, it will be either disabled or hidden. These include:

• Remove from group. Hosts based on a RAS Template can only be removed from a group

using the Group Properties dialog.

• Assign to group. Group assignment is performed automatically for RAS Template-based

hosts.

• Delete. Deleting a host (which is a VM) can only be done on the RAS Template level (the Guest

VM List dialog).

• Properties. RD Session Hosts of this type don't have individual properties. Some essential

properties are inherited from Default Server Properties (see View and Modify RD Session Host Properties > Agent Settings (p. 79)).

• Control (logon commands). Drain mode is managed automatically by the group to which a RAS

Template-based host belongs.

Configuring an RD Session Host

This section describes how to configure and manage an existing RD Session Host.

Read on to learn how to:

• Check RAS RD Session Host Agent Status (p. 78)

• Change an RD Session Host Site Assignment (p. 79)

• View and Modify RD Session Host Properties (p. 79)

Check RAS RD Session Host Agent Status

An RD Session Host must have RAS RD Session Host Agent installed in order to publish remote applications and desktop from it. In addition to this, Remote Desktop Services (formerly Terminal Services) must also be installed.

Normally when you add an RD Session Host to a site, the RD Session Host Agent and Remote Desktop Services are installed by default. However, if you skipped the installation (or uninstalled the agent or RDS from the server), you can check their status and take appropriate actions if needed.

RD Session Hosts

To check the status of RD Session Host Agent and RDS, do the following:

1 First, check the Status column in the RD Session Hosts list. The column should display "OK".

If so, the Agent is installed and functioning properly. If not, read on.

2 In addition to the description, the Status column uses a color code to indicate the agent status

as follows:

• Red — not verified

• Orange — needs update

• Green — verified

3 Right-click a server and click Troubleshooting > Check agent in the context menu. The Agent

Information dialog opens.

4 If the agent is not installed on the server, click the Install button and follow the instructions on

the screen.

After the agent installation is complete, you may need to reboot the RD Session Host. You can do it right from the Parallels RAS Console by selecting the server and clicking Tasks > Control > Reboot.

Change RD Session Host Site Assignment

You can assign an RD Session Host to a different site in your farm if needed. Please note that this functionality is only available if you have more than one site in your farm.

To change the site assignment:

1 Right-click an RD Session Host and then click Change Site in the context menu. The Change

Site dialog opens.

2 Select a site in the list and click OK. The server will be moved to the RD Session Hosts list of

the target site (Farm / <new-site-name> / RD Session Hosts).

View and Modify RD Session Host Properties

Note: The information in this section does NOT apply to RD Session Hosts based on a RAS Template. Hosts of that type don't have individual properties and are managed on the RAS Template level. For more information, see Grouping and Cloning RD Session Hosts (p. 84) and Parallels RAS Templates (p.

117).

To configure an RD Session Host:

1 In the RAS Console, navigate to Farm / <site> / RD Session Hosts. 2 Select a server and click Tasks > Properties. 3 The server properties dialog opens where you can configure the RD Session Host properties.

RD Session Hosts

Using default settings

The server properties dialog consists of tabs, each containing their own specific set of properties. All tabs, except the Properties tab, have one common function - the ability to inherit default settings.

If you want the properties on a particular tab to inherit default settings, select the Inherit default settings option. The default settings will be inherited from one of the following:

• Group defaults if the server is assigned to an RD Session Host group. Groups are described in

Grouping and Cloning RD Session Host Servers (p. 84).

• Site defaults if the server is not assigned to an RD Session Host group. Note that a group may

also inherit defaults from the site, but this can be overridden by the RAS administrator in the group properties dialog.

To view or modify inherited default settings, click the Edit Defaults link (available on every tab, except Properties). This will open either the Group default properties or Site default properties dialog depending on whether the server is assigned to a group (see above). Note that each individual tab can inherit default settings independently from other tabs.

The rest of this section describes individual tabs of the server properties dialog.

Properties

Select or clear the Enable Server in site option to enable or disable a server. By default, a server is enabled. A disabled server cannot serve published applications and virtual desktops to clients.

Other elements on this page are:

• Server: Specifies the server name.

• Description: Specifies the server description.

• Change Direct Address: Select this option if you need to change the direct address that

Parallels Client uses to establish a direct connection with the RD Session Host.

Agent Settings

Each RD Session Host in the farm has an RAS RD Session Host Agent installed through which it communicates with other Parallels RAS components. Use the Agent Settings tab to configure the agent.

To use default settings, select the Inherit default settings option. See the Using default settings subsection above.

If you want to specify custom settings for a given server, clear the Inherit default settings option and specify agent properties as follows:

RD Session Hosts

• Port. Specifies a different remote desktop connection port number if a non-default port is

configured on the server.

• Max Sessions. Specifies the maximum number of sessions.

• Publishing Session Disconnect Timeout. Specifies the amount of time each session remains

connected in the background after the user has closed the published application. This option is used to avoid unnecessary reconnections with the server.

• Publishing Session Reset Timeout. This feature allows you to control how long it takes for a

session to be logged off after it is marked as "disconnected".

• Allow Client URL/Mail Redirection. Select this option to allow "http" and "mailto" links to be

opened using a local application on the client computer rather than the server resources. To configure a list of URLs which should not be redirected, navigate to the URL Redirection tab in the Settings node of a site.

• Preferred Publishing Agent. Select a Publishing Agent to which the RD Session Host should

connect. This is helpful when site components are installed in multiple physical locations communicating through WAN. You can decrease network traffic by specifying a more appropriate Publishing Agent.

