
V-246908

CAT II (Medium)

The Horizon Connection Server must have Origin Checking enabled.

Rule ID

SV-246908r879887_rule

STIG

VMware Horizon 7.13 Connection Server Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000366

Discussion

RFC 6454 Origin Checking, which protects against cross-site request forgery, is enabled by default on the Horizon Connection Server. When an administrator opens the Horizon 7 Console or a user connects to Blast HTML Access, the server checks that the origin URL for the web request matches the configured secure tunnel URL or "localhost".

When the Connection Server is load balanced or front-ended by a Unified Access Gateway (UAG) appliance, origin checking will fail. This is commonly resolved by disabling origin checking entirely by specifying "checkOrigin=false" in the "locked.properties" file. This is not the proper solution. Instead, origin checking must be enabled and the load balancer and UAG appliances must be allowlisted via the "balancedHost" and "portalHost.X" settings in "locked.properties", respectively.

Origin checking can be disabled by adding the entry "checkOrigin=false" to "locked.properties", usually for troubleshooting purposes. The default configuration, "checkOrigin=true" or unspecified, must be verified and maintained.

Check Content

On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf".

If a file named "locked.properties" does not exist in this path, this is NOT a finding.

Open "locked.properties" in a text editor. Find the "checkOrigin" setting.

If there is no "checkOrigin" setting, this is NOT a finding.

If "checkOrigin" is set to "false", this is a finding.

Fix Text

On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf".

Open "locked.properties" in a text editor. Remove the following line:

checkOrigin=false

To allowlist a load balancer in front of the Connection Server, add the following line:

balancedHost=load-balancer-name-here

To allowlist Unified Access Gateway (UAG) gateways, add every address using the following format and pattern:

portalHost.1=access-point-name-1
portalHost.2=access-point-name-2
...

Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
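
The check content and the allowlist settings above, written as a PowerShell function; this is an added example, not part of the STIG or of VMware's tooling. `Test-HorizonOriginCheck`, the temp directory and the sample host names are hypothetical, and the parser assumes "locked.properties" follows Java properties syntax without line continuations.

```powershell
# Added example; Test-HorizonOriginCheck is a hypothetical helper, not a VMware cmdlet.
function Test-HorizonOriginCheck {
    param([Parameter(Mandatory)] [string] $ConfDir)  # ...\Server\sslgateway\conf
    $file = Join-Path $ConfDir 'locked.properties'
    $result = [ordered]@{
        Rule = 'V-246908'; File = $file; Finding = $false
        Reason = ''; BalancedHost = $null; PortalHosts = @()
    }
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        $result.Reason = 'locked.properties does not exist'
        return [pscustomobject]$result
    }
    # Case-sensitive map, since Java property keys are case-sensitive.
    $props = New-Object 'System.Collections.Generic.Dictionary[string,string]'
    foreach ($line in Get-Content -LiteralPath $file) {
        $t = $line.Trim()
        # Skip blank lines and properties-file comments (# or !).
        if ($t -eq '' -or $t -match '^[#!]') { continue }
        # key=value or key:value; a later duplicate key overrides an earlier one.
        if ($t -match '^([^=:\s]+)\s*[=:]\s*(.*)$') { $props[$Matches[1]] = $Matches[2].Trim() }
    }
    if (-not $props.ContainsKey('checkOrigin')) {
        $result.Reason = 'checkOrigin not set, default applies'
    } elseif ($props['checkOrigin'] -eq 'false') {
        # -eq ignores case, so "False" is flagged too (assumption, errs toward a finding).
        $result.Finding = $true
        $result.Reason = 'checkOrigin=false disables origin checking'
    } else {
        $result.Reason = 'checkOrigin=' + $props['checkOrigin']
    }
    # Allowlist entries named in the fix text, reported for the reviewer.
    if ($props.ContainsKey('balancedHost')) { $result.BalancedHost = $props['balancedHost'] }
    $result.PortalHosts = @($props.Keys | Where-Object { $_ -cmatch '^portalHost\.\d+$' } |
        Sort-Object | ForEach-Object { '{0}={1}' -f $_, $props[$_] })
    return [pscustomobject]$result
}

# Constructed sample: a temp directory standing in for the conf directory.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'v246908-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'locked.properties') -Value @(
    '# constructed sample, not from a real server'
    'checkOrigin = false'
    'balancedHost=lb.example.test'
    'portalHost.1=uag1.example.test'
)
Test-HorizonOriginCheck -ConfDir $demo | Format-List
```

On a Connection Server, pass the real "sslgateway\conf" path as `-ConfDir`; a result with `Finding` set to `True` corresponds to the finding condition in the check content.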