You can configure the certificate checking mode for end users. For example, you can require that full verification is always performed. Certificate checking occurs for TLS connections between a server and Horizon Client.
You can configure one of the following certificate verification strategies for end users.
- End users are allowed to select the certificate checking mode in Horizon Client.
- (No verification) No certificate checks are performed.
- (Warn) If the server presents a self-signed certificate, end users are warned. Users can determine whether to allow this type of connection.
- (Full security) Full verification is performed and connections that do not pass full verification are rejected.
If you use an SSL proxy server to inspect traffic sent from the client environment to the Internet, you must enable the protocol connection certificate verification mode and set it to PKI Verification. You can also configure certificate checking for secondary connections through the SSL proxy server. This feature applies to both Blast Secure Gateway and secure tunnel connections. You can also allow proxy server use for VMware Blast connections.
For information about the types of certificate checks that can be performed, see Setting the Certificate Checking Mode on Horizon Windows Client.
You can use Horizon Client group policy settings to set the certificate checking mode, allow SSL proxy use, restrict the use of certain cryptographic algorithms and protocols before establishing an encrypted TLS connection, and enable proxy use for VMware Blast connections. For more information, see Using Group Policy Settings to Configure Horizon Windows Client.
If you do not want to configure the certificate checking mode as a group policy, you can set it by adding the CertCheckMode value name to one of the following registry keys on the client computer:
- For 32-bit Windows: HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Client\Security
- For 64-bit Windows: HKLM\SOFTWARE\WOW6432Node\VMware, Inc.\VMware VDM\Client\Security
Set CertCheckMode to one of the following values:
- 0 implements Do not verify server identity certificates.
- 1 implements Warn before connecting to untrusted servers.
- 2 implements Never connect to untrusted servers.
If you configure both the group policy setting and the CertCheckMode setting in the registry key, the group policy setting takes precedence over the registry key value.
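The following PowerShell audit is an added example, not part of the VMware documentation. It reads CertCheckMode from the two registry keys listed above and reports which mode each one implements. Treating only value 2 as compliant is this example's own policy, and the function name Get-CertCheckModeAudit is hypothetical. Because a group policy setting takes precedence, a result here describes only the registry value, not necessarily the effective mode.

```powershell
# Added example: read-only audit of CertCheckMode in the keys named on this page.
$CertCheckKeys = @(
    'HKLM:\Software\VMware, Inc.\VMware VDM\Client\Security',
    'HKLM:\SOFTWARE\WOW6432Node\VMware, Inc.\VMware VDM\Client\Security'
)

# Value meanings as documented on this page.
$CertCheckModes = @{
    0 = 'Do not verify server identity certificates'
    1 = 'Warn before connecting to untrusted servers'
    2 = 'Never connect to untrusted servers'
}

function Get-CertCheckModeAudit {
    foreach ($key in $CertCheckKeys) {
        $raw = $null
        if (Test-Path -LiteralPath $key) {
            $raw = (Get-ItemProperty -LiteralPath $key -Name CertCheckMode `
                    -ErrorAction SilentlyContinue).CertCheckMode
        }

        if ($null -eq $raw) {
            # Key or value name is absent: nothing is pinned in this key.
            $meaning = 'CertCheckMode not set in this key'
            $result  = 'NOT SET'
        } else {
            $mode = $raw -as [int]   # $null if the data is not numeric
            if ($null -ne $mode -and $CertCheckModes.ContainsKey($mode)) {
                $meaning = $CertCheckModes[$mode]
                # Assumption (this example's policy): only full verification passes.
                $result = switch ($mode) { 0 { 'FAIL' } 1 { 'WARN' } 2 { 'OK' } }
            } else {
                $meaning = 'Value is not one of 0, 1 or 2'
                $result  = 'UNKNOWN'
            }
        }

        [pscustomobject]@{
            Key     = $key
            Value   = $raw
            Meaning = $meaning
            Result  = $result
        }
    }
}

Get-CertCheckModeAudit | Format-List
```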