You can configure the certificate checking mode for end users. For example, you can configure Horizon Client to always perform full verification. Certificate checking occurs for TLS connections between a server and Horizon Client.

You can configure one of the following certificate verification strategies for end users.

  • End users have permission to select the certificate checking mode in Horizon Client.
  • (No verification) Horizon Client does not perform any certificate checks.
  • (Warn) If the server presents a self-signed certificate, end users receive a warning. Users can determine whether to allow this type of connection.
  • (Full security) Horizon Client performs full verification and rejects connections that do not pass full verification.

If you use an SSL proxy server to inspect traffic sent from the client environment to the Internet, you can configure certificate checking for secondary connections through the SSL proxy server. This feature applies to both Blast Secure Gateway and secure tunnel connections. You can also allow the use of a proxy server for VMware Blast connections.

For information about the types of certificate checks that can be performed, see Setting the Certificate Checking Mode in Horizon Client.

You can set the default certificate checking mode and proxy server settings by setting properties in the /etc/vmware/view-mandatory-config file.

To set the default certificate checking mode, set the view.sslVerificationMode property to one of the following values.

  • 1 implements Full Verification.
  • 2 implements Warn If the Connection May Be Insecure.
  • 3 implements No Verification Performed.
Note: If you use an SSL proxy, configure the Protocol connection certificate verification mode setting to use PKI verification.

To configure the certificate checking mode so that end users cannot change it, set the view.allowSslVerificationMode property to "False". To set this property from the command line, see Horizon Client Configuration Settings and Command-Line Options.

To configure the Protocol connection certificate verification mode setting so that end users cannot change it, set the view.allowSslProxy key to "False".

To set the default Protocol connection certificate verification mode setting, set the view.allowSslProxy property. "True" enables the setting and "False" deactivates the setting.

To set the default Allow Blast connections to use operating system proxy settings setting, set the view.allowBlastProxy property. "True" enables the setting and "False" deactivates the setting.

To configure the Allow Blast connections to use operating system proxy settings setting so that end users cannot change it, set the view.allowAllowBlastProxy key to False.