May 22, 2015 - Sven Huisman

Secure your Horizon View security server: from rating F to A-

After disabling SSLv3 on your Horizon View connection and security servers, there are a couple of steps you can take to secure your Horizon View environment even further. If you test your environment with the Qualys SSL Labs server test, you will probably get a rating of F:

[Screenshot: Qualys SSL Labs rating F]


To get a rating of A-, you should take the following steps (described in the Horizon View 6 security reference):

1. Update the JCE Policy Files to Support High-Strength Cipher Suites

You can add high-strength cipher suites for greater assurance, but first you must update the local_policy.jar and US_export_policy.jar policy files for JRE 7 on each View Connection Server instance and security server. You update these policy files by downloading the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 from the Oracle Java SE Download site.

If you include high-strength cipher suites in the list and do not replace the policy files, you cannot restart the VMware Horizon View Connection Server service.

The policy files are located in the C:\Program Files\VMware\VMware View\Server\jre\lib\security directory.

[Screenshot: the policy files in the jre\lib\security directory]

After you update the policy files, you must create backups of the files. If you upgrade the View Connection Server instance or security server, any changes that you have made to these files might be overwritten, and you might have to restore the files from the backup.

2. Change the Global Acceptance Policies with ADSI Edit

  • Start the ADSI Edit utility on your View Connection Server computer.
  • In the console tree, select Connect to.
  • In the Select or type a Distinguished Name or Naming Context text box, type the distinguished name DC=vdi, DC=vmware, DC=int.
  • In the Select or type a domain or server text box, select or type localhost:389 or the fully qualified domain name (FQDN) of the View Connection Server computer followed by port 389.

[Screenshot: ADSI Edit connection settings]

  • Expand the ADSI Edit tree, expand OU=Properties, select OU=Global, and select OU=Common in the right pane.
  • On the object CN=Common, OU=Global, OU=Properties, select each attribute that you want to change and type the new list of security protocols or cipher suites.

I selected these protocols and cipher suites. Make sure you test all your clients and that they support the protocols and cipher suites you enable:

pae-ServerSSLCipherSuites: \LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA

pae-ServerSSLSecureProtocols: \LIST:TLSv1.2,TLSv1.1,TLSv1

pae-ClientSSLCipherSuites: \LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA

pae-ClientSSLSecureProtocols: \LIST:TLSv1.2,TLSv1.1,TLSv1

  • Restart the VMware Horizon View Connection Server service (on the Connection and Security servers).

You can also create a locked.properties file and put it in C:\Program Files\VMware\VMware View\Server\sslgateway\conf on the security servers. Enter this in the locked.properties file:

secureProtocols.3=TLSv1
secureProtocols.2=TLSv1.1
secureProtocols.1=TLSv1.2

preferredSecureProtocol=TLSv1.2
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.3=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
enabledCipherSuite.4=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
enabledCipherSuite.5=TLS_RSA_WITH_AES_256_CBC_SHA256
enabledCipherSuite.6=TLS_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.7=TLS_RSA_WITH_AES_256_CBC_SHA
enabledCipherSuite.8=TLS_RSA_WITH_AES_128_CBC_SHA

Then restart the VMware Horizon View Security Server service.
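The ADSI attributes and locked.properties carry the same protocol and cipher lists in two different formats, so it pays to check the file for weak entries and to generate the matching \LIST: value from one source before restarting the services. The following Python script is an added example (not VMware's code and not from the original post); the key names are the ones shown above, the sample file is constructed, and the substrings used to flag weak suites are my own choice.

```python
import re

# Constructed sample mirroring the post's locked.properties, with one
# deliberately weak suite (RC4) added so the audit has something to flag.
SAMPLE = """\
secureProtocols.3=TLSv1
secureProtocols.2=TLSv1.1
secureProtocols.1=TLSv1.2

preferredSecureProtocol=TLSv1.2
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.2=TLS_RSA_WITH_RC4_128_SHA
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_MARKERS = ("RC4", "_NULL_", "_DES_", "3DES", "EXPORT", "_anon_", "_MD5")

def parse_locked_properties(text):
    """Return (protocols, preferred, ciphers); lists ordered by their .N index."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()

    def indexed(prefix):
        pairs = []
        for key, value in props.items():
            m = re.fullmatch(re.escape(prefix) + r"\.(\d+)", key)
            if m:
                pairs.append((int(m.group(1)), value))
        return [v for _, v in sorted(pairs)]

    return indexed("secureProtocols"), props.get("preferredSecureProtocol"), indexed("enabledCipherSuite")

def audit(text):
    """Return findings as strings; an empty list means the file passes."""
    protocols, preferred, ciphers = parse_locked_properties(text)
    findings = [f"weak protocol enabled: {p}" for p in protocols if p in WEAK_PROTOCOLS]
    if preferred and preferred not in protocols:
        findings.append(f"preferredSecureProtocol {preferred} not in secureProtocols")
    findings += [f"weak cipher suite enabled: {c}" for c in ciphers
                 if any(m in c for m in WEAK_MARKERS)]
    return findings

def adsi_list(values):
    """Render a list in the \\LIST: form the pae-* ADSI attributes expect."""
    return "\\LIST:" + ",".join(values)
```

Running audit() on the post's own file (without the RC4 line) returns no findings; adsi_list() on the parsed protocol list gives exactly the pae-ServerSSLSecureProtocols value shown above.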

Now you will have rating A-:

[Screenshot: Qualys SSL Labs rating A-]

For now, I’m happy with the A- rating.

If you still want IE8 on Windows XP to work, add this cipher suite: TLS_RSA_WITH_RC4_128_SHA

Because RC4 is a weak cipher, the rating will then drop to B.