• Allow 2XRemoteExec to send command to the client. Select this option to allow a process

running on the server to instruct the client to deploy an application on the client side. More about 2XRemoteExec in the Using RemoteExec subsection below.

• Use RemoteApp if available. Enable this option to allow use of remote apps for shell-related

issues when an app is not displayed correctly. This feature is supported on the Parallels Client for Windows only.

• Enable applications monitoring. Enable or disable monitoring of applications on the server.

Disabling application monitoring stops the WMI monitoring to reduce CPU usage on the server and network usage while transferring the information to RAS Publishing Agent. If the option is enabled, the collected information will appear in a corresponding RAS report. If the option is disabled, the information from this server will be absent from a report.

• Allow file transfer command. Allows you to enable or disable the remote file transfer

functionality. For more information, see Enabling or Disabling Remote File Transfer (p. 262).

• Allow local to remote drag and drop. Enables the drag and drop functionality in a remote

application. When this option is enabled, users can drag and drop files to a remote application on their local devices. For example, a user can drag and drop a file to the Acrobat Reader to open a PDF file. Or the user can drag and drop a file to Windows Explorer running on a remote server, etc.

Note: At the time of this writing, the drag and drop functionality is only supported on Parallels Client for Windows and Parallels Client for Mac.

Using 2XRemoteExec

2XRemoteExec is a feature that facilitates the servers ability to send commands to the client. This is done using the command line utility 2XRemoteExec.exe. Command line options include:

RD Session Hosts

Command Line Parameter Parameter Description

-s

-t

-? "Path for Remote Application"

Used to run the 2XRemoteExec command in ‘silent’ mode. Without this parameter, the command will display pop up messages from the application. If you include the parameter, the messages will not be displayed.

Is used to specify the timeout until the application is started. Timeout must be a value between 5000ms and 30000ms. Note that the value inserted is in ‘ms’. If the timeout expires the command returns with an error. Please note that the application might still be started on the client.

Shows a help list of the parameters that 2XRemoteExec uses.

The Application that will be started on the client as prompted from the server.

2XRemoteExec examples:

The following command displays a message box describing the parameters that can be used.

2XRemoteExec -?

This command runs Notepad on the client.

2XRemoteExec C:\Windows\System32\Notepad.exe

In this example, the command opens the C:\readme.txt file in the Notepad on the client. No message is shown and 2XRemoteExec would wait for 6 seconds or until the application is started.

2XRemoteExec C:\Windows\System32\Notepad.exe “C:\readme.txt”

User Profile Disks

User profile disks are virtual hard disks that store user application data on a dedicated file share. This disk is mounted to the user session as soon as the user signs in to the RD Session Host, and unmounted when the user logs out.

To use default settings, select the Inherit default settings option. See the Using default settings subsection above.

To use custom settings, clear the Inherit default settings option and specify the options described below.

Enable or disable user profile disks: Use the drop-down list box to specify whether to enable or disable user profile disks on the server. Select from the following options:

• Do not change. Keep the current server settings (default).

• Enabled. Enable user profile disks.

• Disabled. Disable user profile disks.

Disk location: In the text field provided, specify a network location where user profile disks should be created. Use the Microsoft Windows UNC format to specify a location (e.g. \\RAS\users\disks). Please note that the server must have full control permissions on the disk share. 82

RD Session Hosts

Maximum size: Enter the maximum allowed disk size (in gigabytes).

User profile disks data settings: Click this button to open the User Profile Disks Data Settings

dialog. In the dialog, you can specify which user folders should be stored on the user profile disk. Select one of the following:

• Store all user settings and data on the user profile disk. All folders, except those specified

in the exclusion list, will be stored on the user profile disk. To add or remove folders to/from the exclusion list, click the [+] or [-] buttons.

• Store only the following folders on the user profile disk. Only folders specified in the

inclusion lists will be stored on the user profile disk. There are two inclusion lists. The first one contains standard user profile folders (e.g. Desktop, Documents, Downloads, etc.) and allows you to select the folders that you want to include. The second list (below the first list) allows you to specify additional folders. Click the [+] or [-] buttons to add or remove folders.

Desktop Access

The Desktop Access tab allows you to restrict remote desktop access to certain users.

To use default settings, select the Inherit default settings option. See the Using default settings subsection above.

By default, all users who have access to remote applications on an RD Session Host can also connect to the server via a standard RDP connection. If you want to restrict remote desktop access to certain users, do the following:

1 On the Desktop Access tab, select the Restrict direct desktop access to the following

users option. If you have the Inherit default settings option selected, click the Edit Defaults

link to see (and modify if needed) the default configuration. The rest of the steps apply to both the Server Properties and Default Server Properties dialogs.

2 Click the Add button. 3 Select the desired users. To include multiple users, separate them by a semicolon. 4 Click OK. 5 The selected users will appear in the list on the Desktop Access tab.

Users in this list will still be able to access remote applications using Parallels Client, but will be denied direct remote desktop access to this server.

Note: Computer Configuration / Administrative Templates / Windows Components / Remote Desktop Services / Remote Desktop Session Host / Connection / Allow users to connect remotely using remote desktop services must be set to Not configured, otherwise it takes precedence.

Please note that members of the Administrator group will still be able to connect to the remote desktop even if they are included in this list.

RD Session Hosts

RDP Printer

The RDP Printer tab allows you to configure the renaming format of redirected printers. The format may vary depending on which version and language of the server you are using.

