Some older protocols and ciphers that are no longer considered secure are disabled in VMware Horizon by default. If required, you can enable them manually.
DHE Cipher Suites
For more information, see http://kb.vmware.com/kb/2121183. Cipher suites that are compatible with DSA certificates use Diffie-Hellman ephemeral keys, and these suites are no longer enabled by default, starting with Horizon 6 version 6.2.
For Connection Server instances and VMware Horizon desktops, you can enable these cipher suites by editing the Horizon LDAP database, locked.properties file, or registry, as described in this guide. See Change the Global Acceptance and Proposal Policies, Configure Acceptance Policies on Individual Servers, and Configure Proposal Policies on Remote Desktops. You can define a list of cipher suites that includes one or more of the following suites, in this order:
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (TLS 1.2 only, not FIPS)
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (TLS 1.2 only, not FIPS)
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (TLS 1.2 only)
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (TLS 1.2 only)
For View Agent Direct-Connection (VADC) machines, you can enable DHE cipher suites by adding the following to the list of ciphers when you follow the procedure "Disable Weak Ciphers in SSL/TLS for Horizon Agent Machines" in the Horizon Installation document.
In VMware Horizon, SSL version 3.0 has been removed.
For Connection Server instances and VMware Horizon desktops, you can enable RC4 on a Connection Server or a Horizon Agent machine by editing the configuration file C:\Program Files\VMware\VMware View\Server\jre\conf\security\java.security. At the end of the file is a multi-line entry called
RC4_128 and the comma that follows it from this entry and restart the Connection Server,or the Horizon Agent machine, as the case may be.
For View Agent Direct-Connection (VADC) machines, you can enable RC4 by adding the following to the list of ciphers when you follow the procedure "Disable Weak Ciphers in SSL/TLS Horizon Agent Machines" in the Horizon Installation document.
In VMware Horizon, TLS 1.0 is disabled by default.
For more information, see https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf and http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf. For instructions on how to enable TLS 1.0, see the sections "Enable TLSv1 on vCenter Connections from Connection Server" and the Horizon Upgrades document.