Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
SRG-APP-000516-AS-000237
SRG-APP-000516-AS-000237
An XCCDF Group - A logical subset of the XCCDF Benchmark
Details
Profiles
Prose
SRG-APP-000516-AS-000237
1 Rule
<GroupDescription></GroupDescription>
The Horizon Connection Server must have Origin Checking enabled.
Medium Severity
<VulnDiscussion>RFC 6454 Origin Checking, which protects against cross-site request forging, is enabled by default on the Horizon Connection Server. When an administrator opens the Horizon 7 Console or a user connects to Blast HTML Access, the server checks that the origin URL for the web request matches the configured secure tunnel URL or "localhost". When the Connection Server is load balanced or front-ended by a Unified Access Gateway (UAG) appliance, origin checking will fail. This is commonly resolved by disabling origin checking entirely by specifying "checkOrigin=false" in the "locked.properties" file. This is not the proper solution. Instead, origin checking must be enabled and the load balancer and UAG appliances must be allowlisted via the "balancedHost" and "portalHost.X" settings in "locked.properties", respectively. Origin checking can be disabled by adding the entry "checkOrigin=false" to locked.properties, usually for troubleshooting purposes. The default, "checkOrigin=true" or unspecified configuration must be verified and maintained.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>