Managing 2X Secure Client Gateways

To access a gateway's options, highlight the gateway in the Gateways node and click Properties in the Tasks drop-down menu.

Enabling and Disabling a Gateway

By default, a gateway is enabled in the site. To disable a gateway, untick the option Enable 2X Secure Client Gateway in site from the Properties tab.

Enabling or Disabling a Gateway in the site

Configuring the IP Address Parallels 2X RDP Clients Connect to

The 2X Secure Client Gateway recognizes both IPv4 and IPv6. By default, IPv4 is enabled. If the selected 2X Secure Client Gateway has IPv6 as well as IPv4 configured, from this dialogue you can apply settings that allow the client to connect to this gateway using IPv4 or IPv6.

Configuring the IP Address Parallels 2X RDP Clients Connect to

IP version

Use IP version - Select the IP version/s that will be used by this 2X Secure Client Gateway. Three options are available as described below:

  • Version 4 - Only use IPv4
  • Version 6 - Only use IPv6
  • Both version 4 & 6 - Use both IPv4 and IPv6

Note: The server name specified in the ‘Properties’ tab must be added as the hostname to resolve both the IPv4 and IPv6 addresses available on the 2X Secure Client Gateway machine.

IP(s) - Click ‘Resolve’ to resolve the IPs of the 2X Secure Client Gateway, depending on the IP version/s selected.

Bind to IP

Bind to the following IPv4/ IPv6 - Define the IP address 2X Secure Client Gateway listens for connections on. Select a specific IP or all addresses available.

Optimise connection for the following IPv4/ IPv6 - When the connection between this gateway and the Parallels 2X RDP Client has a high latency (such as over the internet), this option will optimize traffic for a better experience on the Parallels 2X RDP Client. You are able to select a specific address, all available addresses, or none to disable this option.

Configuring the 2X Secure Client Gateway Port

By default the gateway listens on TCP port 80 to tunnel all the Parallels 2X Remote Application Server traffic. To change the port, select the Network tab and specify a new port in the 2X Secure Client Gateway Port input field.

Configuring Gateway Ports

RDP Port

Port TCP 3389 is used for clients that require basic load balanced desktop sessions. Connections on this port do NOT support published items.

To change the RDP port on a gateway select the Network tab, tick the RDP Port option and specify a new port.

Note: If this port is changed the users need to append the port number to their connection string in the remote desktop client (e.g. [ip address]:[port]).

To enable UDP tunnelling on Windows devices, tick the Enable RDP UDP Data Tunnelling checkbox. Tick the Enable Client Manager Port checkbox to manage Windows devices from the Client Manager category.

The Enable RDP DOS Attack Filter denies chains of uncompleted sessions from the same IP. As an example, if a Parallels 2X RDP Client attempts to connect to the 2X RAS server with incorrect credentials multiple times, 2X RAS will deny further attempts.

Enabling SSL Encryption on 2X Secure Client Gateway

The traffic between the users and the gateway is always encrypted. To enable the HTML 5 Gateway and also encrypt the HTTP traffic when the gateway is enabled using a self-signed certificate, follow the procedure below:

Enabling SSL/TLS Support on a Gateway

  1. Navigate to the SSL/TLS tab in the gateway properties.
  2. Tick the option Enable SSL on Port and configure a port number (default is 443).
  3. (Optional) Select the SSL version accepted by the 2X Secure Client Gateway from the Accepted SSL Versions dropdown options listed below (default is TLS v1 - TLS v1.2):
       • TLS v1.2 Only (Strong)
       • TLS v1.1 - TLS v1.2
       • TLS v1 - TLS v1.2
       • SSL v3 - TLS v1.2
       • SSL v2 - TLS v1.2 (Weak)
  4. (Optional) Under Cipher Strength, select the certificate encryption algorithm strength of your choice.
  5. Click on Generate new certificate and enter the required details.

Note: To enable SSL using a certificate from a trusted authority, follow the procedure under Use a Certificate from a Trusted Authority for SSL below.

  6. Click Save to save all the details and generate a new self-signed certificate. The private key file and certificate file will be automatically populated.
  7. Click OK to save the options.

Custom Cipher

Enter a custom cipher string of your choice in accordance with OpenSSL standards. The cipher strings used by 2X RAS are described below:

Low: ALL:!aNULL:!eNULL

Med: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

High:

  • Min SSLv2 - ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
  • Min SSLv3 - ALL:!SSLv2:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
  • Min TLSv1 - ALL:!SSLv2:!SSLv3:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
  • Min TLSv1_1 - ALL:!SSLv2:!SSLv3:!TLSv1:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
  • Min TLSv1_2 - ALL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:+HIGH
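Before entering a string in the Custom Cipher field, it helps to see which suites it actually selects. The Python sketch below is an added example, not part of the 2X documentation: it expands the page's Low, Med and High (Min TLSv1_2) strings with the standard `ssl` module and flags suites a reviewer would question. The names `expand` and `audit` are illustrative, and the results reflect the OpenSSL build linked into the local Python, which may differ from the one the gateway uses.

```python
import ssl

# Cipher strings copied from the page; "High" is the Min TLSv1_2 variant.
PAGE_STRINGS = {
    "Low": "ALL:!aNULL:!eNULL",
    "Med": "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM",
    "High": "ALL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!aNULL:!ADH:!eNULL"
            ":!LOW:!MEDIUM:!EXP:+HIGH",
}


def expand(cipher_string):
    """Return the suites the local OpenSSL build selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    return ctx.get_ciphers()


def audit(cipher_string):
    """Summarise an expanded cipher string for review."""
    suites = expand(cipher_string)
    return {
        "names": [s["name"] for s in suites],
        # Au=None: no server authentication; Enc=None: no encryption.
        "unauthenticated_or_null": [
            s["name"] for s in suites
            if "Au=None" in s["description"] or "Enc=None" in s["description"]
        ],
        # Suites whose effective key strength is under 128 bits.
        "below_128_bits": [
            s["name"] for s in suites if s["strength_bits"] < 128
        ],
        # Static RSA key exchange (no forward secrecy).
        "static_rsa_kx": [
            s["name"] for s in suites if "Kx=RSA " in s["description"]
        ],
    }


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for label, string in PAGE_STRINGS.items():
        report = audit(string)
        print(f"{label}: {len(report['names'])} suites, "
              f"{len(report['below_128_bits'])} below 128 bits, "
              f"{len(report['static_rsa_kx'])} static RSA")
```

TLS 1.3 suites appear in every result because OpenSSL configures them separately from the cipher string.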

Note: By default only the connection between the gateway and the servers is encrypted. Change the connection mode to Gateway SSL Mode from the connection properties on all Parallels 2X RDP Clients to also encrypt the connection between the users and the gateway.

Use a Certificate from a Trusted Authority for SSL

To enable SSL using a certificate obtained from a trusted authority on a 2X Secure Client Gateway, follow the steps below:

  1. Navigate to the SSL/TLS tab in the gateway properties.
  2. Click on Generate certificate request, fill in all the required details and click Save.

Configuring SSL Certificate Details

  3. Once ready, a window will pop up with the certificate request, as shown in the screenshot below. Click Copy to copy the request, which you should send to the certificate authority.

Generated Certificate Request

  4. Once you receive the SSL certificate from the certificate authority, click on Import public key, browse for the certificate file containing the public key and click Open.
  5. Click OK to save the settings.

Enabling HTML 5 Support on the Gateway

Requirement: To enable HTML 5 support on a gateway, SSL/TLS should be enabled and configured.

To enable HTML 5 support on a gateway, tick the option Enable HTML 5 Connectivity from the Services section in the HTML 5 tab. From the same section you can also configure the Port which the gateway uses to connect to the HTML 5 module.

Configuring HTML 5 Options on a Gateway

Configuring HTML 5 Connection User Capabilities

From the Connections section in the HTML 5 tab you can configure what capabilities a user has when connected to the HTML 5 session. The options that can be configured from the Mode drop down menu are:

Allow Connection to this Gateway Only

Select this option so users can only access a connection to this gateway from the HTML 5 interface. Tick the option Create Default Connection so the connection to the gateway is already available in the HTML 5 interface.

Allow Modification of 2X Connections

Select this option to allow users to create new connections to other gateways or modify existing ones from the HTML 5 interface.

Allow Modification of 2X and RDP Connections

Select this option to allow users to create new connections to other gateways or modify existing ones, and also allow them to create new RDP connections from the HTML 5 interface.

Accessing the HTML 5 Interface

To connect to the HTML 5 interface of a gateway and access published resources, use an HTML 5 capable browser and connect to the following URL:

https://[Hostname]/2XHTML5Gateway/

Changing the Gateway Mode and Forwarding Settings

To change the gateway mode from normal to forwarding mode or vice versa and configure related settings select the Advanced tab from the gateway properties.

Configuring Gateway Advanced Options

Normal Mode

Select Forward requests to 2X Publishing Agent and HTTP Server to set the gateway to normal mode.

From this tab you can also configure the HTTP server the gateway forwards requests to from the HTTP Server(s) drop down menu. The HTTP servers entry can be set up with IPv6 servers. Please note that the HTTP server needs to support the same IP version as that of the browser making the request.

Forwarding Mode

Select Forward requests to next 2X Secure Client Gateway in chain (cascaded Firewall) to set the gateway to forwarding mode.

Select the forwarding gateway from the Forwarding 2X Secure Client Gateway(s) drop down menu.

Note: When a gateway is set to work in forwarding mode, it is possible to forward the data to another gateway which is listening on IPv6. It is recommended that gateways configured in forwarding mode are set to forward data to a gateway with the same IP version.

Managing Multiple IP Addresses on a Gateway

If the gateway has multiple addresses you can configure the gateway to listen and optimise the connection on a single IP address from the IP Address section in the Advanced tab shown in the above screenshot.

Support for Wyse Thin Client OS

To publish applications from the Parallels 2X Remote Application Server to Thin Clients using the Wyse ThinClient OS, tick the option Enable Wyse ThinOS Support from the Wyse tab in the gateway properties.

Configuring a Gateway to Support WYSE Thin Client OS

By enabling this option, the 2X Secure Client Gateway will act as a Wyse broker. Once the DHCP server is configured as explained in the tab, click the Test button to verify the DHCP server settings.

Filtering Access to 2X Secure Client Gateway

You can allow or deny users from accessing a gateway based on MAC addresses. To configure a list of allowed or denied MAC addresses navigate to the Security tab in the gateway properties. The options are:

  • Allow all except: if this option is enabled, all devices on the network are allowed to connect to the gateway apart from those in the list.
  • Allow only: if this option is enabled, only the MAC addresses in the list are allowed to connect to the gateway.

Restricting Access to a Gateway via MAC Addresses

Miscellaneous Gateway Settings

Broadcast Gateway Address

The option Broadcast 2X Secure Client Gateway Address in the gateway properties Network tab can be used to switch on the broadcasting of the gateway address so Parallels 2X clients can automatically find their primary gateway.

Configuring Listening IP Address

If the server the 2X Secure Client Gateway is running on has multiple IP addresses, by default the gateway will listen on all IP addresses. To configure the gateway to listen on a specific IP address, select the IP address from the Bind Gateway to the following IP drop down menu, which can be found in the Advanced tab in the gateway properties.