View includes several settings that you can use to adjust the security of the configuration. You can access the settings by using View Administrator, by editing group profiles, or by using the ADSI Edit utility, as appropriate.

Security-Related Global Settings in View Administrator

Security-related global settings for client sessions and connections are accessible under View Configuration > Global Settings in View Administrator.

Table 1. Security-Related Global Settings

Setting

Description

Change data recovery password

The password is required when you restore the View LDAP configuration from an encrypted backup.

When you install View Connection Server version 5.1 or later, you provide a data recovery password. After installation, you can change this password in View Administrator.

When you back up View Connection Server, the View LDAP configuration is exported as encrypted LDIF data. To restore the encrypted backup with the vdmimport utility, you must provide the data recovery password. The password must contain between 1 and 128 characters. Follow your organization's best practices for generating secure passwords.

Message security mode

Determines if signing and verification of the JMS messages passed between View components takes place.

If set to Disabled, message security mode is disabled.

If set to Enabled, View components reject unsigned messages.

If set to Mixed, message security mode is enabled, but not enforced for View components that predate View Manager 3.0.

The default setting is Enabled for new installations.

Reauthenticate secure tunnel connections after network interruption

Determines if user credentials must be reauthenticated after a network interruption when Horizon Clients use secure tunnel connections to View desktops and applications.

This setting offers increased security. For example, if a laptop is stolen and moved to a different network, the user cannot automatically gain access to the View desktops and applications because the network connection was temporarily interrupted.

This setting is enabled by default.

Forcibly disconnect users

Disconnects all desktops and applications after the specified number of minutes has passed since the user logged in to View. All desktops and applications will be disconnected at the same time regardless of when the user opened them.

The default is 600 minutes.

For clients that support applications:

If the user stops using the keyboard and mouse, disconnect their applications and discard SSO credentials

Protects application sessions when there is no keyboard or mouse activity on the client device. If set to After ... minutes, View disconnects all applications and discards SSO credentials after the specified number of minutes without user activity. Desktop sessions are disconnected. Users must log in again to reconnect to the applications that were disconnected or launch a new desktop or application.

If set to Never, View never disconnects applications or discards SSO credentials due to user inactivity.

The default is Never.

For other clients:

Discard SSO credentials

Discards the SSO credentials after a certain time period. This setting is for clients that do not support application remoting. If set to After ... minutes, users must log in again to connect to a desktop after the specified number of minutes has passed since the user logged in to View, regardless of any user activity on the client device.

The default is After 15 minutes.

Enable IPSec for Security Server pairing

Determines whether to use Internet Protocol Security (IPSec) for connections between security servers and View Connection Server instances.

By default, IPSec for security server connections is enabled.

View Administrator session timeout

Determines how long an idle View Administrator session continues before the session times out.

Important:

Setting the View Administrator session timeout to a high number of minutes increases the risk of unauthorized use of View Administrator. Use caution when you allow an idle session to persist a long time.

By default, the View Administrator session timeout is 30 minutes. You can set a session timeout from 1 to 4320 minutes.

For more information about these settings and their security implications, see the View Administration document.

Note:

SSL is required for all Horizon Client connections and View Administrator connections to View. If your View deployment uses load balancers or other client-facing, intermediate servers, you can off-load SSL to them and then configure non-SSL connections on individual View Connection Server instances and security servers. See "Off-load SSL Connections to Intermediate Servers" in the View Administration document.

Security-Related Server Settings in View Administrator

Security-related server settings are accessible under View Configuration > Servers in View Administrator.

Table 2. Security-Related Server Settings

Setting

Description

Use PCoIP Secure Gateway for PCoIP connections to machine

Determines whether Horizon Client makes a further secure connection to the View Connection Server or security server host when users connect to View desktops and applications with the PCoIP display protocol.

If this setting is disabled, the desktop or application session is established directly between the client and the View desktop or the Remote Desktop Services (RDS) host, bypassing the View Connection Server or security server host.

This setting is disabled by default.

Use Secure Tunnel connection to machine

Determines whether Horizon Client makes a further HTTPS connection to the View Connection Server or security server host when users connect to a View desktop or an application.

If this setting is disabled, the desktop or application session is established directly between the client and the View desktop or the Remote Desktop Services (RDS) host, bypassing the View Connection Server or security server host.

This setting is enabled by default.

Use Blast Secure Gateway for HTML Access to machine

Determines whether clients that use a Web browser to access desktops use Blast Secure Gateway to establish a secure tunnel to View Connection Server.

If not enabled, Web browsers make direct connections to View desktops, bypassing View Connection Server.

This setting is disabled by default.

For more information about these settings and their security implications, see the View Administration document.

Security-Related Settings in the View Agent Configuration Template

Security-related settings are provided in the ADM template file for View Agent (vdm_agent.adm). Unless noted otherwise, the settings include only a Computer Configuration setting.

Security Settings are stored in the registry on the guest machine under HKLM\Software\Policies\VMware, Inc.\VMware VDM\Agent\Configuration.

Table 3. Security-Related Settings in the View Agent Configuration Template

Setting

Registry Value Name

Description

AllowDirectRDP

AllowDirectRDP

Determines whether non-Horizon Clients can connect directly to View desktops with RDP. When this setting is disabled, View Agent permits only View-managed connections through Horizon Client.

By default, while a user is logged in to a View desktop session, you can use RDP to connect to the virtual machine from outside of View. The RDP connection terminates the View desktop session, and the View user's unsaved data and settings might be lost. The View user cannot log in to the desktop until the external RDP connection is closed. To avoid this situation, disable the AllowDirectRDP setting.

Important:

For View to operate correctly, the Windows Remote Desktop Services service must be running on the guest operating system of each desktop. You can use this setting to prevent users from making direct RDP connections to their desktops.

This setting is enabled by default.

AllowSingleSignon

AllowSingleSignon

Determines whether single sign-on (SSO) is used to connect users to desktops and applications. When this setting is enabled, users are required to enter only their credentials when connecting with Horizon Client. When it is disabled, users must reauthenticate when the remote connection is made.

This setting is enabled by default.

CommandsToRunOnConnect

CommandsToRunOnConnect

Specifies a list of commands or command scripts to be run when a session is connected for the first time.

No list is specified by default.

CommandsToRunOnReconnect

CommandsToRunOnReconnect

Specifies a list of commands or command scripts to be run when a session is reconnected after a disconnect.

No list is specified by default.

CommandsToRunOnDisconnect

CommandsToRunOnDisconnect

Specifies a list of commands or command scripts to be run when a session is disconnected.

No list is specified by default.

ConnectionTicketTimeout

VdmConnectionTicketTimeout

Specifies the amount of time in seconds that the View connection ticket is valid.

If this setting is not configured, the default timeout period is 120 seconds.

CredentialFilterExceptions

CredentialFilterExceptions

Specifies the executable files that are not allowed to load the agent CredentialFilter. Filenames must not include a path or suffix. Use a semicolon to separate multiple filenames.

No list is specified by default.

For more information about these settings and their security implications, see the View Administration document.
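The View Agent settings above live in one registry key, so they can be audited from inside the guest without opening the Group Policy editor. The following PowerShell is an added example, not code from the original page or from VMware: it reads the policy key named above and flags the values a reviewer would question, namely AllowDirectRDP left enabled, any populated CommandsToRunOn* list (these commands run at session events on every desktop, so their contents deserve the same scrutiny as a logon script), a connection-ticket lifetime longer than the 120-second default, and CredentialFilterExceptions entries that contain a path or suffix. The value names are the registry value names from the table; the assumption that the boolean settings are stored as REG_DWORD 1/0 and the lists as strings is mine.

```powershell
# Added example: audit View Agent security settings on a guest desktop (run elevated inside the VM).
# Assumption: ADM-template booleans are stored as REG_DWORD 1/0 and the lists as REG_SZ.
$AgentKey = 'HKLM:\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Agent\Configuration'

function Get-ViewAgentSecuritySetting {
    param([string]$Key = $AgentKey)
    $props = $null
    if (Test-Path -LiteralPath $Key) {
        $props = Get-ItemProperty -LiteralPath $Key
    } else {
        Write-Warning "Policy key not present: $Key (every setting is at its default)"
    }
    # Read one value, falling back to the documented default when it is not configured.
    $read = {
        param($name, $default)
        if ($null -ne $props -and $null -ne $props.PSObject.Properties[$name]) { $props.$name } else { $default }
    }
    [pscustomobject]@{
        AllowDirectRDP             = & $read 'AllowDirectRDP' 1            # default: enabled
        AllowSingleSignon          = & $read 'AllowSingleSignon' 1         # default: enabled
        VdmConnectionTicketTimeout = & $read 'VdmConnectionTicketTimeout' 120
        CredentialFilterExceptions = & $read 'CredentialFilterExceptions' ''
        CommandsToRunOnConnect     = & $read 'CommandsToRunOnConnect' ''
        CommandsToRunOnReconnect   = & $read 'CommandsToRunOnReconnect' ''
        CommandsToRunOnDisconnect  = & $read 'CommandsToRunOnDisconnect' ''
    }
}

function Test-ViewAgentSecuritySetting {
    param([Parameter(Mandatory)]$Settings)
    $findings = @()
    if ([int]$Settings.AllowDirectRDP -ne 0) {
        $findings += 'AllowDirectRDP is enabled: an RDP client outside View can connect and terminate the user''s View session. Set it to 0.'
    }
    if ([int]$Settings.VdmConnectionTicketTimeout -gt 120) {
        $findings += "VdmConnectionTicketTimeout is $($Settings.VdmConnectionTicketTimeout)s (default 120): a captured connection ticket stays usable longer."
    }
    foreach ($name in 'CommandsToRunOnConnect', 'CommandsToRunOnReconnect', 'CommandsToRunOnDisconnect') {
        $cmds = [string]$Settings.$name
        if ($cmds.Trim()) {
            $findings += "$name runs at session events: review '$cmds' as you would a logon script."
        }
    }
    foreach ($exe in ([string]$Settings.CredentialFilterExceptions -split ';' | Where-Object { $_ })) {
        if ($exe -match '[\\/.]') {
            $findings += "CredentialFilterExceptions entry '$exe' contains a path or suffix; entries must be bare filenames."
        }
    }
    return $findings
}

$settings = Get-ViewAgentSecuritySetting
$settings | Format-List
$findings = Test-ViewAgentSecuritySetting -Settings $settings
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings.' }
```

Run it on a gold image before it is published, and again on a deployed desktop: a populated CommandsToRunOn* value that was not put there by your own GPO is worth treating as an incident, because it executes in every user's session.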

Security Settings in the Horizon Client Configuration Template

Security-related settings are provided in the ADM template file for Horizon Client (vdm_client.adm). Except where noted, the settings include only a Computer Configuration setting. If a User Configuration setting is available and you define a value for it, it overrides the equivalent Computer Configuration setting.

Security Settings are stored in the registry on the host machine under HKLM\Software\Policies\VMware, Inc.\VMware VDM\Client\Security.

Table 4. Security Settings in the Horizon Client Configuration Template

Setting

Registry Value Name

Description

Allow command line credentials

AllowCmdLineCredentials

Determines whether user credentials can be provided with Horizon Client command line options. If this setting is disabled, the smartCardPIN and password options are not available when users run Horizon Client from the command line. Credentials passed on the command line can be recorded by process-creation auditing and by shell history, so disable this setting on shared client machines.

This setting is enabled by default.

Brokers Trusted For Delegation

BrokersTrustedForDelegation

Specifies the View Connection Server instances that accept the user identity and credential information that is passed when a user selects the Log in as current user check box. If you do not specify any View Connection Server instances, all View Connection Server instances accept this information.

To add a View Connection Server instance, use one of the following formats:

  • domain\system$

  • system$@domain.com

  • The Service Principal Name (SPN) of the View Connection Server service.

Certificate verification mode

CertCheckMode

Configures the level of certificate checking that is performed by Horizon Client. You can select one of these modes:

  • No Security. View does not perform certificate checking.

  • Warn But Allow. When the following server certificate issues occur, a warning is displayed, but the user can continue to connect to View Connection Server:

    • A self-signed certificate is provided by View. In this case, it is acceptable if the certificate name does not match the View Connection Server name provided by the user in Horizon Client.

    • On a zero client, certificate checking is not possible because the trust store is empty.

    If any other certificate error condition occurs, View displays an error dialog and prevents the user from connecting to View Connection Server.

  • Full Security. If any type of certificate error occurs, the user cannot connect to View Connection Server. View displays certificate errors to the user.

The default value is Warn But Allow.

Important:

The default value of Warn But Allow is to facilitate deployment and testing in a pre-production environment. Only Full Security is recommended for production use.

When this group policy setting is configured, users can view the selected certificate verification mode in Horizon Client but cannot configure the setting. The SSL configuration dialog box informs users that the administrator has locked the setting.

When this setting is not configured or disabled, Horizon Client users can configure SSL and select a certificate verification mode.

For Windows clients, if you do not want to configure this setting as a group policy, you can also enable certificate verification by adding the CertCheckMode value name to the following registry key on the client computer:

HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Client\Security

Use the following values in the registry key:

  • 0 implements No Security.

  • 1 implements Warn But Allow.

  • 2 implements Full Security.

If you configure both the group policy setting and the CertCheckMode setting in the registry key, the group policy setting takes precedence over the registry key value.
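Because a group policy value overrides the local registry value, the quickest way to find out what a given Windows client will actually enforce is to read both keys in that order. The following PowerShell is an added example, not code from the original page or from VMware: it resolves the effective certificate verification mode from the two keys named above, reports where the value came from and whether the user can change it in the client, and raises the local value to Full Security only when no policy value is present (a local write would be pointless otherwise, and the change belongs in the GPO). The key paths and value name come from the text; the helper names are mine.

```powershell
# Added example: resolve and harden CertCheckMode on a Windows client (run elevated on the client).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client\Security'
$LocalKey  = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Client\Security'
$ModeNames = @{ 0 = 'No Security'; 1 = 'Warn But Allow'; 2 = 'Full Security' }

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.PSObject.Properties[$Name]) { return $null }
    return [int]$item.$Name
}

function Get-ViewCertCheckMode {
    # Precedence from the documentation: group policy value, then local value, then the built-in default (1).
    $policy = Get-RegistryDword -Path $PolicyKey -Name 'CertCheckMode'
    $local  = Get-RegistryDword -Path $LocalKey  -Name 'CertCheckMode'
    switch ($true) {
        ($null -ne $policy) { $mode = $policy; $source = 'group policy (locked in the client UI)'; break }
        ($null -ne $local)  { $mode = $local;  $source = 'local registry (user may change it)';   break }
        default             { $mode = 1;       $source = 'built-in default (user may change it)' }
    }
    [pscustomobject]@{
        Mode       = $mode
        ModeName   = if ($ModeNames.ContainsKey($mode)) { $ModeNames[$mode] } else { "unknown ($mode)" }
        Source     = $source
        Production = ($mode -eq 2)   # only Full Security is recommended for production
    }
}

function Set-ViewCertCheckModeFullSecurity {
    # Writes CertCheckMode=2 to the local key. Refuses when a policy value exists, because the
    # policy value wins anyway and the change must be made in the GPO instead.
    if ($null -ne (Get-RegistryDword -Path $PolicyKey -Name 'CertCheckMode')) {
        throw "CertCheckMode is set by group policy under $PolicyKey; change it there."
    }
    if (-not (Test-Path -LiteralPath $LocalKey)) { New-Item -Path $LocalKey -Force | Out-Null }
    New-ItemProperty -LiteralPath $LocalKey -Name 'CertCheckMode' -PropertyType DWord -Value 2 -Force | Out-Null
    return Get-ViewCertCheckMode
}

$state = Get-ViewCertCheckMode
$state | Format-List
if (-not $state.Production) {
    Write-Warning "Effective mode is '$($state.ModeName)' from $($state.Source); only Full Security is recommended for production."
    # Uncomment to enforce locally on an unmanaged client:
    # Set-ViewCertCheckModeFullSecurity | Format-List
}
```

Note that the local key is the one a user can also change through the client's SSL configuration dialog, so on unmanaged machines the effective mode should be rechecked periodically; on domain-joined machines, set the group policy and let it lock the dialog.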

Default value of the 'Log in as current user' checkbox

LogInAsCurrentUser

Specifies the default value of the Log in as current user check box on the Horizon Client connection dialog box.

This setting overrides the default value specified during Horizon Client installation.

If a user runs Horizon Client from the command line and specifies the logInAsCurrentUser option, that value overrides this setting.

When the Log in as current user check box is selected, the identity and credential information that the user provided when logging in to the client system is passed to the View Connection Server instance and ultimately to the View desktop or application. When the check box is deselected, users must provide identity and credential information multiple times before they can access a View desktop or application.

A User Configuration setting is available in addition to the Computer Configuration setting.

These settings are disabled by default.

Display option to Log in as current user

LogInAsCurrentUser_Display

Determines whether the Log in as current user check box is visible on the Horizon Client connection dialog box.

When the check box is visible, users can select or deselect it and override its default value. When the check box is hidden, users cannot override its default value from the Horizon Client connection dialog box.

You can specify the default value for the Log in as current user check box by using the policy setting Default value of the 'Log in as current user' checkbox.

A User Configuration setting is available in addition to the Computer Configuration setting.

These settings are enabled by default.

Enable jump list integration

EnableJumplist

Determines whether a jump list appears in the Horizon Client icon on the taskbar of Windows 7 and later systems. The jump list lets users connect to recent View Connection Server instances and View desktops and applications.

If Horizon Client is shared, you might not want users to see the names of recent desktops and applications. You can disable the jump list by disabling this setting.

This setting is enabled by default.

Enable Single Sign-On for smart card authentication

EnableSmartCardSSO

Determines whether single sign-on is enabled for smart card authentication. When single sign-on is enabled, Horizon Client stores the encrypted smart card PIN in temporary memory before submitting it to View Connection Server. When single sign-on is disabled, Horizon Client does not display a custom PIN dialog.

This setting is disabled by default.

Ignore bad SSL certificate date received from the server

IgnoreCertDateInvalid

Determines whether errors that are associated with invalid server certificate dates are ignored. These errors occur when a server sends a certificate with a date that has passed.

This setting is enabled by default.

This setting applies to View 4.6 and earlier releases only.

Ignore certificate revocation problems

IgnoreRevocation

Determines whether errors that are associated with a revoked server certificate are ignored. These errors occur when the server sends a certificate that has been revoked and when the client cannot verify a certificate's revocation status.

This setting is disabled by default.

This setting applies to View 4.6 and earlier releases only.

Ignore incorrect SSL certificate common name (host name field)

IgnoreCertCnInvalid

Determines whether errors that are associated with incorrect server certificate common names are ignored. These errors occur when the common name on the certificate does not match the hostname of the server that sends it.

This setting is disabled by default.

This setting applies to View 4.6 and earlier releases only.

Ignore incorrect usage problems

IgnoreWrongUsage

Determines whether errors that are associated with incorrect usage of a server certificate are ignored. These errors occur when the server sends a certificate that is intended for a purpose other than verifying the identity of the sender and encrypting server communications.

This setting is disabled by default.

This setting applies to View 4.6 and earlier releases only.

Ignore unknown certificate authority problems

IgnoreUnknownCa

Determines whether errors that are associated with an unknown Certificate Authority (CA) on the server certificate are ignored. These errors occur when the server sends a certificate that is signed by an untrusted third-party CA.

This setting is disabled by default.

This setting applies to View 4.6 and earlier releases only.

EnableTicketSSLAuth

EnableTicketSSLAuth

Enables the SSL-encrypted framework channel between Horizon Client and the desktop. This setting can have the following values:

  • Enable: Enable SSL, allow fallback to desktops with no SSL support.

  • Disable: Disable SSL.

  • Enforce: Enable SSL, refuse to connect to desktops with no SSL support.

The default value is Enable.

SSLCipherList

SSLCipherList

Configures the cipher list that restricts which cryptographic algorithms and protocols Horizon Client will accept before it establishes an encrypted SSL connection. The value uses OpenSSL cipher-list syntax.

The default value is 'SSLv3:TLSv1:TLSv1.1:AES:!aNULL:@STRENGTH'. That means: SSL v3.0, TLS v1.0 and TLS v1.1 are enabled (SSL v2.0 and TLS v1.2 are disabled). SSL v3.0 has been deprecated by the IETF (RFC 7568) because of design flaws in its CBC padding, so in any deployment that still carries this default, remove the SSLv3 token and confirm against the documentation for your release that the rewritten list is accepted by the client.
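The value is easier to review as tokens than as one string. The following PowerShell is an added example, not code from the original page or from VMware: it parses the cipher list using the general OpenSSL cipher-list conventions (':' separates tokens; '!' marks a permanent exclusion, '-' a removal, '+' a deferral, '@' an ordering directive), reports which protocol groups remain enabled, and produces a copy with the SSLv3 token dropped while preserving the exclusions and the @STRENGTH directive in their original order. The assumption that the value is a REG_SZ named SSLCipherList under the Security policy key shown above is mine, as is the list of protocol group names it recognises; whether a given rewritten list is accepted by your client release is something to verify, not something this script checks.

```powershell
# Added example: inspect Horizon Client's SSLCipherList and derive a copy without SSLv3.
# Assumption: the value is REG_SZ 'SSLCipherList' under the client Security policy key.
$PolicyKey         = 'HKLM:\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client\Security'
$DefaultCipherList = 'SSLv3:TLSv1:TLSv1.1:AES:!aNULL:@STRENGTH'
$ProtocolGroups    = 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'   # assumed group names

function ConvertFrom-CipherList {
    # Splits an OpenSSL-style cipher list into tokens tagged by the operator that prefixes them.
    param([string]$List)
    foreach ($token in ($List -split ':' | Where-Object { $_ })) {
        $kind = switch -regex ($token) {
            '^!'  { 'exclude';   break }   # never use, even if a later token includes it
            '^-'  { 'remove';    break }   # remove, may be re-added later
            '^\+' { 'defer';     break }   # move matching suites to the end
            '^@'  { 'directive'; break }   # e.g. @STRENGTH sorts by key length
            default { 'include' }
        }
        [pscustomobject]@{ Token = $token; Name = $token.TrimStart('!-+@'); Kind = $kind }
    }
}

function Get-EnabledProtocolGroup {
    param([string]$List)
    $parsed   = ConvertFrom-CipherList $List
    $excluded = $parsed | Where-Object { $_.Kind -in 'exclude', 'remove' } | ForEach-Object Name
    $parsed | Where-Object { $_.Kind -eq 'include' -and $_.Name -in $ProtocolGroups -and $_.Name -notin $excluded } |
        ForEach-Object Name
}

function Remove-CipherListGroup {
    # Drops one inclusion token (e.g. SSLv3) and keeps every other token in its original order.
    param([string]$List, [string]$Group)
    $kept = ConvertFrom-CipherList $List |
        Where-Object { -not ($_.Kind -eq 'include' -and $_.Name -eq $Group) } |
        ForEach-Object Token
    return ($kept -join ':')
}

$current = (Get-ItemProperty -LiteralPath $PolicyKey -ErrorAction SilentlyContinue).SSLCipherList
if (-not $current) { $current = $DefaultCipherList }   # not configured: the client uses the default
"Current list:            $current"
"Enabled protocol groups: $((Get-EnabledProtocolGroup $current) -join ', ')"
if ((Get-EnabledProtocolGroup $current) -contains 'SSLv3') {
    $hardened = Remove-CipherListGroup -List $current -Group 'SSLv3'
    Write-Warning "SSLv3 is enabled. Candidate replacement for the GPO setting: $hardened"
}
```

Put the replacement into the SSLCipherList group policy setting rather than writing it to the Policies key by hand; a hand-written value under Policies is overwritten at the next Group Policy refresh wherever the vdm_client.adm setting is applied.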

For more information about these settings and their security implications, see the View Administration document.

Security-Related Settings in the Scripting Definitions Section of the Horizon Client Configuration Template

Security-related settings are provided in the Scripting Definitions section of the ADM template file for Horizon Client (vdm_client.adm). Unless noted otherwise, the settings include both a Computer Configuration setting and a User Configuration setting. If you define a User Configuration setting, it overrides the equivalent Computer Configuration setting.

Settings for Scripting Definitions are stored in the registry on the host machine under HKLM\Software\Policies\VMware, Inc.\VMware VDM\Client.

Table 5. Security-Related Settings in the Scripting Definitions Section

Setting

Registry Value Name

Description

Connect all USB devices to the desktop on launch

connectUSBOnStartup

Determines whether all of the available USB devices on the client system are connected to the desktop when the desktop is launched.

This setting is disabled by default.

Connect all USB devices to the desktop when they are plugged in

connectUSBOnInsert

Determines whether USB devices are connected to the desktop when they are plugged in to the client system.

This setting is disabled by default.

Logon Password

Password

Specifies the password that Horizon Client uses during login. The password is stored in plain text by Active Directory, so anyone who can read the policy can read the password. Treat any account whose password is delivered this way as shared with every reader of that policy, and never use it for a privileged account.

This setting is undefined by default.

For more information about these settings and their security implications, see the View Administration document.

Security-Related Settings in View LDAP

Security-related settings are provided in View LDAP under the object path cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int. You can use the ADSI Edit utility to change the value of these settings on a View Connection Server instance. The change propagates automatically to all other View Connection Server instances in a group.

Table 6. Security-Related Settings in View LDAP

Name-value pair

Attribute

Description

cs-allowunencryptedstartsession

pae-NameValuePair

This attribute controls whether a secure channel is required between a View Connection Server instance and a desktop when a remote user session is being started.

When View Agent 5.1 or later is installed on a desktop computer, this attribute has no effect and a secure channel is always required. When a View Agent older than View 5.1 is installed, a secure channel cannot be established if the desktop computer is not a member of a domain with a two-way trust to the domain of the View Connection Server instance. In this case, the attribute is important to determine whether a remote user session can be started without a secure channel.

In all cases, user credentials and authorization tickets are protected by a static key. A secure channel provides further assurance of confidentiality by using dynamic keys.

If set to 0, a remote user session will not start if a secure channel cannot be established. This setting is suitable if all the desktops are in trusted domains or all desktops have View Agent 5.1 or later installed.

If set to 1, a remote user session can be started even if a secure channel cannot be established. This setting is suitable if some desktops have older View Agents installed and are not in trusted domains.

The default setting is 1.
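Editing View LDAP in ADSI Edit is easy to get wrong on a multi-valued attribute, because the other name-value pairs on the same object must survive the edit. The following PowerShell is an added example, not code from the original page or from VMware: it reads the current value of cs-allowunencryptedstartsession from the pae-NameValuePair attribute of the object path given above, and sets it to 0 while leaving every other pair on the object untouched, then reads the value back through a fresh bind to confirm what the server stored. The assumptions are mine: that it runs on a View Connection Server whose View LDAP (AD LDS) instance answers on localhost port 389, that the setting is held as one "name=value" string among the values of pae-NameValuePair, and that the account running it may write to View LDAP. Take a View LDAP backup (vdmexport) before running the write.

```powershell
# Added example: read and set cs-allowunencryptedstartsession in View LDAP from PowerShell.
# Assumptions: run on a View Connection Server; View LDAP listens on localhost:389; the setting is one
# "name=value" string in the multi-valued pae-NameValuePair attribute. Back up View LDAP first.
$ViewLdapPath = 'LDAP://localhost:389/cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int'
$Attribute    = 'pae-NameValuePair'

function Get-ViewNameValuePair {
    param([Parameter(Mandatory)][string]$Name, [string]$Path = $ViewLdapPath)
    $entry  = [ADSI]$Path
    $prefix = "^$([regex]::Escape($Name))="
    $pair = @($entry.psbase.Properties[$Attribute]) | Where-Object { $_ -match $prefix } | Select-Object -First 1
    if ($null -eq $pair) { return $null }                 # not set: the documented default (1) applies
    return ($pair -split '=', 2)[1]
}

function Set-ViewNameValuePair {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Value, [string]$Path = $ViewLdapPath)
    $entry  = [ADSI]$Path
    $prefix = "^$([regex]::Escape($Name))="
    # Keep every other pair exactly as it is; replace (or add) only the one being configured.
    $others = @($entry.psbase.Properties[$Attribute]) | Where-Object { $_ -notmatch $prefix }
    $entry.psbase.Properties[$Attribute].Clear()
    foreach ($p in $others) { [void]$entry.psbase.Properties[$Attribute].Add([string]$p) }
    [void]$entry.psbase.Properties[$Attribute].Add("$Name=$Value")
    $entry.psbase.CommitChanges()
    # Verify through a fresh bind so we see what the server stored, not the cached entry.
    return Get-ViewNameValuePair -Name $Name -Path $Path
}

$setting = 'cs-allowunencryptedstartsession'
$current = Get-ViewNameValuePair -Name $setting
"$setting is currently: $(if ($null -eq $current) { '(not set, defaults to 1)' } else { $current })"

# Require a secure channel once every desktop runs View Agent 5.1 or later or is in a trusted domain.
$after = Set-ViewNameValuePair -Name $setting -Value '0'
if ($after -ne '0') { throw "Write did not take effect; value read back: $after" }
"$setting is now: $after"
```

Because the change replicates to every View Connection Server in the group, run it once and verify on a second instance in the group; if any desktop still runs a View Agent older than 5.1 outside a trusted domain, its sessions will stop starting as soon as the value is 0.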