As from version 16.5 upwards, the client policy settings are split into groups with the ability to configure and enforce each group on the client side individually.
Adding a new client policy
To add a new client policy:
- Select the Policies category and then click Tasks > Add in the right pane. The Policy Properties dialog opens.
- The left pane contains a navigation tree allowing you to select a group of options to configure.
- Make sure the Policy node is selected and then specify a policy name and an optional description.
- In the Browse Mode drop-down list, select how you want to browse for users and groups. The preferred mode is Secure Identifier (default). Other options exist for backward compatibility
- In the Apply policy to section, click Tasks > Add (or click the plus sign icon) and specify the target users and/or groups.
Configure criteria for the client policy
By default, a client policy applies to the configured users and groups in all situations. You can optionally define a criteria when the policy should apply. This functionality allows you to create different policies for the same user, which will be applied depending on where the user is connecting from and from which device.
To create a new criteria:
- Select Criteria (under the Policy node) in the left pane.
- In the "gateway criteria" section, select the criteria type in the first drop-down list and then specify the values (if applicable) in the second drop-down list.
- In the "MAC address criteria" section, select the criteria type in the first drop-down list and then specify the values (if applicable) in the second drop-down list.
- In the "Parallels Clients" section, select the version of Parallels Client to which this policy should apply.
Configure Session Settings
Items under the Session node in the Policy Properties dialog include connection, display, printing, network, and other settings that will be enforced on a client if defined and enabled.
For a particular group of settings to be enforced on a client device, it must be selected (checked). Unselected groups will not be enforced, so end users will be able to configure them themselves. For example, you can check the Connection node, but only check the Primary connection and Secondary connections groups under it. This will enforce only the two selected groups of settings on client devices.
To configure connection properties, select the Connection node and then go through each child node configuring their respective properties.
The primary connection always defaults to the primary RAS Secure Client Gateway, but you can modify the following connection properties:
- Specify a friendly name for the connection.
- Select the Auto Logon option to enable Parallels Client to connect automatically without displaying the Logon dialog every time a user connects to a remote server.
- In the Authentication type drop-down list, select the desired method of authentication:
- Single Sign-On. This option will be included in the list only if the Single Sign-On module is installed during Parallels Client installation. Select this option to use local system credentials to connect to the remote server.
- Smart Card. Select this option to authenticate using a smart card. When connecting to the remote server, a user will need to insert a smart card into the card reader and then enter a PIN when prompted.
- Select or clear Save password as needed (if credentials are used for authentication). This means forcing a client to save the password for this connection.
- Specify the domain name (if credentials are used for authentication).
If you have more than one RAS Secure Client Gateway, you can define a secondary connection, which will be used as a backup connection in case the primary gateway connection fails.
To add a secondary connection:
- Select the Secondary connections item.
- In the Secondary connections pane, click Tasks > Add and specify a server name or IP address.
- Select the connection mode and modify the default port number if necessary.
If you have multiple secondary connections, you can move them up or down in the list. If the primary connection cannot be established, Parallels Client will use secondary connections in the order listed.
In this pane, specify what to do if the connection is dropped. Select Reconnect if connection is dropped and set the number of Connection retries. If a connection is dropped, the Parallels Client will automatically try to reconnect. The Connection banner option specifies the time period in seconds after which the connection banner will be displayed.
Specify the name that a computer will use during a remote desktop session. If set, this will override the default computer name. Any filtering set by the administrator on the server side will make use of the Override computer name setting.
- Connection timeout: This is the amount of time the client will try to connect to Parallels RAS until the connection is aborted. While the connection is being established, the connection banner will be shown.
- Connection banner: Specifies the time period in seconds after which the connection banner will be displayed.
- Desktop: If a published application is not launched within the time period specified in this field, the server’s desktop will be loaded. This is helpful if an error occurs on the server while launching an application. By loading the server’s desktop, the error can be seen.
To configure display settings, select the Display node and then configure the groups of settings described below.
Select the desired video acceleration mode and color depth.
Specify whether all monitors should be used for a desktop session if more than one monitor is connected to the user's computer.
Select the Use primary monitor only option to start published applications on the primary monitor. Other monitors connected to a user's computer will not be used.
Specify the desktop options as follows:
- Smart-sizing. Desktop smart sizing will scale a remote desktop to fit the connection window.
- Embed desktop in launcher. Enable this option to access a published desktop inside Parallels Client.
