5.2
You can change the default policies in the following ways:
- If all connecting clients support TLS 1.1, you can remove TLS 1.0 and SSLv2Hello from the acceptance
  policy.
- You can add TLS 1.2 to the acceptance and proposal policies, which will then be selected if the other end
  of the connection supports TLS 1.2.
- If all connecting clients support AES cipher suites, you can remove SSL_RSA_WITH_RC4_128_SHA from the
  acceptance policy.
Updating JCE Policy Files to Support High-Strength Cipher Suites
You can add high-strength cipher suites for greater assurance, but first you must update the
local_policy.jar and US_export_policy.jar policy files for JRE 7 on each View Connection Server instance
and security server. You update these policy files by downloading the Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files 7 from the Oracle Java SE Download site.
If you include high-strength cipher suites in the list and do not replace the policy files, you cannot restart the
VMware View Connection Server service.
The policy files are located in the C:\Program Files\VMware\VMware View\Server\jre\lib\security directory.
For more information about downloading the JCE Unlimited Strength Jurisdiction Policy Files 7, see the Oracle
Java SE Download site: http://www.oracle.com/technetwork/java/javase/downloads/index.html.
After you update the policy files, you must create backups of the files. If you upgrade the View Connection
Server instance or security server, any changes that you have made to these files might be overwritten, and
you might have to restore the files from the backup.
Configuring Global Acceptance and Proposal Policies
The default global acceptance and proposal policies are defined in View LDAP attributes. These policies apply
to all View Connection Server instances in a replicated group. To change a global policy, you can edit View
LDAP on any View Connection Server instance.
Each policy is a single-valued attribute in the following View LDAP location:
cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int
Global Acceptance and Proposal Policies Defined in View LDAP
You can edit the View LDAP attributes that define global acceptance and proposal policies.
Global Acceptance Policies
The following attribute lists security protocols. You must order the list by placing the latest protocol first:
pae-ServerSSLSecureProtocols = "\LIST:TLSv1.1,TLSv1"
The following attribute lists the cipher suites. The order of the cipher suites is unimportant. This example shows
an abbreviated list:
pae-ServerSSLCipherSuites = "\LIST:TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
Global Proposal Policies
The following attribute lists security protocols. You must order the list by placing the latest protocol first:
pae-ClientSSLSecureProtocols = "\LIST:TLSv1.1,TLSv1"
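The following Python lint for these policy values is an added example, not part of the VMware documentation. It checks the latest-first protocol ordering, reports the entries this page says can be removed, and flags 256-bit suites as needing the JCE unlimited-strength policy files. The function names and the `_256_` test for "high-strength" are assumptions, and the sample values are constructed.

```python
import re

# Protocol names from the page, ranked oldest (0) to newest.
PROTOCOL_RANK = {"SSLv2Hello": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}
# Entries the page says can be removed once every client supports TLS 1.1 / AES.
REMOVABLE = {"SSLv2Hello", "TLSv1", "SSL_RSA_WITH_RC4_128_SHA"}


def parse_list(value):
    """Split a '\\LIST:a,b,c' policy value into items, tolerating quotes and line wraps."""
    value = re.sub(r"\s+", "", value).strip('"')
    if not value.startswith("\\LIST:"):
        raise ValueError("policy value must start with \\LIST:")
    items = value[len("\\LIST:"):].split(",")
    if not all(items):
        raise ValueError("empty entry in policy list")
    return items


def lint_protocols(value):
    """Return (code, detail) findings for a *SSLSecureProtocols value."""
    protocols = parse_list(value)
    findings = [("unknown", p) for p in protocols if p not in PROTOCOL_RANK]
    ranks = [PROTOCOL_RANK[p] for p in protocols if p in PROTOCOL_RANK]
    if ranks != sorted(ranks, reverse=True):
        findings.append(("order", "latest protocol must be listed first"))
    findings += [("removable", p) for p in protocols if p in REMOVABLE]
    return findings


def lint_suites(value):
    """Return (code, detail) findings for a *SSLCipherSuites value."""
    findings = []
    for suite in parse_list(value):
        if suite in REMOVABLE:
            findings.append(("removable", suite))
        if "_256_" in suite:  # assumption: 256-bit suites are the "high-strength" ones
            findings.append(("needs-jce-unlimited", suite))
    return findings


if __name__ == "__main__":
    # Constructed sample values in the format shown on the page.
    print(lint_protocols('"\\LIST:TLSv1,TLSv1.1,SSLv2Hello"'))
    print(lint_suites('"\\LIST:TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_\nWITH_RC4_128_SHA"'))
```

Run it against a proposed value before writing the attribute to View LDAP; a `needs-jce-unlimited` finding means the policy files must be replaced first, otherwise the VMware View Connection Server service cannot be restarted.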
Chapter 1 VMware Horizon View Security Reference
VMware, Inc.