You can select the security protocols and cryptographic algorithms that VMware Horizon 8 uses to encrypt communications between Horizon Client and servers, and between Horizon Client and Horizon Agent.

By default, TLS v1.1 and TLS v1.2 are activated. SSL v2.0, SSL v3.0, and TLS v1.0 are not supported. The default cipher control string is "!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES".

If you configure a security protocol for Horizon Client that is not activated on the server to which the client system connects, a TLS error occurs and the connection fails.

For information about configuring the security protocols that Connection Server can accept, see the Horizon Security document.

Procedure

  1. Open Settings and tap Security options.
    • If you are connected to a remote desktop or published application in full-screen mode, tap the Horizon Client Tools radial menu icon and tap the gear icon to access Settings.
    • If you are not using full-screen mode, tap Settings in the menu in the upper-right corner of the Horizon Client toolbar.
    • If you are not connected to a server, tap the Settings (gear) icon in the upper-right corner of the Horizon Client window.
  2. Tap Advanced Security Options.
  3. Verify that Use Default Settings is deselected.
  4. To activate or deactivate a security protocol, tap the check box next to the security protocol name.
    Option Description
    Configures Signature Algorithms Configure Signature Algorithms Extension in the Client Hello message of the TLS handshake.
    Configure Supported Groups Configure Supported Groups Extension in the Client Hello message of the TLS handshake.
    Configures to check the revocation status of the server certificate There are three options:
    • Will not connect to servers when the server certificate is revoked or unable to determine revocation status. Note that "unable to determine revocation status" includes but is not limited to the network issue that the client cannot reach the CRL endpoints. This option is the strictest certificate check of the three options.
    • Will not connect to servers when the server certificate is revoked. With this option, if unable to determine revocation status, the client can also connect to the servers.
    • Will not check certificate revocation status. Note that this option is hidden if CC Mode is enabled.
  5. To change the cipher control string, replace the default string.
  6. Optional: To revert to the default settings, tap to select the Use Default Settings option.
  7. To save your changes, tap OK.

Results

Your changes take effect the next time you connect to the server.