The PCoIP Secure Gateway must be configured with a DoD-issued TLS certificate.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-246911	HRZV-7X-000030	SV-246911r768693_rule		Medium

Description
The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority (CA). If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The Blast Secure Gateway supports the replacement of the default, self-signed certificate with one issued by the DoD. This is accomplished through the normal Windows Server certificate management tools. For simplicity, it is recommended to use the same certificate as previously configured for Connection Server itself via the "vdm" common name.

Description

The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority (CA). If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The Blast Secure Gateway supports the replacement of the default, self-signed certificate with one issued by the DoD. This is accomplished through the normal Windows Server certificate management tools. For simplicity, it is recommended to use the same certificate as previously configured for Connection Server itself via the "vdm" common name.

STIG	Date
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide	2021-07-30

Details

Check Text ( C-50343r768691_chk )
On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway". Locate the "SSLCertWinCertFriendlyName" key. If "SSLCertWinCertFriendlyName" does not exist, this is a finding. If "SSLCertWinCertFriendlyName" is set to "vdm", this is not a finding. Note the value of "SSLCertWinCertFriendlyName". This is the friendly name of the PCoIP Secure Gateway certificate. On the Horizon Connection Server, open "certlm.msc or certmgr.msc" (Certificate Management - Local Computer). Select Personal >> Certificates. In the right pane, locate the certificate with the "Friendly Name" of the previously noted value of "SSLCertWinCertFriendlyName". For this certificate, locate the issuer in the "Issued By" column. If the PCoIP Secure Gateway certificate is not "Issued By" a trusted DoD CA, this is a finding. Note: If the PCoIP Secure Gateway is not enabled, this is not applicable.

Check Text ( C-50343r768691_chk )

On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway". Locate the "SSLCertWinCertFriendlyName" key.

If "SSLCertWinCertFriendlyName" does not exist, this is a finding.

If "SSLCertWinCertFriendlyName" is set to "vdm", this is not a finding.

Note the value of "SSLCertWinCertFriendlyName". This is the friendly name of the PCoIP Secure Gateway certificate.

On the Horizon Connection Server, open "certlm.msc or certmgr.msc" (Certificate Management - Local Computer). Select Personal >> Certificates. In the right pane, locate the certificate with the "Friendly Name" of the previously noted value of "SSLCertWinCertFriendlyName". For this certificate, locate the issuer in the "Issued By" column.

If the PCoIP Secure Gateway certificate is not "Issued By" a trusted DoD CA, this is a finding.

Note: If the PCoIP Secure Gateway is not enabled, this is not applicable.

Fix Text (F-50297r768692_fix)
On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway". Option One: Use the same certificate as the Connection Server. Create a new String (REG_SZ) key named "SSLCertWinCertFriendlyName". Set its value to "vdm". Close the Registry Editor. Restart the "VMware Horizon View PCoIP Secure Gateway" service for changes to take effect. Option Two: Use a different certificate for the PCoIP Secure Gateway. Create a new String (REG_SZ) key named "SSLCertWinCertFriendlyName". Set its value to "pcoip". Close the Registry Editor. Obtain a web server certificate from a DoD authority, specifying the common name as the Horizon Connection server FQDN, the signing algorithm as SHA256 and the key strength of at least 1024 bits. Export the certificate and private key to a password-protected PFX bundle. Right-click on the Personal >> Certificates folder. Select All Tasks >> Import. Click "Next". Click "Browse...". Navigate to the .pfx bundle and click "Open". Click "Next". Supply the password, select "Mark this key as exportable" and "Include all extended properties". Click "Next". Click "Next". Click "Finish". Select the newly imported certificate. Right-click this certificate and select "Properties". Change the "Friendly name" to "pcoip". This name must be exact. Click "OK. Restart the "VMware Horizon View PCoIP Secure Gateway" service for changes to take effect.

Fix Text (F-50297r768692_fix)

On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway".

Option One:

Use the same certificate as the Connection Server.

Create a new String (REG_SZ) key named "SSLCertWinCertFriendlyName". Set its value to "vdm". Close the Registry Editor. Restart the "VMware Horizon View PCoIP Secure Gateway" service for changes to take effect.

Option Two:

Use a different certificate for the PCoIP Secure Gateway.

Create a new String (REG_SZ) key named "SSLCertWinCertFriendlyName". Set its value to "pcoip". Close the Registry Editor.

Obtain a web server certificate from a DoD authority, specifying the common name as the Horizon Connection server FQDN, the signing algorithm as SHA256 and the key strength of at least 1024 bits.

Export the certificate and private key to a password-protected PFX bundle.

Right-click on the Personal >> Certificates folder. Select All Tasks >> Import. Click "Next". Click "Browse...". Navigate to the .pfx bundle and click "Open". Click "Next". Supply the password, select "Mark this key as exportable" and "Include all extended properties". Click "Next". Click "Next". Click "Finish".

Select the newly imported certificate. Right-click this certificate and select "Properties". Change the "Friendly name" to "pcoip". This name must be exact. Click "OK.

Restart the "VMware Horizon View PCoIP Secure Gateway" service for changes to take effect.