SOLVED - How to allow ONLY certain users access to Parallels from outside of LAN

Discussion in 'Parallels Remote Application Server' started by GreggZ, Apr 4, 2016.

  1. GreggZ

    GreggZ Junior Member

    Messages:
    13
    Coming over from the Citrix side, where we used a Netscaler and AD to create a policy that required you to be a member of a named AD group in order to access externally. The Netscaler would be similar to the HALB but a bit more advanced. You can look at this 2 different ways: one is to "allow" a group of users in from home, the other is to "prevent" a group of users from accessing this from home. The reason is that we will be using RAS for some shop-floor generic logons and cannot change those passwords every time an employee leaves the company, so we need to prevent them from accessing RAS from home. "Home" would be anywhere or any network that is not on our LAN. I do not want to use MAC, IP, or client name for filtering. I need to be able to authenticate the user either at the HALB or the next component down. I would prefer if I could have all 4 servers in the same site. Currently we are trying to do this by using 2 sites, but the way Parallels RAS Console shows all of the published apps regardless of site, it gets a little ugly. I guess if it comes down to it... the remote user could log on using SSL VPN, then connect to the RAS.
     
  2. GreggZ

    GreggZ Junior Member

    Messages:
    13
    One of the Enterprise Sales Engineers helped me through this. We created filtering by adding 2 filters to my "Internal" group: 1, they belong to the "internal" AD group, and 2, they fall into a specified IP range. In order to obtain access remotely (from home) they only need to be a member of the AD group for external access.
     
  3. Valentin@Parallels

    Valentin@Parallels Parallels Support

    Messages:
    66
    Hey @GreggZ
    Good to know that you sorted that out for now.
    Feel free to test filtering as it actually provides a lot of varieties to filter the access to your published apps.
    Let me know if you have any additional questions.

    Have a nice weekend!
     
  4. mdomnis

    mdomnis Bit poster

    Messages:
    7
    I am also trying to accomplish the same thing, but it does not really seem like the solution proposed really secures apps from users outside the network. If your internal IPs are private addresses, all one has to do to get access from outside to the internal apps is set their home router to hand their PC an address in this range (or manually set it on the PC).

    If the Parallels Remote Access Server saw the remote user's public IP of their cable modem or whatever, it would work fine, but it actually sees the IP of the PC itself, which is most likely a private address like 192.168.x or 10.x and might very well fall in the allowed range.

    We would like to allow lots of people access to the apps internally, but only a small subset of them (managers, etc.) to access the apps from home. Seems simple enough, but I can't really see a way to do it with current functionality. Hoping there's something I'm not thinking of.
     
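The weakness mdomnis describes, modelled as an added example (not code from the thread or from Parallels RAS): the "internal" filter from post 2 is evaluated once against the address the client reports for itself and once against the address the gateway observes. The group names, ranges and sample connections are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy mirroring the thread: "internal" access requires an AD
# group AND an address inside the LAN ranges; "external" access requires a
# second AD group only.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]
INTERNAL_GROUP = "RAS_Internal"   # hypothetical AD group name
EXTERNAL_GROUP = "RAS_External"   # hypothetical AD group name


@dataclass(frozen=True)
class Connection:
    user: str
    groups: frozenset
    client_reported_ip: str  # address on the client's own NIC (what the console shows)
    gateway_seen_ip: str     # source address the gateway actually observed


def in_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def allowed_by_client_ip(conn: Connection) -> bool:
    """Filter as set up in post 2: group membership plus the client-reported address."""
    internal = INTERNAL_GROUP in conn.groups and in_lan(conn.client_reported_ip)
    external = EXTERNAL_GROUP in conn.groups
    return internal or external


def allowed_by_gateway_ip(conn: Connection) -> bool:
    """Same policy, but checked against the address the gateway observed."""
    internal = INTERNAL_GROUP in conn.groups and in_lan(conn.gateway_seen_ip)
    external = EXTERNAL_GROUP in conn.groups
    return internal or external


# Constructed sample connections.
SHOPFLOOR_ON_LAN = Connection("shopfloor01", frozenset({INTERNAL_GROUP}),
                              "10.1.2.3", "10.1.2.3")
# The same generic account used from home: the home router hands out
# 192.168.1.50, inside the "internal" range, while the gateway sees the
# public address of the home connection.
SHOPFLOOR_FROM_HOME = Connection("shopfloor01", frozenset({INTERNAL_GROUP}),
                                 "192.168.1.50", "203.0.113.7")
MANAGER_FROM_HOME = Connection("manager", frozenset({INTERNAL_GROUP, EXTERNAL_GROUP}),
                               "192.168.1.20", "198.51.100.9")
```

Only the gateway-observed check rejects the generic account from home while still admitting the manager, who holds the external group.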
  5. GreggZ

    GreggZ Junior Member

    Messages:
    13
    mdomnis, I believe that you are correct. The client's local IP is what is showing up in the console. Does anyone know (I will look after submitting my reply) if Parallels has a feature request section? This is important. Also, I noticed that when clients use the HTML5 client, they can sign out of their session (whether that be an app or a desktop) and the HTML5 page is left logged on. If a user is at a public kiosk (like a hotel lobby) and leaves the page up, someone can come in behind them and access your data! Since Parallels is competing with Citrix, they need to step up the security capabilities. ** We never used Citrix's HTML5 logon, but I know you used to be able to access the gateway, launch your app and the page would automatically log you out after X amount of time and leave your app running. If you close out of the HTML5 page with RAS, it will sign you out or disconnect your session too. I'll write this up in a separate post too.
     
  6. mdomnis

    mdomnis Bit poster

    Messages:
    7
    I have a case open right now and the best they gave me (so far) was to use MAC filtering. We have like 300 machines internally that we want to allow access to, so that's a huge list to manage. Additionally, we don't really want to ask for the MAC of every manager's home PC and deal with maintaining that if they go somewhere else or get a new device.

    One option that would work nicely for us is if the login to the web portal could be restricted by Active Directory Group/User. This way anyone not in the group "External Users" would not be able to log in to the web portal.

    The other option that I think would make it acceptable would be for the console to see the user's public IP and not their private internal IP. This way we could use IP filtering in combination with an AD group to filter the apps externally.

    If anyone else has worked around this issue with customization or something I am not thinking of, please post.
     
  7. GreggZ

    GreggZ Junior Member

    Messages:
    13
    MAC filtering is not an acceptable answer. I only have about 30 external users and I refuse to go that route.
     
  8. cuong

    cuong Bit poster

    Messages:
    3
    Feel free to test filtering as it actually provides a lot of varieties to filter the access to your published apps.
     
  9. JulianMoo

    JulianMoo Junior Member

    Messages:
    16
    Just found this thread and wanted to ask if there is any update? Seems there is no way to filter external gateway connections based on the external IP (not the client IP) and AD group? The HTML5 Client Access can be restricted with an Active Directory group. I could only come up with the following idea:
    Step #1
    Create a dedicated Gateway for External Connections
    Step #2
    Duplicate the shared Resource. Example: Desktop Production (External)
    Step #3
    Filter the external desktop publishing to a dedicated Active Directory Group Example: AD_Parallels_Desktop_Prod_External. Restrict Connections to Gateway created in Step 1.

    This should work, at least unless you want to build an HA setup with two internal and two external gateways. HALB can only be used with one VIP.

    What is the correct way of handling this requirement?

    Julian
     
  10. JulianMoo

    JulianMoo Junior Member

    Messages:
    16
    Update: If you restrict the HTML5 Client Access the Parallels Client will be restricted as well.
    There is no additional configuration needed as mentioned in my previous post. This was not working during my initial testing.
     