You can set the message security mode to specify the security mechanism used when JMS messages pass among Horizon 7 components.
The following table shows the options you can select to configure the message security mode. To set an option, select it from the Message security mode list in the Global Settings dialog window.
Option | Description |
---|---|
Disabled | Message security mode is disabled. |
Mixed | Message security mode is enabled but not enforced. You can use this mode to detect components in your Horizon 7 environment that predate Horizon 7 3.0. The log files generated by Connection Server contain references to these components. This setting is not recommended. Use this setting only to discover components that need to be upgraded. |
Enabled | Message security mode is enabled, using a combination of message signing and encryption. JMS messages are rejected if the signature is missing or invalid, or if a message was modified after it was signed. Some JMS messages are encrypted because they carry sensitive information such as user credentials. If you use the Enabled setting, you can also use IPSec to encrypt all JMS messages between Connection Server instances, and between Connection Server instances and security servers.
Note:
Horizon 7 components that predate version 3.0 are not allowed to communicate with other
Horizon 7 components.
|
Enhanced | SSL is used for all JMS connections. JMS access control is also enabled so that desktops, security servers, and Connection Server instances can only send and receive JMS messages on certain topics. Horizon 7 components that predate Horizon 6 version 6.1 cannot communicate with a Connection Server 6.1 instance.
Note: Using this mode requires opening TCP port 4002 between DMZ-based security servers and their paired Connection Server instances.
|
When you first install Horizon 7 on a system, the message security mode is set to Enhanced. If you upgrade Horizon 7 from a previous release, the message security mode remains unchanged from its existing setting.
- You must manually restart the VMware Horizon View Message Bus Component service on all Connection Server hosts in the pod, or restart the Connection Server instances.
- After the services are restarted, the Connection Server instances reconfigure the message security mode on all desktops and security servers, changing the mode to Enhanced.
- To monitor the progress in Horizon Administrator, go to
On the Security tab, the Enhanced Security Status item will show Enhanced when all components have made the transition to Enhanced mode.
Alternatively, you can use the vdmutil command-line utility to monitor progress. See Using the vdmutil Utility to Configure the JMS Message Security Mode.
.
Horizon 7 components that predate Horizon 6 version 6.1 cannot communicate with a Connection Server 6.1 instance that uses Enhanced mode.
If you plan to change an active Horizon 7 environment from Disabled to Enabled, or from Enabled to Disabled, change to Mixed mode for a short time before you make the final change. For example, if your current mode is Disabled, change to Mixed mode for one day, then change to Enabled. In Mixed mode, signatures are attached to messages but not verified, which allows the change of message mode to propagate through the environment.