The Horizon Connection Server must have Origin Checking enabled.

An XCCDF Rule

Description

RFC 6454 Origin Checking, which protects against cross-site request forgery, is enabled by default on the Horizon Connection Server. When an administrator opens the Horizon 7 Console or a user connects to Blast HTML Access, the server checks that the origin URL for the web request matches the configured secure tunnel URL or "localhost". When the Connection Server is load balanced or front-ended by a Unified Access Gateway (UAG) appliance, origin checking will fail. This is commonly resolved by disabling origin checking entirely by specifying "checkOrigin=false" in the "locked.properties" file. This is not the proper solution. Instead, origin checking must be enabled, and the load balancer and UAG appliances must be allowlisted via the "balancedHost" and "portalHost.X" settings in "locked.properties", respectively.

Origin checking can be disabled by adding the entry "checkOrigin=false" to "locked.properties", usually for troubleshooting purposes. The default configuration, "checkOrigin=true" or unspecified, must be verified and maintained.

Documentable: false

ID
SV-246908r790559_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf".

Open "locked.properties" in a text editor. Remove the following line:

checkOrigin=false
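
An added example (not part of the STIG text or of VMware's tooling): a Python check for the condition this rule describes, which also lists the "balancedHost" and "portalHost.X" allowlist entries. It goes slightly beyond the literal line above by also catching spellings such as "checkOrigin = false" and "checkOrigin:false"; treating the file as Java-style properties syntax, the sample contents and the host names are assumptions.

```python
import re

# Constructed sample of a locked.properties file (not taken from a real server).
SAMPLE = """\
# left over from troubleshooting
checkOrigin = false
balancedHost=horizon.example.test
portalHost.1=uag1.example.test
portalHost.2=uag2.example.test
"""

# Assumed Java .properties syntax: key, then '=', ':' or whitespace, then value.
# Simplified: line continuations and backslash escapes are not handled.
_LINE = re.compile(r"^\s*([^\s=:]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Return (key, value) pairs in file order, skipping blanks and comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment line
            continue
        m = _LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def audit_origin_checking(text):
    """Evaluate the settings this rule names.

    Assumption: origin checking counts as enabled only when checkOrigin is
    absent or every occurrence is 'true' (any letter case). Any other value,
    including one hidden by a later duplicate line, is reported as a finding.
    """
    pairs = parse_properties(text)
    origin = [v for k, v in pairs if k == "checkOrigin"]
    return {
        "compliant": all(v.lower() == "true" for v in origin),
        "checkOrigin": origin,
        "balancedHost": [v for k, v in pairs if k == "balancedHost"],
        "portalHosts": [v for k, v in pairs if k.startswith("portalHost.")],
    }


if __name__ == "__main__":
    print(audit_origin_checking(SAMPLE))
```

A plain text search for the exact string "checkOrigin=false" would report the constructed sample as clean, which is why the check parses keys and values instead.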