To achieve greater security in direct-connection sessions, you can modify the /etc/nginx/conf.d/vmwvadc.conf configuration file to disallow weak ciphers in SSL/TLS communications and replace the default self-signed TLS server certificate with a certificate signed by a Certificate Authority.
Disallowing Weak Ciphers in SSL/TLS Communications
For information on configuring supported cipher suites in Horizon Clients, refer to Horizon Client documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
###Enable https
, the following line specifies the default cipher list.
ssl_ciphers !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES;
To disallow weak ciphers, add the cipher strings to the ssl_ciphers
line using the cipher list format described in https://www.openssl.org/docs/.
Replacing the Self-Signed TLS Server Certificate
When View Agent Direct-Connection Plug-In (VADC) starts for the first time after installation, it automatically generates a self-signed TLS server certificate. The TLS server certificate is presented to Horizon Client during the TLS protocol negotiation to provide information to the client about this desktop.
The default self-signed TLS server certificate cannot give Horizon Client sufficient protection against threats of tampering and eavesdropping. To protect against these threats, you must replace the self-signed certificate with a certificate signed by a Certificate Authority (CA) that is trusted by the client and fully validated by the Horizon Client certificate checks.
Certificates with Subject Alternative Name (SAN) and wildcard certificates are supported.
###Enable https
, the following lines specify the default self-signed certificate and private key.
ssl_certificate /etc/vmware/ssl/rui.crt; ssl_certificate_key /etc/vmware/ssl/rui.key;
Replace the default entries in these lines with the file paths to your CA-signed certificate and private key.