Parallels Remote Application Server v14

Parallels Remote Application Server v14 Solutions Guide October 21, 2015 Copyright 1999-2015 Parallels IP Holdings GmbH and its affiliates. All rights reserved.

Parallels IP Holdings GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 632 0411 Fax: + 41 52 672 2010 www.parallels.com Copyright 1999-2015 Parallels IP Holdings GmbH and its affiliates. All rights reserved. This product is protected by United States and international copyright laws. The product s underlying technology, patents, and trademarks are listed at http://www.parallels.com/trademarks. Microsoft, Windows, Windows Server, Windows NT, Windows Vista, and MS-DOS are registered trademarks of Microsoft Corporation. Apple, Mac, the Mac logo, Mac OS, ipad, iphone, ipod touch, FaceTime HD camera and isight are trademarks of Apple Inc., registered in the US and other countries. Linux is a registered trademark of Linus Torvalds. All other marks and names mentioned herein may be trademarks of their respective owners.

Contents Introduction...4 Advantages of Parallels 2X Remote Application Server Based Computing... 4 What is Parallels 2X Remote Application Server?... 5 How does it work?...5 Solutions...6 Parallels 2X Remote Application Server Scenarios... 6 Single Farm Solution with One Microsoft Remote Desktop Services Server... 6 Single Farm Solution with Two Microsoft Remote Desktop Services Servers... 7 Direct Mode Client Connections... 8 Gateway (Regular / SSL) Mode Client Connections... 10 Mixed Mode (Direct / Regular / SSL) Client Connections... 11 Single Farm Solution with Mixed Desktops... 13 Single Farm Solution with Public & Private Parallels 2X Secure Client Gateways... 15 Single Farm Solution with Dual Parallels 2X Secure Client Gateways... 17 High Availability with Multiple Gateways and Web Access Portals... 19 High Availability with Single or Dual F/W DMZ... 21 Mixed Scenarios... 26 Terminology...32 Client Connection Modes... 32 Parallels 2X Remote Application Server Components... 33 Port Reference...35 Index...38

C HAPTER 1 Introduction In This Chapter Advantages of Parallels 2X Remote Application Server Based Computing... 4 What is Parallels 2X Remote Application Server?... 5 How does it work?... 5 Advantages of Parallels 2X Remote Application Server Based Computing Server Based Computing Less administration, higher availability, and big savings. Less Administration Central management of users; patches (only server-based) software; (updates and upgrades) data; and backups. Higher Security Elimination of viruses, Trojans or other vulnerabilities on clients; central management of security settings on the server and centralized backups. Hardware Independence Virtually supports all client devices and computer hardware with very low system requirements. Easy Access Employees, customers and Partners telework / roam more easily using published desktops and applications. Reduction in TCO Total Cost of Ownership reduction by up to 50%. Take the fast track to easy and cost-effective Thin Client Computing: Parallels 2X Remote Application Server Allows Windows applications to be tunneled seamlessly onto remote desktops and savings on administration & support. High Availability Load Balancing Provides load balancing, increased security and redundancy for the published resources.

