Restricting login to RAS

Hello
Does anyone know if there is a way to restrict which Active Directory users can login to RAS?
I know there is a way to filter Published Resources by user or group. However wondered if you could stop all Active Directory users from being able to login.

 

Hi MatE1,
Could you please describe to us why do you want it and what behavior do you expect? Your answers might help me to suggest you something or probably file a new feature request in RAS.
Thanks in advance!

 

Hi Eugene
I can't think of anything specific at the moment. Maybe if there was some security concern where you didn't want a user/group of users to be able to login to RAS. At the moment it seems that any AD user can login and what they can do is only based on the published resources filtering. If that is the case then that is fine. I just want to make sure i am not missing something.
Thanks

 

Hi Mat, thanks for your time.
Indeed a normal practice is to publish resources to a particular AD group and manage members of this group from AD. When people out of the group log into RAS they don't see resources and can't connect to servers.

We don't see a real use case for preventing login to RAS per-user and don't really get such requests (often). That's why we don't have this functionality in the product.
Anyway, I'll count you as "+1" requestor for the corresponding feature and maybe it will be released someday.

At the same time there are few ways to prohibit logon to RAS which work for some situations:
1) Two Factor Authentication.
Parallels RAS has built-in support for various 2FA services. You could configure who can log in to RAS on 2FA side. It helps to increase security in general and save account passwords from being brute-forced.
2) Trusts.
If you have 2 domains in a trust and want only users of 1 domain to be able to login to RAS, then you can configure it in Administration -> Authentication

I can't come up with anything extra at the moment.

 

I have a Windows Server 2019 Environment. I have several VPN users who connect from their home machines to the VPN and then initial outbound RDP connections from the corporate network to another network.

 

Also in active directory you can configure a static remote ip address. Also in the Network Access Permission click Allow to allow the user to connect through VPN, Deny -self explainatory, Control access through NPS network policy you would click if you used NAP.

 

Any other update?

 

We have no Proxy in place, hence everyone has unrestricted access. Port restrictions are in place on the firewall. We have Tellsubway Server 2003 RRAS box handling all the incoming VPN connectivity.

Many thanks in advance.

 

NAP is available only in server 2008 or above. It is not available in 2003, and it is a little more complicated to deploy but in short, you basically configure a connection policy for computers to connect. If they meet certain conditions that are required, they are allowed inside the network, if not they can be sent to a remediation network where they can try to meet the compliance checks. You also have to enable NAP clients through Group Policy.

 

As I thinking that if you are using your personal Network then you may be able to restrict user RAS Login. But in that case, you must have to shift your network IP address using Tellsubway VPN and you may able to restrict RAS Login.

 

This is quite an old forum post, but feel it is extremely important.
If Parallels is accessible from the Internet, I certainly don't want it to be used to bruteforce admin accounts or DDoS them.

Even if 2FA is enabled, username and password can be tried from anywhere in the world. Yes, they can't log in then, but there are accounts where this simply shouldn't be possible at all.

From me (and all colleagues and customers) a very big +1 for this feature. For me it is completely incomprehensible that this supposedly bothers so few people 0.o

 

Counter intuitively, when using MFA (especially if enrollment is ready or admin-managed), brute force in this manner will not be possible.
While RAS has some DOS prevention functionality, it is mostly out of its direct scope.
An allow/deny list sounds like a good idea, but I'm not sure if it can help if there are same named users (administrator) with different domains (local or one in the forest). RDP itself doesn't do that (it authenticates the user before checking the allow list). I'm sure that with some restrictions, it can be done. Hopefully this limitation might be re-reviewed.

 

@jpc Thank you for the answer.
I checked that again and it is not perfect but not as bad as I thought. Guessing usernames is possible, because if a username is unknown, I get a corresponding error message. But guessing passwords does not work. Even if the provided password is wrong, the 2FA request appears and is send to my phone. Only after providing the correct 2FA token, I the password wrong info.

 

A way to control initial login to the RAS Portal is through Themes. You can filter the AD user groups that have access to the theme, restricting in this way the initial login.