For User Portal to obtain the IP address of a browser running a RAS RDP session, it needs a service that will inform the browser of its own IP. This is needed since the technology does not offer a way to get the IP address from the browser.

Parallels RAS allows the administrator to configure the URL to the service.

 

Requirements

1. Any device between the browser and where the service is running needs to inject the IP information into the X-Forward-For HTTP header.

CORS – Cross Origin Resource Sharing

2. Browsers have a security feature that requires a response header to be added to the API. Secure Gateway is calling an API on a different domain (e.g., SG.domain1.com reaching out to IPAPI.domain1.com). Because the origin is different, CORS requires approval.

3. If the service does not have the appropriate CORS headers, the test will fail with the message “The client IP detection service CORS settings are invalid.“

4. If this happens, please ensure that the service used can add Access-Control-Allow-Origin in the response header with the value set to the value of the Origin in the request. You can always set Access-Control-Allow-Origin to “*.”.

5. For more information, please check https://en.wikipedia.org/wiki/Cross-origin_resource_sharing.

6. The service is to return the IP of the client that called the service in the JSON format. The expected JSON data is as follows: 

 {"ip": "141.8.30.169"}

7. There could be additional value pairs.

 

The recommended way to set up this setting is as follows:

1. Open the Secure Gateway default site settings and navigate to the User Portal page.

1. Select and check “Use client IP detection service”. A window will appear where you need to configure the URL for the client IP detection.

 

 

Testing

1. Enter the URL (e.g., https://ipapi.co/json/. This public service provides the public IP but can be used as an example).

2. Press the “Test” button to check that the API works as expected. When you use the "Test" button, the Connection Broker will take the role of the client and call the API. If successful, you will be presented with the following window.

3. When implementing the service to return the IP back to the caller, please make sure to check the X-Forward-For header field (https://en.wikipedia.org/wiki/X-Forwarded-For). If this field is present, you need to read the first IP. If there is no X-Forward-For header, then the peer IPs are to be returned.

It is important that any device between the browser and where the service is running needs to inject the IP information in the X-Forward-For HTTP header.

Note: You can set one API per Gateway settings.

 

How to troubleshoot

Section A - Confirming that the API is working correctly using a public API

1. Use a service that you are sure returns a valid IP. We recommend using a service that will return your public IP.

• https://ipapi.co/json/

• https://api.ipify.org/?format=json

• https://api64.ipify.org/?format=json

• https://api.ipify.org/?format=json

• https://ipinfo.io/json

• https://api.seeip.org/jsonip

• https://api.myip.com/

• https://jsonip.com/

• https://ips.im/api/json

2. In the configuration window, press the “Test” button, and you will see a message box with the public IP of the machine running the Connection broker: “The service API was successful; detected IP is: 213.46.126.155 (Connection Broker IP)”. You can confirm this by opening any URL that shows your public IP (e.g., https://nordvpn.com/what-is-my-ip/nordvpn-site/) in the browser on the machine running the Connection Broker.

3. Apply settings.

4. On an end-user machine, open any URL that shows your public IP (e.g., https://nordvpn.com/what-is-my-ip/nordvpn-site/). Note this IP address.

5. On the same end-user machine, Sign in to User Portal and open any published item.

6. Open RAS Console and select the session information for the established session. Make sure that the IP shown in the "Client Details" section is the same as the one in Step 4.

7. To confirm that the IP is also available within the session, please run GetRASVariable TUX_REMOTECLIENT_IP. Do note that the variables can be read from the registry:

HKEY_CURRENT_USER\Software\Parallels\Shell\%SESSIONID%

%SESSIONID% being the active session ID.

 

 

Section B - What to check if the API is not working correctly

1. To confirm that the configuration of the API provided to the Secure Gateway is set correctly, open the following file:

C:\Program Files (x86)\Parallels\ApplicationServer\2XHTML5Gateway\config.ini

2. Look for “env_iplookupservice_url = “your getclient ip API”.

3. This line means that User Portal will use the API to detect the client’s IP. 

 

Section C - What to check if the API is not working correctly in User Portal

1. Open the User Portal in Chrome, click the right mouse button and select “Inspect”.

2. Start a published application.

3. When see Dev Tools, select the “Network” tab to see browser requests and find a request to the IP detection service.

4. If everything is OK, you’ll see a response with your IP.

5. In case of problems, check the response status and dev tools “Console” tab for errors.