You can configure the certificate checking mode for end users. For example, you can configure that full verification is always performed. Certificate checking occurs for TLS connections between a server and Horizon Client.
You can configure one of the following certificate verification strategies for end users.
- End users are allowed to select the certificate checking mode in Horizon Client.
- (No verification) No certificate checks are performed.
- (Warn) If the server presents a self-signed certificate, end users are warned. Users can determine whether to allow this type of connection.
- (Full security) Full verification is performed and connections that do not pass full verification are rejected.
If you use an SSL proxy server to inspect traffic sent from the client environment to the Internet, you can configure certificate checking for secondary connections through the SSL proxy server. This feature applies to both Blast Secure Gateway and secure tunnel connections. You can also allow proxy server use for VMware Blast connections.
For information about the types of certificate checks that can be performed, see Setting the Certificate Checking Mode in Horizon Client.
You can set the default certificate checking mode and proxy server settings by setting properties in the /etc/vmware/view-mandatory-config file.
To set the default certificate checking mode, set the view.sslVerificationMode property to one of the following values.
- 1 implements Full Verification.
- 2 implements Warn If the Connection May Be Insecure.
- 3 implements No Verification Performed.
To configure the certificate checking mode so that end users cannot change it, set the view.allowSslVerificationMode property to "False". To set this property from the command line, see Horizon Client Configuration Settings and Command-Line Options.
To configure the Allow connection via an SSL Proxy setting so that end users cannot change it, set the view.allowAllowSslProxy key to "False".
To set the default Allow connection via an SSL Proxy setting, set the view.allowSslProxy property. "True" enables the setting and "False" deactivates the setting.
To set the default Allow Blast connections to use operating system proxy settings setting, set the view.allowBlastProxy property. "True" enables the setting and "False" deactivates the setting.
To configure the Allow Blast connections to use operating system proxy settings setting so that end users cannot change it, set the view.allowAllowBlastProxy key to False.