To achieve greater security, you can configure the domain policy GPO (group policy object) to ensure that communications that use the SSL/TLS protocol between Horizon Clients and virtual machine-based desktops or RDS hosts do not allow weak ciphers.

Procedure

  1. On the Active Directory server, edit the GPO by selecting Start > Administrative Tools > Group Policy Management, right-clicking the GPO, and selecting Edit.
  2. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Network > SSL Configuration Settings.
  3. Double-click SSL Cipher Suite Order.
  4. In the SSL Cipher Suite Order window, click Enabled.
  5. In the Options pane, replace the entire content of the SSL Cipher Suites text box with the following cipher list:
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA

    The cipher suites are listed above on separate lines for readability. When you paste the list into the text box, the cipher suites must be on one line with no spaces after the commas.

  6. Exit the Group Policy Management Editor.
  7. Restart the Horizon Agent Direct-Connection Plug-In machines for the new group policy to take effect.
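The following PowerShell script is an added example, not part of the VMware documentation, for checking on a Horizon Agent machine that the policy above actually landed after the restart. It assumes that the SSL Cipher Suite Order policy is stored by Windows in the REG_SZ value `Functions` under the policy key shown below as a comma-separated, single-line list; the `$ExpectedSuites` array is the list from step 5, and the function names are this example's own.

```powershell
# Added example (not VMware's code): verify the applied SSL Cipher Suite Order policy.
# Assumption: Group Policy writes the policy as the REG_SZ value "Functions" under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# The cipher list from step 5, one suite per array element.
$ExpectedSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA'
)

# Build the exact string the GPO text box expects: one line, commas, no spaces.
$ExpectedFunctions = $ExpectedSuites -join ','

function Get-AppliedCipherSuiteOrder {
    # Returns the raw policy string, or $null when the policy has not been applied.
    $item = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.Functions
}

function Test-CipherSuiteOrder {
    param(
        [string]$Applied,
        [string]$Expected
    )
    $result = [ordered]@{
        PolicyPresent = $false   # policy value exists in the registry
        ExactMatch    = $false   # applied string equals the expected one-line list
        HasWhitespace = $false   # a space after a comma (the paste mistake step 5 warns about)
        Unexpected    = @()      # suites present that are not in the expected list
        Missing       = @()      # expected suites that are absent
    }
    if ([string]::IsNullOrEmpty($Applied)) { return [pscustomobject]$result }

    $result.PolicyPresent = $true
    $result.ExactMatch    = ($Applied -eq $Expected)
    $result.HasWhitespace = ($Applied -match '\s')

    # Trim each entry so a stray space shows up in HasWhitespace, not as a bogus "Unexpected" suite.
    $appliedList = @($Applied -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $result.Unexpected = @($appliedList   | Where-Object { $_ -notin $ExpectedSuites })
    $result.Missing    = @($ExpectedSuites | Where-Object { $_ -notin $appliedList })
    return [pscustomobject]$result
}

$applied = Get-AppliedCipherSuiteOrder
$report  = Test-CipherSuiteOrder -Applied $applied -Expected $ExpectedFunctions
$report | Format-List

if (-not $report.PolicyPresent) {
    Write-Warning 'SSL Cipher Suite Order policy not found; run "gpupdate /force" and restart the machine.'
} elseif (-not $report.ExactMatch) {
    Write-Warning 'Applied cipher list differs from the expected list; re-check the pasted text in the GPO.'
}
```

Run it in an elevated PowerShell session on one of the restarted machines. A report with `PolicyPresent` true but `HasWhitespace` true or a non-empty `Unexpected` list points at a paste error in step 5 rather than a Group Policy delivery problem. On Windows 10 / Windows Server 2016 and later, `Get-TlsCipherSuite` can additionally show the order the Schannel provider will actually use, which is the list the Horizon Client negotiates against.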

Results

Note: If Horizon Client is not configured to support any cipher that is supported by the virtual desktop operating system, the TLS/SSL negotiation will fail and the client will be unable to connect.

For information on configuring supported cipher suites in Horizon Clients, refer to Horizon Client documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.