You can select the security protocols that Horizon Client can use. You can also specify the cipher control string.
About this task
The advanced TLS/SSL options that you configure are used to encrypt communications between Horizon Client and Connection Server and View Agent or Horizon Agent. In Horizon Client 3.1 and later, these options are also used to encrypt the USB channel (communication between the USB service daemon and View Agent or Horizon Agent).
If the only protocol you enable in Horizon Client is TLSv1.1, you must verify that TLSv1.1 is also enabled on the remote desktop. Otherwise, USB devices cannot be redirected to the remote desktop.
In Horizon Client 3.0 through 3.4, TLSv1.0 and TLSv1.1 are enabled by default. The default cipher control string is "AES:!aNULL:@STRENGTH".
In Horizon Client 3.5, TLSv1.0, TLSv1.1, and TLSv1.2 are enabled by default. The default cipher control string is "!aNULL:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH".
In Horizon Client 4.0 and later, TLSv1.0 is disabled by default, TLSv1.1 and TLSv1.2 are enabled by default, and SSLv3 is removed. The default cipher control string is "!aNULL:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH".
In Horizon Client 3.1 and later, the USB service daemon adds RC4 (:RC4-SHA: +RC4) to the end of the cipher control string when it connects to a remote desktop. Starting with Horizon Client 4.0, the USB service daemon no longer adds RC4 to the end of the cipher control string.
If TLSv1.0 and RC4 are disabled, USB redirection does not work when users are connected to Windows XP remote desktops. Be aware of the security risk if you choose to make this feature work by enabling TLSv1.0 and RC4.
Verify the security protocol that the Connection Server instance can use. If you configure a security protocol for Horizon Client that is not enabled on the Connection Server instance to which the client connects, an SSL error occurs and the connection fails. For information about configuring the security protocols that are accepted by Connection Server instances, see the View Security document.
You should change the security protocols in Horizon Client only if your View administrator instructs you to do so, or if your Connection Server instance does not support the current settings.
- Select Horizon Client 3.0) or (Horizon Client 3.1 and later) from the menu bar, click Security, and click Advanced. (
- To enable or disable a security protocol, select the check box next to the security protocol name.
- To change the cipher control string, replace the default string.
- (Optional) If you need to revert to the default settings, click Restore Defaults.
- Click Confirm to save your changes.
Your changes take effect the next time you connect to the server.