Details
A Horizon 7 environment has many components, possibly including third-party gateways. It may be necessary to reconfigure security across the environment to meet local security policy and to allow different component versions and variants to co-exist.

This article provides information on configuring PCoIP security protocols and cipher suites for all Horizon 7 components.

Note: This article is specific to PCoIP connections.
Solution
To configure security protocols and cipher suites:

CONFIGURE SECURITY PROTOCOLS

Windows VDI desktop machine

1. Import the View PCoIP Server Session Variables GPO from the pcoip.admx file.
2. In the Group Policy Management Editor, navigate to Computer Configuration > Administrative Templates > PCoIP Session Variables > Overridable Administrator Defaults.
3. Edit the Configure SSL protocols policy setting.

You can also use a registry editor to configure security protocols for the Windows VDI desktop machine.

Add or modify this registry value:
HKLM\Software\Teradici\PCoIP\pcoip_admin
Name: pcoip.ssl_protocol
Type: REG_SZ
Value (default): TLS1.1:TLS1.2

Windows RDS host that provides RDS desktops or remote applications

1. Import the View PCoIP Server Session Variables GPO from the pcoip.admx file.
2. In the Group Policy Management Editor, navigate to Computer Configuration > Administrative Templates > PCoIP Session Variables > Overridable Administrator Defaults.
3. Edit the Configure SSL protocols policy setting.

You can also use a registry editor to configure security protocols for the Windows RDS host.

Add or modify this registry value:
HKLM\Software\Teradici\PCoIP\pcoip_admin
Name: pcoip.ssl_protocol
Type: REG_SZ
Value (default): TLS1.1:TLS1.2

Whether you choose to follow the GPO or registry editing procedure above, a further registry edit is required to configure security protocols for the PCoIP Security Gateway on an RDS host. A GPO is not available for this setting. Add or modify this registry value:
HKLM\Software\Teradici\SecurityGateway
Name: SSLProtocol
Type: REG_SZ
Value (default): tls1.2:tls1.1

Horizon Client for Windows

1. Import the View PCoIP Client Session Variables GPO from the pcoip.client.admx template file.
2. In the Group Policy Management Editor, navigate to Computer Configuration > Administrative Templates > PCoIP Client Session Variables > Overridable Administrator Defaults.
3. Edit the Configure SSL protocols policy setting.


You can also use a registry editor to configure security protocols for Horizon Client for Windows.

Add or modify this registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\Client\PCoIP\pcoip_admin\
Name: pcoip.ssl_protocol
Type: REG_SZ
Value (default): TLS1.0:TLS1.1:TLS1.2

Horizon Client for Linux

In any of these files, modify the value of pcoip.ssl_protocol to configure security protocols. The default value is "TLS1.0:TLS1.1:TLS1.2".

/etc/teradici/pcoip_admin_defaults.conf
~/.pcoip.rc
/etc/teradici/pcoip_admin.conf


Horizon Client for Mac

In any of these files, modify the value of pcoip.ssl_protocol to configure security protocols. The default value is "TLS1.0:TLS1.1:TLS1.2".

/etc/teradici/pcoip_admin_defaults.conf
/Users/username/.pcoip.rc
/etc/teradici/pcoip_admin.conf


Connection Server instance or security server

Use a registry editor to configure security protocols for the PCoIP Security Gateway. A GPO is not available for this setting. Add or modify this registry value:

HKLM\Software\Teradici\SecurityGateway
Name: SSLProtocol
Type: REG_SZ
Value (default): tls1.2:tls1.1


CONFIGURE CIPHER SUITES 

Windows VDI desktop machine

1. Import the View PCoIP Server Session Variables GPO from the pcoip.admx file.
2. In the Group Policy Management Editor, navigate to Computer Configuration > Administrative Templates > PCoIP Session Variables > Overridable Administrator Defaults.
3. Edit the Configure SSL Cipher List policy setting.


You can also use a registry editor to configure cipher suites for the Windows VDI desktop machine.

Add or modify this registry value:
HKLM\Software\Teradici\PCoIP\pcoip_admin
Name: pcoip.ssl_cipher_list
Type: REG_SZ
Value (default): ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:@STRENGTH

Windows RDS host that provides RDS desktops or remote applications

1. Import the View PCoIP Server Session Variables GPO from the pcoip.admx file.
2. In the Group Policy Management Editor, navigate to Computer Configuration > Administrative Templates > PCoIP Session Variables > Overridable Administrator Defaults.
3. Edit the Configure SSL Cipher List policy setting.


You can also use a registry editor to configure cipher suites for the Windows RDS host that provides RDS desktops or remote applications.

Add or modify this registry value:

HKLM\Software\Teradici\PCoIP\pcoip_admin
Name: pcoip.ssl_cipher_list
Type: REG_SZ
Value (default): ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:@STRENGTH

Whether you choose to follow the GPO or registry editing procedure above, a further registry edit is required to configure cipher suites for the PCoIP Security Gateway on an RDS host. A GPO is not available for this setting. Add or modify this registry value:

HKLM\Software\Teradici\SecurityGateway
Name: SSLCipherList
Type: REG_SZ
Value (default): ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:@STRENGTH


Horizon Client for Windows

1. Import the View PCoIP Client Session Variables GPO from the pcoip.client.admx template file.
2. In the Group Policy Management Editor, navigate to Computer Configuration > Administrative Templates > PCoIP Client Session Variables > Overridable Administrator Defaults.
3. Edit the Configure SSL Cipher List policy setting.

You can also use a registry editor to configure cipher suites for Horizon Client for Windows.

Add or modify this registry value:
Name: pcoip.ssl_cipher_list
Type: REG_SZ
Value (default): ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:@STRENGTH

Horizon Client for Linux

In any of these files, modify the value of pcoip.ssl_cipher_list to configure cipher suites. The default value is ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:@STRENGTH

/etc/teradici/pcoip_admin_defaults.conf
~/.pcoip.rc
/etc/teradici/pcoip_admin.conf


Horizon Client for Mac

In any of these files, modify the value of pcoip.ssl_cipher_list to configure cipher suites. The default value is ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:@STRENGTH

/etc/teradici/pcoip_admin_defaults.conf
/Users/username/.pcoip.rc
/etc/teradici/pcoip_admin.conf


Connection Server instance or security server

Use a registry editor to configure cipher suites for a Connection Server instance or security server. A GPO is not available for this setting. Add or modify this registry value:

HKLM\Software\Teradici\SecurityGateway
Name: SSLCipherList
Type: REG_SZ
Value (default): ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:@STRENGTH

Note: This procedure modifies the Windows registry. Before making any registry modifications, ensure that you have a current and valid backup of the registry and the virtual machine. For more information on backing up and restoring the registry, see the Microsoft Knowledge Base article 136393.
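
The following read-only audit is an added example, not part of the original article or of any VMware or Teradici tooling. It reads the server-side registry values listed above (agent/RDS host and PCoIP Security Gateway), falls back to the documented default when a value is absent, and reports tokens that fall outside an assumed local policy. Assumptions: the policy (TLS 1.2 only, ECDHE key exchange only), the function name Get-PcoipTlsFinding, and that only the keys named in this article are checked.

```powershell
# Added example: read-only audit of the PCoIP TLS registry values named in this article.
# Assumed local policy (not from the article): TLS 1.2 only, ECDHE key exchange only.
$AllowedProtocols = @('TLS1.2')
$DefaultCiphers = 'ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:' +
    'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:' +
    'ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:@STRENGTH'

# Key, value name and documented default for each server-side component.
$Settings = @(
    @{ Key = 'HKLM:\Software\Teradici\PCoIP\pcoip_admin'; Name = 'pcoip.ssl_protocol';    Default = 'TLS1.1:TLS1.2'; Kind = 'Protocol' }
    @{ Key = 'HKLM:\Software\Teradici\PCoIP\pcoip_admin'; Name = 'pcoip.ssl_cipher_list'; Default = $DefaultCiphers;  Kind = 'Cipher' }
    @{ Key = 'HKLM:\Software\Teradici\SecurityGateway';   Name = 'SSLProtocol';           Default = 'tls1.2:tls1.1'; Kind = 'Protocol' }
    @{ Key = 'HKLM:\Software\Teradici\SecurityGateway';   Name = 'SSLCipherList';         Default = $DefaultCiphers;  Kind = 'Cipher' }
)

function Get-PcoipTlsFinding {
    param([hashtable]$Setting)
    # An absent key or value means the component uses its default, so audit the default.
    $item = Get-ItemProperty -Path $Setting.Key -Name $Setting.Name -ErrorAction SilentlyContinue
    if ($item) { $value = [string]$item.($Setting.Name); $source = 'registry' }
    else       { $value = $Setting.Default;               $source = 'default' }

    # Values are colon-separated; @STRENGTH is an ordering directive, not a suite.
    $tokens = $value -split ':' | Where-Object { $_ -and $_ -notlike '@*' }
    if ($Setting.Kind -eq 'Protocol') {
        # -notin is case-insensitive, so the gateway's lowercase tokens match.
        $violations = @($tokens | Where-Object { $_ -notin $AllowedProtocols })
    } else {
        # Suites without an ECDHE prefix use static RSA key exchange.
        $violations = @($tokens | Where-Object { $_ -notlike 'ECDHE-*' })
    }
    [pscustomobject]@{
        Key        = $Setting.Key
        Name       = $Setting.Name
        Source     = $source
        Value      = $value
        Violations = $violations -join ', '
        Compliant  = ($violations.Count -eq 0)
    }
}

$Settings | ForEach-Object { Get-PcoipTlsFinding $_ } | Format-List
```

On a host left at the defaults listed above, every row reports Source "default" and is non-compliant under this assumed policy, because the defaults include TLS1.1 and the non-ECDHE AES suites.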