Security

4 Set the value to a list of protocols in the format \LIST:protocol_1,protocol_2,....
List the protocols with the latest protocol first. For example:
\LIST:TLSv1.2,TLSv1.1,TLSv1
5 Add a new String (REG_SZ) value, ClientSSLCipherSuites.
6 Set the value to a list of cipher suites in the format \LIST:cipher_suite_1,cipher_suite_2,....
The list should be in order of preference, with the most preferred cipher suite first. For example:
\LIST:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
Older Protocols and Ciphers Disabled in View
Some older protocols and ciphers that are no longer considered secure are disabled in View by default. If
required, you can enable them manually.
DHE Cipher Suites
For more information, see hp://kb.vmware.com/kb/2121183. Cipher suites that are compatible with DSA
certicates use Die-Hellman ephemeral keys, and these suites are no longer enabled by default, starting
with Horizon 6 version 6.2.
For Connection Server instances, security servers, and View desktops, you can enable these cipher suites by
editing the View LDAP database, locked.properties le, or registry, as described in this guide. See “Change
the Global Acceptance and Proposal Policies,” on page 25, “Congure Acceptance Policies on Individual
View Servers,” on page 25, and “Congure Proposal Policies on View Desktops,” on page 26. You can dene
a list of cipher suites that includes one or more of the following suites, in this order:
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (TLS 1.2 only, not FIPS)
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (TLS 1.2 only, not FIPS)
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (TLS 1.2 only)
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (TLS 1.2 only)
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
For View Composer and View Agent Direct-Connection (VADC) machines, you can enable DHE cipher
suites by adding the following to the list of ciphers when you follow the procedure "Disable Weak Ciphers
in SSL/TLS for View Composer and Horizon Agent Machines" in the View Installation document.
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
N It is not possible to enable support for ECDSA certicates. These certicates have never been
supported.
SSLv3
In Horizon 7, SSL version 3.0 has been removed.
For more information, see hp://tools.ietf.org/html/rfc7568.
RC4
For more information, see hp://tools.ietf.org/html/rfc7465.
Chapter 4 Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
VMware, Inc. 27