...
Security scanners report concerns with the SSL server certificate on TCP port 4172.
PCI-DSS assessments conclude that external PCoIP connections are out of compliance.
VMware Unified Access Gateway (UAG) with Horizon ensures that only traffic on behalf of authenticated users is allowed to reach the internal network, and only to those desktops and RDS hosts that the user is authorized to access. Authentication and authorization through UAG are performed by the client over an HTTPS (HTTP over TLS) connection to UAG on TCP port 443. When this channel uses a trusted, CA-signed server certificate on UAG, the client has assurance that UAG is a trusted server.

Some scanners report a violation because they discover a self-signed certificate in use on the UAG PCoIP port, TCP 4172. These scanners have no way to detect that the TCP 4172 channel cannot be used without the initial authentication over the earlier trusted connection on TCP 443, so they report a false-positive vulnerability against UAG.

The usual concern about a self-signed certificate is that the connection is vulnerable to a man-in-the-middle (MITM) attack. This is not possible here: TCP 4172 cannot be used on its own on UAG without the prior trusted authentication and authorization on TCP 443, and the certificate presented on 4172 is checked by the client against a hash it received over that trusted channel (see the process flow below). VMware will work with vendors to update their security scanners to recognize that Horizon View uses multiple channels and authentication mechanisms.

PCoIP Secure Gateway (PSG) certificates can be replaced by CA-signed certificates. For more information on certificate replacement, see "Configure the PCoIP Secure Gateway to Use a New SSL Certificate" in the VMware Horizon View Installation guide.

Process Flow of a Horizon Client Connection via Unified Access Gateway:

1. A Horizon View Client end user selects PCoIP as the remote desktop protocol during desktop selection.
2. UAG returns an IP address, a TCP port number, a one-time token, and the secure hash of the appliance's PSG certificate to the client. The channel for this information is protected by TLS, using a server certificate that can be replaced by a CA-signed certificate.
3. The client validates the server certificate according to the customer's administrative security policy. For more information on client validation, see "Setting the Certificate Checking Mode in Horizon Client" in the VMware Horizon View Installation guide.
4. The client connects over TLS to the IP address and TCP port number supplied by the connection server. The certificate presented on this connection must match the certificate embedded in the client, or the secure hash provided by the connection server, thereby authenticating the PSG to the client.
5. Once TLS is in place on this connection, the client authenticates to the PSG using the one-time token it received over the TCP 443 connection. Over this assured channel, an IPsec security association is established in a process analogous to an IKE Phase 2 negotiation.
6. All PCoIP traffic between the client and the Horizon View desktop, through the appliance, is then AES-128 encrypted with GCM authentication. UDP packets arriving at the appliance are discarded if they have an invalid IPsec Security Parameters Index (SPI), or if they cannot be authenticated using the key associated with the SPI. The client similarly discards traffic that is not from the appliance.

Legacy Details:

Horizon Security Servers are legacy devices that have been deprecated since the 2020 editions of Horizon. Security Server is no longer supported in Horizon 8, and UAG is the superior solution for providing remote access. While it is still possible to maintain a Security Server on Horizon 7.x, it cannot be managed through the user interface because Flash has been deprecated; a PowerShell script is available to assist with management. It is recommended to move off the Horizon Security Server to Unified Access Gateway.

We recommend you migrate from Horizon 7 to Horizon 8 as soon as possible. Horizon 8 offers numerous improvements in performance, scale, and experience for both administrators and end users. A move to Unified Access Gateway is not contingent on a move to Horizon 8 and can be initiated in advance of it. See "Ensuring a successful migration from Horizon 7 to Horizon 8" (89840) for additional advice.
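When an assessor flags the self-signed certificate on TCP 4172, the check that settles the finding is whether the certificate served on that port is the PSG certificate the client pins in step 4 of the process flow above, or something else. The following is an added example, not code from this article or from VMware: it fetches the leaf certificate from a TLS port without chain validation (a self-signed PSG certificate is expected and must not be rejected), computes its SHA-256 fingerprint, and compares it in constant time against a fingerprint the administrator recorded from the UAG appliance out of band. The page does not state which hash algorithm UAG sends to the client in step 2; SHA-256 here is the editor's choice for an administrator-side comparison. The host, port and pin on the command line are placeholders, and the byte strings in the self-check are constructed, not real certificates.

```python
import hashlib
import hmac
import ssl
import sys
from typing import Tuple

HEX_DIGITS = set("0123456789ABCDEF")


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated
    upper-case hex, the format most certificate viewers and scanners print."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_pin(pin: str) -> str:
    """Accept a SHA-256 fingerprint with or without colons, in any case, with
    surrounding whitespace; reject anything that is not 64 hex digits."""
    cleaned = pin.strip().replace(":", "").replace(" ", "").upper()
    if len(cleaned) != 64 or any(c not in HEX_DIGITS for c in cleaned):
        raise ValueError("pin must be a 64-hex-digit SHA-256 fingerprint")
    return cleaned


def cert_matches_pin(der: bytes, pin: str) -> bool:
    """Compare the observed certificate's fingerprint with the recorded pin.
    hmac.compare_digest avoids leaking how many leading bytes matched."""
    observed = sha256_fingerprint(der).replace(":", "")
    return hmac.compare_digest(observed, normalize_pin(pin))


def fetch_leaf_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate presented on host:port.

    ssl.get_server_certificate() with ca_certs=None performs no chain
    validation, so a self-signed PSG certificate is returned rather than
    raising a verification error. Requires Python 3.10+ for the timeout
    keyword (assumption: the port answers a standard TLS handshake)."""
    pem = ssl.get_server_certificate((host, port), timeout=timeout)
    return ssl.PEM_cert_to_DER_cert(pem)


def triage_finding(der: bytes, pin: str) -> Tuple[bool, str]:
    """Return (matches, observed_fingerprint) for a scanner finding on the
    PCoIP port: True means the port presents the pinned PSG certificate."""
    return cert_matches_pin(der, pin), sha256_fingerprint(der)


def verdict(matches: bool, fingerprint: str) -> str:
    """Human-readable outcome for the assessment record."""
    if matches:
        return (f"EXPECTED: {fingerprint} is the pinned PSG certificate; the client only "
                "accepts it after authenticating on TCP 443, so the self-signed finding "
                "is a false positive.")
    return (f"INVESTIGATE: {fingerprint} does not match the recorded PSG certificate; "
            "the port is presenting a certificate the client would reject.")


if __name__ == "__main__":
    # Usage: python psg_pin_check.py <uag-host> <port> <recorded-sha256-fingerprint>
    # e.g.   python psg_pin_check.py uag.example.com 4172 AB:CD:...  (placeholders)
    if len(sys.argv) != 4:
        sys.exit("usage: psg_pin_check.py HOST PORT SHA256_FINGERPRINT")
    host, port, pin = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    ok, fp = triage_finding(fetch_leaf_der(host, port), pin)
    print(verdict(ok, fp))
    sys.exit(0 if ok else 1)
```

Record the reference fingerprint from the appliance itself (or from the CA-signed certificate you installed on the PSG), never from the scanner output, so the comparison is against a value obtained independently of the path under test. A mismatch does not by itself prove an attack, but it does mean the "false positive" explanation no longer applies and the port needs to be looked at.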