Before you create Horizon FLEX virtual machines, make sure certificates are properly configured to ensure that end users can successfully download and use their virtual machines.

The following guidelines apply to ensure security and to enable end user clients to access the Horizon FLEX server:

  • VMware recommends that you use a certificate issued by a certificate authority (CA), such as Entrust or Go Daddy, or a trusted third-party certificate, on your Horizon FLEX server. If using a self-signed certificate or a certificate from an internal CA instead of a generally trusted certificate, you should ensure that the certificate is trusted on all end-user computers that will download and use Horizon FLEX virtual machines.

  • While not required, creating a trusted certificates list in a source virtual machine enables certificate authorization with increased security on the end client host.

  • Using self-signed or internal CA signed certificates might be less secure than using trusted certificates. If the certificate chain that verifies the secure connection to the Horizon FLEX server cannot be processed on the client's host, the client user receives the Invalid Security Certificate message. The client user must then select the Always Trust this host checkbox and click Connect Anyway when first connecting to the Horizon FLEX server. Allowing client users to select this option provides reduced security than other authorization methods.

    However, if you embed a self-signed or internal CA signed certificate into the source virtual machine, then you have total control of certificate flow, ensuring greater security.

For information about setting up certificates in Mirage for the Horizon FLEX Server, see the Mirage documentation at https://www.vmware.com/support/pubs/mirage_pubs.html.