VMware Horizon View Security
View 5.2, View Manager 5.2, View Composer 5.2

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents

VMware Horizon View Security
1 VMware Horizon View Security Reference
  View Accounts
  View Security Settings
  View Resources
  View Log Files
  View TCP and UDP Ports
  Services on a View Connection Server Host
  Services on a Security Server
  Services on a View Transfer Server Host
  Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
Index
VMware Horizon View Security

VMware Horizon View Security provides a concise reference to the security features of VMware Horizon View™.
- Required system and database login accounts.
- Configuration options and settings that have security implications.
- Resources that must be protected, such as security-relevant configuration files and passwords, and the recommended access controls for secure operation.
- Location of log files and their purpose.
1 VMware Horizon View Security Reference

When you are configuring a secure View environment, you can change settings and make adjustments in several areas to protect your systems.
- View Accounts: You must set up system and database accounts to administer View components.
- View Security Settings: VMware Horizon View includes several settings that you can use to adjust the security of the configuration.
View Accounts

You must set up system and database accounts to administer View components.

Table 1-1. View System Accounts

View Component: View Client
Required Accounts: Configure user accounts in Active Directory for the users who have access to View desktops. The user accounts must be members of the Remote Desktop Users group, but the accounts do not require View administrator privileges.
View Security Settings

VMware Horizon View includes several settings that you can use to adjust the security of the configuration. You can access the settings by using View Administrator, by editing group profiles, or by using the ADSI Edit utility, as appropriate.
Table 1-3. Security-Related Global Settings (continued)

Setting: Use IPSec for Security Server connections
Description: Determines whether to use Internet Protocol Security (IPSec) for connections between security servers and View Connection Server instances. By default, IPSec for security server connections is enabled.

Setting: View Administrator session timeout
Description: Determines how long an idle View Administrator session continues before the session times out.
Table 1-4. Security-Related Server Settings (continued)

Setting: Use SSL for Local Mode operations
Description: Determines whether communications and data transfers between client computers and the datacenter use SSL encryption. These operations include checking in and checking out desktops and replicating data from client computers to the datacenter, but do not include transfers of View Composer base images.
Table 1-5. Security-Related Settings in the View Agent Configuration Template (continued)

Setting: CommandsToRunOnConnect
Registry Value Name: CommandsToRunOnConnect
Description: Specifies a list of commands or command scripts to be run when a session is connected for the first time. No list is specified by default.

Setting: CommandsToRunOnReconnect
Registry Value Name: CommandsToRunOnReconnect
Description: Specifies a list of commands or command scripts to be run when a session is reconnected after a disconnect.
Table 1-6. Security Settings in the View Client Configuration Template (continued)

Setting: Certificate verification mode
Registry Value Name: CertCheckMode
Description: Configures the level of certificate checking that is performed by View Client. You can select one of these modes:
- No Security. View does not perform certificate checking.
- Warn But Allow.
Table 1-6. Security Settings in the View Client Configuration Template (continued)

Setting: Default value of the 'Log in as current user' checkbox
Registry Value Name: LogInAsCurrentUse
Description: Specifies the default value of the Log in as current user check box on the View Client connection dialog box. This setting overrides the default value specified during View Client installation.
Table 1-6. Security Settings in the View Client Configuration Template (continued)

Setting: Ignore certificate revocation problems
Registry Value Name: IgnoreRevocation
Description: Determines whether errors that are associated with a revoked server certificate are ignored. These errors occur when the server sends a certificate that has been revoked and when the client cannot verify a certificate's revocation status. This setting is disabled by default.
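The following is an added example, not part of this document and not VMware code, showing how an administrator could verify the two certificate-related View Client settings above from a registry export rather than by inspecting dialog boxes by hand. The value names CertCheckMode and IgnoreRevocation are the ones in Table 1-6; the registry key path, the numeric encoding of the verification modes (0 = No Security, 1 = Warn But Allow, 2 = full verification) and the sample .reg text are assumptions constructed for the example and should be checked against the View Client ADM template in use.

```python
"""Audit a View Client registry export for weak certificate verification.

Added example; not VMware code. CertCheckMode and IgnoreRevocation are the
value names from Table 1-6. The key path, the numeric mode encoding and the
sample export below are constructed assumptions.
"""
import re
from typing import Dict, List, Union

# Constructed .reg export; key path and encodings are assumptions.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client\Security]
"CertCheckMode"=dword:00000001
"IgnoreRevocation"=dword:00000001
"""

# Assumed mapping of CertCheckMode values to the modes named in Table 1-6.
CERT_CHECK_MODES = {0: "No Security", 1: "Warn But Allow", 2: "Full verification"}

_KEY = re.compile(r"^\[(.+)\]$")
# Matches either "Name"=dword:XXXXXXXX or "Name"="string".
_VALUE = re.compile(r'^"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$')

RegValues = Dict[str, Union[int, str]]


def parse_reg_export(text: str) -> Dict[str, RegValues]:
    """Return {key_path: {value_name: value}}; dword values become ints."""
    result: Dict[str, RegValues] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        km = _KEY.match(line)
        if km:
            current = km.group(1)
            result.setdefault(current, {})
            continue
        vm = _VALUE.match(line)
        if vm and current is not None:
            name = vm.group(1)
            if vm.group(3) is not None:
                result[current][name] = int(vm.group(3), 16)
            else:
                result[current][name] = vm.group(4)
    return result


def audit_client_security(values: RegValues) -> List[str]:
    """Findings for the two settings Table 1-6 marks as security-related."""
    findings = []
    mode = values.get("CertCheckMode")
    if mode is None:
        findings.append("CertCheckMode not set by policy; the client default applies")
    elif mode != 2:
        label = CERT_CHECK_MODES.get(mode, "unknown")
        findings.append(f"CertCheckMode={mode} ({label}); server certificates are not fully verified")
    if values.get("IgnoreRevocation") == 1:
        findings.append("IgnoreRevocation=1; revoked or unverifiable certificates are accepted")
    return findings


if __name__ == "__main__":
    for key_path, values in parse_reg_export(SAMPLE_REG_EXPORT).items():
        print(key_path)
        for finding in audit_client_security(values) or ["no findings"]:
            print("  -", finding)
```

On a real system the export would come from `reg export` of the policy key; the parser only understands the dword and string forms that such exports use for these values.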
Table 1-7. Security-Related Settings in the Scripting Definitions Section

Setting: Connect all USB devices to the desktop on launch
Registry Value Name: connectUSBOnStartup
Description: Determines whether all of the available USB devices on the client system are connected to the desktop when the desktop is launched. This setting is disabled by default.
Table 1-8. Security-Related Settings in View LDAP

Name-value pair: csallowunencryptedstartsession
Attribute: pae-NameValuePair
Description: This attribute controls whether a secure channel is required between a View Connection Server instance and a desktop when a remote user session is being started. When View Agent 5.1 or later is installed on a desktop computer, this attribute has no effect and a secure channel is always required.
Table 1-9. View Connection Server and Security Server Resources (continued)

Resource: Log files
Location: %ALLUSERSPROFILE%\Application Data\VMware\VDM\logs (that is, :\Documents and Settings\All Users\Application Data\VMware\VDM\logs)
Protection: Protected by access control.

Resource: web.xml (Tomcat configuration file)
Location: install_directory\VMware View\Server\broker\webapps\ROOT\WEB-INF
Protection: Protected by access control.

Table 1-10.
Table 1-11. View Log Files (continued)

View Component: View Connection Server or Security Server
File Path and Other Information: %ALLUSERSPROFILE%\Application Data\VMware\VDM\logs\*.txt on the server (that is, :\Documents and Settings\All Users\Application Data\VMware\VDM\logs\*.txt on the server). The log directory is configurable in the log configuration settings of the View Common Configuration ADM template file (vdm_common.adm).
Table 1-12. TCP and UDP Ports Used by View, Excluding Local Mode (continued)

Source: View Agent (port 4172)
Target: View Connection Server or security server (port *)
Protocol: UDP
Description: PCoIP (not SALSA20) if PCoIP Secure Gateway is used.

Source: View Client (port *)
Target: View Connection Server or security server (port 80)
Protocol: TCP
Description: SSL (HTTPS access) is enabled by default for client connections, but port 80 (HTTP access) can be used in certain cases.
Table 1-12. TCP and UDP Ports Used by View, Excluding Local Mode (continued)

Source: View Client (port *)
Target: View desktop (port 3389)
Protocol: TCP
Description: Microsoft RDP traffic to View desktops if direct connections are used instead of tunnel connections.

Source: View Client (port *)
Target: View desktop (port 9427)
Protocol: TCP
Description: Wyse MMR redirection if direct connections are used instead of tunnel connections.
Table 1-12. TCP and UDP Ports Used by View, Excluding Local Mode (continued)

Source: View Connection Server (port *)
Target: View desktop (port 32111)
Protocol: TCP
Description: USB redirection if tunnel connections via the View Connection Server are used.

Source: View desktop (port *)
Target: View Connection Server instances (port 4001)
Protocol: TCP
Description: JMS traffic.
Table 1-13. TCP and UDP Ports Used by Local Mode (continued)

Source: View Connection Server (port *)
Target: View Transfer Server (port 80)
Protocol: TCP
Description: Local desktop checkout, check-in, and replication if tunnel connections via the View Connection Server are used and SSL is disabled for local mode operations.
Change the Port Number for HTTP Redirection

If you replace the default port 443 on a View server, and you want to allow HTTP redirection for View clients that attempt to connect to port 80, you must configure the locked.properties file on the View server.

NOTE This procedure has no effect if you off-load SSL to an intermediate device. With SSL off-loading in place, the HTTP port on the View server provides service to clients.
Services on a View Connection Server Host

The operation of View Manager depends on several services that run on a View Connection Server host. If you want to adjust the operation of these services, you must first familiarize yourself with them.

Table 1-14. View Connection Server Host Services

Service Name: VMware View Connection Server
Startup Type: Automatic
Description: Provides connection broker services.
Services on a View Transfer Server Host

Transfer operations for local desktops depend on services that run on a View Transfer Server host. If you want to adjust the operation of these services, you must first familiarize yourself with them. All of the services that are installed with View Transfer Server must be running for the correct operation of local desktops in View Manager.

Table 1-16.
You can change the default policies in the following ways:
- If all connecting clients support TLS 1.1, you can remove TLS 1.0 and SSLv2Hello from the acceptance policy.
- You can add TLS 1.2 to the acceptance and proposal policies, which will then be selected if the other end of the connection supports TLS 1.2.
- If all connecting clients support AES cipher suites, you can remove SSL_RSA_WITH_RC4_128_SHA from the acceptance policy.
The following attribute lists the cipher suites. This list should be in order of preference. Place the most preferred cipher suite first, the second-most preferred suite next, and so on. This example shows an abbreviated list:

pae-ClientSSLCipherSuites = "\LIST:TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"

Change the Global Acceptance and Proposal Policies

To change the global acceptance and proposal policies for security protocols and cipher suites, you use
2 Add secureProtocols.n and enabledCipherSuite.n entries, including the associated security protocols and cipher suites.
3 Save the locked.properties file.
4 Restart the VMware View Connection Server service or VMware View Security Server service to make your changes take effect.

Example: Default Acceptance Policies on an Individual Server

The following example shows the entries in the locked.
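As an added illustration of the policy changes listed earlier in this section (removing TLS 1.0, SSLv2Hello and SSL_RSA_WITH_RC4_128_SHA, adding TLS 1.2, keeping the list in order of preference) and of the secureProtocols.n and enabledCipherSuite.n entries in the procedure above, here is a small Python audit script. It is example code written for this page, not VMware's tooling: it parses the indexed entries from a locked.properties fragment and the "\LIST:" form of pae-ClientSSLCipherSuites, reports the legacy entries the text says can be removed, and writes back a hardened, still-ordered list. The entry names and the LDAP attribute syntax are taken from the document; the protocol token spellings (TLSv1, TLSv1.1, TLSv1.2, SSLv2Hello) and the sample entries are constructed assumptions to be checked against an actual locked.properties file.

```python
"""Audit and harden View SSL/TLS acceptance-policy entries (added example).

Not VMware code. secureProtocols.n, enabledCipherSuite.n and the
pae-ClientSSLCipherSuites = "\\LIST:..." form are from the document; the
protocol token spellings and the sample values are constructed assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed locked.properties fragment (token spellings are assumptions).
SAMPLE_LOCKED_PROPERTIES = """\
# acceptance policy as an individual server might list it (constructed)
secureProtocols.1=TLSv1.1
secureProtocols.2=TLSv1
secureProtocols.3=SSLv2Hello
enabledCipherSuite.1=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.2=TLS_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.3=SSL_RSA_WITH_RC4_128_SHA
"""

# Constructed View LDAP attribute line in the form the document shows.
SAMPLE_LDAP_ATTRIBUTE = (
    'pae-ClientSSLCipherSuites = "\\LIST:TLS_DHE_RSA_WITH_AES_128_CBC_SHA,'
    'TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"'
)

# Entries the document says may be removed once all clients support
# TLS 1.1 and AES cipher suites (protocol spellings assumed).
LEGACY_PROTOCOLS = {"TLSv1", "SSLv2Hello"}
LEGACY_CIPHER_SUITES = {"SSL_RSA_WITH_RC4_128_SHA"}

_INDEXED = re.compile(r"^(secureProtocols|enabledCipherSuite)\.(\d+)\s*=\s*(\S+)\s*$")


def parse_indexed_entries(text: str) -> Dict[str, List[str]]:
    """Collect secureProtocols.n / enabledCipherSuite.n values ordered by n."""
    found: Dict[str, List[Tuple[int, str]]] = {"secureProtocols": [], "enabledCipherSuite": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _INDEXED.match(line)
        if m:
            found[m.group(1)].append((int(m.group(2)), m.group(3)))
    # Sorting by index keeps the order of preference the document requires.
    return {k: [v for _, v in sorted(pairs)] for k, pairs in found.items()}


def parse_ldap_list(attribute_line: str) -> List[str]:
    """Extract the ordered list from a "\\LIST:a,b,c" attribute value."""
    m = re.search(r'"\\LIST:([^"]*)"', attribute_line)
    if not m:
        raise ValueError("attribute does not carry a \\LIST: value")
    return [item for item in m.group(1).split(",") if item]


def audit(protocols: List[str], suites: List[str]) -> List[str]:
    """Report the legacy entries the document allows you to remove."""
    findings = []
    for p in protocols:
        if p in LEGACY_PROTOCOLS:
            findings.append(f"protocol {p} accepted; removable once all clients support TLS 1.1")
    for s in suites:
        if s in LEGACY_CIPHER_SUITES:
            findings.append(f"cipher suite {s} accepted; removable once all clients support AES suites")
    return findings


def harden(protocols: List[str], suites: List[str], add_tls12: bool = True):
    """Drop legacy entries, keep preference order, optionally put TLS 1.2 first."""
    new_protocols = [p for p in protocols if p not in LEGACY_PROTOCOLS]
    if add_tls12 and "TLSv1.2" not in new_protocols:
        new_protocols.insert(0, "TLSv1.2")  # spelling of the token is an assumption
    new_suites = [s for s in suites if s not in LEGACY_CIPHER_SUITES]
    return new_protocols, new_suites


def render_locked_properties(protocols: List[str], suites: List[str]) -> str:
    """Emit the indexed entries, renumbered from 1 in preference order."""
    lines = [f"secureProtocols.{i}={p}" for i, p in enumerate(protocols, 1)]
    lines += [f"enabledCipherSuite.{i}={s}" for i, s in enumerate(suites, 1)]
    return "\n".join(lines) + "\n"


def render_ldap_list(suites: List[str]) -> str:
    """Emit the attribute in the \\LIST: form used in View LDAP."""
    return 'pae-ClientSSLCipherSuites = "\\LIST:' + ",".join(suites) + '"'


if __name__ == "__main__":
    entries = parse_indexed_entries(SAMPLE_LOCKED_PROPERTIES)
    for finding in audit(entries["secureProtocols"], entries["enabledCipherSuite"]):
        print("finding:", finding)
    protocols, suites = harden(entries["secureProtocols"], entries["enabledCipherSuite"])
    print(render_locked_properties(protocols, suites))
    _, ldap_suites = harden([], parse_ldap_list(SAMPLE_LDAP_ATTRIBUTE), add_tls12=False)
    print(render_ldap_list(ldap_suites))
```

The script renumbers entries from 1 after removing items so that no gap is left in the secureProtocols.n and enabledCipherSuite.n sequence; the cipher suite list keeps the order it was given because the document states the list is in order of preference.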
Index

A
acceptance policies, configuring globally
accounts
ADM template files, security-related settings

C
cipher suites
  adding high-strength
  configuring for View Connection Server
  default global policies
  editing in View LDAP
Connection Server service
security servers, services
security settings, global
server settings.