To use default settings, select the Inherit default settings option. See the Using default settings subsection above.

The RDP Printer Name Format drop-down list allows you to select a printer name format specifically for the configured server.

Select the Remove session number from printer name and the Remove client name from printer name options to exclude the corresponding information from the printer name.

Configure Logging

An RD Session Host is monitored and logs are created containing relevant information. To configure logging and retrieve or clear existing log files, right-click a server, choose Troubleshooting > Logging in the context menu, and then click Configure, Retrieve, or Clear depending on what you want to do. For the information on how to perform these tasks, see the Logging (p. 299) section.

Grouping and Cloning RD Session Hosts

When you publish resources in Parallels RAS, you need to specify one or more servers that host them. Groups allow you to combine multiple RD Session Hosts and then publish the resources from the group instead of specifying individual servers.

The main benefits of using RD Session Host groups are as follows:

• They simplify the management of published resources and are highly recommended in multi-

server environments.

• They allow you to use RD Session Hosts created from a RAS Template by utilizing the VDI

functionality, which is available in Parallels RAS. More on this later in this section.

Note that an RD Session Host can be a member of one group only. You cannot add the same server to multiple groups.

Creating a group

To create an RD Session Host group:

1 In the RAS console, navigate to Farm / <site> / RD Session Hosts. 2 Click the Groups tab.

RD Session Hosts

3 Click Tasks > New Group (or click the [+] icon). To modify an existing group, right-click it and

then choose Properties in the context menu.

4 The Group Properties dialog opens where you can specify the group settings as described

below.

On the General tab, select Enable Group in site to enable the group. Type a name and description for the group.

You now need to add one or more servers to the group. You can do this by using the following options (both can be used at the same time):

• Specify a RAS Template on which the servers are based. This will include all RD Session Hosts

that have been or will be created from a selected template. To do so, select the RD session hosts based on a RAS Template option and then select a template from the drop-down list. Note that you need to create a RAS Template of type RD Session Host before you can select it here. For more information, see the Using RAS Templates subsection below.

• Add servers manually one by one by clicking Tasks > Add and then selecting a server from the

list. You can also add a server later by right-clicking it in the main list and choosing Assign to

group.

Using group defaults

RD Sessions Hosts assigned to a group have various settings that they can inherit from the group defaults. This makes it simpler to configure a single set of settings for all servers instead of configuring each server individually. A site also has its own default settings (site defaults). Moreover, an RD Session Host group can inherit these site defaults. This gives you the following choices when inheriting default settings by an RD Session Host:

• Configure site defaults and make the group inherit these settings. The RD Session Hosts

assigned to the group will therefore also inherit site defaults. This is the default scenario for a new group. Site defaults can be configured by navigating to Farm / <site> / RD Session hosts and clicking Tasks > Site defaults.

• Configure default settings for a given group. This way you can have multiple groups, each

having its own group defaults (different from site defaults). Therefore, the servers assigned to a group will inherit the group's defaults.

To configure default settings for a group, open the Group Properties dialog (Tasks > Properties), select a desired tab (except the General tab, which doesn't have any defaults) and select or clear the Inherit default settings option. If you clear the option, you can specify your own defaults. All servers that are (or will be) assigned to this group will inherit these settings. Note that inheritance works independently for each individual tab on the group properties dialog.

For the information on how default settings are configured for an RD Session Host, see View and Modify RD Session Host Properties (p. 79).

RD Session Hosts

Using RAS Templates

RAS Templates of type RD Session Host utilize the VDI functionality available in Parallels RAS. A template is based on a virtual machine (also known as VM or guest VM) running on a hypervisor. When you create a RAS Template, you select a preconfigured VM with the operating system and resources that you intend to publish already installed. Individual hosts (VMs) are then created as clones of the template. The clones can be created in advance or on as-needed basis (configurable when you create a template). This functionality allows you to essentially create and configure an RD Session Host running in a virtual machine and then create as many copies of it as you require.

For the complete information about using VDI in Parallels RAS see the VDI chapter (p. 105). Once you are familiar with adding and configuring a VDI host, read the Parallels RAS Templates section (p. 117) which explains how to create a RAS Template of type RD Session Host.

After you select a RAS Template in the Group Properties dialog, click the RAS Template Settings tab to specify additional properties described below.

Send a request to the RAS Template when the workload threshold is above (%): Specifies the group workload threshold at which one or more additional servers (guest VMs) should be created from the template. The group workload percentage is calculated using the following formula:

Group Workload = (Current Sessions / Max Sessions) * 100

In the formula above:

• Current Sessions is the total number of all sessions on all servers in the group. This includes

static (standalone) servers and servers created from the RAS Template (guest VMs). Note that servers that are disabled, being drained, or have the agent status of ‘Not Verified’ are NOT included in the calculation.

• Max Sessions is a setting that you specify on the Agent Settings tab (either inherited from site

defaults or overridden for this group) and it's the maximum number of sessions allowed for the group.

Consider the following examples:

RAS Group 1 — mixed server types (static and guest VMs), different agent status:

• RDSH-1, Status: OK, Max Sessions 10, Current Sessions: 2, Type: Static

• RDSH-2, Status: Disabled, Max Sessions 20, Current Sessions: 0, Type: Static

• RDSH-3, Status: OK, Max sessions 10, Current Sessions: 4, Type: Guest VM

• RDSH-4, Status: Drain Mode, Max sessions 10, Current Sessions: 3, Type: Guest VM

For the group above, the workload is calculated as (Current Sessions / Max Sessions) * 100 or ((2 +

4) / 20) * 100 = 30%

Note that servers RDSH-2 and RDSH-4 are not included in the workload because the former has the agent disabled and the latter is in drain mode.

