You can select the security protocols and cryptographic algorithms that are used to encrypt communications between Horizon Client and Horizon servers and between Horizon Client and the agent in the remote desktop.

These security options are also used to encrypt the USB channel (communication between the USB plugin and the agent on the remote desktop).

By default, TLSv1.0, TLSv1.1, and TLSv1.2 are enabled. SSL v2.0 and 3.0 are not supported. The default cipher control string is "!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES".

Note: If TLSv1.0 and RC4 are disabled, USB redirection does not work when users are connected to Windows XP remote desktops. Be aware of the security risk if you choose to make this feature work by enabling TLSv1.0 and RC4.

If you configure a security protocol for Horizon Client that is not enabled on the Horizon server to which the client connects, a TLS/SSL error occurs and the connection fails.

Important: At least one of the protocol versions that you enable in Horizon Client must also be enabled on the remote desktop. Otherwise, USB devices cannot be redirected to the remote desktop.

For information about configuring the security protocols that are accepted by Connection Server instances, see the View Security document.


  1. Select VMware Horizon Client > Preferences from the menu bar, click Security, and click Advanced.
  2. To enable or disable a security protocol, select the check box next to the security protocol name.
  3. To change the cipher control string, replace the default string.
  4. (Optional) If you need to revert to the default settings, click Restore Defaults.
  5. Click Confirm to save your changes.


Your changes take effect the next time you connect to the server.