You must follow certain guidelines for configuring TLS certificates for VMware Horizon 8 servers and related components.

Horizon Connection Server

TLS is required for client connections to a server. Client-facing Connection Server instances and intermediate servers that terminate TLS connections require TLS server certificates.

By default, when you install Connection Server, the installation generates a self-signed certificate for the server. However, the installation uses an existing certificate in the following cases:
  • If a valid certificate with a Friendly name of vdm already exists in the Windows Certificate Store.
  • If you upgrade to VMware Horizon 8 from an earlier release and a valid keystore file is configured on the Windows Server computer. In that case, the installation extracts the keys and certificates from the keystore and imports them into the Windows Certificate Store.

vCenter Server

Before you add vCenter Server to VMware Horizon 8 in a production environment, make sure that vCenter Server uses certificates that are signed by a CA.

For information about replacing the default certificate for vCenter Server, see "Certificate Replacement in Large Deployments" in the vSphere Authentication document on the VMware vSphere Documentation site.

PCoIP Secure Gateway

To comply with industry or jurisdiction security regulations, you can replace the default TLS certificate that is generated by the PCoIP Secure Gateway (PSG) service with a certificate that is signed by a CA. Configuring the PSG service to use a CA-signed certificate is highly recommended, particularly for deployments that require you to use security scanners to pass compliance testing. See TLS.

Blast Secure Gateway

By default, the Blast Secure Gateway (BSG) uses the TLS certificate that is configured for the Connection Server instance on which the BSG is running. If you replace the default, self-signed certificate for a server with a CA-signed certificate, the BSG also uses the CA-signed certificate.

Enrollment Server

TLS is required for connections to an enrollment server from Connection Server. By default, Enrollment Server generates a self-signed certificate for the server. However, the installation uses an existing certificate if a valid certificate with a Friendly name of vdm.es already exists in the Windows Certificate Store.

Database Server

To enable TLS for communication with the database server that hosts the Event database, make sure that the database server uses a certificate signed by a CA. Refer to the documentation from the respective database provider to set up the TLS certificate on the database server.

SAML 2.0 Authenticator

VMware Workspace ONE Access uses SAML 2.0 authenticators to provide Web-based authentication and authorization across security domains. If you want VMware Horizon 8 to delegate authentication to VMware Workspace ONE Access, you can configure VMware Horizon 8 to accept SAML 2.0 authenticated sessions from VMware Workspace ONE Access. When VMware Workspace ONE Access is configured to support VMware Horizon 8, VMware Workspace ONE Access users can connect to remote desktops by selecting desktop icons on the Horizon User Portal.

In Horizon Console, you can configure SAML 2.0 authenticators for use with Connection Server instances.

Before you add a SAML 2.0 authenticator in Horizon Console, make sure that the SAML 2.0 authenticator uses a certificate that is signed by a CA.

Additional Guidelines

For general information about requesting and using TLS certificates that are signed by a CA, see TLS.

When client endpoints connect to a Connection Server instance, they are presented with the server's TLS server certificate and any intermediate certificates in the trust chain (intermediate certificates are in the Connection Server's Windows Intermediate Certification Authorities store). To trust the server certificate, the client systems must have installed the root certificate of the signing CA.

vCenter Server does not present an intermediate certificate while making a TLS connection. Connection Server instances should therefore have those intermediate certificates in their Windows 'Intermediate Certification Authorities' store. See KB 2108294.

Similarly, if a SAML 2.0 authenticator is configured for Connection Server, the Connection Server computer must have installed the root certificate of the signing CA for the SAML 2.0 server certificate.
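The following PowerShell check is an added example and is not part of the VMware documentation. It ties together the friendly-name rule for Connection Server (vdm) and Enrollment Server (vdm.es) and the guidance above on intermediate certificates: it locates the certificate the installer would pick up, confirms it is CA-signed, unexpired and has a private key, and reports any intermediate in its chain that is missing from the Windows 'Intermediate Certification Authorities' store. It assumes an elevated session on the Horizon server itself; the function name Test-HorizonTlsCert is the example's own.

```powershell
# Added example (not VMware's code): validate the Horizon TLS server certificate by friendly name.
function Test-HorizonTlsCert {
    param(
        [ValidateSet('vdm', 'vdm.es')]   # 'vdm' = Connection Server, 'vdm.es' = Enrollment Server
        [string]$FriendlyName = 'vdm'
    )

    # The installer looks in the Local Computer 'Personal' store (Cert:\LocalMachine\My).
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName })
    if ($certs.Count -eq 0) {
        Write-Warning "No certificate with friendly name '$FriendlyName'; a self-signed certificate will be used."
        return [pscustomobject]@{ Ok = $false; Reason = 'not found' }
    }
    if ($certs.Count -gt 1) { Write-Warning "Several certificates carry friendly name '$FriendlyName'; only one should." }

    $cert = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
    $now  = Get-Date
    $r = [ordered]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey                           # required to terminate TLS
        NotExpired    = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)              # true for the installer's default cert
    }

    # Build the chain the same way Windows does when the server presents the certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $r.ChainBuilds = $chain.Build($cert)
    $r.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Every element between the leaf and the root must be in the Intermediate CA store
    # (Cert:\LocalMachine\CA), otherwise clients are not sent it during the handshake.
    $intermediates = Get-ChildItem Cert:\LocalMachine\CA | Select-Object -ExpandProperty Thumbprint
    $missing = @()
    for ($i = 1; $i -lt $chain.ChainElements.Count - 1; $i++) {
        $el = $chain.ChainElements[$i].Certificate
        if ($intermediates -notcontains $el.Thumbprint) { $missing += $el.Subject }
    }
    $r.MissingIntermediates = $missing -join '; '
    $r.Ok = (-not $r.SelfSigned) -and $r.HasPrivateKey -and $r.NotExpired -and $r.ChainBuilds -and ($missing.Count -eq 0)

    [pscustomobject]$r
}

# Check the Connection Server certificate; use -FriendlyName 'vdm.es' on an Enrollment Server.
Test-HorizonTlsCert -FriendlyName 'vdm' | Format-List
```

Ok is false for the installer's self-signed default, so the check doubles as a reminder that the certificate has not yet been replaced with a CA-signed one.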