You can configure the security protocols and cipher suites that BSG's client-side listener accepts by editing the file absg.properties.

The supported protocols are as follows:

| Release version | Supported protocols | Default settings |
| --- | --- | --- |
| VMware Horizon 8 version 2312 and later | TLS 1.1, TLS 1.2, TLS 1.3. Note: TLS 1.1 is not supported in FIPS mode. | In non-FIPS mode, TLS 1.2 and TLS 1.3 are enabled. In FIPS mode, TLS 1.2 is enabled. |
| VMware Horizon 8 version 2309 and earlier | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.2 is enabled. |

Older protocols such as SSLv3 and earlier are never allowed.

Two properties, localHttpsProtocolLow and localHttpsProtocolHigh, determine the range of protocols that the BSG listener will accept. For example, setting localHttpsProtocolLow=tls1.1 and localHttpsProtocolHigh=tls1.3 will configure the listener to accept TLS 1.1, TLS 1.2, and TLS 1.3. You can examine the BSG's absg.log file to discover the values that are in force for a specific BSG instance.

You must specify the list of ciphers using the format that is defined in OpenSSL. You can search for "openssl cipher string" in a web browser to see the cipher list format. The default cipher lists are as follows:

| Protocol | Default cipher list |
| --- | --- |
| TLS 1.1, TLS 1.2 | ECDHE+AESGCM |
| TLS 1.3 | TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384 |

Note: In FIPS mode, only GCM cipher suites are enabled (ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256).

Procedure

  1. On the Connection Server instance, edit the file install_directory\VMware\VMware View\Server\appblastgateway\absg.properties.
    By default, the installed directory is %ProgramFiles%.
  2. Edit the properties localHttpsProtocolLow and localHttpsProtocolHigh to specify a range of protocols.
    For example,
    localHttpsProtocolLow=tls1.1
    localHttpsProtocolHigh=tls1.3

    To enable only one protocol, specify the same protocol for both localHttpsProtocolLow and localHttpsProtocolHigh.

  3. Edit the localHttpsCipherSpec property to specify a list of cipher suites.
    For example,
    localHttpsCipherSpec=!aNULL:kECDH+AESGCM:ECDH+AESGCM:kECDH+AES:ECDH+AES
  4. Restart the Windows service VMware Horizon Blast Secure Gateway.
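
The following added example (not part of the VMware documentation or product) audits a copy of absg.properties and reports which protocols the configured range accepts. It assumes Horizon 8 version 2312 or later, that the value tls1.2 follows the page's tls1.1/tls1.3 pattern, and that an unset property falls back to the defaults in the table above; the GCM check is a simple text heuristic, not an OpenSSL cipher-string expansion.

```python
# Added example (not VMware code): audit the BSG listener settings in absg.properties.
# Assumptions: Horizon 8 2312 or later; "tls1.2" follows the page's tls1.1/tls1.3 pattern.
ORDER = ["tls1.1", "tls1.2", "tls1.3"]

def parse_properties(text):
    """Return key/value pairs from key=value lines, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text, fips=False):
    """Return (accepted_protocols, findings) for the listener configuration."""
    props = parse_properties(text)
    # Assumed fallback when a property is unset: the page's default settings
    # (TLS 1.2 and TLS 1.3 in non-FIPS mode, TLS 1.2 only in FIPS mode).
    low = props.get("localHttpsProtocolLow", "tls1.2").lower()
    high = props.get("localHttpsProtocolHigh", "tls1.2" if fips else "tls1.3").lower()
    for name, value in (("localHttpsProtocolLow", low), ("localHttpsProtocolHigh", high)):
        if value not in ORDER:
            raise ValueError(f"{name}: unrecognised protocol {value!r}")
    lo, hi = ORDER.index(low), ORDER.index(high)
    if lo > hi:
        raise ValueError("localHttpsProtocolLow is above localHttpsProtocolHigh")
    accepted = ORDER[lo:hi + 1]  # the range is inclusive at both ends
    findings = []
    if "tls1.1" in accepted:
        findings.append("TLS 1.1 is in range" + (", but is not supported in FIPS mode" if fips else ""))
    # Heuristic: list cipher-string elements that do not name GCM (negations skipped).
    spec = props.get("localHttpsCipherSpec", "")
    non_gcm = [e for e in spec.split(":") if e and e[0] not in "!-" and "GCM" not in e.upper()]
    if fips and non_gcm:
        findings.append("non-GCM cipher elements under FIPS: " + ", ".join(non_gcm))
    return accepted, findings

# Constructed sample: the example values shown in the procedure above.
SAMPLE = """\
localHttpsProtocolLow=tls1.1
localHttpsProtocolHigh=tls1.3
localHttpsCipherSpec=!aNULL:kECDH+AESGCM:ECDH+AESGCM:kECDH+AES:ECDH+AES
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(audit(SAMPLE, fips=True))
```

Compare the result with the values that absg.log reports for the running instance, since the log shows what is actually in force.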