RD Session Hosts

RAS Group 2 — mixed server types (static and guest VMs), different agent status:

• RDSH-1, Status: OK, Max Session 10, Current Sessions: 0, Type: Guest VM

• RDSH-2, Status: OK, Max Sessions 10, Current Sessions: 2, Type: Guest VM

• RDSH-3, Status: Not Verified, Max sessions 10, Current Sessions: 0, Type: Guest VM

Group Workload = (Current Sessions / Max Sessions) * 100 or ((0 + 2) / 20) * 100 = 10%

Please note that a group will always make sure that it has at least one server available, even if the workload is zero percent.

Number of servers to be added to the group per request: The number of servers that the template should create per single request from the group. This setting works together with the Send a request to the RAS Template when the workload threshold is above (%) setting described above. When a group sends a request to the template to create additional servers, the value specified here will determine the number of servers that will be created.

Max number of servers to be added to the group from the RAS Template: This option allows you to set a limit on how many servers in total can be added to the group from the template. A RAS Template can be shared between groups. By setting a limit for each group, you can ensure that the combined number of servers in each group will not exceed the template limit. Consider the following examples:

• If the RAS Template is used by a single group, then this number can be up to the "Maximum

guest VMs" setting of the RAS Template.

• If two or more groups share the same RAS Template, then the combined number from all

groups must be less or equal to the "Maximum guest VMs" settings of the RAS Template.

When you save the group, a validation will be performed against other groups (if any) and you will see an error message if the numbers don't match. Note that when a server cannot be created on request due to an error, a "RAS Template error" event is triggered and the administrator will receive an alert message.

Drain and unassign servers from group when workload is below (%): Specifies the group workload percentage value at which one or more servers should be switched to drain mode or unassigned from the group. The server(s) with the least number of sessions will be switched to drain mode. As soon as all users are logged off from a server, it is unassigned from the group. At that point, the server becomes available to other groups on demand.

Note: Parallels recommends setting viable timeouts for idle time and disconnected sessions either in Windows Group Policies or in the Site Default Properties dialog to make the drain mode effective.

Removing a server from a group

To remove a regular RD Session Host from a group, do one of the following:

• On the RD Session Hosts tab, right-click a server and choose Remove from group.

RD Session Hosts

• On the Groups tab, right-click a group and choose Properties. In the Group Properties

dialog, select a server and click Tasks > Delete.

To remove an RD Session Host that was added to a group from a RAS Template:

1 Go to the Groups tab. 2 Select a group and click Tasks > Properties. 3 In the Group Properties dialog, select a server and click Tasks > Delete.

Note that this is the only place in the RAS Console where you can remove an RD Session Host of this type from a group. Please also note that when you delete such a host, it is drained first and only then unassigned from the group, which may take a considerable amount of time.

After you create a group and later publish resources from it, you can view the list of resources by right-clicking a group and choosing Show published resources (or click Tasks > Show

Published Resources). For more information, see Viewing Published Resources Hosted by RD Session Hosts (p. 103).

Using Scheduler

The Scheduler tab in the RD Session Hosts view allows you to reboot or temporarily disable servers according to a schedule.

To create a new scheduler task or modify an existing one:

1 In the RAS Console, navigate to Farm / <site> / RD Session Hosts. 2 In the right pane, click the Scheduler tab. 3 To create a new task, click Add in the Tasks drop-down menu and select a desired task from

the following options:

• Disable Server

• Disable Server Group

• Reboot Server

• Reboot Server Group

To modify an existing task, right-click it and select Properties in the context menu. To delete a task, right-click it and select Delete.

4 The schedule properties dialog will have slightly different options depending on the task type

that you choose in the Tasks > Add drop-down menu. The differences are described in the following steps.

5 Select Enable Schedule to enable the task. 6 Specify the task name, target server (or server group if you've selected a group task), and an

optional description.

RD Session Hosts

7 Specify the start date and time, duration, and scope (the Repeat property). If you select Never

in the Repeat drop-down box, the task will run only once.

8 The Notify Users Message box allows you to type a message that will be sent to the users

before the task is executed (you can select the time period using the Send message [ ] before action is triggered drop-down list). The Message Title field specifies the title that will be shown to end users when they receive the message.

9 The Options section will have different options depending on the task type:

• If a task is Disable Server or Disable Server Group, the available option is On Disable.

You can use it to specify how the active session states should be handled.

Note that disabling a server group with assigned template will drain and remove RD Session Hosts based on the template from group. See Maintaining RD Session Hosts based on a RAS Template. (p. 127)

• If a task is Reboot Server or Reboot Server Group, the available options are Enable Drain

Mode and Force Server Reboot After (the options work together). If you enable the drain

mode, the following will happen. When the task triggers, new connections to a server will be refused but active connections will continue to run. A server will be rebooted when all active users end their sessions or when it's time to force reboot it, whichever comes first. For active users not to lose their work, specify a message in the Notify Users Message box advising them to save their work and log off. Please also see the RD Session Host drain mode examples subsection below.

10 Click OK to save the changes and close the dialog.

RD Session Host drain mode examples

Example 1: Scheduling a server group for reboot without the drain mode

A server group contains 3 servers: A, B, C

• Date: 6/24/2018

• Start Time: 10:45am

• Send Message: 2 minutes before

Users with active sessions are notified 2 minutes before the server rebooting task is triggered.

