Global security settings determine whether clients are reauthenticated after interruptions, message security mode is enabled, and IPSec is used for security server connections.

TLS is required for all Horizon Client connections and Horizon Administrator connections to Horizon 7. If your Horizon 7 deployment uses load balancers or other client-facing, intermediate servers, you can off-load TLS to them and then configure non-TLS connections on individual Connection Server instances and security servers. See Off-load TLS Connections to Intermediate Servers.

Table 1. Global Security Settings for Client Sessions and Connections
Setting Description
Reauthenticate secure tunnel connections after network interruption

Determines if user credentials must be reauthenticated after a network interruption when Horizon clients use secure tunnel connections to remote desktops.

When you select this setting, if a secure tunnel connection is interrupted, Horizon Client requires the user to reauthenticate before reconnecting.

This setting offers increased security. For example, if a laptop is stolen and moved to a different network, the user cannot automatically gain access to the remote desktop without entering credentials.

When this setting is not selected, the client reconnects to the remote desktop without requiring the user to reauthenticate.

This setting has no effect when the secure tunnel is not used.

Message security mode

Determines the security mechanism used for sending JMS messages between components.
  • When the mode is set to Enabled, signing and verification of the JMS messages passed between Horizon 7 components takes place.
  • When the mode is set to Enhanced, security is provided by mutually authenticated TLS JMS connections and access control on JMS topics.

For details, see Message Security Mode for Horizon 7 Components.

For new installations, by default, message security mode is set to Enhanced. If you upgrade from a previous version, the setting used in the previous version is retained.

Enhanced Security Status (Read-only)

Read-only field that appears when Message security mode is changed from Enabled to Enhanced. Because the change is made in phases, this field shows the progress through the phases:

  • Waiting for Message Bus restart is the first phase. This state is displayed until you manually restart either all Connection Server instances in the pod or the VMware Horizon Message Bus Component service on all Connection Server hosts in the pod.
  • Pending Enhanced is the next state. After all Horizon Message Bus Component services have been restarted, the system begins changing the message security mode to Enhanced for all desktops and security servers.
  • Enhanced is the final state, indicating that all components are now using Enhanced message security mode.

You can also use the vdmutil command-line utility to monitor progress. See Using the vdmutil Utility to Configure the JMS Message Security Mode.

Use IPSec for Security Server connections

Determines whether to use Internet Protocol Security (IPSec) for connections between security servers and Connection Server instances.

By default, secure connections (using IPSec) for security server connections are enabled.

Note: If you upgrade to View 5.1 or later from an earlier Horizon 7 release, the global setting Require SSL for client connections is displayed in Horizon Administrator, but only if the setting was disabled in your Horizon 7 configuration before you upgraded. Because TLS is required for all Horizon Client connections and Horizon Administrator connections to Horizon 7, this setting is not displayed in fresh installations of Horizon 7 5.1 or later versions and is not displayed after an upgrade if the setting was already enabled in the previous Horizon 7 configuration.

After an upgrade, if you do not enable the Require SSL for client connections setting, HTTPS connections from Horizon clients will fail, unless they connect to an intermediate device that is configured to make onward connections using HTTP. See Off-load TLS Connections to Intermediate Servers.