- Span desktop across all monitors. Enable this option to span published desktops across all connected monitors.
- Connection bar in full screen. Specify whether the connection bar should be pinned, unpinned, or hidden when connecting in full screen mode.
This section applies to Parallels HTML5 client only. Specify whether a remote application should open in the same or a new tab page in a web browser by default.
The Printing pane allows you to configure printing options.
In the Technology section, select the technology to use when redirecting printers to a remote computer:
None. No printer redirection will be used.
RAS Universal Printing technology. Select this option if you want to use RAS Universal Printing technology.
Microsoft Basic Printing Redirection technology. Select this option if you want to use Microsoft Basic printing technology.
RAS Universal Printing and Microsoft Basic redirection technologies. Select this option to use both Parallels RAS and Microsoft technologies.
RAS Universal Printing
If you selected RAS Universal Printing technology, use the Redirect Printers drop-down list to specify whether to redirect all printer on the client side, default printer only, or specific printers.
If you select Specific only in the step above, click Tasks > Add. Type a printer name and then click the Options button. In the dialog that opens, specify settings described below.
In the Choose Format drop-down list, select a data format for printing:
Print Portable Document Format (PDF). Adobe PDF. This option does NOT require you to install any local applications capable of printing a PDF document. All the necessary libraries are already installed together with Parallels Client.
View PDF with external application. To use this option you must have a local application installed which is capable of viewing a PDF document. Note that not all applications are supported. For example, the built-in PDF viewer in Windows is not supported, so you must have Adobe Acrobat Reader (or a similar application) installed.
Print PDF with external application. This option works similar to the View PDF option above. It also requires an application capable of printing a PDF document installed locally.
Enhanced Meta File (EMF). Use vector format and embedded fonts.
Bitmap (BMP). Bitmap images.
In the Client printer preferences section, select one of the following:
Use server preferences for all printers. If this option is selected, a generic printer preferences dialog will be shown when a user clicks Print in a remote application. The dialog has only a minimal set of options that they can choose.
Use client preferences for all printers. With this option selected, a local printer preferences dialog will open when a user clicks Print in an application. The dialog will contain a full set of options for a particular printer that the user has installed on their local computer. If they have more than one printer installed, a native preferences dialog will open for any particular printer that they choose to print to.
Use client preferences for the following printers. This option works similar to the Use client preferences for all printers option (above), but allows users to select which printers should use it. Select this option and then select one or more printer in the list below. If a printer is not selected, it will use the generic printer preferences dialog, similar to the first option in this list.
Default printer settings
To configure default printer settings, click the Change Default Printer settings button.
The default printer list shows printers that can be redirected by the client to the remote computer:
To disable the default printer, select <none>.
To redirect the default local printer, select <defaultlocalprinter>.
When <custom printer> is selected, you can specify a custom printer. The first local printer that matches the printer name inserted in the Custom field will be set as the default printer on the remote computer.
Select Match exact printer name to match the name exactly as inserted in the Custom field. Please note that the remote printer name may not match the original printer name. Also note that local printers may not redirect due to server settings or policies.
The Force Default printer for option specifies the the time period, during which a printer will be forced as default. If the default printer is changed during this time after the connection is established, the printer is reset as default.
Select the Update the remote default printer if the local default printer is changed option to change the remote default printer automatically when the local default printer is changed. Please note that the new printer must have been previously redirected.
On the Scanning pane, you can specify a scanner that should be used when one is required by a published application:
Use. Allows you to select a scanning technology. RAS Universal Scanning uses TWAIN and WIA redirection allowing an application to use either technology depending on the hardware type connected to the local computer. If you select None, scanning will disabled.
Redirect Scanners. Select scanners attached to your computer for redirection. You can select All (all attached scanners will be redirected) or Specific only (only the scanners you select in the provided list will be redirected).
This pane allows you to configure remote audio settings.
Use the Remote computer drop-down list to select one of the following remote audio playback options:
Bring to this computer. Audio from the remote computer will play on your local computer.
Do not play. Audio from the remote computer will not play on your local computer and will be muted on the remote computer as well.
Leave at remote computer. Audio will not play on your local computer but will play normally on the remote computer.
Use the Quality drop-down list to adjust the audio quality:
Dynamically adjust based on available bandwidth. This option will increase or decrease the audio quality based on your connection speed. The faster the connection, the higher audio quality setting will be used.
Always use medium audio quality. The audio quality is fixed at the medium level. You can use this option when you don't require the best possible audio quality and would rather use the available bandwidth for graphics.
