UCF STIG Viewer Logo

The Horizon Connection Server must have Origin Checking enabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-246908 HRZV-7X-000027 SV-246908r790559_rule Medium
Description
RFC 6454 Origin Checking, which protects against cross-site request forging, is enabled by default on the Horizon Connection Server. When an administrator opens the Horizon 7 Console or a user connects to Blast HTML Access, the server checks that the origin URL for the web request matches the configured secure tunnel URL or "localhost". When the Connection Server is load balanced or front-ended by a Unified Access Gateway (UAG) appliance, origin checking will fail. This is commonly resolved by disabling origin checking entirely by specifying "checkOrigin=false" in the "locked.properties" file. This is not the proper solution. Instead, origin checking must be enabled and the load balancer and UAG appliances must be allowlisted via the "balancedHost" and "portalHost.X" settings in "locked.properties", respectively. Origin checking can be disabled by adding the entry "checkOrigin=false" to locked.properties, usually for troubleshooting purposes. The default, "checkOrigin=true" or unspecified configuration must be verified and maintained.
STIG Date
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide 2021-07-30

Details

Check Text ( C-50340r768682_chk )
On the Horizon Connection Server, navigate to "\VMware\VMware View\Server\sslgateway\conf".

If a file named "locked.properties" does not exist in this path, this is NOT a finding.

Open "locked.properties" in a text editor. Find the "checkOrigin" setting.

If there is no "checkOrigin" setting, this is NOT a finding.

If "checkOrigin" is set to "false", this is a finding.
Fix Text (F-50294r790558_fix)
On the Horizon Connection Server, navigate to "\VMware\VMware View\Server\sslgateway\conf".

Open "locked.properties" in a text editor. Remove the following line:

checkOrigin=false

To allowlist a load balancer in front of the Connection Server, add the following line:

balancedHost=load-balancer-name-here

To allowlist Unified Access Gateway (UAG) gateways, add every address using the following format and pattern:

portalHost.1=access-point-name-1
portalHost.2=access-point-name-2
...

Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.