Example 2: Scheduling a server group for reboot with the drain mode enabled

A server group containing 3 servers: A, B, C

• Date: 6/24/2018

• Start Time: 10:45am

• Drain mode: enabled

• Force reboot after: 3 hours

• Send Message: 2 minutes before

RD Session Hosts

The session users are notified 2 minutes before the server rebooting task is triggered.

When the task is triggered:

1 The drain mode is enabled on the servers. 2 Servers A and B have no active or disconnected sessions, so they are restarted immediately. 3 Server C still has open/disconnected sessions, so it continues to run until all users end their

sessions. If in three hours the server still has active sessions, they are terminated and the server is restarted.

Maintaining RD Session Hosts based on a RAS Template

If you need to do a scheduled maintenance of RD Session Hosts that were created from a RAS Template, please follow these steps:

1 Create a schedule that fits your maintenance window to drain a desired RD Session Host

group.

2 During maintenance (or right before it) switch the template into maintenance mode. Then apply

the necessary changes.

3 The schedule disables groups provisioned by the template (while the maintenance window

lasts) which leads to removing (unassigning) all guest VMs from them.

4 Release the template from maintenance and click Yes when asked whether to recreate all

clones.

5 Enable groups which were disabled in step 3 (above). At this point, the groups will begin

receiving guest VMs to comply with Keep Available Buffer setting

6 From this point forward, groups are provisioned with VMs on demand.

Managing RDSH Sessions

The Sessions tab allows you to view and manage current sessions for RD Session Hosts. To view the page, navigate to Farm / <site> / RD Session Hosts / Sessions.

Note: You can also open the Sessions tab by right-clicking a server on the RD Session Hosts tab and choosing Show Sessions. This will open the Sessions tab with a filter applied to it to display only the sessions that belong to the selected server.

The Sessions lists displays current sessions and includes the following info for each session:

• Server. RD Session Host name.

• Session ID. Session ID.

• User. Session owner.

RD Session Hosts

• Protocol. Protocol used: Console (Parallels RAS Console connection), RDP (remote user

connected via RDP).

• State. Session state: Idle, Active, Disconnected.

• Logon Time. Last date and time the user logged on.

• Session Length. Total sessions duration.

• Idle Time. Total session idle time.

• Type. Session type: Admin, Published Application, Published Desktop.

• Resolution. Client display resolution.

• Color Depth. Client display color depth.

• Device Name. Client device name.

• IP Address. Client IP address.

You can sort the Sessions list by any session property. Simply click on a desired column heading to sort the list in ascending or descending order.

You can also filter the list using a single or multiple session properties as criteria. To do so, click the magnifying glass icon (top right) and then type a desired string in a desired column. The list will be filtered as you type.

To manage a session (or multiple sessions at the same time), select one or more sessions and then use the Tasks drop-down menu to choose from the following actions:

• Refresh. Refresh the list.

• Disconnect. Disconnect the selected session(s).

• Log off. Log off the session(s).

• Send message. Opens the Send Message dialog where you can type and send a message to

the session owner(s).

• Remote control. Remotely control the selected user session. To establish a connection,

domain or local Windows account credentials (whichever the user used to log in to this computer) of the current RAS Console administrator will be used. Note that the current user (specifically if it's the local Windows user) may not be permitted to connect to the remote computer. In such a case, use the Remote control (prompt) option (described below). See also the User session remote control subsection below for important information.

• Remote control (prompt). Same as above but prompts you to enter credentials. Use this

option when the current user credentials cannot be used to control a session.

• Show processes. Display and manage running processes. See Managing processes below

for details.

RD Session Hosts

User session remote control

The Remote Control and Remote control (prompt) menu options (see above) allow you to shadow a user RDS session. There are limitations as described below:

• Parallels RAS cannot shadow RDS sessions running on Windows 7 and Windows Server 2008

R2 (plain Windows Server 2008 is fine). This doesn't work even with native tools.

• If you need to shadow a user session running on Windows Server 2008, the RAS console must

also be running on Windows Server 2008. If the RAS console is installed on a later version of Windows Server, shadowing will NOT work. As a workaround, you can add an RD Session Host running Windows Server 2008 to the farm, publish the Parallels RAS console from it, and then use the console remotely to manage user RDS sessions running on Windows Server 2008. Please note that to finish a remote control session, the administrator must log off from the RAS console remote session. This is a limitation of the shadow.exe utility from Microsoft that doesn't take any arguments that would allow us to add a control like a bar, a button, or a key combination.

Managing processes

The Tasks > Show processes option opens the Running Processes dialog where you can view running processes for one or more RD Session Hosts.

Note: You can also open the Running Processes dialog by right-clicking a server on the RD Session Hosts tab and choosing Show Processes. This will open the Running Processes dialog with a filter

applied to it to display only the processes that belong to the selected server.

On the Running Processes dialog, use the Show processes from drop-down menu to filter the list using the following options:

• Selected Session. Displays processes for the session selected in the Sessions list.

• Selected Server. Displays all running processes for the server on which the selected session is

running.

• All Servers. Displays all running processes for all available servers.

You can also filter the list by specifying a search criteria for one or more columns. To do so, click the magnifying glass icon (top right) and then type a desired text in one or more columns. The list is filtered as you type to match the specified criteria.

The Tasks drop-down menu in the Running Processes dialog includes the following options:

• Refresh. Refresh the list.

• Kill process. Kill the selected process.