Introduction What is Parallels 2X Remote Application Server? Parallels 2X Remote Application Server provides vendor independent virtual desktop and application delivery from a single platform. Accessible from anywhere with native clients and web enabled solutions like the Parallels 2X RAS Web Portal, Parallels 2X Remote Application Server allows you to publish full desktops, applications and documents within a virtual environment, thereby improving desktop manageability, security and performance. Parallels 2X Remote Application Server extends Microsoft Windows Remote Desktop Services by using a customized shell and virtual channel extensions over the Microsoft RDP protocol. It supports all major Hypervisors from Microsoft, VMware as well as enabling the publishing of virtual desktops and applications to the Parallels 2X RDP Client. The product includes powerful universal printing and scanning functionality, high capacity resource based load balancing and management features. With Parallels 2X Client Manager Module for Parallels 2X Remote Application Server, you can centrally manage user connections and PCs converted into thin clients using the free Parallels 2X RDP Client. How does it work? When a user requests a virtual desktop or application, the system finds a guest on one of the least loaded hosts and starts or restores the guest connection. Using Microsoft RDP protocol, the virtual desktop or publish application is presented to the user. Users can connect to the Parallels 2X Remote Application Server using free Parallels Client which can run on Windows, Linux, Mac, Android, Chrome and ios. Users can also connect via a HTML 5 browser or Chromebook. As newer versions of Windows keep on being developed as time goes by, how can you defend the migration cost to your business? Parallels 2X RAS can help. Desktop replacement allows you to extend the lifespan of your hardware and delay migration to the latest OSs to a time that suits you best. The Parallels 2X solution allows you to be very flexible: you can lock machine configurations on the user side, placing your corporate data in an extremely secure position; or you can opt to allow users to run some local and remote applications. Parallels 2X Client Desktop Replacement is able to reduce the operability of the local machine by disabling the most common local configuration options, while guaranteeing the same level of service and security afforded by thin clients, directly from your existing PCs. 5

C HAPTER 2 Solutions In This Chapter Parallels 2X Remote Application Server Scenarios... 6 Parallels 2X Remote Application Server Scenarios Single Farm Solution with One Microsoft Remote Desktop Services Server This solution is implemented when a single server is used for publishing applications and desktops. To enable SSL and HTML5 Gateway, a server certificate must be installed.

Components Microsoft Remote Desktop Services Server Parallels 2X Secure Client Gateway, including HTML5 Gateway Parallels 2X Publishing Agent Parallels 2X Terminal Server Agent Single Farm Solution with Two Microsoft Remote Desktop Services Servers This solution can be implemented by any organization that needs to load balance published applications and desktops between two MS RDS servers. To enable SSL and HTML5 Gateway, a server certificate must be installed. 7

Components Microsoft Remote Desktop Services Server Parallels 2X Secure Client Gateway, including HTML5 Gateway Parallels 2X Publishing Agent Parallels 2X Terminal Server Agent Microsoft Remote Desktop Services Server Parallels 2X Terminal Server Agent Direct Mode Client Connections Clients can connect using the direct mode with any MS RDS Server, VDI desktops, or Remote PC. Clients will first ask the 2X Publishing Agent for the best available MS RDS server and then will connect directly to it. This type of connection is ideal for a LAN environment. 8

To enable SSL and HTML5 Gateway, a server certificate must be installed. Components Microsoft Remote Desktop Services Server Parallels 2X Secure Client Gateway, including HTML5 Gateway Parallels 2X Publishing Agent Parallels 2X Terminal Server Agent 9

Microsoft Remote Desktop Services Server Parallels 2X Terminal Server Agent Gateway (Regular / SSL) Mode Client Connections Clients can connect using Regular Gateway or SSL mode with the Parallels 2X Secure Client Gateway. This Parallels 2X Secure Client Gateway listens for RDP over SSL connections and forwards traffic to the MS RDS Server according to their load status. These connection modes are ideal for roaming clients (connecting over the internet). To enable SSL and HTML5 Gateway, a server certificate must be installed. 10

Components Parallels Remote Application Server Parallels 2X Secure Client Gateway, including HTML5 Gateway Parallels 2X Publishing Agent Microsoft Remote Desktop Services Server Parallels 2X Terminal Server Agent Mixed Mode (Direct / Regular / SSL) Client Connections LAN clients can connect to the MS RDS servers using a direct mode while WAN clients can connect using SSL mode. Parallels Remote Application Server is able to handle different modes concurrently. 11

To enable SSL and HTML5 Gateway, a server certificate must be installed. Components Parallels 2X Secure Client Gateway Server Parallels 2X Secure Client Gateway, including HTML5 Gateway Parallels Remote Application Server Parallels 2X Publishing Agent 12

Microsoft Remote Desktop Services Server Parallels 2X Terminal Server Agent Single Farm Solution with Mixed Desktops By using this solution you can publish applications and desktops from virtual environments, MS RDS servers, Windows workstations or laptops located in your office. To enable SSL and HTML5 Gateway, a server certificate must be installed. 13

