The VMware Horizon documentation explains many properties that can be set in the locked.properties file, but they are spread across different sections of the documentation. This blog post combines all of the documented locked.properties settings on one single page.
Someone at VMware explained the following to me: Almost anything you put in locked.properties is an override (except for smartcard setup info), and there are actually hundreds of these, most of which are not in any customer-facing document but are there in case a change from the default becomes useful in some situation. We publicise certain settings in the main doc set, KBs etc. where customers could benefit from them, but there isn’t a definitive list. Making such a list would involve trawling the entire secure gateway code base and in some cases would be hard to explain and dangerous to mess with.
The locked.properties file is located on the VMware Horizon View Connection server (or security server) in the following location: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties.
The properties in the locked.properties file are case sensitive.
After changing the locked.properties file, the View Connection Server service or View Security Server service must be restarted for the changes to take effect.
The format of each line in the locked.properties file is property_name=property_value
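A lint pass for the two rules above (the name=value format and case-sensitive names), as an added example that is not from VMware or the original post. It checks each name against the properties listed on this page and checks that numbered entries run 1, 2, 3 without gaps; the sample input is constructed, and treating lines that start with # as comments is an assumption.

```python
import re

# Property names documented on this page; NUMBERED names take a ".n" suffix.
PLAIN = {
    "gatewayLocation", "preferredSecureProtocol", "enableRevocationChecking",
    "crlLocation", "allowCertCRLs", "enableOCSP", "ocspURL", "ocspSigningCert",
    "ocspResponderCert", "ocspSendNonce", "ocspCRLFailover", "checkOrigin",
    "balancedHost", "serverProtocol", "serverPort", "serverPortNonSSL",
    "serverHost", "serverHostNonSSL", "psgControlPort", "useCertAuth",
    "trustKeyfile", "trustStoretype",
}
NUMBERED = {"secureProtocols", "enabledCipherSuite",
            "frontMappingHttpDisabled", "portalHost"}
BY_LOWER = {n.lower(): n for n in PLAIN | NUMBERED}

# Constructed sample input (not taken from a real server).
SAMPLE = """\
gatewayLocation=External
frontMappingHttpDisabled.1=5:*:missing
frontmappingHttpDisabled.2=3:/error/*:file:docroot
secureProtocols.1=TLSv1.2
secureProtocols.3=TLSv1.1
checkorigin=false
"""

def lint(text):
    """Return sorted (line_number, message) findings for locked.properties text."""
    findings, numbered = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        if "=" not in line:
            findings.append((no, "not in property_name=property_value form"))
            continue
        name = line.split("=", 1)[0].strip()
        m = re.fullmatch(r"(.+)\.(\d+)", name)
        base = m.group(1) if m else name
        if base not in (NUMBERED if m else PLAIN):
            hint = BY_LOWER.get(base.lower())
            why = (f"case differs from '{hint}'" if hint and hint != base
                   else "not a documented property in this form")
            findings.append((no, f"{name}: {why}"))
        elif m:
            numbered.setdefault(base, []).append((no, int(m.group(2))))
    for base, entries in numbered.items():
        for want, (no, got) in enumerate(entries, 1):
            if got != want:
                findings.append((no, f"{base}.{got}: expected {base}.{want}"))
    return sorted(findings)
```

Because the author's VMware contact says many undocumented overrides exist, a name reported as not documented is a prompt to check the spelling, not proof that the property is invalid.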
List of properties that can be set
- gatewayLocation
  - default value: “Internal” for connection servers and “External” for security servers
  - possible values: “Internal” – “External”
  - purpose: configures the gateway location for a Horizon Connection Server or Security Server.
    - “External” indicates that the gateway is available for users outside the corporate network.
    - “Internal” indicates that the gateway is available only for users inside the corporate network.
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-FEFE0E8A-1518-4BBA-A07D-894934F38DD5.html
- secureProtocols.n (n = an integer that you add sequentially (1, 2, 3, …) for each entry)
  - default value: –
  - possible values: –
  - purpose: to specify a local acceptance policy on an individual View Connection Server instance or security server. For each security protocol that you want to configure, you must add a secureProtocols.n entry. The list should be ordered with the latest protocol first.
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.security.doc/GUID-7FA3EE31-2DFD-4979-A972-87B40695FFC5.html
- preferredSecureProtocol
  - default value: –
  - possible values: –
  - purpose: defines the latest protocol given in the list of secureProtocols
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.security.doc/GUID-7FA3EE31-2DFD-4979-A972-87B40695FFC5.html
- enabledCipherSuite.n (n = an integer that you add sequentially (1, 2, 3, …) for each entry)
  - default value: –
  - possible values: –
  - purpose: to specify a local acceptance policy on an individual View Connection Server instance or security server. For each cipher suite that you want to configure, you must add an enabledCipherSuite.n entry.
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.security.doc/GUID-7FA3EE31-2DFD-4979-A972-87B40695FFC5.html and http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.security.doc/GUID-1F6DF6A0-8C06-43D6-B069-58DEB2E0CE6E.html
- frontMappingHttpDisabled.n (n = an integer that you add sequentially (1, 2, 3, …) for each entry)
  - default value: –
  - possible values: all of the following lines should be added. The variable <port> is the port number the client should connect to.
    - frontMappingHttpDisabled.1=5:*:moved:https::<port>
    - frontMappingHttpDisabled.2=3:/error/*:file:docroot
    - frontMappingHttpDisabled.3=1:/admin*:missing
    - frontMappingHttpDisabled.4=1:/view-vlsi*:missing
  - purpose: allows HTTP redirection for View clients that attempt to connect to port 80 when you have replaced the default port 443 on a View server
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.installation.doc/GUID-BC6C1AA8-5C3A-4F12-9C52-CEA32538189F.html
- frontMappingHttpDisabled.n (n = an integer that you add sequentially (1, 2, 3, …) for each entry)
  - default value: –
  - possible values: all of the following lines should be added.
    - frontMappingHttpDisabled.1=5:*:missing
    - frontMappingHttpDisabled.2=3:/error/*:file:docroot
  - purpose: prevents automatic redirection from http:// to https:// when users type http:// in their web browsers
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.installation.doc/GUID-DF019639-C46E-46A5-96CC-D722DD0BB244.html
- enableRevocationChecking
  - default value: “false”
  - possible values: “false” – “true”
  - purpose: to enable smart card certificate revocation checking.
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-AE9C2930-1326-4749-9806-FB547EB7C332.html and http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-5F752857-D36B-4BB1-913D-E7D9FACDC7F0.html and http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-253D1A6C-9500-4E85-AC24-1F0C7AB56045.html and http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-745BA40E-860D-489D-990B-DCB023C06AFE.html
- crlLocation
  - default value: –
  - possible values: –
  - purpose: defines the location of the CRL. The value can be a URL or a path.
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-AE9C2930-1326-4749-9806-FB547EB7C332.html and http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-253D1A6C-9500-4E85-AC24-1F0C7AB56045.html and http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-745BA40E-860D-489D-990B-DCB023C06AFE.html
- allowCertCRLs
  - default value: “false”
  - possible values: “false” – “true”
  - purpose: when this property is set to “true”, View extracts a list of CRLs from the user certificate.
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-253D1A6C-9500-4E85-AC24-1F0C7AB56045.html
- enableOCSP
  - default value: “false”
  - possible values: “false” – “true”
  - purpose: when you configure OCSP (Online Certificate Status Protocol) certificate revocation checking, View sends a verification request to an OCSP responder to determine the revocation status of a smart card user certificate.
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-5F752857-D36B-4BB1-913D-E7D9FACDC7F0.html
- ocspURL
  - default value: –
  - possible value: the URL of the OCSP responder
  - purpose: defines the URL of the OCSP responder.
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-5F752857-D36B-4BB1-913D-E7D9FACDC7F0.html
- ocspSigningCert OR ocspResponderCert
  - default value: –
  - possible value: the location of the file that contains the OCSP responder’s signing certificate
  - purpose: defines the location of the file that contains the OCSP responder’s signing certificate.
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-5F752857-D36B-4BB1-913D-E7D9FACDC7F0.html and http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-253D1A6C-9500-4E85-AC24-1F0C7AB56045.html
- ocspSendNonce
  - default value: “false”
  - possible values: “false” – “true”
  - purpose: when this property is set to “true”, a nonce is sent with OCSP requests to prevent repeated responses
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-253D1A6C-9500-4E85-AC24-1F0C7AB56045.html
- ocspCRLFailover
  - default value: “false”
  - possible values: “false” – “true”
  - purpose: when this property is set to “true”, View uses CRL checking if OCSP certificate checking fails
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-253D1A6C-9500-4E85-AC24-1F0C7AB56045.html
- checkOrigin
  - default value: “true”
  - possible values: “true” – “false”
  - purpose: to disable RFC 6454 origin checking (set the value to “false”)
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.security.doc/GUID-AA5D0A57-51A7-4FC1-A79B-AFD15A72499A.html
- balancedHost
  - default value: –
  - possible value: load balancer name
  - purpose: if multiple connection servers or security servers are load-balanced, you must specify the load balancer address (port 443 is assumed for this address)
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.security.doc/GUID-AA5D0A57-51A7-4FC1-A79B-AFD15A72499A.html and http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.installation.doc/GUID-BFF2E726-A5EB-4105-A0EA-F3D718C5880E.html
- portalHost.n (n = an integer that you add sequentially (1, 2, 3, …) for each entry)
  - default value: –
  - possible values: Unified Access Gateway name
  - purpose: if clients are connecting through Unified Access Gateway servers, you must specify the Unified Access Point address in the locked.properties file (port 443 is assumed for this address)
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.security.doc/GUID-AA5D0A57-51A7-4FC1-A79B-AFD15A72499A.html and http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.installation.doc/GUID-FE26A9DE-E344-42EC-A1EE-E1389299B793.html
- serverProtocol
  - default value: “http”
  - possible values: “https” – “http”
  - purpose: to allow HTTP connections between View servers and intermediate devices
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-690C7F60-FA7F-4C35-B9A6-22F271AF1DD2.html
- serverPort
  - default value: 443
  - possible values: any port other than 443 to which
  - purpose: to define the HTTPS listening port, set the serverPort to another port number to which the intermediate device is configured to connect.
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.installation.doc/GUID-A6EC1ECA-019B-4243-9686-8B6583A60017.html
- serverPortNonSSL
  - default value: –
  - possible values: any port other than 80 to which
  - purpose: to change the HTTP listening port from 80, set the serverPortNonSSL to another port number to which the intermediate device is configured to connect.
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-690C7F60-FA7F-4C35-B9A6-22F271AF1DD2.html and http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.installation.doc/GUID-A6EC1ECA-019B-4243-9686-8B6583A60017.html
- serverHost
  - default value: –
  - possible values: a valid IP address
  - purpose: if the View server has more than one NIC and you intend the server to listen for HTTPS connections on only one interface, set serverHost to the IP address of that NIC
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.installation.doc/GUID-A6EC1ECA-019B-4243-9686-8B6583A60017.html
- serverHostNonSSL
  - default value: –
  - possible values: a valid IP address
  - purpose: if the View server has more than one NIC and you intend the server to listen for HTTP connections on only one interface, set serverHostNonSSL to the IP address of that NIC
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-690C7F60-FA7F-4C35-B9A6-22F271AF1DD2.html and http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.installation.doc/GUID-A6EC1ECA-019B-4243-9686-8B6583A60017.html
- psgControlPort
  - default value: 50060
  - possible values: any free port number other than 50060
  - purpose: to replace the default port that controls the PCoIP Secure Gateway (PSG) service that runs on a Connection Server instance or security server. The same port number also needs to be added in the registry as a REG_SZ value named “TCPControlPort” under HKLM\SOFTWARE\Teradici\SecurityGateway
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.installation.doc/GUID-9B4F6427-7F5A-47D6-BFEB-BE64F56B83C2.html
- useCertAuth
  - default value: “false”
  - possible values: “false” – “true”
  - purpose: to enable certificate authentication
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-86F44C4A-64EE-4AEA-94FD-8F6367865129.html
- trustKeyfile
  - default value: –
  - possible value: set to the name of the truststore file
  - purpose: defines the name of the truststore file
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-86F44C4A-64EE-4AEA-94FD-8F6367865129.html
- trustStoretype
  - default value: –
  - possible value: jks
  - purpose: defines the type of the truststore
  - documentation: http://pubs.vmware.com/horizon-71-view/index.jsp#com.vmware.horizon-view.administration.doc/GUID-86F44C4A-64EE-4AEA-94FD-8F6367865129.html
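A review pass over the security-relevant settings in the list above, as an added example that is not from VMware or the original post: it applies the documented defaults and flags combinations that weaken origin checking, revocation checking or the protocol policy. The sample input is constructed, and the two dependency rules marked in the comments are assumptions rather than documented behaviour.

```python
# Constructed sample input (not taken from a real server).
SAMPLE = """\
useCertAuth=true
enableRevocationChecking=true
enableOCSP=true
ocspCRLFailover=true
checkOrigin=false
secureProtocols.1=TLSv1.2
secureProtocols.2=TLSv1.1
preferredSecureProtocol=TLSv1.1
"""


def parse(text):
    """Parse property_name=property_value lines; names stay case sensitive."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def audit(text):
    """Return review findings for security-relevant locked.properties settings."""
    p = parse(text)
    on = lambda name: p.get(name, "false") == "true"  # documented default: false
    out = []
    if p.get("checkOrigin", "true") == "false":
        out.append("checkOrigin=false: RFC 6454 origin checking is disabled")
    if p.get("serverProtocol") == "http":
        out.append("serverProtocol=http: plain HTTP to intermediate devices")
    if on("useCertAuth") and not on("enableRevocationChecking"):
        out.append("useCertAuth=true but revocation checking is not enabled")
    crl_source = "crlLocation" in p or on("allowCertCRLs")
    # Assumption: revocation checking needs a CRL source or an OCSP responder.
    if on("enableRevocationChecking") and not (crl_source or on("enableOCSP")):
        out.append("enableRevocationChecking=true but no CRL or OCSP source")
    if on("enableOCSP"):
        if "ocspURL" not in p:  # assumption: the responder URL must be set
            out.append("enableOCSP=true but ocspURL is missing")
        if not on("ocspSendNonce"):
            out.append("ocspSendNonce is not true: no nonce in OCSP requests")
        if on("ocspCRLFailover") and not crl_source:
            out.append("ocspCRLFailover=true but no CRL source to fall back to")
    # The list is ordered latest first, so the preferred protocol is entry 1.
    first, pref = p.get("secureProtocols.1"), p.get("preferredSecureProtocol")
    if first and pref and pref != first:
        out.append(f"preferredSecureProtocol={pref} is not secureProtocols.1={first}")
    return out
```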