Secure your VMware Horizon Access Point with an A score on SSL Labs


Nowadays security in IT is becoming more and more important. So what about your own infrastructure? Are you allowing external access through a web portal?

Many companies that implement a web portal for external access, with VMware Access Point or Citrix NetScaler for example, consider two-factor authentication to raise their level of authentication security. But what about the protocols being used? Or the algorithms those protocols use to set up the secure connection?

In this article we are going to tighten the SSL security of a VMware Horizon DaaS environment that uses the Access Point for external connectivity. We can test our SSL security with SSL Labs, which analyzes SSL web server deployments and identifies configuration issues. See the link below:

https://www.ssllabs.com/ssltest

Default Configuration

The default settings applied on the Access Point are great for compatibility but less so for security. So let's see what the score is with the default settings applied:

[Screenshot: SSL Labs report for the default Access Point configuration]

Looking at the result above, we clearly see how we can improve our security on our web portal. So let’s start securing!

Changing the configuration:

To change the security protocols and cipher suites used for the connections, we have to use the Access Point REST API.

  1. Open a secure shell on the DaaS tenant appliance or another Linux appliance.
  2. Create a file named ciphers.json in your home directory (the curl command in step 3 reads it from there) with the following content:
    {
    "cipherSuites": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "ssl30Enabled": "false",
    "tls10Enabled": "true",
    "tls11Enabled": "true",
    "tls12Enabled": "true"
    }
  3. Next, invoke the REST call that applies the protocol and cipher suite settings (curl prompts for the admin password; -k skips certificate verification of the appliance's management interface):
    curl -k -d @- -u 'admin' -H "Content-Type: application/json" -X PUT https://<ip-address-ap>:9443/rest/v1/config/system < ~/ciphers.json

Result

[Screenshot: SSL Labs report after applying the new cipher suite configuration]

Now we have a nice A score with this pretty simple adjustment!

Note that some older browsers and thin clients may not be compatible with these settings. To trade a little security for more compatibility, use the following JSON input, which results in an A- score:

{
"cipherSuites": "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"ssl30Enabled": "false",
"tls10Enabled": "true",
"tls11Enabled": "true",
"tls12Enabled": "true"
}

Be sure to test this thoroughly in a representative test environment before changing your production environment.
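Before PUTting a settings body to /rest/v1/config/system it helps to lint it for the things SSL Labs penalizes: SSLv3 or legacy TLS versions left on, and cipher suites without forward secrecy (the TLS_RSA_ suite in the A- body above uses static RSA key exchange, which is what the "no Forward Secrecy" remark in the comments refers to). The following is an added example, not code from the post or from VMware; the grading hints in its messages are assumptions about SSL Labs' behaviour, and the sample body is constructed from the A- JSON above.

```python
"""Added example (not from the original post or VMware): lint and harden an
Access Point system-settings JSON body before sending it with curl."""
import json

# Key-exchange prefixes that provide forward secrecy (ephemeral DH/ECDH keys).
FS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")


def to_bool(value):
    # The post's JSON uses the strings "true"/"false"; the comments use real
    # booleans. The appliance accepts both, so normalise either form here.
    return value if isinstance(value, bool) else str(value).lower() == "true"


def lint_settings(body):
    """Return a list of findings for a settings body (JSON string or dict)."""
    cfg = json.loads(body) if isinstance(body, str) else body
    findings = []
    if to_bool(cfg.get("ssl30Enabled", False)):
        findings.append("ssl30Enabled: SSLv3 is enabled")
    for legacy in ("tls10Enabled", "tls11Enabled"):
        if to_bool(cfg.get(legacy, False)):
            findings.append(f"{legacy}: legacy protocol enabled")
    suites = [s for s in cfg.get("cipherSuites", "").split(",") if s]
    if not suites:
        findings.append("cipherSuites: empty (the appliance would offer nothing)")
    seen = set()
    for s in suites:
        if s in seen:
            findings.append(f"{s}: duplicate entry")
        seen.add(s)
        if not s.startswith(FS_PREFIXES):
            findings.append(f"{s}: no forward secrecy (non-ephemeral key exchange)")
    return findings


def harden(body):
    """Return a new settings dict keeping only forward-secret suites and TLS 1.2."""
    cfg = json.loads(body) if isinstance(body, str) else dict(body)
    suites = []
    for s in cfg.get("cipherSuites", "").split(","):
        if s and s.startswith(FS_PREFIXES) and s not in suites:
            suites.append(s)  # drop static-RSA suites and duplicates
    return {**cfg, "cipherSuites": ",".join(suites), "ssl30Enabled": False,
            "tls10Enabled": False, "tls11Enabled": False, "tls12Enabled": True}


# Constructed sample: a shortened version of the post's A- body.
A_MINUS_BODY = json.dumps({
    "cipherSuites": "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
                    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "ssl30Enabled": "false", "tls10Enabled": "true",
    "tls11Enabled": "true", "tls12Enabled": "true"})

if __name__ == "__main__":
    for finding in lint_settings(A_MINUS_BODY):
        print("finding:", finding)
    print(json.dumps(harden(A_MINUS_BODY), indent=2))  # body ready for curl
```

Write the output of harden() to ciphers.json and apply it with the curl command from step 3; a reduced suite list like this is the same trade-off the comments describe, so check it against your oldest Horizon clients first.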

More information:
https://pubs.vmware.com/horizon-62-view/topic/com.vmware.ICbase/PDF/access-point-20-deploy-config-guide.pdf

About Dennis Sigmond

Dennis Sigmond is an enthusiastic IT Architect working for Login Consultants, specialized in the DaaS and EUC market. Dennis has over 14 years of experience in IT and was awarded vExpert 2017 status.

Comments

  1. Ken Sliger says:

    I was able to tweak this a little bit to get an A+ on SSL Labs. Essentially I removed the 128 bit cipher and disabled TLS 1.0 and 1.1. This should be fine if your users are connecting from the latest Horizon client and web browsers. I am running version 2.5 of the Horizon Access Point. This is the version released with Horizon 7.

    {
    "locale": "en_US",
    "adminPassword": "*****",
    "cipherSuites": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "ssl30Enabled": false,
    "tls10Enabled": false,
    "tls11Enabled": false,
    "tls12Enabled": true
    }

  2. Ken Sliger says:

    With EUC Appliance version 2.5, from the SSL Labs checker I am getting dinged on: The server does not support Forward Secrecy with the reference browsers. Any suggestions for this? My certificate is untrusted at this point but otherwise I am getting an A- with the default v2.5 config. It looks like they have disabled SSL3 and TLS1.0 by default now.