Components Parallels Remote Application Server Parallels 2X Secure Client Gateway, including HTML5 Gateway Parallels 2X Publishing Agent Microsoft Remote Desktop Services Server Parallels 2X Terminal Server Agent Hypervisor Host with VDI Desktops Parallels 2X VDI Agent Parallels 2X Guest Agent or Appliance provided Windows Desktop OS Based PC Parallels 2X Remote PC Agent 14

Single Farm Solution with Public & Private Parallels 2X Secure Client Gateways This solution is ideal for environments where one would like to dedicate one machine (Parallels 2X Secure Client Gateway Public) to accept WAN RDP connection and another machine (Parallels 2X Secure Client Gateway Private) to accept LAN RDP connections. Components Parallels 2X Secure Client Gateway Server Parallels 2X Secure Client Gateway, including HTML5 Gateway 15

Parallels Remote Application Server Parallels 2X Secure Client Gateway, including HTML5 Gateway Parallels 2X Publishing Agent Microsoft Remote Desktop Services Server Parallels 2X Terminal Server Agent Hypervisor Host with VDI Desktops Parallels 2X VDI Agent Parallels 2X Guest Agent or Appliance provided Windows Desktop OS Based PC Parallels 2X Remote PC Agent 16

Single Farm Solution with Dual Parallels 2X Secure Client Gateways This solution is ideal for high availability environments. Clients must be configured to connect to Primary and Secondary Parallels 2X Secure Gateways. Primary and Secondary Parallels 2X Secure Client Gateways must be configured to connect to the same Parallels 2X Publishing Agent (using the Advanced Client Gateway Settings). When the primary Parallels 2X Secure Client Gateway is not available, clients will be able to connect to the secondary Parallels 2X Secure Client Gateway. Components Parallels 2X Secure Client Gateway Server Parallels 2X Secure Client Gateway, including HTML5 Gateway 17

Parallels Remote Application Server Parallels 2X Publishing Agent Microsoft Remote Desktop Services Server Parallels 2X Terminal Server Agent Hypervisor Host with VDI Desktops Parallels 2X VDI Agent Parallels 2X Guest Agent or Appliance provided Windows Desktop OS Based PC Parallels 2X Remote PC Agent 18

High Availability with Multiple Gateways and Web Access Portals This solution is ideal for high availability environments with more than 300 concurrent users connected in SSL mode. Each client gateway should optimally handle 300 to 500 concurrent user connections* and this can be scaled horizontally accordingly. *300 users through SSL tunneled gateway mode or 500 standard gateway connections, assuming the gateway machine is only acting as such (no other demanding services using these machines). All Parallels 2X Secure Client Gateways must be configured to connect to the same Parallels 2X Publishing Agent and Backup Parallels 2X Publishing Agent (using the Advanced Client Gateway Settings, see above). Components Parallels 2X Secure Client Gateway Server Parallels 2X Secure Client Gateway, including HTML5 Gateway 19

Parallels Remote Application Server Parallels 2X Publishing Agent Web Portal Parallels Remote Application Server Backup Parallels 2X Publishing Agent Web Portal Microsoft Remote Desktop Services Server Parallels 2X Terminal Server Agent Hypervisor Host with VDI Desktops Parallels 2X VDI Agent Parallels 2X Guest Agent or Appliance provided Windows Desktop OS Based PC Parallels 2X Remote PC Agent 20

High Availability and Load Balancing Virtual Appliance Ready to use appliance Import to hypervisor High Availability with Single or Dual F/W DMZ Many companies use the DMZ layout to separate the servers that handle exposed services from the ones that handle internal services. There are two types of DMZs: single and dual firewall DMZs with the latter being the more expensive but more secure (in the dual firewall approach, many people prefer using two different firewall technologies to avoid one weakness or one type of attack breaking both firewalls). The firewall between Parallels 2X Secure Client Gateways and the intranet must allow gateways and systems to connect to publishing agents using the standard port. 21

