Server certificate checking occurs for connections between Horizon Client and a server. A certificate is a digital form of identification, similar to a passport or a driver's license.
About Certificate Checking
Server certificate checking includes the following checks:
- Has the certificate been revoked?
- Is the certificate intended for a purpose other than verifying the identity of the sender and encrypting server communications? That is, is it the correct type of certificate?
- Has the certificate expired, or is it valid only in the future? That is, is the certificate valid according to the computer clock?
- Does the common name on the certificate match the host name of the server that sends it? A mismatch can occur if a load balancer redirects Horizon Client to a server that has a certificate that does not match the host name entered in Horizon Client. Another reason a mismatch can occur is if you enter an IP address rather than a host name in the client.
- Is the certificate signed by an unknown or untrusted certificate authority (CA)? Self-signed certificates are one type of untrusted CA. To pass this check, the certificate's chain of trust must be rooted in the device's local certificate store.
For information about distributing a self-signed root certificate to all Windows client systems in a domain, see "Add the Root Certificate to Trusted Root Certification Authorities" in the Horizon Installation and Upgrade document.
How to Set the Certificate Checking Mode
A system administrator might ask end users to set the certificate checking mode in Horizon Client to make sure that they can successfully connect to a server. At some companies, an administrator might set the certificate checking mode and prevent end users from changing it in Horizon Client.
To set the certificate checking mode, start Horizon Client and select . You can select one of the following options. Note that you cannot configure certificate checking in FIPS mode.
- Never connect to untrusted servers. This setting means that you cannot connect to the server if any of the certificate checks fail. An error message lists the checks that failed.
- Warn before connecting to untrusted servers. This setting means that you can click Continue to ignore the warning if a certificate check fails because the server uses a self-signed certificate. For self-signed certificates, the certificate name is not required to match the server name that you entered in Horizon Client. You can also receive a warning if the certificate has expired.
- Do not verify server identity certificates. This setting means that no certificate checking occurs.
If an administrator later installs a security certificate from a trusted certificate authority and all certificate checks pass when you connect, this trusted connection is remembered for that specific server. In the future, if that server ever presents a self-signed certificate again, the connection fails. After a particular server presents a fully verifiable certificate, it must always do so.
If you previously used group policy to configure your company's client systems to use a specific cipher, such as by configuring SSL Cipher Suite Order group policy settings, you must now use a Horizon Client group policy security setting. See Using Group Policy Settings to Configure Horizon Client. Alternatively, you can use the SSLCipherList registry setting on the client system. See Using the Windows Registry to Configure Horizon Client.
You can configure the default certificate checking mode and prevent end users from changing it in Horizon Client. For more information, see Configuring the Certificate Checking Mode for End Users.
Using an SSL Proxy Server
If you use an SSL proxy server to inspect traffic sent from the client environment to the Internet, enable the Protocol Connection Certificate Verification setting and set it to PKI Verification or Thumbprint or PKI Verification. If the client is running in FIPS mode, set this option to PKI Verification. This setting allows certificate checking for secondary connections through an SSL proxy server and applies to both Blast Secure Gateway and secure tunnel connections. If you use an SSL proxy server and enable certificate checking, but do not set this setting to PKI or Thumbprint or PKI, connections fail because of mismatched thumbprints. The Protocol Connection Certificate Verification mode is not available if you enable the Do not verify server identity certificates option. When the Do not verify server identity certificates option is enabled, Horizon Client does not verify the certificate or thumbprint and an SSL proxy is always allowed. You can also configure the Protocol Connection Certificate Verification mode via the Horizon Client group policy setting.
You can also configure the Protocol Connection Certificate Verification mode by the Horizon Client group policy setting. For more information, see Using Group Policy Settings to Configure Horizon Client.
You can use the Configures the SSL Proxy certificate checking behavior of the Horizon Client group policy setting to configure whether to allow certificate checking for secondary connections through an SSL proxy server.
To allow VMware Blast connections through a proxy server, see Configure Blast Options.