Administrators can configure the certificate verification mode so that, for example, full verification is always performed. Administrators can also configure whether end users are allowed to choose whether client connections are rejected if any or some server certificate checks fail.
Certificate checking occurs for SSL/TLS connections between Connection Server instances and Horizon Client. Administrators can configure the verification mode to use one of the following strategies:
- End users are allowed to choose the verification mode. The rest of this list describes the three verification modes.
- (No verification) No certificate checks are performed.
- (Warn) End users are warned if a self-signed certificate is being presented by the server. Users can choose whether or not to allow this type of connection.
- (Full security) Full verification is performed and connections that do not pass full verification are rejected.
Certificate verification includes the following checks:
- Has the certificate been revoked?
- Is the certificate intended for a purpose other than verifying the identity of the sender and encrypting server communications? That is, is it the correct type of certificate?
- Has the certificate expired, or is it valid only in the future? That is, is the certificate valid according to the computer clock?
- Does the common name on the certificate match the host name of the server that sends it? A mismatch can occur if a load balancer redirects Horizon Client to a server that has a certificate that does not match the host name entered in Horizon Client. Another reason a mismatch can occur is if you enter an IP address rather than a host name in the client.
- Is the certificate signed by an unknown or untrusted certificate authority (CA)? Self-signed certificates are one type of untrusted CA. To pass this check, the certificate's chain of trust must be rooted in the device's local certificate store.
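The three modes and the checks above, as an added Go example written for this page (not VMware's code and not how Horizon Client is implemented): Go's crypto/x509 verifier performs the date, host name, purpose and chain-of-trust checks, while revocation is left out. The rule that a self-signed certificate in Warn mode must still pass the other checks, and the host name view.example.com with its constructed certificate, are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Verification modes from the page: no checks, warn on self-signed, full security.
const NoVerification, Warn, FullSecurity = 0, 1, 2
// CheckServerCert applies mode to the certificate presented for host; roots stands in for the
// device's store. cert.Verify checks dates, host name, server-auth purpose and chain of trust.
func CheckServerCert(mode int, cert *x509.Certificate, host string, roots *x509.CertPool) string {
	if mode == NoVerification {
		return "Accept: no certificate checks performed"
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}) // no revocation check
	if err != nil && mode == Warn && cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		// Self-signed: user may allow it if the other checks pass with it as its own anchor (assumption).
		own := x509.NewCertPool()
		own.AddCert(cert)
		if _, err = cert.Verify(x509.VerifyOptions{DNSName: host, Roots: own}); err == nil {
			return "Prompt: self-signed certificate, ask the user"
		}
	}
	if err != nil {
		return "Reject: " + err.Error()
	}
	return "Accept: full verification passed"
}

// SelfSignedCert returns a constructed self-signed server certificate (test fixture, not a real one).
func SelfSignedCert(host string, notBefore, notAfter time.Time) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
func main() {
	cert := SelfSignedCert("view.example.com", time.Now().Add(-time.Hour), time.Now().Add(time.Hour))
	fmt.Println(CheckServerCert(Warn, cert, "view.example.com", x509.NewCertPool()))
}
```

With an empty trust store the same certificate is accepted in no-verification mode, prompts in Warn mode, and is rejected as signed by an unknown authority in full-security mode; an expired certificate or a host name mismatch is rejected in Warn mode too.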
If you use an SSL proxy server to inspect traffic sent from the client environment to the Internet, you can enable certificate checking for secondary connections through an SSL proxy server. You can also configure VMware Blast connections to use a proxy server. These features are supported with Horizon Client 5.2 and later for Windows, Mac, and Linux.
For information about how to configure certificate checking and SSL proxy server use for a specific type of client, see the Horizon Client installation and setup document for that client. These documents also contain information about using self-signed certificates.