Security
Table Of Contents
- View Security
- Contents
- View Security
- View Accounts, Resources, and Log Files
- View Security Settings
- Ports and Services
- Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
- Default Global Policies for Security Protocols and Cipher Suites
- Configuring Global Acceptance and Proposal Policies
- Configure Acceptance Policies on Individual View Servers
- Configure Proposal Policies on View Desktops
- Internet Engineering Task Force Standards
- Older Protocols and Ciphers Disabled in View
- Reducing MIME Type Security Risks
- Mitigating Cross-Site Scripting Attacks
- Content Type Checking
- Origin Checking
- Configuring Security Protocols and Cipher Suites for Blast Secure Gateway
- Deploying USB Devices in a Secure View Environment
- Index
Table 3‑1. TCP and UDP Ports Used by View (Continued)
Source Port Target Port
Protoc
ol Description
View desktop * View
Connection
Server
instances
4002 TCP JMS SSL traffic.
View Composer
service
* ESXi host 902 TCP Used when View Composer customizes linked-
clone disks, including View Composer internal
disks and, if they are specified, persistent disks and
system disposable disks.
Notes and Caveats for TCP and UDP Ports Used by View
Connection attempts over HTTP are silently redirected to HTTPS, except for connection attempts to View
Administrator. HTTP redirection is not needed with more recent Horizon clients because they default to
HTTPS, but it is useful when your users connect with a Web browser, for example to download Horizon
Client.
The problem with HTTP redirection is that it is a non-secure protocol. If a user does not form the habit of
entering https:// in the address bar, an attacker can compromise the Web browser, install malware, or steal
credentials, even when the expected page is correctly displayed.
NOTE HTTP redirection for external connections can take place only if you configure your external firewall
to allow inbound traffic to TCP port 80.
Connection attempts over HTTP to View Administrator are not redirected. Instead, an error message is
returned indicating that you must use HTTPS.
To prevent redirection for all HTTP connection attempts, see "Prevent HTTP Redirection for Client
Connections to Connection Server" in the View Installation document.
Connections to port 80 of a View Connection Server instance or security server can also take place if you off-
load SSL client connections to an intermediate device. See "Off-load SSL Connections to Intermediate
Servers" in the View Administration document.
To allow HTTP redirection when the SSL port number was changed, see "Change the Port Number for
HTTP Redirection to Connection Server" in the View Installation document.
NOTE The UDP port number that clients use for PCoIP might change. If port 50002 is in use, the client will
pick 50003. If port 50003 is in use, the client will pick port 50004, and so on. You must configure firewall
with ANY where "Varies" is listed in the table.
Services on a View Connection Server Host
The operation of View depends on several services that run on a View Connection Server host.
Table 3‑2. View Connection Server Host Services
Service Name
Startup
Type Description
VMware Horizon 6
Blast Secure
Gateway
Automatic Provides secure HTML Access services. This service must be running if clients
connect to View Connection Server through the HTML Access Secure Gateway.
VMware Horizon 6
Connection Server
Automatic Provides connection broker services. This service must always be running. If you
start or stop this service, it also starts or stops the Framework, Message Bus,
Security Gateway, and Web services. This service does not start or stop the
VMwareVDMDS service or the VMware Horizon View Script Host service.
Chapter 3 Ports and Services
VMware, Inc. 21