Single Firewall DMZ In a single firewall DMZ scenario, the firewall system must be capable of routing a connection properly from gateways to Parallels 2X Publishing Agents. It is also responsible for connections from the Internet to the virtual IP address presented by HALB virtual appliance or other generic protocol load balancing solutions. Components Parallels 2X Secure Client Gateway Server Parallels 2X Secure Client Gateway, including HTML5 Gateway 22

Parallels Remote Application Server Parallels 2X Publishing Agent Microsoft Remote Desktop Services Server Parallels 2X Terminal Server Agent Hypervisor Host with VDI Desktops Parallels 2X VDI Agent Parallels 2X Guest Agent or Appliance provided Windows Desktop OS Based PC Parallels 2X Remote PC Agent High Availability and Load Balancing Virtual Appliance Ready to use appliance Import to hypervisor 23

Dual Firewall DMZ In a dual firewall scenario, settings are simpler and the protection from external malicious agents is higher. Dual Firewall DMZ requires a Forwarding Parallels 2X Secure Client Gateway server to pass through client connections to Parallels 2X Secure Client Gateway residing on an internal network. To enable SSL and HTML5 Gateway, a server certificate must be installed. Components Forwarding Parallels 2X Secure Client Gateway Server Parallels 2X Secure Client Gateway, including HTML5 Gateway 24

Parallels 2X Secure Client Gateway Server Parallels 2X Secure Client Gateway, including HTML5 Gateway Parallels Remote Application Server Parallels 2X Publishing Agent Parallels Remote Application Server Parallels 2X Publishing Agent Microsoft Remote Desktop Services Server Parallels 2X Terminal Server Agent Hypervisor Host with VDI Desktops Parallels 2X VDI Agent Parallels 2X Guest Agent or Appliance provided 25

Windows Desktop OS Based PC Parallels 2X Remote PC Agent High Availability and Load Balancing Virtual Appliance Ready to use appliance Import to hypervisor Mixed Scenarios Multi-Site Solution This solution is ideal for environments where published resources are distributed between two or more different physical sites. The Parallels Remote Application Server farm containing multiple sites can be administered by different administrators. Each site consists of the Parallels 2X Publishing agent, the Parallels 2X Secure Client Gateway (or multiple gateways), and agents installed on RDS, VDIs or PCs hosts. However, at least one server has to be dedicated to a site where the master publishing agent and gateway are installed. The first default site added to the Parallels Remote Application Server farm is the Licensing Server where the main Parallels Remote Application Server configuration database is stored. Every additional site on the farm will have a synced copy of the configuration database. Once changes are applied to a particular site, the Licensing Server database is updated. Note: Terminal Servers can be members of a single site and cannot be shared between multiple sites. For example, if RDS host TS-01 is a member of Site1, it cannot be accessed by users who are connecting through a Secure Client Gateway and a Publishing Agent located in Site2. 26

27

Components Parallels 2X Secure Client Gateway Server Parallels 2X Secure Client Gateway, including HTML5 Gateway Parallels Remote Application Server Parallels 2X Publishing Agent Parallels Remote Application Server Backup Parallels 2X Publishing Agent Microsoft Remote Desktop Services Server Parallels 2X Terminal Server Agent Hypervisor Host with VDI Desktops Parallels 2X VDI Agent Parallels 2X Guest Agent or Appliance provided 28

Windows Desktop OS Based PC Parallels 2X Remote PC Agent High Availability and Load Balancing Virtual Appliance Ready to use appliance Import to hypervisor Client Manager and Desktop Replacement The Client Manager feature allows the administrator to convert Windows devices running Windows XP up to Windows 8.1 into a Thin-Client-like OS. After the Windows Device Enrollment has been performed, features like Desktop Replacement, Kiosk Mode, Power Off, Reboot, and Shadow become available. Shadow Shadow provides access to the full Windows client device desktop and allows to control of applications running locally on the system as well as any remote applications published from Parallels Remote Application Server. Shadowing requires a direct connection between the machine on which the Parallels 2X RAS console is running and the device itself. 29

