You must follow certain guidelines for configuring TLS certificates for Horizon 7 servers and related components.

Horizon Connection Server and Security Server

TLS is required for client connections to a server. Client-facing Connection Server instances, security servers, and intermediate servers that terminate TLS connections require TLS server certificates.

By default, when you install Connection Server or security server, the installation generates a self-signed certificate for the server. However, the installation uses an existing certificate in the following cases:

  • If a valid certificate with a Friendly name of vdm already exists in the Windows Certificate Store

  • If you upgrade to Horizon 7 from an earlier release, and a valid keystore file is configured on the Windows Server computer, the installation extracts the keys and certificates and imports them into the Windows Certificate Store.

vCenter Server and View Composer

Before you add vCenter Server and View Composer to Horizon 7 in a production environment, make sure that vCenter Server and View Composer use certificates that are signed by a CA.

For information about replacing the default certificate for vCenter Server, see "Replacing vCenter Server Certificates" on the VMware Technical Papers site at http://www.vmware.com/resources/techresources/.

If you install vCenter Server and View Composer on the same Windows Server host, they can use the same TLS certificate, but you must configure the certificate separately for each component.

PCoIP Secure Gateway

To comply with industry or jurisdiction security regulations, you can replace the default TLS certificate that is generated by the PCoIP Secure Gateway (PSG) service with a certificate that is signed by a CA. Configuring the PSG service to use a CA-signed certificate is highly recommended, particularly for deployments that require you to use security scanners to pass compliance testing. See TLS.

Blast Secure Gateway

By default, the Blast Secure Gateway (BSG) uses the TLS certificate that is configured for the Connection Server instance or security server on which the BSG is running. If you replace the default, self-signed certificate for a server with a CA-signed certificate, the BSG also uses the CA-signed certificate.

SAML 2.0 Authenticator

VMware Identity Manager uses SAML 2.0 authenticators to provide Web-based authentication and authorization across security domains. If you want Horizon 7 to delegate authentication to VMware Identity Manager, you can configure Horizon 7 to accept SAML 2.0 authenticated sessions from VMware Identity Manager. When VMware Identity Manager is configured to support Horizon 7, VMware Identity Manager users can connect to remote desktops by selecting desktop icons on the Horizon User Portal.

In Horizon Administrator, you can configure SAML 2.0 authenticators for use with Connection Server instances.

Before you add a SAML 2.0 authenticator in Horizon Administrator, make sure that the SAML 2.0 authenticator uses a certificate that is signed by a CA.

Additional Guidelines

For general information about requesting and using TLS certificates that are signed by a CA, see TLS.

When client endpoints connect to a Connection Server instance or security server, they are presented with the server's TLS server certificate and any intermediate certificates in the trust chain. To trust the server certificate, the client systems must have installed the root certificate of the signing CA.

When Connection Server communicates with vCenter Server and View Composer, Connection Server is presented with TLS server certificates and intermediate certificates from these servers. To trust the vCenter Server and View Composer servers, the Connection Server computer must have installed the root certificate of the signing CA.

Similarly, if a SAML 2.0 authenticator is configured for Connection Server, the Connection Server computer must have installed the root certificate of the signing CA for the SAML 2.0 server certificate.