The PCoIP Secure Gateway must be configured with a DoD-issued TLS certificate.

An XCCDF Rule

Description

<VulnDiscussion>The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority (CA). If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The Blast Secure Gateway supports the replacement of the default, self-signed certificate with one issued by the DoD. This is accomplished through the normal Windows Server certificate management tools. For simplicity, it is recommended to use the same certificate as previously configured for Connection Server itself via the "vdm" common name.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-246911r768693_rule
Severity: Medium
References: CCI-000366
Updated: about 1 year ago

On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway".

Option One:

Use the same certificate as the Connection Server.
Create a new String (REG_SZ) key named "SSLCertWinCertFriendlyName". Set its value to "vdm". Close the Registry Editor. Restart the "VMware Horizon View PCoIP Secure Gateway" service for changes to take effect.

Option Two:

Use a different certificate for the PCoIP Secure Gateway.

Create a new String (REG_SZ) key named "SSLCertWinCertFriendlyName". Set its value to "pcoip". Close the Registry Editor.

Obtain a web server certificate from a DoD authority, specifying the common name as the Horizon Connection server FQDN, the signing algorithm as SHA256 and the key strength of at least 1024 bits.

Export the certificate and private key to a password-protected PFX bundle.

Right-click on the Personal >> Certificates folder. Select All Tasks >> Import. Click "Next". Click "Browse...". Navigate to the .pfx bundle and click "Open". Click "Next". Supply the password, select "Mark this key as exportable" and "Include all extended properties". Click "Next".  Click "Next". Click "Finish".

Select the newly imported certificate. Right-click this certificate and select "Properties". Change the "Friendly name" to "pcoip". This name must be exact. Click "OK.

Restart the "VMware Horizon View PCoIP Secure Gateway" service for changes to take effect.

The PCoIP Secure Gateway must be configured with a DoD-issued TLS certificate.

Description

Remediation - Manual Procedure