Desktop Replacement The Replace Desktop option limits users from changing system settings or installing new applications. Replacing the Windows Desktop with Parallels 2X RDP Client transforms the Windows operating system into a thin-client-like OS without replacing the operating system itself. This way, users can only deploy applications from the 2X Client, thus providing the administrator with a higher level of control over connected devices. Additionally, the Kiosk Mode limits user from power cycling when enabled. 30

Components Parallels Remote Application Server Parallels 2X Secure Client Gateway, including HTML5 Gateway Parallels 2X Publishing Agent Microsoft Remote Desktop Services Server Parallels 2X Terminal Server Agent Hypervisor Host with VDI Desktops Parallels 2X VDI Agent Parallels 2X Guest Agent or Appliance provided Windows Desktop OS Based PC Parallels 2X Remote PC Agent Converted PC Parallels 2 x RDP Client for Windows Installed Yes 31

C HAPTER 3 Terminology In This Chapter Client Connection Modes... 32 Parallels 2X Remote Application Server Components... 33 Client Connection Modes SSL\Regular Mode When used in Regular or SSL mode, the Secure Client Gateway machine is the only machine that needs to be exposed to the outside. This greatly reduces the requirements for external IP addresses and ports that must be accessible from the outside, provided you have multiple terminal servers.

Terminology Direct Mode In Direct mode, the Publishing Agent simply finds the best terminal server and passes that information back to the client, which (the client) connects directly to the terminal server. Parallels 2X Remote Application Server Components Console provides a centralized GUI application that enables configuration of Parallels Remote Application Server. Publishing Agent provides load balanced applications and desktop publishing. Parallels 2X Terminal Server Agent collects information from the MS RDS hosts required by the Publishing Agent and transmits to it when required. Parallels 2X Remote PC Agent collects information from the Remote PC hosts required by the Publishing Agent and transmits to it when required. Parallels 2X Guest Agent collects information from the VDI desktop required by the Publishing Agent and transmits to it when required. Parallels 2X RAS Web Portal this is a web page with auto client detection and a client distribution point. It provides access to published resources via web browser and allows white labeling. 33

Terminology Parallels 2X VDI Agent collects information from the Parallels Remote Application Server Infrastructure and is responsible for controlling VDI through its native API. It also acts as a Gateway between the Secure Client Gateway or the client in direct mode and the RDP server from the guest or VDI depending on VDI implementation. Parallels 2X Secure Client Gateway tunnels all traffic needed by applications on a single port and provides secure connections. Parallels 2X HALB (High Availability Load Balancing) is a software solution that sits between users and Parallels 2X Secure Client Gateways. Many HALB appliances can run simultaneously, one acting as the master and the others as slaves. The higher the number of HALB appliances available, the lower the probability that users will experience downtime. Master and slave appliances share a common or virtual IP, also known as VIP. Should the master HALB appliance fail, a slave is promoted to master and takes its place seamlessly without affecting the end user's connection. Parallels 2X Device Manager The Client Manager feature allows the administrator to manage Windows devices running Windows XP up to Windows 8.1. To do this, the administrator must first select devices to manage connecting to the farm. In order to be managed, Windows devices must be running a current version of the Parallels 2X RDP Client for Windows. Parallels 2X Desktop Replacement This is a feature within the Windows Devices Client Manager. When the Replace Desktop option is enabled, it allows the administrator to convert a standard desktop into a limited device similar to a Thin Client, without replacing the operating system. 34

C HAPTER 4 Port Reference In Dual DMZ configuration with HALB for Forwarding Parallels 2X Secure Client Gateways and Multiple Parallels 2X Secure Client Gateways, the redundant Parallels 2X Publishing Agent and mixed desktop scenario, the following port are used: On the Firewall faces the Internet: TCP 80 UDP 80 (if RDP-UDP is enabled) TCP 443 (if SSL is enabled) UDP 443 (if SSL and RDP-UDP is enabled) TCP 3389 (if RDP Load Balancing is enabled) On the HALB appliance externally: TCP 80 TCP 443 (if SSL is enabled) On the HALB appliance internally:

