View Security
VMware Horizon 6, Version 6.2

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2015 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304, www.vmware.com
Contents

View Security 5
1 View Security Reference 7
  View Accounts 7
  View Security Settings 8
  View Resources 17
  View Log Files 17
  View TCP and UDP Ports 18
  Services on a View Connection Server Host 22
  Services on a Security Server 23
  Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server 23
  Deploying USB Devices in a Secure View Environment 29
Index
View Security

View Security provides a concise reference to the security features of VMware Horizon 6™:
- Required system and database login accounts.
- Configuration options and settings that have security implications.
- Resources that must be protected, such as security-relevant configuration files and passwords, and the recommended access controls for secure operation.
- Location of log files and their purpose.
1 View Security Reference

When you are configuring a secure View environment, you can change settings and make adjustments in several areas to protect your systems.
Table 1-1. View System Accounts (Continued)

View Composer: Create a user account in Active Directory to use with View Composer. View Composer requires this account to join linked-clone desktops to your Active Directory domain. The user account should not be a View administrative account. Give the account the minimum privileges that it requires to create and remove computer objects in a specified Active Directory container.
Table 1-3. Security-Related Global Settings

Change data recovery password: The password is required when you restore the View LDAP configuration from an encrypted backup. When you install View Connection Server version 5.1 or later, you provide a data recovery password. After installation, you can change this password in View Administrator. When you back up View Connection Server, the View LDAP configuration is exported as encrypted LDIF data. Because a backup cannot be restored without this password, store it separately from the backup files and with the same care as an administrative credential.
Table 1-3. Security-Related Global Settings (Continued)

Other clients.

Discard SSO credentials: Discards the SSO credentials after a certain time period. This setting is for clients that do not support application remoting. If set to After ... minutes, users must log in again to connect to a desktop after the specified number of minutes has passed since the user logged in to View, regardless of any user activity on the client device. The default is After 15 minutes.
Table 1-4. Security-Related Server Settings

Use PCoIP Secure Gateway for PCoIP connections to machine: Determines whether Horizon Client makes a further secure connection to the View Connection Server or security server host when users connect to View desktops and applications with the PCoIP display protocol.
Table 1-5. Security-Related Settings in the View Agent Configuration Template (Continued)

CommandsToRunOnConnect: Specifies a list of commands or command scripts to be run when a session is connected for the first time. No list is specified by default. The equivalent Windows Registry value is CommandsToRunOnConnect. Because these commands run inside the session at connect time, anyone who can write this policy or registry value can run code in every session it applies to; restrict who can modify the GPO and the View Agent registry keys accordingly.

CommandsToRunOnReconnect: Specifies a list of commands or command scripts to be run when a session is reconnected after a disconnect.
Table 1-6. Horizon Client Configuration Template: Security Settings (Continued)

Certificate verification mode (Computer Configuration setting): Configures the level of certificate checking that is performed by Horizon Client. You can select one of these modes:
- No Security. View does not perform certificate checking.
- Warn But Allow.
Table 1-6. Horizon Client Configuration Template: Security Settings (Continued)

Display option to Log in as current user (Computer and User Configuration setting): Determines whether the Log in as current user check box is visible on the Horizon Client connection dialog box. When the check box is visible, users can select or deselect it and override its default value.
Table 1-6. Horizon Client Configuration Template: Security Settings (Continued)

Ignore bad SSL certificate date received from the server (Computer Configuration setting) (View 4.6 and earlier releases only): Determines whether errors that are associated with invalid server certificate dates are ignored. These errors occur when a server sends a certificate with a date that has passed.
Table 1-7. Security-Related Settings in the Scripting Definitions Section

Connect all USB devices to the desktop on launch: Determines whether all of the available USB devices on the client system are connected to the desktop when the desktop is launched. This setting is disabled by default. The equivalent Windows Registry value is connectUSBOnStartup.
View Resources

View includes several configuration files and similar resources that must be protected.

Table 1-9. View Connection Server and Security Server Resources

Resource          | Location                                                 | Protection
LDAP settings     | Not applicable.                                          | LDAP data is protected automatically as part of role-based access control.
LDAP backup files | :\Programdata\VMWare\VDM\backups (Windows Server 2008)   | Protected by access control.
locked.
Table 1-10. View Log Files (Continued)

View Connection Server or Security Server: :\ProgramData\VMware\VDM\logs. The log directory is configurable in the log configuration settings of the View Common Configuration ADM template file (vdm_common.adm). PCoIP Secure Gateway logs are written to files named SecurityGateway_*.log in the PCoIP Secure Gateway subdirectory of the log directory on a security server.
Table 1-11. TCP and UDP Ports Used by View (Continued)

Source                 | Source Port | Target                 | Target Port | Protocol    | Description
Security server        | *           | View desktop           | 22443       | TCP         | HTML Access.
View Agent             | 4172        | Horizon Client         | Varies      | UDP         | PCoIP, if PCoIP Secure Gateway is not used. NOTE Because the target port varies, see "Notes and Caveats for TCP and UDP Ports Used by View," on page 21.
Horizon Client         | *           | View desktop           | 32111       | TCP         | USB redirection if direct connections are used instead of tunnel connections.
Horizon Client         | *           | View Agent             | 4172        | TCP and UDP | PCoIP if PCoIP Secure Gateway is not used.
Horizon Client         | Varies      | View Agent             | 4172        | UDP         | PCoIP if PCoIP Secure Gateway is not used.
View Connection Server | *           | View desktop           | 32111       | TCP         | USB redirection if tunnel connections via the View Connection Server are used.
View Connection Server | *           | View Connection Server | 8472        | TCP         | Interpod communication in Cloud Pod Architecture.
View Connection Server | *           | View Connection Server | 22389       | TCP         | Global LDAP replication in Cloud Pod Architecture.
To prevent redirection for all HTTP connection attempts, see "Prevent HTTP Redirection for Client Connections to Connection Server" in the View Installation document. Connections to port 80 of a View Connection Server instance or security server can also take place if you offload SSL client connections to an intermediate device. See "Off-load SSL Connections to Intermediate Servers" in the View Administration document.
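A practical use of the port table is to compare it with what a host is actually listening on. The following script is an added example for this page, not VMware code: it encodes only the rows of Table 1-11 that are visible here plus the port 80 note, so the real table has more rows and a port reported as "unexpected" means "not in the rows on this page", not necessarily a problem. The netstat lines are constructed, and the Windows `netstat -an` column layout is assumed; the source of the port 80 connections is not stated on the page and is an assumption as well.

```python
"""Compare a host's listening sockets with the View port table.

Added example for this page; it is not VMware code. EXPECTED holds only the
rows of Table 1-11 that are visible here plus the port 80 note, so the real
table has more rows and an "unexpected" port is "not in the rows on this
page", not necessarily a problem. The netstat lines are constructed and use
the Windows 'netstat -an' layout (assumption).
"""
from collections import namedtuple

Flow = namedtuple("Flow", "source target port proto purpose")

EXPECTED = [
    Flow("Security server", "View desktop", 22443, "TCP", "HTML Access"),
    # Target port varies, so there is no fixed listener to check on the client.
    Flow("View Agent", "Horizon Client", None, "UDP", "PCoIP without PCoIP Secure Gateway"),
    Flow("Horizon Client", "View desktop", 32111, "TCP", "USB redirection, direct connection"),
    Flow("Horizon Client", "View Agent", 4172, "TCP", "PCoIP without PCoIP Secure Gateway"),
    Flow("Horizon Client", "View Agent", 4172, "UDP", "PCoIP without PCoIP Secure Gateway"),
    Flow("View Connection Server", "View desktop", 32111, "TCP", "USB redirection, tunnel connection"),
    Flow("View Connection Server", "View Connection Server", 8472, "TCP", "Cloud Pod Architecture interpod"),
    Flow("View Connection Server", "View Connection Server", 22389, "TCP", "Cloud Pod Architecture global LDAP replication"),
    # From the HTTP redirection note: the page names the target but not the
    # source, so "Horizon Client" as the source is an assumption.
    Flow("Horizon Client", "View Connection Server", 80, "TCP", "HTTP redirect to HTTPS (optional)"),
    Flow("Horizon Client", "Security server", 80, "TCP", "HTTP redirect to HTTPS (optional)"),
]


def expected_listeners(role):
    """(proto, port) pairs a host in the given role should be listening on."""
    return {(f.proto, f.port) for f in EXPECTED if f.target == role and f.port is not None}


def parse_netstat(lines):
    """Return (proto, port) for LISTENING TCP sockets and bound UDP sockets."""
    listeners = set()
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        try:
            port = int(local.rsplit(":", 1)[1])   # works for 0.0.0.0:80 and [::]:80
        except (IndexError, ValueError):
            continue
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue   # outbound/established TCP is not a listener
        listeners.add((proto, port))
    return listeners


def audit(role, netstat_lines):
    """Split listeners into those missing from the table and those outside it."""
    observed = parse_netstat(netstat_lines)
    expected = expected_listeners(role)
    return {"missing": sorted(expected - observed),
            "unexpected": sorted(observed - expected)}


# Constructed sample: a Connection Server that also exposes RDP and raw PCoIP.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8472           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49710       192.0.2.20:443         ESTABLISHED
  UDP    0.0.0.0:4172           *:*
""".strip().splitlines()

if __name__ == "__main__":
    result = audit("View Connection Server", SAMPLE_NETSTAT)
    print("missing:", result["missing"])        # [('TCP', 22389)]
    print("unexpected:", result["unexpected"])  # [('TCP', 3389), ('UDP', 4172)]
```

Run it against real `netstat -an` output by replacing SAMPLE_NETSTAT, and extend EXPECTED with the rest of Table 1-11 before treating "unexpected" as a finding; the point of the structure is that the allowlist is data, so adding a row never changes the checking logic.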
Services on a Security Server

The operation of View depends on several services that run on a security server.

Table 1-13. Security Server Services

Service Name                          | Startup Type | Description
VMware Horizon 6 Blast Secure Gateway | Automatic    | Provides secure HTML Access services. This service must be running if clients connect to this security server through the HTML Access Secure Gateway.
VMware Horizon 6 Security Server      | Automatic    | Provides security server services.
Default Global Policies for Security Protocols and Cipher Suites

Global acceptance and proposal policies enable certain security protocols and cipher suites by default.

Table 1-14. Default Global Policies

Default Security Protocols:
- TLS 1.2
- TLS 1.1
- TLS 1.
Change the Global Acceptance and Proposal Policies

To change the global acceptance and proposal policies for security protocols and cipher suites, you use the ADSI Edit utility to edit View LDAP attributes.

Prerequisites
- Familiarize yourself with the View LDAP attributes that define the acceptance and proposal policies. See "Global Acceptance and Proposal Policies Defined in View LDAP," on page 24.
4 Restart the VMware Horizon View Connection Server service or VMware Horizon View Security Server service to make your changes take effect.

Example: Default Acceptance Policies on an Individual Server

The following example shows the entries in the locked.properties file that are needed to specify the default policies:

    # The following list should be ordered with the latest protocol first:
    secureProtocols.1=TLSv1.2
    secureProtocols.2=TLSv1.1
    secureProtocols.
Internet Engineering Task Force Standards

View Connection Server and security server comply with certain Internet Engineering Task Force (IETF) standards.
- RFC 5746 Transport Layer Security (TLS) Renegotiation Indication Extension, also known as secure renegotiation, is enabled by default. NOTE Client-initiated renegotiation is disabled by default on Connection Servers and security servers. Keep it disabled unless you have a specific need: client-initiated renegotiation lets an unauthenticated client force the server through repeated handshakes, which is a known CPU-exhaustion vector. To enable, edit registry value [HKLM\SOFTWARE\VMware, Inc.\VMware VDM\plugins\w
SSLv3

For more information, see http://tools.ietf.org/html/rfc7568. For Connection Server instances, security servers, and View desktops, you can enable SSLv3 by removing SSLv3 from the jdk.tls.disabledAlgorithms property in the C:\Program Files\VMware\VMware View\Server\jre\lib\security\java.security file on each View Connection Server instance and security server. RFC 7568 deprecates SSLv3 and states that it must not be used; the POODLE attack on its CBC padding is the reason. Leave SSLv3 in jdk.tls.disabledAlgorithms unless a client that cannot be upgraded forces you to re-enable it, and treat any such change as a finding to be reverted.
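The locked.properties example above and the java.security note are two places where a weaker protocol can creep back in. The following script is an added example for this page, not VMware code, and serves both passages: it parses the two files, checks that secureProtocols is ordered latest-first as the comment requires, reports deprecated protocols and weak cipher suites, and confirms that SSLv3 is still listed in jdk.tls.disabledAlgorithms. The names secureProtocols.N and jdk.tls.disabledAlgorithms come from the document; enabledCipherSuite.N is assumed to be the locked.properties key for cipher suites and is not named on this page. Reporting TLS 1.1 and TLS 1.0 as deprecated is stricter than the product defaults in Table 1-14 and is the editor's choice. Both sample files are constructed.

```python
"""Audit the TLS settings View reads from locked.properties and java.security.

Added example for this page; it is not VMware code. secureProtocols.N and
jdk.tls.disabledAlgorithms are named in the document; enabledCipherSuite.N
is an assumed key name for cipher suites. Sample files are constructed.
"""
import re

# Higher rank = newer. Anything below TLSv1.2 is reported (RFC 8996 deprecates
# TLS 1.0/1.1; RFC 7568 deprecates SSLv3). Stricter than the product defaults.
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}
MIN_PROTOCOL_RANK = PROTOCOL_RANK["TLSv1.2"]
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "DES", "MD5", "anon", "ADH")


def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#'/'!' comments,
    trailing-backslash continuation lines. Enough for these two files."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].strip()
            continue
        full, pending = pending + line, ""
        key, sep, value = full.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def indexed_values(props, prefix):
    """Values of prefix.1, prefix.2, ... in index order (gaps tolerated)."""
    pattern = re.compile(re.escape(prefix) + r"\.(\d+)$")
    found = [(int(m.group(1)), v) for k, v in props.items()
             for m in [pattern.match(k)] if m]
    return [v for _, v in sorted(found)]


def protocol_findings(protocols):
    findings = []
    ranks = [PROTOCOL_RANK.get(p, -1) for p in protocols]
    if ranks != sorted(ranks, reverse=True):
        findings.append("secureProtocols not ordered latest-first: " + ", ".join(protocols))
    for name, rank in zip(protocols, ranks):
        if rank < 0:
            findings.append("unrecognised protocol name: " + name)
        elif rank < MIN_PROTOCOL_RANK:
            findings.append("deprecated protocol enabled: " + name)
    return findings


def cipher_findings(suites):
    return ["weak cipher suite enabled: " + s
            for s in suites if any(marker in s for marker in WEAK_CIPHER_MARKERS)]


def disabled_algorithms(java_security_props):
    """Tokens of jdk.tls.disabledAlgorithms; entries like 'DH keySize < 768' stay whole."""
    value = java_security_props.get("jdk.tls.disabledAlgorithms", "")
    return {t.strip() for t in value.split(",") if t.strip()}


def audit(locked_properties_text, java_security_text):
    locked = parse_properties(locked_properties_text)
    jsec = parse_properties(java_security_text)
    findings = protocol_findings(indexed_values(locked, "secureProtocols"))
    findings += cipher_findings(indexed_values(locked, "enabledCipherSuite"))
    if "SSLv3" not in disabled_algorithms(jsec):
        findings.append("SSLv3 missing from jdk.tls.disabledAlgorithms (re-enabled; see RFC 7568)")
    return findings


# Constructed: the documented defaults plus an RC4 suite.
WEAK_LOCKED = """
# The following list should be ordered with the latest protocol first:
secureProtocols.1=TLSv1.2
secureProtocols.2=TLSv1.1
secureProtocols.3=TLSv1
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
enabledCipherSuite.2=TLS_RSA_WITH_RC4_128_SHA
"""
# Constructed: java.security after SSLv3 was removed, the change the text describes.
WEAK_JAVA_SECURITY = """
jdk.tls.disabledAlgorithms=RC4, MD5withRSA, \\
    DH keySize < 768
"""
HARDENED_LOCKED = """
secureProtocols.1=TLSv1.2
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""
HARDENED_JAVA_SECURITY = "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768\n"

if __name__ == "__main__":
    for finding in audit(WEAK_LOCKED, WEAK_JAVA_SECURITY):
        print("FINDING:", finding)
    print("hardened:", audit(HARDENED_LOCKED, HARDENED_JAVA_SECURITY))   # []
```

To run it on a server, read the two files from the locations the document gives and pass their contents to audit(); an empty list means the configuration matches the policy encoded here.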
For example:

    acceptContentType.1=x-www-form-urlencoded

To accept another content type, add the entry acceptContentType.2=content-type, and so on.

Origin Checking

By default, protection against cross-site request forgery is disabled. You can enable this protection by adding the following entry to the file locked.
If you set the Exclude All Devices policy to true, Horizon Client prevents all USB devices from being redirected. You can use other policy settings to allow specific devices or families of devices to be redirected. If you set the policy to false, Horizon Client allows all USB devices to be redirected except those that are blocked by other policy settings. You can set the policy on both View Agent and Horizon Client.
By default, View blocks certain device families from being redirected to the remote desktop or application. For example, HID (human interface devices) and keyboards are blocked from appearing in the guest. Some released BadUSB code targets USB keyboard devices. You can prevent specific device families from being redirected to the remote desktop or application.
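The interaction between Exclude All Devices, the per-device and per-family rules, and the families blocked by default is easier to reason about as code. The following is an added example for this page, not VMware code: it models the semantics the two paragraphs above describe, with HID and keyboard families blocked by default. The rule names (include/exclude by VID:PID and by family) and the precedence used (VID:PID rules beat family rules, a block rule beats an allow rule at the same level, and Exclude All Devices is consulted last) are assumptions; the page says the policy can be set on both View Agent and Horizon Client but does not say how the two are merged, so one effective policy is evaluated. The devices are constructed samples.

```python
"""Evaluate which USB devices a View filter policy would redirect.

Added example for this page; it is not VMware code. Rule names and the
precedence (VID:PID rules > family rules > Exclude All Devices; block beats
allow at the same level) are assumptions. Devices are constructed samples.
"""
from collections import namedtuple

Device = namedtuple("Device", "vid pid family name")

# Families the document says View blocks by default.
DEFAULT_BLOCKED_FAMILIES = frozenset({"hid", "keyboard"})


class UsbPolicy:
    def __init__(self, exclude_all_devices=False, include_vid_pid=(), exclude_vid_pid=(),
                 include_family=(), exclude_family=DEFAULT_BLOCKED_FAMILIES):
        self.exclude_all_devices = exclude_all_devices
        self.include_vid_pid = {self._key(v, p) for v, p in include_vid_pid}
        self.exclude_vid_pid = {self._key(v, p) for v, p in exclude_vid_pid}
        self.include_family = {f.lower() for f in include_family}
        self.exclude_family = {f.lower() for f in exclude_family}

    @staticmethod
    def _key(vid, pid):
        # VID/PID are hex strings; compare case-insensitively.
        return (vid.lower(), pid.lower())

    def decide(self, device):
        """Return (allowed, reason) for one device, most specific rule first."""
        key = self._key(device.vid, device.pid)
        if key in self.exclude_vid_pid:
            return False, "blocked by VID:PID rule"
        if key in self.include_vid_pid:
            return True, "allowed by VID:PID rule"
        family = device.family.lower()
        if family in self.exclude_family:
            return False, "blocked: family %s" % family
        if family in self.include_family:
            return True, "allowed: family %s" % family
        if self.exclude_all_devices:
            return False, "blocked by Exclude All Devices"
        return True, "allowed: no rule matched and Exclude All Devices is false"

    def redirectable(self, devices):
        """Names of the devices this policy lets through."""
        return [d.name for d in devices if self.decide(d)[0]]


# Constructed sample devices, including one that enumerates as a keyboard
# (the BadUSB case the document mentions).
DEVICES = [
    Device("0781", "5583", "storage", "usb-stick"),
    Device("046d", "c31c", "keyboard", "keyboard"),
    Device("1234", "abcd", "keyboard", "badusb-keyboard-emulator"),
    Device("072f", "90cc", "smart-card", "smartcard-reader"),
    Device("04f9", "0042", "printer", "label-printer"),
]

# Document default: Exclude All Devices false, HID and keyboard families blocked.
DEFAULT_POLICY = UsbPolicy()

# Hardened: deny everything, then allow only the smart-card reader by VID:PID.
DENY_BY_DEFAULT = UsbPolicy(exclude_all_devices=True, include_vid_pid=[("072F", "90CC")])

if __name__ == "__main__":
    for label, policy in (("default", DEFAULT_POLICY), ("deny-by-default", DENY_BY_DEFAULT)):
        print(label, policy.redirectable(DEVICES))
        for d in DEVICES:
            print("   ", d.name, "->", policy.decide(d)[1])
```

Under the default policy the keyboard-class devices are the only ones refused, which is exactly the BadUSB protection the text describes; under the deny-by-default policy the allowlist does the work and a new device is refused until someone adds it, which is the posture to prefer where users do not need arbitrary USB devices.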
Index

A
acceptance policies, configuring globally 24
accounts 7
ADM template files, security-related settings 8

R
RC4, disabled in View 27
resources 17

S
Script Host service 22
security protocols
  configuring for View Connection Server 23
  default policies 24
  editing in View LDAP 25
security servers, services 23
security settings, global 8
Security Gateway Component service 22, 23
security overview 5
Security Server service 23
server settings