To achieve greater security, you can configure the domain policy group policy object (GPO) to ensure that Windows-based machines running Horizon Agent do not use weak ciphers when they communicate by using the TLS protocol.
Note: To avoid possible confidentiality issues with messages exchanged with AD, we recommend that you require RPC sealing for LDAP connections to AD. "Sealing" these messages provides confidentiality by encrypting each message with a negotiated session key. Although currently optional, Microsoft plans to enforce RPC sealing sometime in 2023. See Microsoft KB5021130 for details.
Procedure
- To edit the GPO on the Active Directory server, select , right-click the GPO, and select Edit.
- In the Group Policy Management Editor, navigate to .
- Double-click SSL Cipher Suite Order.
- In the SSL Cipher Suite Order window, click Enabled.
- In the Options pane, replace the entire content of the SSL Cipher Suites text box with the following cipher list:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
The cipher suites appear on separate lines for readability. When you paste the list into the text box, the cipher suites must be on one line with no spaces after the commas.
Important: In FIPS mode, list GCM cipher suites only.
Note: You can amend this list of cipher suites to suit your own security policy.
- Exit the Group Policy Management Editor.
- To make the new group policy take effect, restart the Horizon Agent machines.
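The same setting applied from PowerShell instead of the Group Policy Management Editor, as an added example that is not part of this documentation: it joins the list above into the single-line form the text box requires, optionally keeps only the GCM suites for FIPS mode, writes the policy with the GroupPolicy module, and includes a check to run on an agent machine after the restart. The GPO name is an assumption; the registry key is the one the SSL Cipher Suite Order policy writes to.

```powershell
# Added example, not VMware's own script. Requires the GroupPolicy module (RSAT)
# on the machine where the policy is written.

# The cipher list from the procedure, one suite per entry for readability.
$CipherSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256'
)

# Set to $true for FIPS-mode machines: the procedure says to list GCM suites only.
$FipsMode = $false
if ($FipsMode) {
    $CipherSuites = $CipherSuites | Where-Object { $_ -match '_GCM_' }
}

# The text box requires one line, comma-separated, with no spaces after the commas.
$CipherList = $CipherSuites -join ','
if ($CipherList -match '\s') { throw 'Cipher list must not contain whitespace.' }

# Registry value behind the "SSL Cipher Suite Order" policy setting.
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$GpoName   = 'Horizon Agent TLS Hardening'   # assumption: the name of your GPO

Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'Functions' -Type String -Value $CipherList

# Verification, to run on a Horizon Agent machine after the policy has applied and the
# machine has restarted: the policy value must match, and no suite outside the list
# should still be offered by Schannel.
$PolicyPath = $PolicyKey -replace '^HKLM\\', 'HKLM:\'
$Applied    = (Get-ItemProperty -Path $PolicyPath -ErrorAction Stop).Functions
if ($Applied -ne $CipherList) { throw "Policy value on this machine is '$Applied'." }

$Unexpected = (Get-TlsCipherSuite).Name | Where-Object { $_ -notin $CipherSuites }
if ($Unexpected) {
    Write-Warning "Suites still offered outside the policy list: $($Unexpected -join ', ')"
} else {
    Write-Output 'Only the configured cipher suites are offered.'
}
```

Run the verification half only on the agent machine itself; Get-TlsCipherSuite reports the suites Schannel currently offers on the local system.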