Security

Default Global Policies for Security Protocols and Cipher Suites
Global acceptance and proposal policies enable certain security protocols and cipher suites by default.
Table 41. Default Global Policies

Default Security Protocols:
- TLS 1.2
- TLS 1.1
- TLS 1.0

Default Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA

If all connecting clients support TLS 1.1 and/or TLS 1.2, you can remove TLS 1.0 from the acceptance policy.
Configuring Global Acceptance and Proposal Policies
Global acceptance and proposal policies are dened in View LDAP aributes. These policies apply to all
View Connection Server instances and security servers in a replicated group. To change a global policy, you
can edit View LDAP on any View Connection Server instance.
Each policy is a single-valued aribute in the following View LDAP location:
cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int
Global Acceptance and Proposal Policies Defined in View LDAP
You can edit the View LDAP attributes that define global acceptance and proposal policies.
Global Acceptance Policies
The following aribute lists security protocols. You must order the list by placing the latest protocol rst:
pae-ServerSSLSecureProtocols = \LIST:TLSv1.2,TLSv1.1,TLSv1
The following aribute lists the cipher suites. This example shows an abbreviated list:
pae-ServerSSLCipherSuites
= \LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
The following aribute controls the precedence of cipher suites. Normally, the server's ordering of cipher
suites is unimportant and the client's ordering is used. To use the server's ordering of cipher suites instead,
set the following aribute:
pae-ServerSSLHonorClientOrder = 0
Global Proposal Policies
The following aribute lists security protocols. You must order the list by placing the latest protocol rst:
pae-ClientSSLSecureProtocols = \LIST:TLSv1.2,TLSv1.1,TLSv1
The following aribute lists the cipher suites. This list should be in order of preference. Place the most
preferred cipher suite rst, the second-most preferred suite next, and so on. This example shows an
abbreviated list:
pae-ClientSSLCipherSuites
= \LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
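The following Python sketch is an added example, not VMware code. It parses the \LIST: values shown above and reports protocol lists that are not ordered latest first, lists that still include TLSv1, and cipher suites outside Table 41. The function names, finding labels, and sample values are constructed for illustration.

```python
# Added example: token spellings and the Table 41 suites are copied from the page.
PROTOCOL_RANK = {"TLSv1.2": 3, "TLSv1.1": 2, "TLSv1": 1}
TABLE_41_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def parse_list(value):
    """Split a '\\LIST:a,b,c' attribute value into its items."""
    prefix = "\\LIST:"
    if not value.startswith(prefix):
        raise ValueError("value does not start with \\LIST:")
    return [item.strip() for item in value[len(prefix):].split(",")]

def audit_policy(attrs):
    """Return (attribute, finding) pairs for a dict of attribute values."""
    findings = []
    for side in ("Server", "Client"):  # acceptance policy, then proposal policy
        name = f"pae-{side}SSLSecureProtocols"
        if name in attrs:
            protos = parse_list(attrs[name])
            ranks = [PROTOCOL_RANK.get(p, 0) for p in protos]
            if 0 in ranks:
                findings.append((name, "unknown-protocol"))
            if ranks != sorted(ranks, reverse=True):
                findings.append((name, "not-latest-first"))
            if "TLSv1" in protos:
                findings.append((name, "tls1.0-enabled"))
        name = f"pae-{side}SSLCipherSuites"
        if name in attrs:
            suites = parse_list(attrs[name])
            if set(suites) - TABLE_41_SUITES:
                findings.append((name, "suite-outside-table-41"))
    return findings

# Constructed sample values, not read from a real View LDAP instance.
SAMPLE = {
    "pae-ServerSSLSecureProtocols": "\\LIST:TLSv1.1,TLSv1.2,TLSv1",
    "pae-ClientSSLSecureProtocols": "\\LIST:TLSv1.2,TLSv1.1",
    "pae-ServerSSLCipherSuites": "\\LIST:TLS_RSA_WITH_AES_128_CBC_SHA",
}
```

Calling audit_policy(SAMPLE) flags only the acceptance-policy protocol list, which is misordered and still includes TLSv1.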
View Security
VMware, Inc.