- IT professionals (such as system administrators) familiar with the customer's environment structure for Parallels RAS
- Existing Parallels RAS administrators
- Support engineers for tenants monitoring
- Experience operating Parallels RAS farm
- Familiar with planning for a Parallels RAS environment on a scale similar to the size of the customer's environment
- Advanced understanding of the customer's network structure
Note: Parallels RAS multi-tenant architecture is available only starting from Parallels RAS v17.1. Older versions are incompatible.
Advantages of RAS multi-tenant architecture
- Cost savings due to the reduction of Parallels RAS Secure Client Gateways and High Availability Load Balancers (HALBs)
- Faster deployment of new tenants/customers
- Simplified centralized management of multi-tenant environments
- Extended market reach through reduction of operational costs for organizations of any size by allowing cost scaling through shared infrastructure
Terminology and architecture description
- Tenant is technically a site in the farm.
- Tenant Broker is a separate farm that hosts shared Parallels RAS Secure Client Gateways.
- Shared Parallels RAS Secure Client Gateways serve connections to remote desktop (RD) Session Hosts, VDI Guests or Remote PCs of Tenant Farm.
- Tenant Object represents the tenant after joining to tenant broker Farm in the Parallels RAS Console of tenant broker.
- Tenant theme allows branding of the HTML5 portal and Parallels Client for individual tenant.
- Management Publishing Agent (PA) stands for the main PA on tenant broker farm.
Typical Parallels RAS multi-tenant architecture diagram:
- The user's connection should be initiated to a public domain address that can be assigned by the Managed Service Provider and registered as a subdomain (e.g. Tenant_1.MSP.com). Alternatively, use a private domain address (e.g. RAS.Tenant_2.com) and have it routed to Parallels RAS Secure Client Gateways in the Tenant Broker farm.
- In this case, the connection from external users to the public domain address is going through a firewall to DMZ and then to the Master HALB (slave is on standby in case master fails) and then through another firewall to one of the Shared RAS Secure Client Gateways of the Tenant Broker Farm. (HALB takes care of load balancing between Shared SCG). At this point, the listing of published resources should happen.
- Through Service Provider's VLAN, the connection goes to a specific tenant farm for establishing a remote session (using ports TCP/UDP 3389 by default) according to the configuration of a particular published resource (application, desktop, etc.)
- Connections to Port TCP 20002 should be possible both ways, as Shared Gateways will use this port to communicate with Publishing Agents on Tenants and Management Publishing Agents on Tenant Broker Farm.
Note: Port TCP 20003 is required for only outgoing connections from Tenant Publishing Agents to Management Publishing Agents on Tenant Broker in order to synchronize settings. Also, note the requirement to have port TCP 20001 open from the RAS Console running on the Tenant to the Tenant Broker Publishing agent.
- Broker and tenants may have more than one publishing agent. Their redundancy database is independent.
- Tenants are originally designed to not communicate with each other at all. The exclusion here is a multi-site infrastructure, as it stores settings for all sites in a single database which enables a small probability of potential influence.
- Tenant Broker is ONLY compatible with Parallels Clients 17.1 and Tenant Farms 17.1.
- Tenants may have their own gateways. There are no changes in local gateway functionality for private tenant gateways.
- Broker infrastructure is responsible for all internet-facing connections. Certificates must be configured on the broker side.
- To be able to work with Tenant Broker, a Tenant Farm must join Broker first.
- Tenants can have their own domains. A trusted relationship is not necessary between tenant and Tenant Broker. A non-Domain Farm even can be used as a Broker or Tenant.
- User authentication, multifactor authentication (MFA), policies, filtering, etc. are performed on a tenant side.
- Tenants must have a unique Public domain address. Routing of traffic to a load balancer or gateway is out of scope for Parallels RAS.
- Client Manager functionality for now is available only via dedicated gateway on Tenant Farm, not shared gateway on Tenant Broker.
- Managing licenses and user sessions is currently only possible from each Tenant Farm individually. RAS Console with multiple connections can be used to connect to each Farm for managing.
Parallels RAS Connection Diagram