Security

Table Of Contents

Table 7‑1. CORS Properties (Continued)

Property Value Type Master Default Other Defaults

allowPreflight true

false

true n/a

maxAge cache-time 0 n/a

balancedHost load-balancer-name OFF n/a

portalHost... gateway-name OFF n/a

chromeExtension... chrome-extension-hash OFF n/a

Example CORS properties in the locked.properties le:

enableCORS = true

allowPreflight = true

checkOrigin = true

checkOrigin-misc = false

allowMethod.1 = GET

allowMethod.2 = HEAD

allowMethod.3 = POST

allowMethod-saml.1 = GET

allowMethod-saml.2 = HEAD

acceptContentType.1 = application/x-www-form-urlencoded

acceptContentType.2 = application/xml

acceptContentType.3 = text/xml

Origin Checking

Origin checking is enabled by default. When it is enabled, a request will be accepted only without an Origin,

or with an Origin equal to the address given in the External URL, to the balancedHost address, to any

portalHost address, to any chromeExtension hash, to null, or to localhost. If Origin is not one of these

possibilities, then an error "Unexpected Origin" is logged and a status of 404 is returned.

If multiple Connection Servers or security servers are load balanced, you must specify the load balancer

address by adding a balancedHost entry to locked.properties. Port 443 is assumed for this address.

If clients need to connect through a Unied Access Gateway or another gateway, you must specify all of the

gateway addresses by adding portalHost entries to locked.properties. Port 443 is assumed for these

addresses too. Do the same if you want to provide access to a Connection Server or security server by a

name that is dierent from the one that is specied in the External URL.

Chrome Extension clients set their initial Origin to their own identity. To allow connections to succeed,

Chapter 7 HTTP Protection Measures on Connection Servers and Security Servers

VMware, Inc. 37