Administrators and sometimes end users can configure whether client connections are rejected if any or some server certificate checks fail.

Certificate checking occurs for SSL connections between Connection Server and Horizon Client. Certificate verification includes the following checks:

  • Has the certificate been revoked?

  • Is the certificate intended for a purpose other than verifying the identity of the sender and encrypting server communications? That is, is it the correct type of certificate?

  • Has the certificate expired, or is it valid only in the future? That is, is the certificate valid according to the computer clock?

  • Does the common name on the certificate match the host name of the server that sends it? A mismatch can occur if a load balancer redirects Horizon Client to a server that has a certificate that does not match the host name entered in Horizon Client. Another reason a mismatch can occur is if you enter an IP address rather than a host name in the client.

  • Is the certificate signed by an unknown or untrusted certificate authority (CA)? Self-signed certificates are one type of untrusted CA.

    To pass this check, the certificate's chain of trust must be rooted in the device's local certificate store.

Note:

For instructions about distributing a self-signed root certificate to all Windows client systems in a domain, see the topic called "Add the Root Certificate to Trusted Root Certification Authorities" in the View Installation document.

When you use Horizon Client to log in to a desktop, if your administrator has allowed it, you can click Configure SSL to set the certificate checking mode. You have three choices:

  • Never connect to untrusted servers. If any of the certificate checks fails, the client cannot connect to the server. An error message lists the checks that failed.

  • Warn before connecting to untrusted servers. If a certificate check fails because the server uses a self-signed certificate, you can click Continue to ignore the warning. For self-signed certificates, the certificate name is not required to match the server name you entered in Horizon Client.

    You can also receive a warning if the certificate has expired.

  • Do not verify server identity certificates. This setting means that no certificate checking occurs.

If the certificate checking mode is set to Warn, you can still connect to a Connection Server instance that uses a self-signed certificate.

If an administrator later installs a security certificate from a trusted certificate authority, so that all certificate checks pass when you connect, this trusted connection is remembered for that specific server. In the future, if that server ever presents a self-signed certificate again, the connection fails. After a particular server presents a fully verifiable certificate, it must always do so.

Important:

If you previously configured your company's client systems to use a specific cipher via GPO, such as by configuring SSL Cipher Suite Order group policy settings, you must now use a Horizon Client group policy security setting included in the View ADM template file. See Security Settings for Client GPOs. You can alternatively use the SSLCipherList registry setting on the client. See Using the Windows Registry to Configure Horizon Client.