Security

4 Restart the VMware Horizon View Connection Server service or VMware Horizon View Security Server
service to make your changes take effect.
Example: Default Acceptance Policies on an Individual Server
The following example shows the entries in the locked.properties file that are needed to specify the default
policies:
# The following list should be ordered with the latest protocol first:
secureProtocols.1=TLSv1.1
secureProtocols.2=TLSv1
secureProtocols.3=SSLv2Hello
# This setting must be the latest protocol given in the list above:
preferredSecureProtocol=TLSv1.1
# The order of the following list is unimportant:
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.2=TLS_DHE_DSS_WITH_AES_128_CBC_SHA
enabledCipherSuite.3=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.4=TLS_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.5=SSL_RSA_WITH_RC4_128_SHA
Internet Engineering Task Force Standards
View Connection Server and security server comply with certain Internet Engineering Task Force (IETF)
Standards.
- RFC 5746 Transport Layer Security (TLS) – Renegotiation Indication Extension, also known as secure
  renegotiation, is enabled by default.
- RFC 6797 HTTP Strict Transport Security (HSTS), also known as transport security, is enabled by
  default.
- RFC 7034 HTTP Header Field X-Frame-Options, also known as counter clickjacking, is disabled by
  default. You can enable it by adding the entry x-frame-options=<options> to the file
  locked.properties. For information on how to add properties to the file locked.properties, see
  “Configure Acceptance Policies on Individual View Servers,” on page 24. The parameter <options> can
  have one of the following values, which are case-sensitive:
  - OFF - Disable counter clickjacking (default).
  - DENY - Do not use frames.
  - SAMEORIGIN - Do not use foreign frames.
  - ALLOW-FROM <URL> - Do not use foreign frames except <URL>, where <URL> specifies an additional
    trusted origin.
For more information on RFC 7034, see http://tools.ietf.org/html/rfc7034.
NOTE Counter clickjacking will prevent the proper operation of HTML Access when using a Blast
Secure Gateway (BSG), which is why it is not enabled by default.
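
The rules stated above for locked.properties (protocol list ordered latest first, preferredSecureProtocol equal to the latest listed protocol, case-sensitive x-frame-options values) can be checked before the service is restarted. The following Python check is an added example, not VMware code; the function names, the protocol ranking table and the sample input are assumptions of this example.

```python
import re

# Oldest-to-newest rank of JSSE protocol names (this table is the example's assumption).
RANK = {"SSLv2Hello": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4}
# Case-sensitive x-frame-options values from the list above.
XFO_RE = re.compile(r"OFF|DENY|SAMEORIGIN|ALLOW-FROM \S+")

def parse_properties(text):
    """Return {key: value} for the non-comment key=value lines."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def numbered(props, prefix):
    """Values of prefix.1, prefix.2, ... sorted by their numeric index."""
    hits = [(int(k.rsplit(".", 1)[1]), v) for k, v in props.items()
            if re.fullmatch(re.escape(prefix) + r"\.\d+", k)]
    return [v for _, v in sorted(hits)]

def check_locked_properties(text):
    """Return a list of findings; an empty list means every rule holds."""
    props, findings = parse_properties(text), []
    protocols = numbered(props, "secureProtocols")
    unknown = [p for p in protocols if p not in RANK]
    if unknown:
        findings.append("unknown protocol: " + ", ".join(unknown))
    elif protocols:
        ranks = [RANK[p] for p in protocols]
        if ranks != sorted(ranks, reverse=True):
            findings.append("secureProtocols not ordered latest first")
        latest = max(protocols, key=RANK.get)
        if props.get("preferredSecureProtocol") != latest:
            findings.append("preferredSecureProtocol must be " + latest)
    xfo = props.get("x-frame-options")
    if xfo is not None and not XFO_RE.fullmatch(xfo):
        findings.append("invalid x-frame-options value: " + xfo)
    return findings

# Constructed sample: wrong order, stale preferred protocol, lowercase option.
SAMPLE = """secureProtocols.1=TLSv1
secureProtocols.2=TLSv1.1
preferredSecureProtocol=TLSv1
x-frame-options=deny
"""

if __name__ == "__main__":
    print("\n".join(check_locked_properties(SAMPLE)))
```

The default entries shown in the example earlier on this page produce no findings.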
Chapter 1 View Security Reference
VMware, Inc. 25