You can configure the security protocols and cipher suites that BSG's client-side listener accepts by editing the file absg.properties.

About this task

The protocols that are allowed are, from low to high, tls1.0, tls1.1, and tls1.2. Older protocols such as SSLv3 and earlier are never allowed. Two properties, localHttpsProtocolLow and localHttpsProtocolHigh, determine the range of protocols that the BSG listener will accept. For example, setting localHttpsProtocolLow=tls1.0 and localHttpsProtocolHigh=tls1.2 will cause the listener to accept tls1.0, tls1.1, and tls1.2. The default settings are localHttpsProtocolLow=tls1.1 and localHttpsProtocolHigh=tls1.2. You can examine the BSG's absg.log file to discover the values that are in force for a specific BSG instance.

You must specify the list of ciphers using the format that is defined in https://www.openssl.org/docs/manmaster/man1/ciphers.html, under the section CIPHER LIST FORMAT. The following cipher list is the default:

ECDHE-RSA-AES256-SHA:AES256-SHA:HIGH:!AESGCM:!CAMELLIA:!3DES:!EDH:!EXPORT:!MD5:!PSK:!RC4:!SRP:!aNULL:!eNULL

Procedure

  1. On the Connection Server instance, edit the file install_directory\VMware\VMware View\Server\appblastgateway\absg.properties.

    By default, the install directory is %ProgramFiles%.

  2. Edit the properties localHttpsProtocolLow and localHttpsProtocolHigh to specify a range of protocols.

    For example,

    localHttpsProtocolLow=tls1.0
    localHttpsProtocolHigh=tls1.2

    To enable only one protocol, specify the same protocol for both localHttpsProtocolLow and localHttpsProtocolHigh.

  3. Edit the localHttpsCipherSpec property to specify a list of cipher suites.

    For example,

    localHttpsCipherSpec=ECDHE-RSA-AES256-SHA:HIGH:!AESGCM:!CAMELLIA:!3DES:!EDH:!EXPORT:!MD5:!PSK:!RC4:!SRP:!aNULL:!eNULL
  4. Restart the Windows service VMware Horizon View Blast Secure Gateway.