Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-246908 | HRZV-7X-000027 | SV-246908r790559_rule | | Medium |
Description |
---|
RFC 6454 origin checking, which protects against cross-site request forgery, is enabled by default on the Horizon Connection Server. When an administrator opens the Horizon 7 Console or a user connects to Blast HTML Access, the server checks that the origin URL of the web request matches the configured secure tunnel URL or "localhost". When the Connection Server is load balanced or front-ended by a Unified Access Gateway (UAG) appliance, origin checking will fail. This is commonly resolved by disabling origin checking entirely by specifying "checkOrigin=false" in the "locked.properties" file. This is not the proper solution. Instead, origin checking must remain enabled and the load balancer and UAG appliances must be allowlisted via the "balancedHost" and "portalHost.X" settings in "locked.properties", respectively. Origin checking can be disabled by adding the entry "checkOrigin=false" to "locked.properties", usually for troubleshooting purposes. The default, "checkOrigin=true" or an unspecified "checkOrigin" setting, must be verified and maintained. |
STIG | Date |
---|---|
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide | 2021-07-30 |
Check Text ( C-50340r768682_chk ) |
---|
On the Horizon Connection Server, navigate to " If a file named "locked.properties" does not exist in this path, this is NOT a finding. Open "locked.properties" in a text editor. Find the "checkOrigin" setting. If there is no "checkOrigin" setting, this is NOT a finding. If "checkOrigin" is set to "false", this is a finding. |
Fix Text (F-50294r790558_fix) |
---|
On the Horizon Connection Server, navigate to " Open "locked.properties" in a text editor. Remove the following line: "checkOrigin=false". To allowlist a load balancer in front of the Connection Server, add the following line: "balancedHost=load-balancer-name-here". To allowlist Unified Access Gateway (UAG) gateways, add every address using the following format and pattern: "portalHost.1=access-point-name-1", "portalHost.2=access-point-name-2", ... Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect. |
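The check and fix above can be expressed as a small script that reads a "locked.properties" file, reports whether the "checkOrigin" setting makes this a finding, and produces the remediated contents (the "checkOrigin=false" line removed, the load balancer and UAG names added as "balancedHost" and "portalHost.N"). This is an added example, not part of the STIG and not VMware's tooling; it treats "locked.properties" as a plain Java-style key=value file (an assumption), and the sample file contents and host names are constructed for the example.

```python
"""Added example: evaluate and remediate the checkOrigin setting in a Horizon
Connection Server locked.properties file (STIG HRZV-7X-000027).

Assumption: locked.properties is a simple Java-style properties file, one
"key=value" per line, with "#" or "!" starting a comment line.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample: origin checking disabled, the configuration the STIG flags.
SAMPLE_LOCKED_PROPERTIES = """\
# constructed sample locked.properties
checkOrigin=false
serverProtocol=https
"""

_COMMENT_PREFIXES = ("#", "!")
# Java properties accept '=' or ':' as the key/value separator.
_KV_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Return key -> value for every non-comment, non-blank line."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(_COMMENT_PREFIXES):
            continue
        m = _KV_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_origin_finding(text: str) -> Tuple[bool, str]:
    """Apply the STIG check text to file contents.

    Returns (is_finding, reason). A missing file is "not a finding" and is
    left to the caller; a missing checkOrigin key, or any value other than
    "false", is also not a finding because the server default is true.
    """
    value = parse_properties(text).get("checkOrigin")
    if value is None:
        return False, "checkOrigin not set (server default is true)"
    if value.lower() == "false":
        return True, "checkOrigin=false disables RFC 6454 origin checking"
    return False, f"checkOrigin={value}"


def remediate(text: str,
              balanced_host: Optional[str] = None,
              portal_hosts: Iterable[str] = ()) -> str:
    """Apply the STIG fix text and return the new file contents.

    balanced_host is the hypothetical load balancer name, portal_hosts the
    hypothetical UAG appliance names; both are written as an allowlist so
    origin checking can stay enabled. Existing balancedHost/portalHost.N
    lines are replaced by the supplied allowlist.
    """
    kept = []
    for raw in text.splitlines():
        m = _KV_RE.match(raw.strip())
        key = m.group(1) if m and not raw.strip().startswith(_COMMENT_PREFIXES) else None
        if key == "checkOrigin" and m.group(2).strip().lower() == "false":
            continue  # drop the line; the default (true) is the required state
        if key == "balancedHost" or (key and re.fullmatch(r"portalHost\.\d+", key)):
            continue  # rewritten below from the caller's allowlist
        kept.append(raw)
    if balanced_host:
        kept.append(f"balancedHost={balanced_host}")
    for n, host in enumerate(portal_hosts, start=1):
        kept.append(f"portalHost.{n}={host}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    is_finding, reason = check_origin_finding(SAMPLE_LOCKED_PROPERTIES)
    print("finding" if is_finding else "not a finding", "-", reason)
    fixed = remediate(SAMPLE_LOCKED_PROPERTIES, "lb.example.test",
                      ["uag1.example.test", "uag2.example.test"])
    print(fixed)
    print(check_origin_finding(fixed))
```

Run it against a copy of the real file; the remediated text is only written back once the restart of the "VMware Horizon View Connection Server" service can be scheduled, since the change does not take effect until then.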