To achieve greater security, you can ensure that SSL/TLS communications between Horizon Clients and virtual machine-based desktops or RDS hosts do not allow weak ciphers.
About this task
The configuration for disabling weak ciphers is stored in the Windows registry. Changes to these settings must be made on all machines that run View Agent Direct-Connection Plug-In.
These settings affect all use of SSL/TLS on the operating system.
Both SSL 3.0 and TLS 1.0 (RFC 2246) with INTERNET-DRAFT 56-bit Export Cipher Suites For TLS draft-ietf-tls-56-bit-ciphersuites-00.txt provide options to use different cipher suites. Each cipher suite determines the key exchange, authentication, encryption, and MAC algorithms used within an SSL/TLS session.
You need to have experience editing Windows registry keys using the Regedt32.exe registry editor.
- Start Registry Editor Regedt32.exe, and locate this registry key:
- Make modifications to the registry.
\Hashes create a subkey
\Hashes\MD5 add a DWORD value
Enabled with a value of
The registry changes ensure that only the following ciphers are available:
TLSv1 256 bits AES256-SHA
TLSv1 128 bits AES128-SHA
TLSv1 168 bits DES-CBC3-SHA
TLSv1 128 bits RC4-SHA
If Horizon Client is not configured to support any cipher that is supported by the virtual desktop operating system, the TLS/SSL negotiation will fail and the client will be unable to connect.
For information on configuring supported cipher suites in Horizon Clients, refer to Horizon Client documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
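To confirm from a test machine that only the four ciphers listed above are accepted, each cipher can be offered on its own and the results compared with that list. The following Python is an added example, not VMware code; the host, port and candidate list passed to `scan` are assumptions supplied by the caller, and certificate validation is deliberately skipped because only cipher acceptance is being checked.

```python
import socket
import ssl

# The four ciphers the page lists as remaining available (OpenSSL names).
PAGE_CIPHERS = ("AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA")


def offerable(name):
    """True if this Python/OpenSSL build is able to offer the cipher at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(name)
    except ssl.SSLError:  # unknown to, or compiled out of, the local build
        return False
    return any(c["name"] == name for c in ctx.get_ciphers())


def probe(host, port, name, timeout=5.0):
    """Offer exactly one cipher. True/False = accepted/rejected, None = untestable."""
    if not offerable(name):
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # cipher audit only: the certificate
    ctx.verify_mode = ssl.CERT_NONE  # is not evaluated by this probe
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not govern TLS 1.3
    ctx.set_ciphers(name)
    with socket.create_connection((host, port), timeout=timeout) as raw:  # network errors propagate
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0] == name
        except (ssl.SSLError, ConnectionResetError):  # handshake refused
            return False


def audit(results, expected=PAGE_CIPHERS):
    """Compare probe results {cipher: True/False/None} with the expected list."""
    accepted = {c for c, ok in results.items() if ok}
    return {
        "unexpected": sorted(accepted - set(expected)),
        "missing": sorted(c for c in expected if results.get(c) is False),
        "untested": sorted(c for c in expected if results.get(c) is None),
        "client_can_connect": bool(accepted & set(expected)),
    }


def scan(host, port, candidates=PAGE_CIPHERS):
    """Probe each candidate against host:port (caller-supplied) and audit the result."""
    return audit({c: probe(host, port, c) for c in candidates})
```

Pass a wider candidate list to `scan` to detect ciphers that should have been disabled. An `untested` entry means the local OpenSSL build cannot offer that cipher, which is common for RC4 and 3DES on current builds.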