You can configure the security protocols and cipher suites that PSG's client-side listener accepts by editing the registry. If required, this task can also be performed on an RDS host.

The protocols that are allowed are, from low to high, tls1.0, tls1.1, and tls1.2. Older protocols such as SSLv3 and earlier are never allowed.

The following cipher list is the default:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:AES128-SHA256:AES128-SHA:@STRENGTH

Procedure

  1. On the Connection Server instance, security server, or RDS host, open a registry editor and navigate to HKLM\Software\Teradici\SecurityGateway.
  2. Add or edit the REG_SZ registry value SSLProtocol to specify a list of protocols.

    For example,

    tls1.2:tls1.1
  3. Add or edit the REG_SZ registry value SSLCipherList to specify a list of cipher suites.

    For example,

    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256
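The same change can be scripted. The following PowerShell is an added example, not part of the product documentation: it validates the two lists, writes them as REG_SZ values under the key named in step 1, and reads them back. It assumes an elevated PowerShell session on the host; the helper name Test-ColonList is hypothetical.

```powershell
# Added example. Key path, value names and sample values come from the procedure above.
$KeyPath   = 'HKLM:\Software\Teradici\SecurityGateway'
$Protocols = 'tls1.2:tls1.1'
$Ciphers   = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:' +
             'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256'

# Protocol names the page lists as allowed; anything else is rejected before writing.
$AllowedProtocols = 'tls1.0', 'tls1.1', 'tls1.2'

# Hypothetical helper: checks a colon-separated list for empty or unexpected entries.
function Test-ColonList {
    param(
        [Parameter(Mandatory)][string]$Value,
        [string[]]$Permitted
    )
    foreach ($item in ($Value -split ':')) {
        # A stray or trailing colon produces an empty entry; spaces are not valid either.
        if ($item -notmatch '^\S+$') {
            throw "Empty or malformed entry '$item' in '$Value'"
        }
        # Case-sensitive match against the spelling the page uses.
        if ($Permitted -and ($item -cnotin $Permitted)) {
            throw "Entry '$item' is not one of: $($Permitted -join ', ')"
        }
    }
}

Test-ColonList -Value $Protocols -Permitted $AllowedProtocols
Test-ColonList -Value $Ciphers

if (-not (Test-Path -Path $KeyPath)) {
    throw "$KeyPath not found; is PSG installed on this host?"
}

# Show the current values first so the change can be reverted.
$before = Get-ItemProperty -Path $KeyPath
"Previous SSLProtocol  : $($before.SSLProtocol)"
"Previous SSLCipherList: $($before.SSLCipherList)"

# -Force creates the REG_SZ value or overwrites an existing one.
New-ItemProperty -Path $KeyPath -Name SSLProtocol   -Value $Protocols -PropertyType String -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name SSLCipherList -Value $Ciphers   -PropertyType String -Force | Out-Null

# Read back and confirm what is now stored.
$after = Get-ItemProperty -Path $KeyPath
if ($after.SSLProtocol -cne $Protocols -or $after.SSLCipherList -cne $Ciphers) {
    throw 'Registry read-back does not match the requested values.'
}
"SSLProtocol   = $($after.SSLProtocol)"
"SSLCipherList = $($after.SSLCipherList)"
```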