Some older protocols and ciphers that are no longer considered secure are disabled in Horizon 7 by default. If required, you can enable them manually.

DHE Cipher Suites

Cipher suites that are compatible with DSA certificates use Diffie-Hellman ephemeral keys, and these suites are no longer enabled by default, starting with Horizon 6 version 6.2. For more information, see http://kb.vmware.com/kb/2121183.

For Connection Server instances, security servers, and Horizon 7 desktops, you can enable these cipher suites by editing the View LDAP database, locked.properties file, or registry, as described in this guide. See Change the Global Acceptance and Proposal Policies, Configure Acceptance Policies on Individual Servers, and Configure Proposal Policies on Remote Desktops. You can define a list of cipher suites that includes one or more of the following suites, in this order:

  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (TLS 1.2 only, not FIPS)
  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (TLS 1.2 only, not FIPS)
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (TLS 1.2 only)
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (TLS 1.2 only)
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA

For View Composer and View Agent Direct-Connection (VADC) machines, you can enable DHE cipher suites by adding the following to the list of ciphers when you follow the procedure "Disable Weak Ciphers in SSL/TLS for View Composer and Horizon Agent Machines" in the Horizon 7 Installation document.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Note: It is not possible to enable support for ECDSA certificates. These certificates have never been supported.

SSLv3

In Horizon 7, SSL version 3.0 has been removed.

For more information, see http://tools.ietf.org/html/rfc7568.

RC4

For more information, see http://tools.ietf.org/html/rfc7465.

For Connection Server instances, security servers, and Horizon 7 desktops, you can enable RC4 by editing the configuration file C:\Program Files\VMware\VMware View\Server\jre\lib\security\java.security on the Connection Server, security server, or Horizon Agent machine. At the end of the file is a multi-line entry called jdk.tls.legacyAlgorithms. Remove RC4_128 and the comma that follows it from this entry, and then restart the Connection Server, security server, or Horizon Agent machine, as the case may be.
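To check whether this edit has been made on a given machine, the following PowerShell joins the backslash-continued lines of the jdk.tls.legacyAlgorithms entry and reports whether RC4_128 is still listed. It is an added example, not VMware code; the function names and the sample file content are constructed for illustration.

```powershell
# Added example (not VMware code). Function names are hypothetical.
function Get-JavaSecurityProperty {
    param([string[]]$Lines, [string]$Name)
    $value = $null          # a later definition overrides an earlier one
    $buffer = ''
    $continuing = $false
    # The trailing '' flushes an entry whose last line ends in a backslash.
    foreach ($raw in (@($Lines) + '')) {
        $line = "$raw".TrimStart()
        # Blank and comment lines are skipped unless they continue an entry.
        if (-not $continuing -and ($line -eq '' -or $line -match '^[#!]')) { continue }
        # An odd number of trailing backslashes continues the logical line.
        $continuing = ($line -match '(\\+)$') -and ($Matches[1].Length % 2 -eq 1)
        if ($continuing) { $line = $line.Substring(0, $line.Length - 1) }
        $buffer += $line
        if ($continuing) { continue }
        if ($buffer -match '^([^=:\s]+)\s*[=:]?\s*(.*)$' -and $Matches[1] -ceq $Name) {
            $value = $Matches[2]
        }
        $buffer = ''
    }
    return $value
}

function Get-Rc4LegacyStatus {
    param([string[]]$Lines)
    $value = Get-JavaSecurityProperty -Lines $Lines -Name 'jdk.tls.legacyAlgorithms'
    if ($null -eq $value) { return 'jdk.tls.legacyAlgorithms not found' }
    $algs = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($algs -ccontains 'RC4_128') { return 'RC4_128 listed (default)' }
    return 'RC4_128 removed (RC4 enabled as described above)'
}

# Constructed sample of the end of java.security, not copied from a Horizon install.
$default = @'
# legacy algorithms
jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \
        DH_anon, ECDH_anon, \
        RC4_128, RC4_40, DES_CBC, DES40_CBC, \
        3DES_EDE_CBC
'@ -split '\r?\n'
# The same sample after removing RC4_128 and the comma that follows it.
$edited = $default -replace 'RC4_128,\s*', ''

"default sample: $(Get-Rc4LegacyStatus -Lines $default)"
"edited sample:  $(Get-Rc4LegacyStatus -Lines $edited)"
# On a server, pass the real file instead of the sample:
# Get-Rc4LegacyStatus -Lines (Get-Content 'C:\Program Files\VMware\VMware View\Server\jre\lib\security\java.security')
```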

For View Composer and View Agent Direct-Connection (VADC) machines, you can enable RC4 by adding the following to the list of ciphers when you follow the procedure "Disable Weak Ciphers in SSL/TLS for View Composer and Horizon Agent Machines" in the Horizon 7 Installation document.

TLS_RSA_WITH_RC4_128_SHA

TLS 1.0 and TLS 1.1

In Horizon 7, TLS 1.0 and TLS 1.1 are disabled by default.

For more information, see https://datatracker.ietf.org/doc/html/rfc8996 and https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf. For instructions on how to enable TLS 1.0, see the sections "Enable TLSv1 on vCenter Connections from Connection Server" and "Enable TLSv1 on vCenter and ESXi Connections from View Composer" in the Horizon 7 Upgrades document.

No Forward Secrecy (PFS)

Cipher suites specifying key exchange algorithms that do not exhibit forward secrecy (PFS) are disabled by default. For more information, see https://datatracker.ietf.org/doc/html/rfc7525. For instructions on how to enable these cipher suites, see the earlier sections of this topic.