Restricting login to RAS

Discussion in 'Parallels Remote Application Server' started by MatE1, Jul 1, 2019.

Tags:
  1. MatE1

    MatE1 Bit Poster

    Messages:
    4
    Hello
    Does anyone know if there is a way to restrict which Active Directory users can login to RAS?
    I know there is a way to filter Published Resources by user or group. However wondered if you could stop all Active Directory users from being able to login.
     
  2. Eugene. K.

    Eugene. K. Parallels Team

    Messages:
    42
    Hi MatE1,
    Could you please describe to us why do you want it and what behavior do you expect? Your answers might help me to suggest you something or probably file a new feature request in RAS.
    Thanks in advance!
     
  3. MatE1

    MatE1 Bit Poster

    Messages:
    4
    Hi Eugene
    I can't think of anything specific at the moment. Maybe if there was some security concern where you didn't want a user/group of users to be able to login to RAS. At the moment it seems that any AD user can login and what they can do is only based on the published resources filtering. If that is the case then that is fine. I just want to make sure i am not missing something.
    Thanks
     
  4. Eugene. K.

    Eugene. K. Parallels Team

    Messages:
    42
    Hi Mat, thanks for your time.
    Indeed a normal practice is to publish resources to a particular AD group and manage members of this group from AD. When people out of the group log into RAS they don't see resources and can't connect to servers.

    We don't see a real use case for preventing login to RAS per-user and don't really get such requests (often). That's why we don't have this functionality in the product.
    Anyway, I'll count you as "+1" requestor for the corresponding feature and maybe it will be released someday.

    At the same time there are few ways to prohibit logon to RAS which work for some situations:
    1) Two Factor Authentication.
    Parallels RAS has built-in support for various 2FA services. You could configure who can log in to RAS on 2FA side. It helps to increase security in general and save account passwords from being brute-forced.
    2) Trusts.
    If you have 2 domains in a trust and want only users of 1 domain to be able to login to RAS, then you can configure it in Administration -> Authentication

    I can't come up with anything extra at the moment.
     
  5. roberta5B

    roberta5B Bit Poster

    Messages:
    2
    I have a Windows Server 2019 Environment. I have several VPN users who connect from their home machines to the VPN and then initial outbound RDP connections from the corporate network to another network.
     
  6. roberta5B

    roberta5B Bit Poster

    Messages:
    2
     
    Last edited by a moderator: Jul 20, 2019
  7. CantwellV

    CantwellV Bit Poster

    Messages:
    2
    Also in active directory you can configure a static remote ip address. Also in the Network Access Permission click Allow to allow the user to connect through VPN, Deny -self explainatory, Control access through NPS network policy you would click if you used NAP.
     
  8. CantwellV

    CantwellV Bit Poster

    Messages:
    2
    Any other update?
     

Share This Page