
Older Protocols and Ciphers Disabled in View
Some older protocols and ciphers that are no longer considered secure are disabled in View by default. If
required, you can enable them manually.
DHE Cipher Suites
Cipher suites that are compatible with DSA certificates use Diffie-Hellman ephemeral keys. Starting with
Horizon 6 version 6.2, these suites are no longer enabled by default. For more information, see
http://kb.vmware.com/kb/2121183.
For Connection Server instances, security servers, and View desktops, you can enable these cipher suites by
editing the View LDAP database, locked.properties file, or registry, as described in this guide. See
“Change the Global Acceptance and Proposal Policies,” on page 25, “Configure Acceptance Policies on
Individual View Servers,” on page 25, and “Configure Proposal Policies on View Desktops,” on page 26.
You can define a list of cipher suites that includes one or more of the following suites, in this order:
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (TLS 1.2 only, not FIPS)
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (TLS 1.2 only, not FIPS)
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (TLS 1.2 only)
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (TLS 1.2 only)
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
For View Composer and View Agent Direct-Connection (VADC) machines, you can enable DHE cipher
suites by adding the following to the list of ciphers when you follow the procedure "Disable Weak Ciphers
in SSL/TLS for View Composer and Horizon Agent Machines" in the View Installation document.
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
NOTE It is not possible to enable support for ECDSA certificates. These certificates have never been
supported.
SSLv3
In Horizon 7, SSL version 3.0 has been removed.
For more information, see http://tools.ietf.org/html/rfc7568.
RC4
For more information, see http://tools.ietf.org/html/rfc7465.
For Connection Server instances, security servers, and View desktops, you can enable RC4 by editing the
configuration file C:\Program Files\VMware\VMware View\Server\jre\lib\security\java.security on the
Connection Server, security server, or Horizon Agent machine. At the end of the file is a multi-line
entry called jdk.tls.legacyAlgorithms. Remove RC4_128 and the comma that follows it from this entry, and
then restart the Connection Server, security server, or Horizon Agent machine, as the case may be.
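To audit this setting across servers, the following added example (not VMware code and not part of the original guide) parses the text of a java.security file and reports whether RC4_128 is still listed in the multi-line jdk.tls.legacyAlgorithms entry. The sample file text is constructed, and the algorithm names in it other than RC4_128 are illustrative assumptions.

```python
import re

KEY = "jdk.tls.legacyAlgorithms"

# Constructed sample of the multi-line entry; names other than RC4_128 are
# illustrative assumptions, not copied from a View installation.
SAMPLE = (
    "# constructed sample\n"
    "jdk.tls.legacyAlgorithms= \\\n"
    "    K_NULL, C_NULL, M_NULL, \\\n"
    "    RC4_128, RC4_40, DES_CBC\n"
)


def read_property(text, key=KEY):
    """Return a Java property value with backslash continuations joined, or None."""
    value = None  # a later definition overrides an earlier one
    lines = iter(text.splitlines())
    for line in lines:
        stripped = line.lstrip()
        if stripped.startswith(("#", "!")):  # comment lines, including a commented-out entry
            continue
        m = re.match(re.escape(key) + r"\s*[=:]\s*(.*)$", stripped)
        if not m:
            continue
        parts = [m.group(1)]
        while parts[-1].rstrip().endswith("\\"):
            parts[-1] = parts[-1].rstrip()[:-1]  # drop the continuation backslash
            parts.append(next(lines, "").lstrip())
        value = "".join(parts).strip()
    return value


def rc4_state(text):
    """Classify the file: 'entry-missing', 'rc4-listed' or 'rc4-removed'."""
    value = read_property(text)
    if value is None:
        return "entry-missing"
    names = [n.strip() for n in value.split(",")]
    # Exact name match, so a different algorithm containing "RC4_128" is not counted.
    return "rc4-listed" if "RC4_128" in names else "rc4-removed"


if __name__ == "__main__":
    print(rc4_state(SAMPLE))  # on a server, pass the text of the real java.security file
```

A result of rc4-removed means the edit described above has been made on that machine.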
For View Composer and View Agent Direct-Connection (VADC) machines, you can enable RC4 by adding
the following to the list of ciphers when you follow the procedure "Disable Weak Ciphers in SSL/TLS for
View Composer and Horizon Agent Machines" in the View Installation document.
TLS_RSA_WITH_RC4_128_SHA
Chapter 4 Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
VMware, Inc. 27