View Security
VMware Horizon 6.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2014 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents

View Security
1 View Security Reference
  View Accounts
  View Security Settings
  View Resources
  View Log Files
  View TCP and UDP Ports
  Services on a View Connection Server Host
  Services on a Security Server
  Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
View Security

View Security provides a concise reference to the security features of VMware Horizon with View™:

- Required system and database login accounts.
- Configuration options and settings that have security implications.
- Resources that must be protected, such as security-relevant configuration files and passwords, and the recommended access controls for secure operation.
- Location of log files and their purpose.
1 View Security Reference

When you are configuring a secure View environment, you can change settings and make adjustments in several areas to protect your systems.

- View Accounts: You must set up system and database accounts to administer View components.
- View Security Settings: View includes several settings that you can use to adjust the security of the configuration.
View Accounts

You must set up system and database accounts to administer View components.

Table 1-1. View System Accounts
View Component | Required Accounts
Horizon Client | Configure user accounts in Active Directory for the users who have access to remote desktops and applications. The user accounts must be members of the Remote Desktop Users group, but the accounts do not require View administrator privileges.
Table 1-3. Security-Related Global Settings
Setting | Description
Change data recovery password | The password is required when you restore the View LDAP configuration from an encrypted backup. When you install View Connection Server version 5.1 or later, you provide a data recovery password. After installation, you can change this password in View Administrator. When you back up View Connection Server, the View LDAP configuration is exported as encrypted LDIF data.
For more information about these settings and their security implications, see the View Administration document.

NOTE SSL is required for all Horizon Client connections and View Administrator connections to View. If your View deployment uses load balancers or other client-facing, intermediate servers, you can off-load SSL to them and then configure non-SSL connections on individual View Connection Server instances and security servers. When SSL is off-loaded in this way, the hop between the intermediate server and the View server carries the session, including user credentials, without encryption, so that hop must run only over a network you control.
Table 1-5. Security-Related Settings in the View Agent Configuration Template
Setting | Registry Value Name | Description
AllowDirectRDP | AllowDirectRDP | Determines whether non-Horizon Clients can connect directly to View desktops with RDP. When this setting is disabled, View Agent permits only View-managed connections through Horizon Client.
Table 1-6. Security Settings in the Horizon Client Configuration Template
Setting | Registry Value Name | Description
Allow command line credentials | AllowCmdLineCredentials | Determines whether user credentials can be provided with Horizon Client command line options. If this setting is disabled, the smartCardPIN and password options are not available when users run Horizon Client from the command line. This setting is enabled by default.
Table 1-6. Security Settings in the Horizon Client Configuration Template (Continued)
Setting | Registry Value Name | Description
Certificate verification mode | CertCheckMode | Configures the level of certificate checking that is performed by Horizon Client. You can select one of these modes:
- No Security. View does not perform certificate checking.
- Warn But Allow.
Table 1-6. Security Settings in the Horizon Client Configuration Template (Continued)
Setting | Registry Value Name | Description
Display option to Log in as current user | LogInAsCurrentUser_Display | Determines whether the Log in as current user check box is visible on the Horizon Client connection dialog box. When the check box is visible, users can select or deselect it and override its default value.
Table 1-6. Security Settings in the Horizon Client Configuration Template (Continued)
Setting | Registry Value Name | Description
Ignore unknown certificate authority problems | IgnoreUnknownCa | Determines whether errors that are associated with an unknown Certificate Authority (CA) on the server certificate are ignored. These errors occur when the server sends a certificate that is signed by an untrusted third-party CA. This setting is disabled by default.
Security-Related Settings in View LDAP

Security-related settings are provided in View LDAP under the object path cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int. You can use the ADSI Edit utility to change the value of these settings on a View Connection Server instance. The change propagates automatically to all other View Connection Server instances in a group.

Table 1-8.
View Log Files

View creates log files that record the installation and operation of its components.

NOTE View log files are intended for use by VMware Support. VMware recommends that you configure and use the event database to monitor View. For more information, see the View Installation and View Integration documents.

Table 1-10. View Log Files
View Component | File Path and Other Information
All components (installation logs) | %TEMP%\vminst.
Table 1-11. TCP and UDP Ports Used by View
Source | Port | Target | Port | Protocol | Description
Security server | 55000 | View Agent | 4172 | UDP | PCoIP (not SALSA20) if PCoIP Secure Gateway is used.
Security server | 4172 | Horizon Client | 50001 | UDP | PCoIP (not SALSA20) if PCoIP Secure Gateway is used.
Security server | 500 | View Connection Server | 500 | UDP | IPsec negotiation traffic.
Security server | * | View Connection Server | 4001 | TCP | JMS traffic.
Table 1-11. TCP and UDP Ports Used by View (Continued)
Source | Port | Target | Port | Protocol | Description
Horizon Client | * | View desktop | 3389 | TCP | Microsoft RDP traffic to View desktops if direct connections are used instead of tunnel connections.
Horizon Client | * | View desktop | 9427 | TCP | Wyse MMR redirection if direct connections are used instead of tunnel connections.
Notes and Caveats for TCP and UDP Ports Used by View

Connection attempts over HTTP are silently redirected to HTTPS, except for connection attempts to View Administrator. HTTP redirection is not needed with more recent View clients because they default to HTTPS, but it is useful when your users connect with a Web browser, for example to download View Client. The drawback of HTTP redirection is that the initial request travels over plain HTTP, which is not a secure protocol, so that request is exposed to interception until the redirect to HTTPS is followed. The HTTP Strict Transport Security support listed under Internet Engineering Task Force Standards reduces this exposure for browsers that have already connected to the server over HTTPS, because they then skip the HTTP step.
Table 1-12. View Connection Server Host Services (Continued)
Service Name | Startup Type | Description
VMware Horizon View Security Gateway Component | Manual | Provides common gateway services. This service must always be running.
VMware Horizon View Web Component | Manual | Provides web services. This service must always be running.
VMwareVDMDS | Automatic | Provides LDAP directory services. This service must always be running.
Default Global Policies for Security Protocols and Cipher Suites

Certain security protocols and cipher suites are provided by default in View 5.2 and later releases. By default, the global acceptance and proposal policies are very similar.

Table 1-14. Default Global Policies
Default Security Protocols:
- TLS 1.1
- TLS 1.
Global Acceptance and Proposal Policies Defined in View LDAP

You can edit the View LDAP attributes that define global acceptance and proposal policies.

Global Acceptance Policies

The following attribute lists security protocols. You must order the list by placing the latest protocol first:

pae-ServerSSLSecureProtocols = "\LIST:TLSv1.1,TLSv1"

The following attribute lists the cipher suites. The order of the cipher suites is unimportant.
Configure Acceptance Policies on Individual View Servers

To specify a local acceptance policy on an individual View Connection Server instance or security server, you must add properties to the locked.properties file. If the locked.properties file does not yet exist on the View server, you must create it.

You add a secureProtocols.n entry for each security protocol that you want to configure. Use the following syntax: secureProtocols.n=security protocol.

You add an enabledCipherSuite.
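The two policy formats described above, the View LDAP list attribute (for example pae-ServerSSLSecureProtocols = "\LIST:TLSv1.1,TLSv1") and the secureProtocols.n / enabledCipherSuite.n entries of locked.properties, are easy to get wrong by hand, and the one rule the text states (latest protocol first) is not checked by anything at edit time. The following is an added example written for this page, not VMware's code and not part of View: it parses both formats, reports protocols that are out of order or older than a chosen minimum, and renders a corrected locked.properties fragment. The sample file contents are constructed for the example, the cipher-suite name is a standard JSSE name used only as a placeholder, the set of protocol tokens beyond the two shown on the page (TLSv1.2, SSLv3) and the TLSv1.1 minimum are the editor's assumptions, and the locked.properties file path is not given here because the page does not state it.

```python
"""Checks for View TLS acceptance-policy settings (added example, not VMware code).

Handles the two formats this section describes:
  - the View LDAP attribute value, written as "\\LIST:proto,proto" (newest first)
  - secureProtocols.n / enabledCipherSuite.n entries in locked.properties
"""
import re

# Rank of each protocol token; higher is newer. The page lists only TLSv1.1
# and TLSv1; TLSv1.2 and SSLv3 are assumed extra tokens so that a hand-edited
# legacy entry is recognised and ranked instead of reported as unknown.
PROTOCOL_RANK = {"TLSv1.2": 3, "TLSv1.1": 2, "TLSv1": 1, "SSLv3": 0}

# Editor's threshold, an assumption rather than a View default: anything
# older than TLS 1.1 gets a finding unless the caller lowers the minimum.
MINIMUM_PROTOCOL = "TLSv1.1"

_ENTRY = re.compile(r"^\s*(secureProtocols|enabledCipherSuite)\.(\d+)\s*=\s*(\S+)\s*$")


def parse_ldap_list(value):
    """Split a View LDAP list value such as "\\LIST:TLSv1.1,TLSv1" into tokens.

    Surrounding double quotes, as ADSI Edit displays them, are tolerated.
    """
    value = value.strip().strip('"')
    if not value.startswith("\\LIST:"):
        raise ValueError("not a View LDAP list value: %r" % value)
    return [item for item in value[len("\\LIST:"):].split(",") if item]


def parse_locked_properties(text):
    """Return {'secureProtocols': [...], 'enabledCipherSuite': [...]}.

    Entries are ordered by their numeric suffix, which is the order the
    secureProtocols.n syntax expresses. Comments and unrelated properties
    are ignored; a duplicated index is an error rather than a silent override.
    """
    found = {"secureProtocols": {}, "enabledCipherSuite": {}}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            key, index, val = m.group(1), int(m.group(2)), m.group(3)
            if index in found[key]:
                raise ValueError("duplicate %s.%d" % (key, index))
            found[key][index] = val
    return {k: [v[i] for i in sorted(v)] for k, v in found.items()}


def check_protocols(protocols, minimum=MINIMUM_PROTOCOL):
    """Apply the section's ordering rule plus a minimum-version threshold.

    Returns a list of finding strings; an empty list means the list is
    newest-first, contains only known tokens, and nothing is below `minimum`.
    """
    findings = []
    ranks = []
    for p in protocols:
        if p not in PROTOCOL_RANK:
            findings.append("unknown protocol token %r" % p)
            continue
        ranks.append(PROTOCOL_RANK[p])
        if PROTOCOL_RANK[p] < PROTOCOL_RANK[minimum]:
            findings.append("%s is older than %s" % (p, minimum))
    if ranks != sorted(ranks, reverse=True):
        findings.append("protocols are not listed newest first: %s" % ",".join(protocols))
    if not protocols:
        findings.append("no protocols configured")
    return findings


def render_locked_properties(protocols, cipher_suites):
    """Emit locked.properties entries in the secureProtocols.n=... syntax."""
    lines = ["secureProtocols.%d=%s" % (i, p) for i, p in enumerate(protocols, 1)]
    lines += ["enabledCipherSuite.%d=%s" % (i, s) for i, s in enumerate(cipher_suites, 1)]
    return "\n".join(lines) + "\n"


# Constructed sample: protocols in the wrong order and an SSLv3 entry left
# behind. The cipher-suite name is a placeholder JSSE name, not a page value.
SAMPLE_BAD = """\
# locked.properties (constructed example)
secureProtocols.1=TLSv1
secureProtocols.2=TLSv1.1
secureProtocols.3=SSLv3
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
"""

if __name__ == "__main__":
    policy = parse_locked_properties(SAMPLE_BAD)
    for finding in check_protocols(policy["secureProtocols"]):
        print("finding:", finding)
    # Corrected fragment: TLS 1.1 only, newest first, same suite list.
    print(render_locked_properties(["TLSv1.1"], policy["enabledCipherSuite"]))
```

Run the checker against the file before restarting anything, then confirm the result at the wire rather than trusting the file: openssl s_client -connect host:443 -tls1 should fail to complete a handshake once TLSv1 is removed from the local policy. Keep in mind the difference the section draws: the LDAP attribute propagates to every View Connection Server in the group, while locked.properties applies only to the server it sits on.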
Internet Engineering Task Force Standards

View Connection Server and security server comply with certain Internet Engineering Task Force (IETF) Standards.

- RFC 5746 Transport Layer Security (TLS) – Renegotiation Indication Extension, also known as secure renegotiation, is enabled by default.
- RFC 6797 HTTP Strict Transport Security (HSTS), also known as transport security, is enabled by default.