To achieve greater security in direct-connection sessions, you can modify the /etc/nginx/conf.d/vmwvadc.conf configuration file to disallow weak ciphers in SSL/TLS communications and replace the default self-signed TLS server certificate with a certificate signed by a Certificate Authority.

Disallowing Weak Ciphers in SSL/TLS Communications

Note: If Horizon Client is not configured to support any cipher that is supported by the virtual desktop operating system, the TLS/SSL negotiation will fail and the client will be unable to connect.

For information on configuring supported cipher suites in Horizon Clients, refer to Horizon Client documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.

In the /etc/nginx/conf.d/vmwvadc.conf configuration file, under ###Enable https, the following line specifies the default cipher list.
ssl_ciphers !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES;

To disallow weak ciphers, add the cipher strings to the ssl_ciphers line using the cipher list format described in https://www.openssl.org/docs/.

Replacing the Self-Signed TLS Server Certificate

When Horizon Agent Direct-Connection Plug-In (formerly View Agent Direct-Connection Plug-In) starts for the first time after installation, it automatically generates a self-signed TLS server certificate. The TLS server certificate is presented to Horizon Client during the TLS protocol negotiation to provide information to the client about this desktop.

The default self-signed TLS server certificate cannot give Horizon Client sufficient protection against threats of tampering and eavesdropping. To protect against these threats, you must replace the self-signed certificate with a certificate signed by a Certificate Authority (CA) that is trusted by the client and fully validated by the Horizon Client certificate checks.

Certificates with Subject Alternative Name (SAN) and wildcard certificates are supported.

In the /etc/nginx/conf.d/vmwvadc.conf configuration file, under ###Enable https, the following lines specify the default self-signed certificate and private key.
ssl_certificate /etc/vmware/ssl/rui.crt;
ssl_certificate_key /etc/vmware/ssl/rui.key;

Replace the default entries in these lines with the file paths to your CA-signed certificate and private key.