This is going to focus on setting up Horizon View 7.x to run TLS 1.2 only including Blast Secure Gateway (BSG) and PCoIP protocol. I would recommend trying to implement this in your Horizon View environment if you can support the higher security requirements.
2) Backup your locked.properties file on each of your Servers. This can be found in install_directory\VMware\VMware View\Server\sslgateway\conf\
3) Take a backup of the View ADAM DB (KB for Backup Process Click Here)
4) Check TLS 1.2 compliance for all your client types and versions. I can not stress this one more if you make the changes and one of your client types will not support TLS 1.2 those users will not be able to connect to your Horizon View Environment.
5) (Optional) Test all the changes in your devlopment Horizon View Environment before making the changes in production.
pae-ServerSSLSecureProtocols = \LIST:TLSv1.2
pae-ServerSSLCipherSuites attribute lists the cipher suites configured for the default global acceptance policy. Configure this setting based on cipher suites that are supported by clients.
pae-ServerSSLCipherSuites = \LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
pae-ClientSSLSecureProtocols = \LIST:TLSv1.2
pae-ClientSSLCipherSuites attribute lists the cipher suites configured for the default global proposal policy. Configure this setting based on cipher suites that are supported by clients.
pae-ClientSSLCipherSuites = \LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
Note: After making the changes listed above for the pae-ServerSSLSecureProtocols you must restart VMware Horizon View Security Gateway service on each connection server instance and security servers.
For security protocls you add a secureProtocols.n entry for each security protocol that you want to configure. Use the following
syntax: secureProtocols.n=security protocol.
For cipher suites you add an enabledCipherSuite.n entry for each cipher suite that you want to configure. Use the following
syntax: enabledCipherSuite.n=cipher suite.
The variable n is used as an integer for each entry created for the property
The locked.properties file will look like the example below to set TLS 1.2 only.
# The following list should be ordered with the latest protocol first:
secureProtocols.1=TLSv1.2
# This setting must be the latest protocol given in the list above:
preferredSecureProtocol=TLSv1.2
# The order of the following list is unimportant:
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.3=TLS_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.4=TLS_RSA_WITH_AES_128_CBC_SHA
Note: After saving the file you must restart the VMware Horizon View Connection Server service or VMware Horizon Security Server service to apply the changes made.
1) On your gold image template for your view desktops open the windows registry editor.
2) locate the HKLM\Software\Vmware, Inc.\VMware VDM\Agent\Configuration registry key.
3) Add new string value of ClientSSLSecureProtocls
4) Configure the value to a list of ciphers suites for TLS 1.2 the value will look like \LIST:TLSv1.2
5) Add new string value of ClientSSLCipherSuites
6) Configure the value to a list of cipher suites in the following format \LIST:cipher_suite_1,cipher_suite_2,....
Note: This list should be in order of preference, with the first one listed being the primary and so on.
\LIST:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
7) After make the changes recompose your desktop pool.
1) on the connection server or security server edit the file install_directory\VMware\VMware View\Server\appblastgateway\absg.properties
2) Set the values for localHttpsProtocolLow and localHttpsProtocolHigh both to TLS 1.2
localHttpsProtocolLow=tls1.2
localHttpsProtocolHigh=tls1.2
3) Restart Vmware Horizon View Blast Secure Gateway service
2) locate the HKLM\Software\Teradici\SecurityGateway registry key.
3) Modify the SSLProtocol string value to tls1.2
GPO:
1. Import the View PCoIP Server Session Variables GPO from the pcoip.admx file
2. In the Group Policy Management Editor, navigate to Computer Configuration > Administrative Templates > PCoIP Session Variables > Overridable Administrator Defaults.
3. Edit the Configure SSL protocols policy setting.
Registry:
1) On your gold image template for your view desktops open the windows registry editor.
2) locate the HKLM\Software\Teradici\PCoIP\pcoip_admin registry key.
3) Modify the pcoip.ssl_protocol string value to tls1.2
4) After make the changes recompose your desktop pool.
2) Under advanced settings select system configuration
3) set TLS 1.0 and 1.1 values to no and TLS 1.2 value to yes
Prerequisites:
1) Create backups of your servers using your desired backup tool.2) Backup your locked.properties file on each of your Servers. This can be found in install_directory\VMware\VMware View\Server\sslgateway\conf\
3) Take a backup of the View ADAM DB (KB for Backup Process Click Here)
4) Check TLS 1.2 compliance for all your client types and versions. I can not stress this one more if you make the changes and one of your client types will not support TLS 1.2 those users will not be able to connect to your Horizon View Environment.
5) (Optional) Test all the changes in your devlopment Horizon View Environment before making the changes in production.
Configuring Security Protocols and Cipher Suites on View Connection Server and Security Servers
The process to do this is the same for both a Horizon View Connection Server and a Security Server. We will first review the process of setting up the default global policies. Then how to apply the settings on a individual server. Finally how to configure the view agent on the desktops.Configuring Default Global Policies:
To configure the default global policies this process is done in the View ADAM DB. For those that don't know how to connect to the View ADAM DB Click Here. Each policy is a single-valued attribute in the following View LDAP location: cn=common, ou=global, ou=properties, dc=vdi, dc=vmware, dc=int.Global Acceptance Policies:
pae-ServerSLLSecureProtocols attribute lists the security protocols configured for the default global acceptance policy. To configure this for TLS 1.2 only the attribute should look like this.pae-ServerSSLSecureProtocols = \LIST:TLSv1.2
pae-ServerSSLCipherSuites attribute lists the cipher suites configured for the default global acceptance policy. Configure this setting based on cipher suites that are supported by clients.
pae-ServerSSLCipherSuites = \LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
Global Proposal Policies:
pae-ClientSSLSecureProtocols attribute lists the security protocols configured for the default global proposal policy. To configure this for TLS 1.2 only the attribute should look like this.pae-ClientSSLSecureProtocols = \LIST:TLSv1.2
pae-ClientSSLCipherSuites attribute lists the cipher suites configured for the default global proposal policy. Configure this setting based on cipher suites that are supported by clients.
pae-ClientSSLCipherSuites = \LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
Note: After making the changes listed above for the pae-ServerSSLSecureProtocols you must restart VMware Horizon View Security Gateway service on each connection server instance and security servers.
