APPLIES TO:

• Parallels Remote Application Server 16.1

To configure Parallels Remote Application Server to support GOST encryption using CryptoPro, follow the procedure below.

General Information

CryptoPro support is provided via a special OpenSSL engine called gost_capi click here to download.

Prerequisites

• CryptoPro on a server hosting Parallels RAS Secure Client Gateway.
• CryptoPro on a PC with Parallels Client installed.

Server configuration

1. Install CryptoPro components on a server hosting RAS Secure Client Gateway.
2. Download sample configuration file 2XProxyGateway.exe.sslconfig.
3. Copy the 64-bit version of gost_capi.dll and 2xProxyGateway.exe.sslconfig to the folder %ProgramFiles(x86)%\Parallels\ApplicationServer\x64 and restart the RAS Secure Client Gateway service.

4. Generate a GOST certificate using CryptoPro, fill in the "Name" field with the FQDN of the RAS Secure Client Gateway host. It must be done on Gateway host as far as CryptoPro does not allow to export private keys and always keeps them in a protected storage. In addition, we need to create an empty file called engine.gost_capi.certificate_name (without an extension), where [name] is equal to "Name" filled in the certificate request (FQDN). For example engine.gost_capi.RAS16-01.raslab.ad.

5. Install the certificate on the server running RAS Secure Clien Gateway (local computer personal store).
6. Export the certificate to a file, e.g. gw_cer.crt (base64 encoding)
7. Launch RAS Console, select a Gateway, open its properties, switch to the SSL tab and make the following changes:
   • Set Cipher Strength to Custom.
   • Set Cipher to GOST2001-GOST89-GOST89:HIGH.
   • Set Private Key to engine.gost_capi.certificate_name empty file that you previously created.
   • Set Certificate File to gw_crt.cer file that you previously exported.
   • Press OK, then APPLY.

Client configuration

1. Install CryptoPro on the PC where Parallels Client is installed. Note: If you are running Windows 64-bit you must install the 64-bit version of Parallels Client.
2. Download sample configuration files AppServerClient.exe.sslconfig and TSClient.exe.sslconfig.
3. Copy a 32 or 64 bit version (whichever is appropriate) of the gost_capi.dll and the configuration file from the previous step to %ProgramFiles%\Parallels\Client.
4. To apply the new settings, Windows log off is required.
5. Launch Parallels Client, open RAS connection properties and select the Gateway SSL connection mode.

Additional information

You can issue a test certificate using CryptoPro test CA https://www.cryptopro.ru/certsrv/certrqma.asp.