• Go To Published Item. Enabled when you select a process that belongs to a running

published resource. Brings up the main Parallels RAS Console window and navigates to the corresponding published resource.

RD Session Hosts

• Disconnect. Disconnect the session.

• Log off. Log off the session.

• Send message. Send a message to the session owner.

• Remote control. Remotely control the selected user session.

Managing Logons

The logon management feature allows you to enable or disable logons from RD Session Hosts. The feature performs the same tasks as the change logon command-line utility.

Note: For RD Session Hosts based on a RAS Template, the drain mode (which disables logons) is handled automatically by the group to which a host belongs. For more information see Using Scheduler (p. 88).

To manage logons:

1 In the Parallels RAS Console, navigate to Farm / <site> / RD Session Hosts. 2 Select an RD Session Host, click Tasks > Control and choose one of the following:

• Enable logons. This option performs the same action as the change logon /enable

command.

• Disable logons and reconnections. Disables subsequent logons. Does not affect currently

logged on users. This option performs the same action as change logon /disable command.

• Disable logons until server reboot. Disables logons until the computer is restarted, but

allows reconnections to existing sessions. Same action as the change logon /drainuntilrestart command.

To see the current logon control mode for an RD Session Host, click Tasks > Control. The checked-out option indicates the current logon control mode of the selected RD Session Host. To do this check from the command line, execute the change logon /QUERY command on the server.

Please also note the following:

• When applying a logon control mode on a server, ensure that the agent status is updated

accordingly.

• You must set the logon control options for the servers one-by-one. If you need to do it for a

group of servers, you can use the scheduler (see Using an RD Session Host Scheduler (p.

88)).

• There's no option for disabling logons from new client sessions but allowing reconnections to

existing sessions (change logon /DRAIN) because its behavior is identical to the Disable logons until server restart option (change logon /DRAINUNTILRESTART).

RD Session Hosts

• Computer Configuration / Administrative Templates / Windows Components / Remote

Desktop Services / Remote Desktop Session Host / Connection / Allow users to connect remotely using remote desktop services must be set to Not configured, otherwise it takes

precedence.

Using Computer Management Tools

You can perform standard computer management tasks on an RD Session Host right from the RAS Console. These include Remote Desktop Connection, PowerShell, Computer Management, Service Management, Event Viewer, IPconfig, Reboot, and others. To access the Tools menu, select a server, click Tasks (or right-click) > Tools and choose a desired tool. For requirements and usage information, see Computer Management Tools (p. 280).

Publishing from an RD Session Host

This section describes how to publish resources hosted by an RD Session Host. The publishing functionality described here is accessed from the Publishing category in the RAS Console.

You can also publish resources using a publishing wizard in the Start category, as described in the Setting Up a Simple RAS Environment section (p. 27). The Start category publishing wizard is a simplified version that gives you convenient options of selecting the resources that you want to publish. You may try both approaches and choose the one that better suits your needs.

Read on to learn how to publish resources from an RD Session Host.

Publishing a Desktop from an RD Session Host

To publish a remote desktop from an RD Session Host:

1 In the RAS Console, select the Publishing category and click the Add icon below the

Published Resources tree. This will launch the publishing wizard.

Note: If the wizard has all options disabled, it means that there are no resources (servers) in the farm from which publishing can be configured.

2 In the first step of the wizard, select Desktop and click Next. 3 In the Select Desktop Type step, select RD Session Host Desktop and click Next. 4 Select one or more RD Session Hosts which desktops you want to publish. You can select all

available servers, server group(s), or individual servers. Please note that if you have just one RD Session Host, this page will not be displayed.

5 Click Next. 6 In the next step:

RD Session Hosts

• Specify a name and description for the desktop, and optionally change the icon.

• Select the Connect to administrative session option if you want users to connect to the

administrative session.

• Select the Start automatically when user logs on option if you want to open a desktop as

soon as a user logs on.

• Specify the desired screen resolution using the Desktop Size drop-down list. To set a

custom width and height of the screen, select Custom in the Size drop-down list and specify the desired values in the fields provided.

• In the Multi-Monitor drop-down list, select whether the multi-monitor support should be

enabled, disabled, or whether the client settings should be used.

7 When done, click Finish to publish the desktop.

Publishing an Application from an RD Session Host

To publish an application from an RD Session Host follow the below procedure:

1 In the RAS Console, select the Publishing category and then click the Add icon below the

Published Resources tree (or right-click inside the Published Resources box and click Add

in the context menu). This will launch the publishing wizard.

Note: If the wizard has all options disabled, it means that there are no resources (servers) in the farm from which publishing can be configured.

2 On the Select Item Type wizard page, select Application and click Next. 3 On the Select Server Type page, select RD Session Host and click Next. 4 One the Select Application Type page, select one of the following available options:

• Single Application. Choose this option to fully configure the application settings yourself

such as the executable path etc.

• Installed Application. Choose this option to publish an application that is already installed

on the server, therefore all of the application settings are automatically configured.

• Predefined Application. Choose this option to publish a commonly used Windows

application such as Windows Explorer.

5 Click Next. 6 On the Publish From page, specify from which RD Session Hosts the application should be

published. You have the following options:

• All Servers in Site. If selected, the application will be published from all servers that are

available on the site.

• Server Groups. Select this option and then select individual server groups to publish the

application from.

• Individual Servers. Select this option and select individual servers to publish the application

from.

RD Session Hosts

Please note that the Publish From wizard page will appear only if you have multiple RD Session Hosts. If you have just one server, this page will be skipped by the wizard. The page will also be skipped if the application type that you are installing is Predefined Application.