Configuring Acceptance policies on Individual Servers:
To set acceptance policies on individual servers both connection servers and security servers you have to add properties to the locked.properties file on each server.For security protocls you add a secureProtocols.n entry for each security protocol that you want to configure. Use the following
syntax: secureProtocols.n=security protocol.
For cipher suites you add an enabledCipherSuite.n entry for each cipher suite that you want to configure. Use the following
syntax: enabledCipherSuite.n=cipher suite.
The variable n is used as an integer for each entry created for the property
The locked.properties file will look like the example below to set TLS 1.2 only.
# The following list should be ordered with the latest protocol first:
secureProtocols.1=TLSv1.2
# This setting must be the latest protocol given in the list above:
preferredSecureProtocol=TLSv1.2
# The order of the following list is unimportant:
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.3=TLS_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.4=TLS_RSA_WITH_AES_128_CBC_SHA
Note: After saving the file you must restart the VMware Horizon View Connection Server service or VMware Horizon Security Server service to apply the changes made.
Configuring Proposal Policies on View Desktops:
This setting controls the security of the message bus connections to the view connection server. Make sure the settings applied here match the view connection server settings or you will get a connection failure.1) On your gold image template for your view desktops open the windows registry editor.
2) locate the HKLM\Software\Vmware, Inc.\VMware VDM\Agent\Configuration registry key.
3) Add new string value of ClientSSLSecureProtocls
4) Configure the value to a list of ciphers suites for TLS 1.2 the value will look like \LIST:TLSv1.2
5) Add new string value of ClientSSLCipherSuites
6) Configure the value to a list of cipher suites in the following format \LIST:cipher_suite_1,cipher_suite_2,....
Note: This list should be in order of preference, with the first one listed being the primary and so on.
\LIST:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
7) After make the changes recompose your desktop pool.
Configuring Blast Secure Gateway (BSG) Security Protocols:
To configure the BSG with TLS 1.2 security protocols for the client-side listener you have to edit the absg.properties file on each Connection and Security server.1) on the connection server or security server edit the file install_directory\VMware\VMware View\Server\appblastgateway\absg.properties
2) Set the values for localHttpsProtocolLow and localHttpsProtocolHigh both to TLS 1.2
localHttpsProtocolLow=tls1.2
localHttpsProtocolHigh=tls1.2
3) Restart Vmware Horizon View Blast Secure Gateway service
Configuring PCoIP Security Protocols:
Horizon 7 includes PCoIP components to move to a full TLS 1.2 compliant environment you also need to address the security protocols used by PCoIP for all components. for more information see VMware KB 2130798Horizon Connection Server or Security Server:
1) On Horizon Connection server or Security Server open the windows registry editor.2) locate the HKLM\Software\Teradici\SecurityGateway registry key.
3) Modify the SSLProtocol string value to tls1.2
Windows VDI Desktops or RDS Host:
You have 2 options to set this value you can use a GPO or registry setting.GPO:
1. Import the View PCoIP Server Session Variables GPO from the pcoip.admx file
2. In the Group Policy Management Editor, navigate to Computer Configuration > Administrative Templates > PCoIP Session Variables > Overridable Administrator Defaults.
3. Edit the Configure SSL protocols policy setting.
1) On your gold image template for your view desktops open the windows registry editor.
2) locate the HKLM\Software\Teradici\PCoIP\pcoip_admin registry key.
3) Modify the pcoip.ssl_protocol string value to tls1.2
4) After make the changes recompose your desktop pool.
Configuring Horizon Access Point Security Protocols:
1) Access admin page of access point https://FQDN:9443/admin/index.html2) Under advanced settings select system configuration
3) set TLS 1.0 and 1.1 values to no and TLS 1.2 value to yes
hello, I want to ask you a question
ReplyDeleteWe are running horizon view 5.3 and recently built a new horizon 7.4 but found that version 7.4 has disabled TLS1.0 by default. We have older thin clients such as Wyse V10L that only use TLS1.0 and we can't upgrade firmware.
I've read a bunch of articles and have added TLS1.0 To our connection server using ADSI and used group policy setting for the clients but error message on older thin clients when connecting says tls1.0 not supported or not enabled, ssl bad header. We didn't add any ciphers to either group policy or AD and didn't know if we needed to, only added the TLS1.0.
you show how to strenghen security, I want to get the TLS1.0 Working for horizon 7.4 can you help. thanks
Hi Larry,
DeleteSo i would recommend trying to configuring your locked.properties file on your connection servers and security servers if you use them. The File is located in install folder of View (C:\Program Files\VMware\Vmware View\Server\SSLgateway\conf) If you do not have a locked.properties file i would create one. You will want to make sure you have supported Ciphers with the older clients also listed. I have found that to be a issue as well.
Example of what the file should look like:
secureProtocols.1=TLSv1.2
secureProtocols.1=TLSv1.1
secureProtocols.1=TLSv1
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.3=TLS_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.4=TLS_RSA_WITH_AES_128_CBC_SHA
thank you
ReplyDelete