Administrators can configure the certificate verification mode. Administrators can also configure whether end users can control whether client connections are rejected if server certificate checks fail.

Certificate checking occurs for TLS connections between Connection Server instances and Horizon Client. Administrators can configure the verification mode to use one of the following strategies:

  • End users can choose the verification mode.
  • (No verification) No certificate checks are performed.
  • (Warn) End users are warned if a self-signed certificate is being presented by the server. Users can select whether to allow this type of connection.
  • (Full security) Full verification is performed and connections that do not pass full verification are rejected.

Certificate verification includes the following checks:

  • Has the certificate been revoked?
  • Is the certificate intended for a purpose other than verifying the identity of the sender and encrypting server communications? That is, is it the correct type of certificate?
  • Has the certificate expired, or is it valid only in the future? That is, is the certificate valid according to the computer clock?
  • Does the common name on the certificate match the host name of the server that sends it? A mismatch can occur if a load balancer redirects Horizon Client to a server that has a certificate that does not match the host name entered in Horizon Client. A mismatch can also occur if you enter an IP address rather than a host name in the client.
  • Is the certificate signed by an unknown or untrusted certificate authority (CA)? Self-signed certificates are one type of untrusted CA. To pass this check, the certificate's chain of trust must be rooted in the device's local certificate store.

If you use an SSL proxy server to inspect traffic that the client environment sends to the Internet, you can enable certificate checking for secondary connections through an SSL proxy server. You can also configure VMware Blast connections to use a proxy server.

For information about how to configure certificate checking and SSL proxy server use for a specific type of client, see the Horizon Client installation and setup document for that client. These documents also contain information about using self-signed certificates.