The Blast Secure Gateway must be configured to only support TLS 1.2 connections.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-246884	HRZV-7X-000003	SV-246884r790553_rule		High

Description
Preventing the disclosure of transmitted information requires that the application server take measures to employ strong cryptographic mechanisms to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for Government systems. According to NIST and as of publication, TLS 1.1 must not be used and TLS 1.2 will be configured. Note: Mandating TLS 1.2 may affect certain client types. Test and implement carefully.

Description

Preventing the disclosure of transmitted information requires that the application server take measures to employ strong cryptographic mechanisms to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for Government systems. According to NIST and as of publication, TLS 1.1 must not be used and TLS 1.2 will be configured. Note: Mandating TLS 1.2 may affect certain client types. Test and implement carefully.

STIG	Date
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide	2021-07-30

Details

Check Text ( C-50316r768610_chk )
On the Horizon Connection Server, navigate to "\VMware\VMware View\Server\appblastgateway". If a file named "absg.properties" does not exist in this path, this is a finding. Open "absg.properties" in a text editor. Find the "localHttpsProtocolLow" and "localHttpsProtocolHigh" settings. Ensure they are set as follows: localHttpsProtocolLow=tls1.2 localHttpsProtocolHigh=tls1.2 If the "localHttpsProtocolLow" or "localHttpsProtocolHigh" settings do not exist, this is a finding. If the "localHttpsProtocolLow" and "localHttpsProtocolHigh" are not exactly as above, this is a finding.

Check Text ( C-50316r768610_chk )

On the Horizon Connection Server, navigate to "\VMware\VMware View\Server\appblastgateway".

If a file named "absg.properties" does not exist in this path, this is a finding.

Open "absg.properties" in a text editor. Find the "localHttpsProtocolLow" and "localHttpsProtocolHigh" settings.

Ensure they are set as follows:

localHttpsProtocolLow=tls1.2
localHttpsProtocolHigh=tls1.2

If the "localHttpsProtocolLow" or "localHttpsProtocolHigh" settings do not exist, this is a finding.

If the "localHttpsProtocolLow" and "localHttpsProtocolHigh" are not exactly as above, this is a finding.

Fix Text (F-50270r768611_fix)
On the Horizon Connection Server, navigate to "\VMware\VMware View\Server\appblastgateway". Open "absg.properties" in a text editor. Add or change the following lines: localHttpsProtocolLow=tls1.2 localHttpsProtocolHigh=tls1.2 Save and close the file. Restart the "VMware Horizon 7 Blast Secure Gateway" service for changes to take effect.