7 Click Next. 8 Depending on the application type that you selected on the Select Application Type page, the

next wizard page will be one of the following:

• If you selected Single Application, the Application page will open where you have to

specify the application settings manually (more about this option later in this section).

• If you selected Installed Applications, the Installed Applications page will open listing

available applications (the applications are grouped by functionality). Select an application you wish to install and click Next. Follows the instructions to complete the wizard.

• If you selected Predefined Application, the Select Predefined Applications page will

open listing available applications. Select an application you wish to publish and click Finish.

9 If you selected Single Application on the Select Application Type wizard page, the

Application page will open. Specify the application settings as follows (see the screenshot

below):

Note that if you populate the Target field first using the "browse" button ([...]), the application Name, Description, and icon will be chosen automatically. You can override this selection if you wish.

• Name. Choose and type a name for the application.

• Description. Type an optional description.

• Run. Select the application window state (normal window, minimized, maximized).

• Start automatically when user logs on. Select this option if you want to start an

application as soon as a user logs on. This option works on desktop versions of Parallels Client only.

• Change Icon. Change the application icon (optional).

• Server(s). Allows you to specify the rest of the server parameters individually for each server

the application was published from. Select a server from the drop-down list box and specify the parameters. Repeat for other servers in the list.

• Target. Specify the application executable path and file name.

• Start in. If the Target field is valid, this field will be populated automatically. You can specify

your own path if needed.

• Parameters. If the application accepts startup parameters, you can specify them in this

field.

10 When done, click Finish to publish the application.

RD Session Hosts

Publishing a Web Application from an RD Session Host

A web application is like any other application that you can publish using the standard application publishing functionality. However, to simplify publishing of straight URL links to web applications, a separate publishing item type is available that allows you to accomplish this task with minimal number of steps.

To publish a web application:

1 In the RAS Console, select the Publishing category and then click the Add icon below the

Published Resources tree (or right-click inside the Published Resources box and click Add

in the context menu). This will launch the publishing wizard.

Note: If the wizard has all options disabled, it means that there are no resources (servers) in the farm from which publishing can be configured.

2 On the Select Item Type wizard page, select Web Application and click Next. 3 On the Select Server Type page, select RD Session Host and click Next. 4 On the Publish From page, select the server(s) to publish from. Note that if you have just one

RD Session Host, the Publish From page will not appear.

5 On the Web Application wizard page that opens, specify the web application name,

description, window state, and the URL. Select the Force to use Internet Explorer option if needed. To browse for a specific application icon, click Change Icon.

6 When done, click Finish to publish the application.

When published, the web application will appear in the Publishing > Published Resources list, just like any other application.

Publishing a Network Folder from an RD Session Host

You can publish a filesystem folder via UNC path to open in Windows explorer. To minimize the number of configuration steps, a special publishing item is available that allows you to publish a network folder from an RD Session Host.

To publish a network folder:

1 In the RAS Console, select the Publishing category and then click the Add icon below the

Published Resources tree (or right-click inside the Published Resources box and click Add

in the context menu). This will launch the publishing wizard.

Note: If the wizard has all options disabled, it means that there are no resources (servers) in the farm from which publishing can be configured.

2 On the Select Item Type wizard page, select Folder on the file system and click Next. 3 On the Select Server Type page, select RD Session Host and click Next.

RD Session Hosts

4 On the Publish From page, select the server(s) to publish from. Note that if you have just one

RD Session Host, the Publish From page will not appear.

5 On the UNC Folder wizard page, specify the usual application properties. 6 In the UNC path field, enter the UNC path of the folder you wish to publish. Click the [...]

button to browse for a folder (it may take some time for the Browse for Folder dialog to open).

7 Click Finish to publish the folder and close the wizard.

When published, the network folder will appear in the Publishing > Published Resources list, just like any other application. If you select it and then click the Application tab, the application settings will be as follows:

• The Target property will always be set to PublishedExplorer.exe. This binary is created

automatically (via agents pushing) and is simply a copy of the standard explorer.exe executable.

• The Parameters property specifies the network folder that we want to publish. The folder path

can be in any format that the explorer.exe can handle.

Please note that although you have all standard application property tabs enabled for this publishing item, at least the following items should be ignored, as they are completely irrelevant:

• Publish From

• File Extensions

Publishing a Document from an RD Session Host

To publish a document from an RD Session Host, follow the below procedure:

1 In the RAS Console, select the Publishing category and then click the Add icon below the

Published Resources tree (or right-click inside the Published Resources box and click Add

in the context menu). This will launch the publishing wizard.

Note: If the wizard has all options disabled, it means that there are no resources (servers) in the farm from which publishing can be configured.

2 On the Select Item Type wizard page, select Document and click Next. 3 Select RD Session Host and click Next. 4 Specify the content type of the document you want to publish. You can select the content type

from the predefined list or specify a custom content type in the Custom content types input field.

5 Click Next when ready. 6 On the Publish From page, specify from which RD Session Hosts the application should be

published. You have the following options:

• All Servers in Site. If selected, the application will be published from all servers that are

available on the site.

RD Session Hosts

• Server Groups. Select this option and then select individual server groups to publish the

application from.

• Individual Servers. Select this option and select individual servers to publish the application

from.

Please note that the Publish From wizard page will appear only if you have multiple RD Session Hosts. If you have just one server, this page will be skipped by the wizard.

7 On the Application page, enter a name, an optional description, a Window state, and an icon if

needed.

