You can configure the certificate checking mode for end users. For example, you can require that full verification is always performed. Certificate checking occurs for TLS connections between a server and Horizon Client.
You can configure one of the following certificate verification strategies for end users.
- End users are allowed to select the certificate checking mode in Horizon Client.
- (No verification) No certificate checks are performed.
- (Warn) If the server presents a self-signed certificate, end users are warned. Users can determine whether to allow this type of connection.
- (Full security) Full verification is performed and connections that do not pass full verification are rejected.
If you use an SSL proxy server to inspect traffic sent from the client environment to the Internet, you must enable the protocol connection certificate verification mode and set it to PKI Verification. You can also configure certificate checking for secondary connections through the SSL proxy server. This feature applies to both Blast Secure Gateway and secure tunnel connections. You can also allow proxy server use for VMware Blast connections.
For information about the types of certificate checks that can be performed, see Setting the Certificate Checking Mode in Horizon Client.
To configure the certificate checking mode and proxy server settings so that end users cannot change them, set keys in the /Library/Preferences/com.vmware.horizon.plist file on the Mac client.
To configure the certificate checking mode, set the Security Mode key to one of the following values.
- 1 implements Never connect to untrusted servers.
- 2 implements Warn before connecting to untrusted servers.
- 3 implements Do not verify server identity certificates.
To allow connections through an SSL proxy server, set the Protocol Connection Certificate Checking Mode key to one of the following values.
- 0 enables Thumbprint Verification.
- 1 enables Thumbprint or PKI Verification.
- 2 enables Thumbprint and PKI Verification.
- 3 enables PKI Verification.
To allow VMware Blast connections through a proxy server, see #GUID-37D16FE3-E4A3-4E90-A7FA-A0992ED081E4.
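The following audit script is an added example, not VMware code. It reads a copy of the plist and reports any setting weaker than full verification. The key names are taken literally from the text above, and the assumption that values may be stored as integers or strings is the example's own.

```python
import plistlib

# Key names and value meanings are copied from the text above (assumed to be
# the literal plist keys); integer-or-string storage is also an assumption.
SECURITY_MODE_KEY = "Security Mode"
PROXY_MODE_KEY = "Protocol Connection Certificate Checking Mode"
SECURITY_MODES = {
    1: "Never connect to untrusted servers",
    2: "Warn before connecting to untrusted servers",
    3: "Do not verify server identity certificates",
}
PROXY_MODES = {
    0: "Thumbprint Verification",
    1: "Thumbprint or PKI Verification",
    2: "Thumbprint and PKI Verification",
    3: "PKI Verification",
}


def _as_int(value):
    """Return the value as an int, or None if it is absent or not a number."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def audit_horizon_plist(data, behind_ssl_proxy=False):
    """Return a list of findings for one plist (XML or binary) given as bytes."""
    prefs = plistlib.loads(data)
    findings = []
    mode = _as_int(prefs.get(SECURITY_MODE_KEY))
    if mode is None:
        findings.append("Security Mode not set: mode is not locked by this file")
    elif mode not in SECURITY_MODES:
        findings.append(f"Security Mode has unknown value {mode}")
    elif mode != 1:
        findings.append(f"Security Mode {mode}: {SECURITY_MODES[mode]}")
    proxy = _as_int(prefs.get(PROXY_MODE_KEY))
    if proxy is not None and proxy not in PROXY_MODES:
        findings.append(f"Proxy checking mode has unknown value {proxy}")
    elif behind_ssl_proxy and proxy != 3:
        label = PROXY_MODES.get(proxy, "not set")
        findings.append(
            f"Proxy checking mode is {label}; PKI Verification (3) is required")
    return findings


# Constructed sample: verification disabled, proxy mode left at thumbprint only.
SAMPLE = plistlib.dumps({SECURITY_MODE_KEY: 3, PROXY_MODE_KEY: 0})
```

Pass `behind_ssl_proxy=True` for clients whose traffic goes through an inspecting SSL proxy, where the text above requires PKI Verification.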