Always use uncompressed audio quality. The audio quality is fixed at the highest level. Select this option if you have a very fast connection and require the best possible audio quality.
The Recording (if applicable) option allows you to enable audio recording on the remote computer. For example, you can speak into a microphone on the local computer and use a sound recording application on the remote computer to record yourself.
On the Keyboard pane, select how you want to apply key combinations (e.g. Alt+Tab) that you press on the keyboard:
On the local computer. Key combinations will be applied to Windows running on the local computer.
On the remote computer. Key combinations will be applied to Windows running on the remote computer.
In full screen mode only. Key combinations will be applied to the remote computer only when in the full-screen mode.
Select or clear the Send unicode characters as needed.
Local Devices and Resources
Use the Local devices and resources pane to configure how local resources are used in a remote session.
Select the Allow clipboard redirection option to enable the local clipboard in a remote session.
Select the Allow disk drives redirection option and select local drives you want to redirect, or select Use all disk drives available.
If you select the Use also disk drives that I plug in later option, disk drives that you connect to a local computer later will be automatically available in a remote session. Note that this option applies to Parallels Client for Windows only.
On this pane, specify whether to redirect local devices in general, use all devices available, and also devices that will be plugged in later.
Local devices that can be redirected include supported Plug and Play devices, media players based on the Media Transfer Protocol (MTP), and digital cameras based on the Picture Transfer Protocol (PTP).
Please note that disk drives and smart cards are redirected using dedicated Disk drives and Smart cards options.
Select whether to redirect LPT and COM ports.
Select whether to redirect smart cards.
Select whether to allow remote file transfer. For additional information, see Enabling or Disabling Remote File Transfer
The Experience pane allows you to tweak the connection speed to optimize the performance of the connection with the remote server. If you are connecting to a remote server on a local network that runs at 100 Mbps or higher, it is usually safe to have all of the experience options turned on.
It is also recommended to enable compression to have a more efficient connection. The following compression options are available.
Enable RDP Compression: Enables compression for RDP connections.
Universal printing compression policy: The compression type should be selected based on your environment specifics. You can choose from the following options:
Compression disabled. No compression is used.
Best speed (uses less CPU). Compression is optimized for best speed.
Best size (uses less network traffic). Compression is optimized to save network traffic.
Based on connection speed. The faster the connection speed, the lower compression level and the minimum data size to compress are used.
Universal scanning compression policy: This drop-down list has the same options as the universal printing compression above. Select the compression type based on your environment specifics.
Use the Network pane to configure a proxy server if you have one.
Select the Use proxy server option and then select the protocol from the following list:
SOCKS4. Enable this option to transparently use the service of a network firewall.
SOCKS4A. Enable this option to allow a client that cannot connect to resolve the destination host’s name to specify it.
SOCKS5. Enable this option to be able to connect using authentication.
HTTP 1.1. Enable this option to connect using a standard HTTP 1.1 protocol connection.
Specify the proxy host's domain name or IP address and the port number.
For SOCKS5 and HTTP 1.1 protocols, select the Proxy requires authentication option. For authentication, select the Use user logon credentials option or specify a user name and password in the fields provided.
Use the Server authentication pane to specify what should happen if authentication of an RD Session Host, Remote PC, or Guest VM fails.
In the If authentication fails drop-down list, select one of the following options:
Connect. The user can ignore the certificate of the server and still connect.
Warn. The user is alerted about the certificate and still has the ability to choose whether to connect or not.
Do not connect. The user is not allowed to connect.
The Advanced Settings pane allows you to customize the default behavior or Parallels Client.
You can specify the following properties:
Use client system colors. Enable this option to use the client system colors instead of those specified on the remote desktop.
Use client system settings. Enable this option to use the client system settings instead of those specified on the RD Session Host.
Create shortcuts configured on server. For each published application, the administrator can configure shortcuts that can be created on the client's desktop and the Start menu. Select this option to create the shortcuts, or clear the option if you don't want to create them.
Register file extensions associated from the server. For each published application, the administrator can create file extension associations. Use this option to either register the associated file extensions or not.
Redirect URLs to the client device. Enable this option to use the local web browser when opening 'https:" links.
Redirect MAILTO to the client device. Enable this option to use the local mail client when opening ‘mailto:’ links.
Always ask for credentials when starting applications. If this option is enabled, the user will be prompted to enter their credentials when starting applications.