Port Reference TCP 80 TCP 443 (if SSL is enabled) TCP 31006 UDP 31006 RAW 112 (VRRP) Forwarding Parallels 2X Secure Client Gateways communicates via: TCP 80 UDP 80 (if RDP-UDP is enabled) TCP 443 (if SSL is enabled) UDP 443 (if SSL and RDP-UDP is enabled) TCP 3389 (if RDP Load Balancing is enabled) UDP 20000 (Gateway Lookup) UDP 20009 (if Client Manager is enabled) Parallels 2X Secure Client Gateways communicates via: TCP 80 UDP 80 (if RDP-UDP is enabled) TCP 443 (if SSL is enabled) UDP 443 (if SSL and RDP-UDP is enabled) TCP 3389 (if RDP Load Balancing is enabled) UDP 20000 (Gateway Lookup) UDP 20009 (if Client Manager is enabled) Parallels 2X Publishing Agents communicate via: TCP 20001 Redundancy Service TCP 20002 - Publishing Agent Service Port (communications with 2XSecureClientGateway and UI Console) TCP 20003 - Terminal Server Agent Port (communications with 2X Terminal Server agents) Parallels 2X Terminal Server Agents communicate via: TCP 30004 2X Terminal Server Agent Communication Port UDP 30004 2X Terminal Server Agent Communication Port TCP 3389 Standard RDP Connections UDP 3389 Standard RDP Connections TCP 30005-2X Terminal Server Agent Communication Port (Shell + Printer Redirector) 36

Port Reference Parallels 2X VDI Agents communicate via: TCP 30006 2X VDI Agent Communication Port UDP 30006 2X VDI Agent Communication Port TCP 30007 2X VDI Agent Communication Port TCP 30009 2X VDI Agent Communication Port TCP 30005-2X Terminal Server Agent Communication Port (Shell + Printer Redirector) Parallels 2X Remote PC Agents communicate via: UDP 30004 TCP 3389 Standard RDP Connections UDP 3389 Standard RDP Connections RDP client communicates via: TCP 80 UDP 80 (if RDP-UDP is enabled) TCP 443 (if SSL is enabled) UDP 443 (if SSL and RDP-UDP is enabled) TCP 3389 Standard RDP Connections UDP 3389 Standard RDP Connections TCP 50005 - Shadowing Port Internal Firewall Ports: Remote Install Push/Takeover of Software: TCP 135, 445, 49179 For Active Directory and Active Directory Domain Services Port Requirements see this article: https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx For 2X Remote Application Server firewall requirements, see this article: http://kb.parallels.com/en/123255 37

Index Index A Advantages of Parallels 2X Remote Application Server Based Computing - 4 C Client Connection Modes - 31 Client Manager and Desktop Replacement - 28 D Direct Mode Client Connections - 8 Dual Firewall DMZ - 23 G Gateway (Regular / SSL) Mode Client Connections - 10 H High Availability with Multiple Gateways and Web Access Portals - 19 High Availability with Single or Dual F/W DMZ - 21 How does it work? - 5 I Introduction - 4 M Mixed Mode (Direct / Regular / SSL) Client Connections - 11 Mixed Scenarios - 25 Multi-Site Solution - 25 P Parallels 2X Remote Application Server Components - 32 Parallels 2X Remote Application Server Scenarios - 6 Port Reference - 34 S Single Farm Solution with Dual Parallels 2X Secure Client Gateways - 17 Single Farm Solution with Mixed Desktops - 12 Single Farm Solution with One Microsoft Remote Desktop Services Server - 6 Single Farm Solution with Public & Private Parallels 2X Secure Client Gateways - 15 Single Farm Solution with Two Microsoft Remote Desktop Services Servers - 7 Single Firewall DMZ - 21 Solutions - 6 T Terminology - 31 W What is Parallels 2X Remote Application Server? - 5