You can configure the HTML Access Agent to use specific cipher suites instead of the default set of ciphers.

By default, the HTML Access Agent requires incoming TLS connections to use encryption based on certain ciphers that provide strong protection against network eavesdropping and forgery. You can configure an alternative list of ciphers for the HTML Access Agent to use. The set of acceptable ciphers is expressed in the OpenSSL format. To see the cipher list format, search for "openssl cipher string" in a web browser.

Procedure

  1. On the desktop where the HTML Access Agent is installed, start the Windows Registry Editor.
  2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config registry key.
  3. Add a new String (REG_SZ) value, SslCiphers, and paste the cipher list in the OpenSSL format into the text box.
  4. To make your changes take effect, restart the VMware Blast service.
    In the Windows guest operating system, the service for the HTML Access Agent is called VMware Blast.

Results

To revert to using the default cipher list, delete the SslCiphers value and restart the VMware Blast service. Do not simply delete the data part of the value because the HTML Access Agent will then treat all ciphers as unacceptable, in accordance with the OpenSSL cipher list format definition.

When the HTML Access Agent starts, it writes the cipher definition in the VMware Blast service's log file. You can discover the current default cipher list by inspecting the logs when the VMware Blast service starts with no SslCiphers value configured in the Windows Registry.

The HTML Access Agent default cipher definition might change from one release to the next to provide improved security.
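
The procedure and the revert step above can be scripted. The following PowerShell is an added example, not VMware's code: the function names are hypothetical, the cipher string is a constructed sample rather than the agent's default or a recommended policy, and it assumes an elevated session on the desktop where the agent is installed.

```powershell
# Added example, not VMware's code. Run in an elevated PowerShell session.
$KeyPath   = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Blast\Config'   # key from step 2
$ValueName = 'SslCiphers'                                        # value from step 3
$Service   = 'VMware Blast'                                      # service name from step 4

function Set-BlastCipherList {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$CipherList)

    # An empty value makes the agent treat all ciphers as unacceptable,
    # so refuse to write it instead of locking out every TLS connection.
    if ([string]::IsNullOrWhiteSpace($CipherList)) {
        throw "Refusing to write an empty $ValueName value; call Reset-BlastCipherList to revert."
    }
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Registry key not found: $KeyPath"
    }
    # Creates the REG_SZ value, or overwrites it if it already exists.
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
        -PropertyType String -Value $CipherList -Force | Out-Null
    Restart-Service -DisplayName $Service
}

function Reset-BlastCipherList {
    # Delete the whole value (not just its data) to return to the default list.
    Remove-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -DisplayName $Service
}

function Get-BlastCipherList {
    # Returns $null when no override is configured (the agent uses its default).
    (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
        -ErrorAction SilentlyContinue).$ValueName
}

# Constructed sample list in OpenSSL cipher-string format; substitute your own policy.
Set-BlastCipherList -CipherList 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'
Get-BlastCipherList
```

After the service restarts, compare the cipher definition written to the VMware Blast service's log file with the value returned by `Get-BlastCipherList` to confirm the override took effect.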