Allow Server to send commands to be executed by client. Enable this option to allow commands being received from the server to be executed by the client.
Confirm Server commands before executing them. If this option is enabled, a message is displayed on the client to confirm any commands before they are executed from the server.
Network Level Authentication. Check this option to enable network level authentication, which will require the client to authenticate before connecting to the server.
Redirect POS devices. Enables the Point of Service (POS) devices such as bar code scanners or magnetic readers that are attached to the local computer to be used in the remote connection.
Use Pre Windows 2000 login format. If this option is selected, it allows you to use legacy (pre-Windows 2000) login format.
Disable RDP-UDP for gateway connections. Disables RDP UDP data tunneling on the client side. You can use this option when some clients experience random disconnects when RDP UDP data tunneling is enabled on the RAS Secure Client Gateway (the Network tab page in the gateway Properties dialog), while other clients are not
Configure Client Policy Option
The Client options node allows you configure client policy options. Select the node and then select and configure individual items under it as described below.
On the Connection pane, specify the following options:
- Connection Banner. Select a banner to display while establishing a connection.
- Automatically refresh connected RAS connections every [ ] minutes. Select this option and specify the time interval to automatically refresh a connection. This will refresh the published resources list in Parallels Client.
Select Check for updates on startup and specify an update URL if you want Parallels Client to check for updates when it starts. The URL can point to the Parallels website or you can store updates on your local network and use this local URL. For the information on how to configure a local update server, please read https://kb.parallels.com/123658.
To force a particular keyboard to be used, select the Force use PC keyboard and select a keyboard layout from the drop-down list. Note that the selected layout can and will only be used in a Parallels Client version that supports this particular layout.
Parallels Client for Windows comes with its own SSO component that you can install and use to sign in to Parallels RAS. However, if you already use a third-party credential provider component on your Windows computers, you need to configure Parallels RAS and Parallels Client to use the Parallels RAS SSO component to function as a wrapper for the third-party credential provider component.
To specify a third-party component, select the Force to wrap third party credential provider component option and specify the component's GUID in the field provided. You can obtain the GUID in Parallels Client as follows:
- Install Parallels Client on a computer that has the third-party component installed.
- In Parallels Client, navigating to Tools > Options > Single Sign-On (tab page).
- Select the "Force to wrap..." option and then select your provider in the drop-down list.
- Click the Copy GUID to Clipboard button to obtain the component's GUID.
You will also need to specify the component's GUID when setting up an invitation email in the RAS Console. If you haven't set up an invitation email yet, you can do it as follows:
- In the RAS Console, select the Start category and then click the Invite Users item in the right pane.
- On the second page of the wizard (target platform and connection options), click the Advanced button.
- In the dialog that opens, select the Force to wrap third party SSO component option and specify the GUID of the component.
After the policies are applied on Windows computers, Parallels Client will be automatically configured to use the specified third-party credentials provider.
Use this pane to specify advanced client option:
- Windows client
Configure Control Settings
Control settings options allow you to control various actions on the client side. These options affect the following Parallels Clients:
- Windows Phone
On the Connections pane, select (or clear) the following options:
- Prohibit adding of RAS connections. When a user presses the Add Connection button, an RDP connection is always created.
- Prohibit adding standard RDP connections. When a user presses the Add Connection button, a RAS connection is always created
On the Password pane, specify the following options:
- Prohibit saving password. The option to save the password will not be shown to the user for that particular connection. A password is never saved on a disk, but kept in memory until the user closes the application.
- Prohibit changing password. The option to change the password will not be shown in the context menu for that particular connection.
Import and export
On the Import and Export tab page:
- Prohibit import/export connection setting. The Import and Export buttons will not be shown to the user.
Configure Gateway Redirection
Redirection options allow you to move your existing users from one RAS Secure Client Gateway to another gateway within the same farm, or you can even redirect users to a gateway in a different farm.
To configure redirection options:
- Select the Redirection node in the left pane of the Policy Properties dialog.
- In the right pane, specify the new connection properties, including:
- Gateway address
- Connection mode
- Port number
- Alternative address
When you apply this policy to user devices, the following will happen:
- Parallels Client connection settings are automatically updated on each affected device.
- Parallels Client tests the new connection. If succeeded, the current connection policies are removed and new policies are added.
- If Parallels Client cannot connect to Parallels RAS using new settings, the application list will not be shown and an error message will be displayed saying that the redirection policy has failed to apply. The user will be advised to contact the system administrator.