You can set the message security mode to specify the security mechanism used when JMS messages pass among VMware Horizon components.

The following table shows the options you can select to configure the message security mode. To set an option, select it from the Message security mode list on the Security Settings tab on the Global Settings page.

Table 1. Message Security Mode Options

Option     Description
Disabled   Message security mode is disabled.
Mixed      Message security mode is enabled but not enforced.
           You can use this mode to detect older components in your VMware Horizon environment. The log files generated by the connection broker contain references to these components. This setting is not recommended. Use this setting only to discover components that need to be upgraded.
Enabled    Message security mode is enabled, using a combination of message signing and encryption. JMS messages are rejected if the signature is missing or invalid, or if a message was modified after it was signed.
           JMS access control is also enabled so that desktops and connection broker instances can only send and receive JMS messages on certain topics.
Enhanced   SSL is used for all JMS connections. Messages are not signed or encrypted individually because all are protected by the channel. This brings significant performance benefits. Certificates are auto-managed. For more information, see Certificate Thumbprint Verification and Automatic Certificate Generation.

Note: There is an LDAP setting that you can enable to block Enhanced mode from being selected.
Note: Some JMS messages are encrypted because they carry sensitive information such as user credentials. If you do not use Enhanced mode, you can also use IPSec to encrypt all JMS messages between connection broker instances.

When you first install VMware Horizon on a system, the message security mode is set to Enhanced.

If you upgrade VMware Horizon from a previous release, the message security mode remains unchanged from its existing setting.

Important: If you plan to change the message security mode for an upgraded VMware Horizon environment from Enabled to Enhanced or from Enhanced to Enabled, you must first upgrade all connection broker instances and VMware Horizon desktops. After you change the setting, the new setting takes effect in stages.
  1. You must manually restart the VMware Horizon Message Bus Component service on all connection broker hosts in the pod, or restart the connection broker instances.
  2. After the services are restarted, the connection broker instances reconfigure the message security mode on all desktops, changing the mode to your new setting.
  3. To monitor the progress in the console, go to Settings > Global Settings.

    On the Security Settings tab, the Enhanced Security Status item shows the new setting when all components have made the transition.

    Alternatively, you can use the vdmutil command-line utility to monitor progress. See Using the vdmutil Utility to Configure JMS Message Security Mode.
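Step 1 above is easy to leave half-done in a multi-host pod, and until every connection broker has restarted the message bus service the pod is in a mixed state. The following PowerShell is an added example, not VMware's own code or documentation: it restarts the VMware Horizon Message Bus Component service on each connection broker host and reports the resulting service state so you can confirm the restart completed everywhere before moving on to step 3. The host names are constructed placeholders, and the script assumes PowerShell Remoting (WinRM) is enabled on the connection broker hosts and that the service's display name matches the name used above.

```powershell
# Added example (not VMware's code). Assumes WinRM is enabled on each
# connection broker host and that the account running this has rights to
# restart services there. Host names below are constructed placeholders.
$brokerHosts = @('cs-broker-01.example.local', 'cs-broker-02.example.local')

$results = foreach ($hostName in $brokerHosts) {
    Invoke-Command -ComputerName $hostName -ScriptBlock {
        # Look the service up by its display name as shown in the Services console.
        $svc = Get-Service -DisplayName 'VMware Horizon Message Bus Component' -ErrorAction Stop

        Restart-Service -InputObject $svc -Force -ErrorAction Stop

        # Wait for the service to come back up rather than assuming it did.
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(120))

        [pscustomobject]@{
            Host    = $env:COMPUTERNAME
            Service = $svc.Name
            Status  = (Get-Service -Name $svc.Name).Status
        }
    }
}

# Any host not showing Running here still needs attention before the
# connection brokers can push the new mode out to the desktops (step 2).
$results | Format-Table -AutoSize
```

Run it from a management workstation in the pod once the mode has been changed in the console; hosts that fail the remoting call or time out waiting for Running are the ones to restart by hand before checking Enhanced Security Status.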

If you plan to change an active VMware Horizon environment from Disabled to Enabled, or from Enabled to Disabled, change to Mixed mode for a short time before you make the final change. For example, if your current mode is Disabled, change to Mixed mode for one day, then change to Enabled. In Mixed mode, signatures are attached to messages but not verified, which allows the change of message mode to propagate through the environment.