8 Use the [...] button next to the Target input field to browse for the document. All other fields will

be automatically populated. To edit any of the auto populated fields, highlight them and enter the required details.

9 (Optional) In the Parameters input field, specify the parameters to pass to the application when

it starts.

Note: Use the Server(s) drop down list to specify different document settings for a specific server in case the document is configured differently on that particular server. The settings will be saved for each server you select individually.

10 Click Finish to publish the document.

Publishing Containerized Applications

Parallels RAS supports publishing of the following containerized applications:

• App-V applications (p. 99)

• Turbo.net applications (p. 100)

Publishing App-V Applications

Microsoft Application Virtualization (or App-V) is an application streaming solution from Microsoft. Beginning with Parallels RAS v16.5, a support for App-V application publishing is available in the Parallels RAS console.

At the time of this writing, the App-V support implements scenarios where application provisioning is performed by means of App-V components:

• Applications are sequenced by the administrator according to Microsoft guidelines.

• Applications are stored on a network share created by the administrator (SMB, HTTPs).

• App-V Management and Publishing servers are used to publish applications for a specific AD

groups that must by synced manually by the administrator with RAS publishing groups used for App-V application publishing.

• App-V client is installed and configured manually by the administrator.

RD Session Hosts

The process of deploying and publishing an App-V application is as follows:

1 Package an applications using the App-V Sequencer. 2 Deploy the application to an RD Session Host using the App-V Management Console,

Microsoft SCCM, etc.

3 Provision the application. 4 Verify that users can launch the application from the RD Session Host. 5 Publish the application from RAS Console (see below for instructions). 6 Launch the application from a Parallels RAS Client.

Publish an App-V application from the Parallels RAS console

To publish an App-V application:

1 In the Parallels RAS Console, select the Publishing category. 2 Click the [+] Add icon at the bottom of the right pane. The publishing wizard opens. 3 On the Select Item Type page, select the App-V application option. 4 Click Next. 5 Select the server type from which to publish an application and click Next. 6 Select a server or a group to publish from and click Next. 7 On the Installed Applications page, select one or more App-V applications and click Next. 8 Review the summary and complete the wizard.

Once an App-V application is published, it can be launched from a Parallels RAS Client.

Note: To avoid launch issues, use AutoLoad=2. More details in https://blogs.technet.microsoft.com/technetsto_sup/2013/11/12/autoload-setting-in-app-v-5-0/

Publishing Turbo.net Applications

Turbo (Turbo.net) is a web-based container platform that runs applications on a Windows desktop with no installation required. Parallels RAS provides you with the ability to publish applications hosted by Turbo.net and make them available to Parallels RAS users just like regular applications hosted by RD Session Hosts.

The ability to publish container-based applications allows Parallels RAS administrators to greatly reduce TtV (time to value) and minimize investment and development resources. The integration of the solution provided by Turbo gives you the following immediate benefits:

• Instant access to an online application repository with hundreds of applications available,

including:

• Most web browsers (Chrome, Firefox, Opera, etc).

100

Parallels Remote Application Server - 17 Administrator’s Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

Introduction

About Parallels RAS

About This Guide

Terms and Abbreviations Used in This Guide

Installing Parallels RAS

System Requirements

Hardware Requirements

Software Requirements

Changes in Parallels RAS v17

Install Parallels RAS

Log In and Activate Parallels RAS

Getting Started with Parallels RAS

The Parallels RAS Console

Set Up a Basic Parallels RAS Farm

Add an RD Session Host

Publish Applications

Invite Users

Conclusion

Parallels RAS Farm and Sites

Connecting to a Parallels RAS Farm

About Sites

Sites in the RAS Console

Adding a Site to the Farm

Replicating Site Settings

Managing the Licensing Site

Managing Administrator Accounts

Adding an Administrator Account

Administrator Account Permissions

Managing Administrator Accounts

Configure RAS Console Idle Sessions

Using Instant Messaging for Administrators

Joining Customer Experience Program

RAS Publishing Agent

Configuring RAS Publishing Agents

Secondary Publishing Agents

Managing Secondary Publishing Agents

Using Computer Management Tools

RAS Secure Client Gateway

RAS Secure Client Gateway Overview

Adding a RAS Secure Client Gateway

Manually Adding a RAS Secure Client Gateway

Checking the RAS Secure Client Gateway Status

Configuring RAS Secure Client Gateway

Enable or Disable a Gateway

Gateway Mode, Forwarding Settings, HSTS

Set IP Address for Incoming Connections

Configure RAS Secure Client Gateway Network Options

Configure SSL Encryption on a Gateway

Assessing SSL Server Configuration

Configure HTML5 Connectivity

Enable Support for Wyse Thin Client OS

Filter Access to a RAS Secure Client Gateway

Specifying a URL for Web Requests

Configure Logging

Gateway Tunneling Policies

Viewing Gateway Summary and Metrics

Using Computer Management Tools

RD Session Hosts

RD Session Host Types

Adding an RD Session Host

Installing the Agent Manually

Planning for High Availability

Viewing RD Session Hosts

Configuring an RD Session Host

Check RAS RD Session Host Agent Status

Change RD Session Host Site Assignment

View and Modify RD Session Host Properties

Configure Logging

Grouping and Cloning RD Session Hosts

Using Scheduler

Managing RDSH Sessions

Managing Logons

Using Computer Management Tools

Publishing from an RD Session Host

Publishing a Desktop from an RD Session Host

Publishing an Application from an RD Session Host