Secure load balancing for Parallels RAS on Azure using Azure Firewall, Application Gateway, and Load Balancers


This step-by-step guide explains how to configure load balancing for Parallels RAS on Microsoft Azure using Azure native load balancing capabilities and resources. This configuration enables load balancing of HTTPS traffic going to the Parallels RAS User Portal as well as TCP/UDP traffic going to the Parallels RAS Secure Gateways. There are different methods to achieve this. This guide focuses on the scenarios where Azure Firewall is required or already in use.

The procedure described in this guide gives you the ability to load balance Parallels RAS traffic for both of these scenarios (User Portal over HTTPS, and Secure Gateway over TCP/UDP).

 

Prerequisites and assumptions

It is assumed that the reader has a basic understanding of Azure Portal, deploying Azure resources, and Parallels RAS. It is assumed that the Parallels RAS environment is already deployed and configured, including the Parallels RAS Secure Gateway roles. It is advised to test the connection flow from within the internal network towards the internal IP addresses of the Secure Gateway servers to confirm successful connections, before following this guide to start publishing your Parallels RAS resources publicly. This guide uses Azure Portal for all configuration steps, but you can, of course, also use any form of automation like Bicep templates, PowerShell, or REST API to achieve the same configuration.

 

Process flow

This step-by-step guide follows the flow as illustrated below:

  1. Configure networking.
  2. Create and configure Azure Load Balancer.
  3. Create and configure Azure Application Gateway.
  4. Create and configure Azure Firewall.
  5. Configure Parallels RAS.
  6. Test and evaluate load balancing.

 

Architecture

The diagram below shows the architecture of Parallels RAS published through Azure Firewall. The Azure Firewall has a single public IP and is configured with two DNAT rules: one listens on TCP/UDP port 8443, the other on TCP port 443. The DNAT rule for TCP 443 forwards connections to the Azure Application Gateway, which load balances HTTPS (443) across the Secure Gateway servers to provide access to the Parallels RAS User Portal. The DNAT rule for TCP/UDP 8443 forwards connections to the Azure Load Balancer, which load balances TCP/UDP 443 across the Secure Gateway servers to provide access to the Parallels RAS Secure Gateway.


Step 1: Configure networking

This guide assumes you already have a Virtual Network (VNet) in Azure in place. In most scenarios, you will be using the VNet containing the Parallels RAS infrastructure servers. You can also use another VNet or create one at this point. In those cases, make sure that VNet peering is configured to allow connectivity towards the VNet where the Parallels RAS and Active Directory VMs are located. For more information on setting up VNet peering, follow the Microsoft guide on Virtual Network peering. For production deployments, Microsoft advises a hub and spoke model, where the firewall is in its own VNet. The Parallels RAS servers should be in peered VNets in the same region with one or more subnets. Both the Azure Firewall and the Azure Application Gateway require a dedicated subnet.

 

  1. Open the Azure Portal at https://portal.azure.com.
  2. Navigate to Virtual networks.
  3. Click on the VNet where the Azure Firewall and Azure Application Gateway are to be deployed.
  4. Go to Subnets.
  5. Create a new /26 Subnet named AzureFirewallSubnet. More information on Azure Firewall subnet sizing can be found here.
  6. Create a new /24 Subnet named ApplicationGateway. Having a /24 subnet isn't required for the Application Gateway deployment, but it is highly recommended. More information on Azure Application Gateway Sizing can be found here.

 

The result will look similar to the screenshot below.

 

Step 2: Create and configure Azure Load Balancer

 

  1. Open the Azure Portal at https://portal.azure.com and navigate to Create a Resource.
  2. Search for Load Balancer.
  3. Create a new Load Balancer.
  4. On the Basic tab:
    1. Select the subscription and resource group.
    2. Specify the name and region.
    3. In the SKU section, select Standard.
    4. In the Type section, select Internal.
    5. In the Tier section, select Regional.

 

Note: In this example, Standard SKU is used, but you can select any type of SKU required for your environment. For more information on Azure Load Balancer SKUs, visit this link.

 

The result will look similar to the screenshot below.

 

 

  1. On the Frontend IP configuration tab click the Add a Frontend IP Configuration button.
    1. Specify the name for the frontend IP.
    2. In the Virtual Network drop-down menu, select the virtual network that you have created.
    3. In the Subnet drop-down menu, select the subnet where the Parallels resources reside.
    4. In the Assignment section select Static.
    5. Specify the IP address you want to use.
    6. In the Availability zone drop-down menu, select Zone-redundant.
    7. Click Add to save the frontend IP.

 

The result will look similar to the screenshot below.

 

  1. On the Backend pools tab click Add a backend pool.
    1. Provide a name for the backend pool.
    2. In the Backend Pool Configuration section, select NIC.
    3. Add all Parallels RAS Secure Gateway servers by clicking Add.
    4. Click Save to continue.

 

The result will look similar to the screenshot below.

 

 

  1. On the Inbound Rules tab, add two load-balancing rules.
    1. Click the Add a load balancing rule button.
    2. Provide a name for the rule that allows TCP traffic.
    3. In the IP version section, select IPv4.
    4. In the Frontend IP address drop-down menu, select the Frontend IP address you created in the previous step.
    5. In the Backend pool drop-down menu, select the backend pool you created in the previous step.
    6. In the Protocol section, select TCP.
    7. In the Port and Backend port fields, specify 443.
    8. In the Health Probe section, click the Create New link. Specify the following properties:
      1. Provide a name for the Health probe.
      2. Set the protocol to TCP.
      3. Set the port to 443.
      4. Set the interval to 5.
      5. Click Save.
    9. In the Session persistence drop-down menu, select Client IP and protocol.
    10. In the Idle timeout field, specify 4.
    11. Disable the Enable TCP reset and Enable Floating IP options.
    12. Click Save.

 

The result will look similar to the screenshot below.

 

    1. Click the Add a load balancing rule button.
    2. Provide a name for the rule that allows UDP traffic.
    3. In the IP version section, select IPv4.
    4. In the Frontend IP address drop-down menu, select the Frontend IP address you created in the previous step.
    5. In the Backend pool drop-down menu, select the backend pool you created in the previous step.
    6. In the Protocol section, select UDP.
    7. In the Port and Backend port fields, specify 443.
    8. In the Health probe drop-down menu, select the Health probe you created before.
    9. In the Session persistence drop-down menu, select Client IP and protocol.
    10. In the Idle timeout field, specify 4.
    11. Disable the Enable Floating IP option.

 

The result will look similar to the screenshot below.

 

 

  1. Do not make any changes to the Outbound rules tab.
  2. On the Tags tab, optionally add any tags you wish to configure.
  3. On the Review and Create tab, click Create to deploy the load balancer.
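The same internal load balancer as the portal steps above, built with the Az.Network PowerShell module (the guide mentions PowerShell as an alternative to the portal). This is an added example and not code from Parallels or Microsoft; the resource group, VNet, subnet, NIC names and the frontend IP 10.0.1.250 are assumptions for illustration.

```powershell
# Added example (not part of the Parallels guide): internal Standard load
# balancer from Step 2. Resource group, VNet, subnet, IP and NIC names are
# assumptions; replace them with your own values.
$rg       = 'rg-parallels-ras'
$location = 'westeurope'
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-ras'
$subnet   = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-ras-servers'

# Frontend: static private IP in the Secure Gateway subnet, zone-redundant (zones 1-3).
$frontend = New-AzLoadBalancerFrontendIpConfig -Name 'fe-ras-internal' `
    -Subnet $subnet -PrivateIpAddress '10.0.1.250' -Zone '1','2','3'

$pool = New-AzLoadBalancerBackendAddressPoolConfig -Name 'be-ras-gateways'

# One TCP health probe on 443 with a 5 second interval, shared by both rules.
$probe = New-AzLoadBalancerProbeConfig -Name 'probe-tcp-443' -Protocol Tcp `
    -Port 443 -IntervalInSeconds 5 -ProbeCount 2

# "Client IP and protocol" persistence is SourceIPProtocol. Floating IP and
# TCP reset stay disabled because their switches are simply not passed.
$ruleTcp = New-AzLoadBalancerRuleConfig -Name 'lbr-ras-tcp-443' -Protocol Tcp `
    -FrontendPort 443 -BackendPort 443 -IdleTimeoutInMinutes 4 `
    -LoadDistribution SourceIPProtocol -FrontendIpConfiguration $frontend `
    -BackendAddressPool $pool -Probe $probe
$ruleUdp = New-AzLoadBalancerRuleConfig -Name 'lbr-ras-udp-443' -Protocol Udp `
    -FrontendPort 443 -BackendPort 443 -IdleTimeoutInMinutes 4 `
    -LoadDistribution SourceIPProtocol -FrontendIpConfiguration $frontend `
    -BackendAddressPool $pool -Probe $probe

# A private frontend makes this an internal load balancer; Standard SKU.
$lb = New-AzLoadBalancer -ResourceGroupName $rg -Name 'lbi-ras-gateways' `
    -Location $location -Sku Standard -FrontendIpConfiguration $frontend `
    -BackendAddressPool $pool -Probe $probe -LoadBalancingRule $ruleTcp,$ruleUdp

# NIC-based backend pool: attach the primary IP configuration of every
# Secure Gateway NIC (assumed names) to the pool of the new load balancer.
foreach ($nicName in 'nic-rasgw01','nic-rasgw02') {
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
    $nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($lb.BackendAddressPools[0])
    Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
}
```

A Standard SKU load balancer is closed by default: the network security group on the Secure Gateway NICs or subnet must allow inbound TCP and UDP 443 from the Azure Firewall subnet and must allow the AzureLoadBalancer service tag, otherwise the health probe fails and the pool shows no healthy backends.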

 

Step 3: Create and configure Azure Application Gateway

 

  1. Open the Azure Portal at https://portal.azure.com and navigate to Create a Resource.
  2. Search for Application Gateway.
  3. Create a new Application Gateway.
  4. On the Basic tab:
    1. Select the subscription and resource group.
    2. Provide a name for the Application Gateway.
    3. Select the region you used before.
    4. In the Tier drop-down menu, select Standard V2.
    5. Enable autoscaling if needed.
    6. Specify an instance count matching your requirements.
    7. Optionally select one or more availability zones to improve high availability.
    8. Disable HTTP2.
    9. Select the Virtual Network you created or used before.
    10. In the Subnet drop-down menu, select the Application Gateway subnet you created before.
  5. On the Frontends tab:
    1. In the Frontend IP address type section, select Both (although we will not use the public IP).

Note: Application Gateways with a tier of Standard_v2 don’t support only private IP addresses as the front end. The supported SKU tiers are Standard and WAF.

    2. Create a new public IP address and provide the name for it.
    3. Select a private IP address to use.

 

The result will look similar to the screenshot below.

 

 

  1. On the Backends tab click Add a backend pool.
    1. Provide a name for the backend pool.
    2. Add all Parallels RAS Secure Gateway servers as a Virtual Machine Target.

 

The result will look similar to the screenshot below.

 

  1. On the Configuration tab click Add a routing rule.
    1. On the Listener tab:
      1. Provide a name for the routing rule.
      2. Set a priority.
      3. Provide a name for the new listener.
      4. Set the frontend IP to Private.
      5. Set the protocol to HTTPS.
      6. Set the port to 443.
      7. Provide the certificate you want to use by uploading it or pointing to a certificate stored in Azure Key Vault.
      8. Set the listener type to Basic.
      9. Optionally, enable the Error page URL option.

 

The result will look similar to the screenshot below.

 

    1. On the Backend targets tab:
      1. Provide a Backend settings name.
      2. Set the protocol to HTTPS.
      3. Set the port to 443.
      4. Provide the certificate you want to use by uploading it.
      5. Enable the Cookie-based affinity option.
      6. Specify the name for the cookie. This can be anything, but it must match the cookie name provided on the Web tab of the Secure Gateway properties in the Parallels RAS Console as part of step 5. In this case the default name ApplicationGatewayAffinity was used.
      7. Optionally, enable the Connection draining option.
      8. In the Request time-out field, specify 40. Note: the default value of 20 seconds is shorter than the 30-second keep-alive of the RAS User Portal, so an idle session might be disconnected.

 

The result will look similar to the screenshot below.

 

 

  1. On the Tags tab, optionally add any tags you wish to configure.
  2. On the Review and Create tab, click Create to deploy the Application Gateway.
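The Application Gateway of Step 3 expressed with the Az.Network module, as an added example rather than code from Parallels or Microsoft. It assumes the same resource group and VNet names as before, a private frontend IP of 10.0.2.10, two Secure Gateway addresses, and local certificate files: a PFX for the listener (uploaded inline rather than referenced from Key Vault) and the root CA certificate that signed the Secure Gateway server certificates for the backend settings.

```powershell
# Added example (not from the guide): Standard_v2 Application Gateway with a
# private HTTPS listener, cookie-based affinity and a 40 s request timeout.
# Names, IPs and certificate paths are assumptions for illustration.
$rg        = 'rg-parallels-ras'
$location  = 'westeurope'
$vnet      = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-ras'
$agwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'ApplicationGateway'

# Standard_v2 requires a public frontend even though only the private one is used.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-agw-ras' `
    -Location $location -AllocationMethod Static -Sku Standard

$gwIpConfig = New-AzApplicationGatewayIPConfiguration -Name 'agw-ipconfig' -Subnet $agwSubnet
$fePublic   = New-AzApplicationGatewayFrontendIPConfig -Name 'fe-public' -PublicIPAddress $pip
$fePrivate  = New-AzApplicationGatewayFrontendIPConfig -Name 'fe-private' `
    -Subnet $agwSubnet -PrivateIPAddress '10.0.2.10'
$fePort443  = New-AzApplicationGatewayFrontendPort -Name 'port-443' -Port 443

# Listener certificate: its name must match the public DNS name clients use.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$sslCert  = New-AzApplicationGatewaySslCertificate -Name 'cert-ras-portal' `
    -CertificateFile 'C:\certs\demo.parallelsras.tech.pfx' -Password $pfxPassword
# Root CA of the Secure Gateway certificates, so backend HTTPS is verified.
$rootCert = New-AzApplicationGatewayTrustedRootCertificate -Name 'root-ras-gateways' `
    -CertificateFile 'C:\certs\ras-gateway-root.cer'

$pool = New-AzApplicationGatewayBackendAddressPool -Name 'be-ras-gateways' `
    -BackendIPAddresses '10.0.1.11','10.0.1.12'

# Cookie name must equal the Web Cookie set in the RAS Console (Step 5).
$draining    = New-AzApplicationGatewayConnectionDraining -Enabled $true -DrainTimeoutInSec 60
$httpSetting = New-AzApplicationGatewayBackendHttpSetting -Name 'bs-https-443' `
    -Port 443 -Protocol Https -CookieBasedAffinity Enabled `
    -AffinityCookieName 'ApplicationGatewayAffinity' -RequestTimeout 40 `
    -TrustedRootCertificate $rootCert -ConnectionDraining $draining

$listener = New-AzApplicationGatewayHttpListener -Name 'lsn-ras-portal-https' `
    -Protocol Https -FrontendIPConfiguration $fePrivate -FrontendPort $fePort443 `
    -SslCertificate $sslCert
$rule = New-AzApplicationGatewayRequestRoutingRule -Name 'rule-ras-portal' `
    -RuleType Basic -Priority 100 -HttpListener $listener `
    -BackendAddressPool $pool -BackendHttpSettings $httpSetting

# Fixed instance count of 2; add an autoscale configuration if you need it.
$sku = New-AzApplicationGatewaySku -Name Standard_v2 -Tier Standard_v2 -Capacity 2

# HTTP/2 stays disabled because -EnableHttp2 is not passed.
New-AzApplicationGateway -ResourceGroupName $rg -Name 'agw-ras-portal' -Location $location `
    -Sku $sku -GatewayIPConfigurations $gwIpConfig `
    -FrontendIPConfigurations $fePublic,$fePrivate -FrontendPorts $fePort443 `
    -SslCertificates $sslCert -TrustedRootCertificate $rootCert `
    -BackendAddressPools $pool -BackendHttpSettingsCollection $httpSetting `
    -HttpListeners $listener -RequestRoutingRules $rule -Zone '1','2','3'
```

Because the backend settings pin a trusted root certificate, the gateway refuses a Secure Gateway whose certificate chains to anything else; the backend health view will show the reason, which is the check to run first if the User Portal returns a 502.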

 

Step 4: Create and Configure Azure Firewall

 

  1. Open the Azure Portal at https://portal.azure.com and navigate to Create a Resource.
  2. Search for Firewall.
  3. Create a new Firewall.
  4. On the Basic tab:
    1. Provide the subscription and resource group.
    2. Provide a name for the Firewall.
    3. Select the region you used before.
    4. Optionally, select one or more availability zones to improve high availability.
    5. In the Firewall SKU section, select Standard.

Note: The SKU type can be configured as required; in this example the Standard SKU is used. For more information on Azure Firewall SKUs, visit this link.

    6. In the Firewall Management section, select Use a Firewall Policy to manage this firewall.
    7. In the Firewall policy section, click the Add new link.
      1. Provide a name for the policy.
      2. Select the region you used before.
      3. Select Standard as the policy tier.
    8. In the Virtual Network drop-down list, select the existing Virtual Network you created before.
    9. In the Public IP address section, click Add New.
      1. Provide a name for the public IP address.
      2. Set SKU to Standard.
      3. Set assignment to Static.
    10. Disable the Forced tunneling option.

 

The result will look similar to the screenshot below.

 

  1. On the Tags tab, optionally add any tags you wish to configure.
  2. On the Review + Create tab, click Create to deploy the Firewall.
  3. Once the resource creation is complete, open the newly created firewall policy.

 

 

  1. Go to DNAT rules and click Add a rule collection.
    1. Provide a name for the rule collection.
    2. Select DNAT as the rule collection type.
    3. Specify a priority (e.g., 100).
    4. Select DefaultDnatRuleCollectionGroup as the rule collection group.
    5. Create a new rule.
      1. Specify parallels-ras as the name.
      2. Set source type to IP Address.
      3. Set the source to *.
      4. Select TCP and UDP as the protocol.
      5. Set the destination port to 8443.
      6. Set destination type to IP Address.
      7. Select the public IP address of the Firewall as the destination.
      8. Set the Translated type to IP Address.
      9. Set the internal IP address of the Load Balancer as the Translated address.
      10. Set the translated port to 443.
    6. Create another rule.
      1. Provide parallels-ras-portal as the name.
      2. Set source type to IP Address.
      3. Set the source to *.
      4. Select TCP and UDP as the protocol.
      5. Set the destination port to 443.
      6. Set destination type to IP Address.
      7. Configure the public IP address of the Firewall as the destination.
      8. Set the Translated type to IP Address.
      9. Set the internal IP address of the Application Gateway as the Translated address.
      10. Set the translated port to 443.

 

The result will look similar to the screenshot below.

 

 

Click Add to save the configuration.
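The firewall, its policy and the two DNAT rules of Step 4 with the Az.Network module, added here as an example (not Parallels' or Microsoft's code). It assumes the resource group and VNet names used in the earlier examples, that the VNet already contains the AzureFirewallSubnet from Step 1, and that 10.0.1.250 and 10.0.2.10 are the private addresses of the load balancer frontend and the Application Gateway frontend respectively.

```powershell
# Added example (not from the guide): Azure Firewall with a Standard policy and
# the two DNAT rules from Step 4. Names and private IPs are assumptions and must
# match the load balancer and Application Gateway you actually deployed.
$rg       = 'rg-parallels-ras'
$location = 'westeurope'
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-ras'  # contains AzureFirewallSubnet

$fwPip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-azfw-ras' `
    -Location $location -AllocationMethod Static -Sku Standard

$policy = New-AzFirewallPolicy -ResourceGroupName $rg -Name 'afwp-ras' `
    -Location $location -SkuTier Standard

# Public 8443 TCP/UDP -> internal load balancer :443 (Secure Gateway traffic).
$ruleGateway = New-AzFirewallPolicyNatRule -Name 'parallels-ras' -SourceAddress '*' `
    -Protocol 'TCP','UDP' -DestinationAddress $fwPip.IpAddress -DestinationPort '8443' `
    -TranslatedAddress '10.0.1.250' -TranslatedPort '443'

# Public 443 -> Application Gateway private frontend :443 (User Portal).
# HTTPS is TCP only, so UDP is deliberately not opened for this rule.
$rulePortal = New-AzFirewallPolicyNatRule -Name 'parallels-ras-portal' -SourceAddress '*' `
    -Protocol 'TCP' -DestinationAddress $fwPip.IpAddress -DestinationPort '443' `
    -TranslatedAddress '10.0.2.10' -TranslatedPort '443'

$natCollection = New-AzFirewallPolicyNatRuleCollection -Name 'ras-dnat' -Priority 100 `
    -Rule $ruleGateway,$rulePortal -ActionType Dnat

# Rule collection group holding the DNAT collection (name is an assumption).
New-AzFirewallPolicyRuleCollectionGroup -Name 'DefaultDnatRuleCollectionGroup' -Priority 100 `
    -RuleCollection $natCollection -FirewallPolicyObject $policy | Out-Null

# The firewall picks up AzureFirewallSubnet from the VNet automatically.
$fw = New-AzFirewall -ResourceGroupName $rg -Name 'afw-ras' -Location $location `
    -VirtualNetwork $vnet -PublicIpAddress $fwPip -FirewallPolicyId $policy.Id
```

Azure Firewall source-translates DNAT traffic to one of its own private addresses, so the Secure Gateway and load balancer logs record the firewall IP rather than the client IP. For the User Portal path the client address survives in the X-Forwarded-For header the Application Gateway adds; for the 8443 path, correlate the firewall's DNAT log entries (which carry the original source) with the RAS session logs. Restricting the source of each rule to known address ranges instead of * is the easiest exposure reduction when your user population allows it.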

 

  1. Create a record matching the FQDN of the certificate you used before inside the public DNS of your domain name. For example, in this case, the following DNS entry was created.

     Type   Name                     Values
     A      demo.parallelsras.tech   13.80.79.171

 

 

 

Step 5: Configure Parallels RAS

 

  1. Log on to the Virtual Machine hosting your Parallels RAS Console.
  2. Open the Parallels RAS Console.
  3. Browse to Secure Gateways, and in the properties of each Secure Gateway perform the actions described below.
  4. On the User Portal tab:
    1. Enable the Use alternate hostname option and provide the public DNS name that resolves to the IP address of the Azure Firewall. This name must also match the SSL certificate configured earlier on the Azure Application Gateway listener.
    2. Select Use alternate port and specify 8443, as configured in the Azure Firewall rule that points to the Azure load balancer. This tells the Parallels RAS web client to use port 8443 upon launching a published resource.

 

 

  1. On the Web tab:
    1. In the Web Cookie field, specify a web cookie name. This can be anything, but it must match the cookie name configured earlier on the Backend settings tab of the Azure Application Gateway. In this case the default name ApplicationGatewayAffinity was used.
    2. Enable the option Use a secure web cookie to encrypt the cookie that Parallels RAS creates to provide session affinity.

 

Step 6: Test and evaluate load balancing

 

  1. Test access using the Parallels RAS Web Client by browsing to the public DNS name configured in a previous step and providing credentials of a test user account.

 

  1. Based on publishing settings configured in Parallels RAS, a number of resources should appear as per the example below. Open a resource that is published to launch a new session. Right-click the resource and select the Open in Parallels Client option to ensure that Parallels Client is used.

 

 

  1. Confirm that the session starts successfully. In this example, it is a published desktop. Click on the connection icon in the top bar to confirm that the UDP protocol is also used.

 

  1. Switch back to Parallels RAS Console, go to the Farm > Session tab, and confirm that there is an active session. Opening the properties of the session also shows information such as the name of the Secure Gateway server, the protocol, and insights into the quality of the session.

 

  1. Repeat the same test sequence as before to test access using a fully web-based experience. Right-click the resource and select the Open in Browser option to confirm that Parallels Web Client can also be used.

 

  1. Now test access using Parallels RAS Client. You can use any of the available clients. This guide describes using Parallels Client for Windows.
  2. In Parallels Client for Windows, select File > New Connection.

  3. Provide the information to connect through the Azure Firewall. For the Primary connection, use the public DNS name configured in a previous step, and for the port use 8443.

 

  1. Upon connecting, confirm that the same published resources are visible, and you are able to connect.
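Before walking through the client tests above, a scripted pre-flight check from a machine outside the VNet confirms the three things the whole chain depends on: the public DNS name resolves to the firewall, the two published TCP ports answer, and the certificate presented on 443 is the one installed on the Application Gateway listener. This is an added example, not part of the Parallels guide; it uses the DNS name and firewall address from the earlier DNS record and relies on Test-NetConnection, which only checks TCP (UDP 8443 is verified through the session properties as described in the steps above).

```powershell
# Added example (not from the guide): pre-flight checks for Step 6, run from a
# client outside the VNet. Values come from the DNS record created in Step 4.
$publicName = 'demo.parallelsras.tech'
$firewallIp = '13.80.79.171'

# 1. DNS must point at the firewall's public IP, not at anything internal.
$resolved = (Resolve-DnsName -Name $publicName -Type A -ErrorAction Stop).IPAddress
if ($resolved -notcontains $firewallIp) {
    Write-Warning "$publicName resolves to $($resolved -join ', '), expected $firewallIp"
}

# 2. Both DNAT'd TCP ports must accept a connection (443 portal, 8443 gateway).
foreach ($port in 443, 8443) {
    $r = Test-NetConnection -ComputerName $publicName -Port $port -WarningAction SilentlyContinue
    '{0}:{1} TCP reachable = {2}' -f $publicName, $port, $r.TcpTestSucceeded
}

# 3. The TLS handshake on 443 must validate against the public name; a mismatch
#    between DNS name and listener certificate throws here instead of in the browser.
$client = [System.Net.Sockets.TcpClient]::new($publicName, 443)
$ssl    = [System.Net.Security.SslStream]::new($client.GetStream())
try {
    $ssl.AuthenticateAsClient($publicName)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    'Listener certificate: {0}, valid until {1}' -f $cert.Subject, $cert.NotAfter
}
finally {
    $ssl.Dispose()
    $client.Dispose()
}
```

Run it again after a certificate renewal on the Application Gateway: the subject and expiry printed in the last step are the quickest way to confirm the new listener certificate is actually being served through the firewall.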

 

Summary

This article covers publishing Parallels RAS resources in a secure way when using Microsoft Azure as the platform.

 

The Azure Firewall is used as a cloud-based network security service offered by Microsoft Azure. It is designed to protect Azure Virtual Network resources from unauthorized access and threats. Azure Firewall acts as a perimeter firewall and provides secure and controlled access to resources. In this scenario, the Azure Firewall provides secure access to an internal Azure Application Gateway and an internal Azure Load Balancer.

 

Azure Application Gateway is used to load balance the Parallels RAS User Portal, providing HTTPS load balancing, SSL offloading, and session persistence.

 

Azure Load Balancer is used to load balance the RDP sessions through the Secure Gateways. It load balances both TCP and UDP traffic for the optimal user experience.

 
