VMware Horizon Community
Exselans
Contributor

disallow user access virtual machines without ssl certificate

hello,

I am using vmware esxi 5.0.

I don't want internal users to access their virtual machines without an SSL certificate. In their VMware View Client 5.0 they are choosing Options, then Configure SSL, and "Allow the unverifiable connection (Not Secure)", so they are in. How can I prevent this? I want only those who have a security certificate installed on their computer to be able to access their own virtual machines internally.

Note: My users log in with domain authentication.

Best Regards!

Exselans
Contributor

I need help with this question. Can anybody help me?

auhank
Enthusiast

Check "certificate verification mode" in VMWare View Administration documentation.

Exselans
Contributor

In View Administrator the "Require SSL" box is checked, but users can still access their virtual machines without using a certificate. There must be a way to not accept connections without SSL.

auhank
Enthusiast

By "View Administration" I mean the documentation. The setting I've noted is part of the VMware-supplied group policy. If you are feeding only to domain machines, this presumably can be forced on users.

Exselans
Contributor

I understand you. Yes, my users are in the domain, and I can use the ADM files to force them to use SSL. But the problem is: what if a computer is not in my domain? How can I force it to use SSL? I can control the people in my domain, but I want computers outside the domain too; they also have to use SSL to reach my Connection Server.

auhank
Enthusiast

Your original query is about clients that do not possess the signer's public key. If all you care about is that the connection is via SSL, then force SSL at the connection or security server (iirc, in 5.1, gymnastics are required to permit non-SSL, e.g., for SSL offloading). If your goal is as in the original post (i.e., force the client to verify signatures), then I know of no direct way to do this without control over the client.

Exselans
Contributor

Thank you for your reply.

VMware must do something for this security. Maybe the bosses in other companies want to protect their virtual machines as I do: no certificate, no login :)

Best Regards!

markbenson
VMware Employee

Just to be clear, View Connection Server always uses SSL and certificates unless you specifically configure it not to. All the newer clients only do SSL and so the only reason to ever turn SSL off (and use plain HTTP) on the Connection Server is if you have a load balancer configured for SSL offload and need to perform HTTP between the load balancer and View Connection Server.

There is nothing that the View client user can do to prevent SSL and certificates being used. Plain HTTP connections are blocked.

A View Connection Server environment should use a proper CA signed SSL certificate to replace the default get-you-started self signed one generated at install time. This CA signed SSL server certificate will give the View Client users the assurance of the identity of the View environment with a visual indication of its validity. This happens before user authentication. This is the same as when you use a Web browser to a secure site. You get a similar visual indication of the site and have the option as to whether to allow the connection or not. With View Clients and a Web browser, the user can know that the identity of the View environment is correct based on the SSL Server certificate and can therefore know whether it is a trusted site.

The user will not get access to their virtual desktops until they have authenticated by entering their correct username and password. If you want to make users perform stronger authentication, then View also supports stronger methods. Some customers issue X.509 certificates to their users and require them to provide this certificate in the form of a Smart Card and PIN. View fully supports this. View also supports strong authentication in the form of RSA SecurID and RADIUS. Unless the user gets past the authentication stage, they have no access to their virtual desktops.

These levels of protection are fully controlled server-side according to the security policy in force.

Hope this helps.

Mark.

Bolderus
Contributor

There is a certcheckmode setting in the View Client ADM. If VMware made an ADM file for the View Agent with certcheckmode, our problem would be solved. With the View Client ADM file, if your certificate is wrong under certcheckmode you can't access your desktop. If they made an ADM file for the Agent, people who don't have the right SSL certificate on their local machine couldn't access their desktop.

Best Regards!

Bolderus
Contributor

Nobody knows anything? I need a solution for this topic. Please help me.

Best Regards!

Bolderus
Contributor

Dear VMware Admins,

I need your help. Please help me.

mikebarnett
VMware Employee

Hi Bolderus,

I'm curious as to what exactly you are looking for here.

If the proper certificate is installed on a Connection Server there really isn't any way for a user to receive an incorrect one on their system when connecting. The Client will read the server-side certificate and then verify it against its own CAs.

What exactly are you looking for? Are you looking for some way to control exactly which endpoints have access to your infrastructure?

-Mike

Twitter: @MikeBarnett_
Bolderus
Contributor

Hi Mike,

I don't want internal users to access their virtual machines without an SSL certificate. In their VMware View Client 5.0 they are choosing Options, then Configure SSL, and "Allow the unverifiable connection (Not Secure)", so they are in. How can I prevent this? I want only those who have a security certificate installed on their computer to be able to access their own virtual machines internally.

mikebarnett
VMware Employee

I see.

In that case, the only way to achieve this will be to set the following GPO for the Client machines:

Certificate verification mode

You can find details on this GPO here:

http://pubs.vmware.com/view-51/topic/com.vmware.view.administration.doc/GUID-C6E7AF06-1D9F-4096-8753...

Once this setting is set users will be able to view the certificate verification mode but they will not be able to change it.

Alternatively, for systems that aren't on the domain, you can find the registry key that this GPO is setting and set that on each client system (I don't know the registry key off the top of my head so I can't just provide it).

I suspect it will be under:

HKLM\Software\VMware, Inc.\...

-Mike

Twitter: @MikeBarnett_
markbenson
VMware Employee

Mike is correct and the details of the registry setting and GPO settings are in the View Client documentation in a section on Configuring Certificate Checking for End Users.

I do want to clarify something though. Irrespective of what settings are used at the client, the connection will always be SSL. A certificate will always be used and the public key and other certificate information is always sent down to the client. Keys are exchanged and the communication is always encrypted with SSL. The end user can't turn that off. This is all controlled at the server side. The administrator can also replace the self-signed default certificate with one signed by a trusted certificate authority so that the client can fully verify that the View environment is genuine.

Users cannot avoid using SSL and certificates.

The user has to authenticate over this encrypted channel before being granted access to their virtual desktop. Unauthenticated users have no access.

I hope this clarifies things.

Mark

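As an added example (not from this thread and not VMware's own tooling), here is a PowerShell audit for the client-side certificate checking mode that Mike and Mark point to, so an administrator can see which managed endpoints would still accept an unverifiable server certificate. Only the CertCheckMode value name and the "HKLM\Software\VMware, Inc.\" prefix come from the thread; the full subkey path and the meaning of the numeric values are assumptions to confirm against the "Configuring Certificate Checking for End Users" section of the View Client documentation.

```powershell
# Added example: audit (and optionally enforce) the View Client certificate
# checking mode on a Windows endpoint. ASSUMPTIONS: the subkey below and the
# value meanings (0 = no verification, 1 = warn but allow an unverifiable
# server, 2 = reject unverifiable) must be confirmed in the View Client docs.
param(
    [switch]$Enforce,
    [string]$KeyPath = 'HKLM:\Software\VMware, Inc.\VMware VDM\Client\Security',  # assumed subkey
    [string]$ValueName = 'CertCheckMode',   # value name as used in the thread
    [int]$RequiredMode = 2                  # assumed: full verification
)

$ModeNames = @{
    0 = 'No verification'
    1 = 'Warn, but user may allow an unverifiable connection'
    2 = 'Reject unverifiable connections (full verification)'
}
$me = $env:COMPUTERNAME

function Get-ViewCertCheckMode {
    # Returns the current DWORD value, or $null when the key/value is absent
    if (-not (Test-Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$current = Get-ViewCertCheckMode
if ($null -eq $current) {
    Write-Output "${me}: $ValueName is not set; the client uses its default and the user can change it in Options."
} else {
    Write-Output "${me}: $ValueName = $current ($($ModeNames[$current]))"
}

if ($current -ne $RequiredMode) {
    Write-Warning "${me} is NOT compliant (required mode $RequiredMode)."
    if ($Enforce) {
        # Pinning the value machine-wide is what the GPO does on domain members;
        # on a standalone machine it still has to be done by an administrator.
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value $RequiredMode -Force | Out-Null
        Write-Output "${me}: set $ValueName to $RequiredMode."
    }
} else {
    Write-Output "${me} is compliant."
}
```

Run it elevated with `-Enforce` to pin the mode; as auhank and Mike note above, this only helps on machines you administer, since the setting lives on the client, not the Connection Server.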
markbenson
VMware Employee

Another thing I should add is that View also supports user certificate authentication.

This is in the form of Smart Card or CAC cards. In this case, View can be configured to require that a user presents their X.509 user certificate (from the card) in order to access View. If they don't have the card or don't know the PIN for the card, they can't get in and therefore have no access to any virtual desktop.

Bolderus
Contributor

Hi,

You are both right. Yes, we can control clients that are in the domain (domain-joined computers) with a GPO, but how can we control clients that are not in the domain? As we cannot control their clients, they are choosing "Allow the unverifiable connection (Not Secure)" and logging in to their desktop without a CA certificate. There must be something to prevent this. The control of desktops could be done by the View Agent, not only by the View Client. Can VMware do something for this?

Best Regards

Bolderus
Contributor

You may ask what my aim is:

I don't want my users to access their desktop with their own computer that they bring from home to the office. Some users have installed the View Client on their own laptops, and they come to the office and access their desktops easily. I need to prevent this.

Best Regards!
