The Horizon Agent must require TLS connections.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-246860 | HRZA-7X-000001 | SV-246860r768540_rule | Medium |
| Description |
|---|
| The Horizon Agent has the capability to be backward compatible with legacy clients, circa View 5.2, which do not support newer TLS connections. By default, the agent can fall back to this non-TLS mode when being accessed by a legacy client. The Horizon Agent must be configured to not support these legacy clients and enforce TLS connections as mandatory. |
| STIG | Date |
|---|---|
| VMware Horizon 7.13 Agent Security Technical Implementation Guide | 2021-07-30 |
Details
| Check Text ( C-50292r768538_chk ) |
|---|
| Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Security. Double-click the "Accept SSL encrypted framework channel" setting. If "Accept SSL encrypted framework channel" is not "Enabled" and set to "Enforce", this is a finding. |
| Fix Text (F-50246r768539_fix) |
|---|
| Ensure the vdm_agent*.admx templates are added. Open the "Group Policy Management" MMC snap-in. Open the site-specific GPO applying Horizon settings to the VDI desktops or RDS hosts. Navigate to Computer Configuration >> Policies >> Administrative Templates >> VMware View Agent Configuration >> Agent Security. Double-click the "Accept SSL encrypted framework channel" policy. Make sure the policy is "Enabled". Choose "Enforce" from the drop-down. Click "OK". |