6.1

For smart card authentication, the certificate authority (CA) that signs the smart card certificates must be in
the Windows Certificate Store. For information about how to add a certificate authority, see “Add a
Certificate Authority to the Windows Certificate Store,” on page 18.
NOTE If a user attempts to log in using a smart card to a Windows 7 or Windows Server 2008 R2 machine
and the Smart Card certificate has been signed by an intermediate CA, the attempt may fail because
Windows can send the client a trusted issuer list that does not contain intermediate CA names. If this
happens, the client will be unable to select an appropriate Smart Card certificate. To avoid this problem, set
the registry value SendTrustedIssuerList (REG_DWORD) to 0 in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL. With this registry
value set to 0, Windows does not send a trusted issuer list to the client, which can then select all the valid
certificates from the smart card.
Disabling Weak Ciphers in SSL/TLS
To achieve greater security, you can ensure that communications that use the SSL/TLS protocol between
Horizon Clients and virtual machine-based desktops or RDS hosts do not allow weak ciphers.
The configuration for disabling weak ciphers is stored in the Windows registry. Changes to these settings
must be made on all machines that run View Agent Direct-Connection Plug-In.
NOTE These settings affect all use of SSL/TLS on the operating system.
Both SSL 3.0 and TLS 1.0 (RFC2246) with INTERNET-DRAFT 56-bit Export Cipher Suites For TLS
draft-ietf-tls-56-bit-ciphersuites-00.txt provide options to use different cipher suites. Each cipher
suite determines the key exchange, authentication, encryption, and MAC algorithms used within an SSL/TLS
session.
Prerequisites
You need to have experience editing Windows registry keys using the Regedt32.exe registry editor.
Procedure
1 Start Registry Editor Regedt32.exe, and locate this registry key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
2 Make modifications to the registry.
  ■ In subkey \Hashes create a subkey MD5.
  ■ In subkey \Hashes\MD5 add a DWORD value Enabled with a value of 0x0.
The registry changes ensure that only the following ciphers are available:
  ■ TLSv1 256 bits AES256-SHA
  ■ TLSv1 128 bits AES128-SHA
  ■ TLSv1 168 bits DES-CBC3-SHA
  ■ TLSv1 128 bits RC4-SHA
NOTE If Horizon Client is not configured to support any cipher that is supported by the virtual desktop
operating system, the TLS/SSL negotiation will fail and the client will be unable to connect.
For information on configuring supported cipher suites in Horizon Clients, refer to Horizon Client
documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
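The procedure above as a script, added here as an example and not taken from the VMware guide. Run without arguments it only reports the current state of Hashes\MD5\Enabled; with the hypothetical -Apply switch, from an elevated prompt, it makes the change. The switch and function names are this example's own, and the SendTrustedIssuerList field is read-only reporting of the value from the smart card NOTE.

```powershell
# Added example (not VMware's code). Audits, and with -Apply sets, the SCHANNEL
# value from the procedure above: Hashes\MD5 -> Enabled (REG_DWORD) = 0.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$md5Key   = Join-Path $schannel 'Hashes\MD5'

function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    # Returns the value, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-Md5Disabled {
    # A missing value is not the same as 0, so it counts as "not disabled".
    $v = Get-DwordOrNull -Path $md5Key -Name 'Enabled'
    return ($null -ne $v -and $v -eq 0)
}

if ($Apply -and -not (Test-Md5Disabled)) {
    if ($PSCmdlet.ShouldProcess($md5Key, 'Set Enabled = 0')) {
        # Create the subkey only if absent, so existing values in it are kept.
        if (-not (Test-Path $md5Key)) {
            New-Item -Path $md5Key -Force | Out-Null
        }
        New-ItemProperty -Path $md5Key -Name 'Enabled' `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# One object per machine, suitable for collecting from every host that runs
# View Agent Direct-Connection Plug-In.
[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    Md5Key                = $md5Key
    Enabled               = Get-DwordOrNull -Path $md5Key -Name 'Enabled'
    Md5Disabled           = Test-Md5Disabled
    # Report only; $null means the value is not set on this machine.
    SendTrustedIssuerList = Get-DwordOrNull -Path $schannel -Name 'SendTrustedIssuerList'
}
```

Adding -WhatIf to an -Apply run shows the pending registry write without making it.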
View Agent Direct-Connection Plug-In Administration
14 VMware, Inc.