Omnissa Horizon locked.properties Settings

The Omnissa Horizon locked.properties file feels like the best worst-kept secret.

The Horizon locked.properties file allows you to change many settings that aren’t accessible from the main Horizon admin interface.

In this post, I will show you step-by-step how to create and configure the locked.properties file, along with all the settings I’ve found that can be configured.

Create locked.properties

By default, the locked.properties file does not exist.

• Connect to your Horizon connection server.
• Browse to C:\Program Files\Omnissa\Horizon\Server\sslgateway\conf\

If you are still using a VMware branded version of Horizon, the path will be C:\Program Files\VMware\VMware View\Server\sslgateway\conf.

• Copy the settings.properties file and rename it to locked.properties

This is done to make sure the file is ASCII, as the part of Horizon that reads the locked.properties file requires it to be in ASCII.

• Open the locked.properties in Notepad and delete all its contents.

• Save the empty locked.properties file.
• Edit your locked.properties file as needed.

Once completed, go to the section Apply locked.properties Changes.

locked.properties Settings

The locked.properties file works by having one line per setting. On each line, the first item is the setting you want to change, followed by the = symbol (you can add spaces around the = symbol if you want). After the = symbol, you enter what you want the setting changed to.

An example would be if I wanted to change a setting named superFun and I wanted it to be set to Always. I would enter that as superFun=Always or superFun = Always.

Many of the settings that can be changed support multiple values. When the setting supports various values, it is represented as a numbered list starting at 1.

An example would be if the setting superFun supported a list, and I wanted to define multiple values, it would be entered as follows.

superFun.1=Friday
superFun.2=Saturday

There is no single source for all the settings in the locked.properties file. Each of the settings are scattered throughout Omnissa’s documentation.

Please use caution when changing the locked.properties settings, as some changes can make your Horizon setup less secure.

Below are all the locked.properties settings I’ve found.

• Gateway
• Load Balance
• Host Checking
• Gateway Location
• Client Denylisting
• Request Counting
• Disable HTTP Redirection
• Smart Card Authentication
• CRL Checking
• OCSP Certificate Revocation Checking
• Smart Card Certificate Revocation Checking
• Handshake Monitoring
• IETF (Internet Engineering Task Force) Standards
• HSTS (HTTP Strict Transport Security)
• W3C (World Wide Web Consortium) Standards
• CORS (Cross-Origin Resource Sharing)
• CSP (Content Security Policy)
• XSS (Cross-Site Scripting)
• Disable Web Indexing
• User Agent Allowlisting
• Acceptance Policies
• Allow HTTP Connections
• Change Default Ports
• HTTP Port Redirection
• Change PSG (PCoIP Secure Gateway) Port

Gateway

• portalHost.Number (this is numbered incrementally starting at 1).
  • You can enter text as the value.
• portalHost (is also allowed if you only have a single entry)
  • You can enter text as the value.

The default is undefined.

Example

portalHost.1=horizon.thedxt.ca
portalHost.2=uag1.thedxt.ca
portalHost.3=dxt-ho-uag01

For more information about portal hosts, here is the Omnissa documentation.

Load Balance

• balancedHost.Number (this is numbered incrementally starting at 1).
  • You can enter text as the value.
• balancedHost (is also allowed if you only have a single entry)
  • You can enter text as the value.

The default is undefined.

Example

balancedHost.1=horizon.thedxt.ca
balancedHost.2=load1.thedxt.ca
balancedHost.3=load2.thedxt.ca

Support for balanceHost.Number was added in 2306.

For more information about balanced hosts, here is the Omnissa documentation.

Host Checking

• allowUnexpectedHost
  • You can enter true or false.

The default is false.

Example

allowUnexpectedHost=true

Before version 2306, the default value was true.

For more information about allowing unexpected hosts, here is the Omnissa documentation.

Gateway Location

• gatewayLocation
  • Can be set to External or Internal

The default is Internal.

For more information about the gateway location setting, here is the Omnissa documentation.

Client Denylisting

• secureHandshakeDelay
  • You can enter the number of milliseconds you want the delay to be.
• insecureHandshakeDelay
  • You can enter the number of milliseconds you want the delay to be.

The default is disabled.

Example

secureHandshakeDelay=2000
insecureHandshakeDelay=1000

For more information about secure and insecure handshake delays, here is the Omnissa documentation.

Request Counting

• requestTallyThreshold
  • You can enter a number as the value.
• tarPitGraceThreshold
  • You can enter a number as the value.

The default is disabled.

Example

requestTallyThreshold=100
tarPitGraceThreshold=5

For more information about the tar pit grace threshold and the request tally threshold, here is the Omnissa documentation.

Disable HTTP Redirection

• disableRedirection
  • You can enter true or false.

The default is false.

Example

disableRedirection=true

disableRedirection is only for Horizon version 2412 and later.

For Horizon version 2406 and earlier the following can be used.

• frontMappingHttpDisabled

The value must be

frontMappingHttpDisabled.1=5:*:missing
frontMappingHttpDisabled.2=3:/error/*:file:docroot

For more information about disabling HTTP redirection, here is the Omnissa documentation.

Smart Card Authentication

• trustKeyfile
  • You can enter text.

The default is undefined.

• trustStoretype
  • Must be jks.

The default is undefined.

• useCertAuth
  • You can enter true or false.

The default is false.

Example

trustKeyfile=lonqa.key
trustStoretype=jks
useCertAuth=true

For more information about smart card authentication, here is the Omnissa documentation.

CRL Checking

• enableRevocationChecking
  • You can enter true or false.

The default is false.

• crlLocation.Number (this is numbered incrementally starting at 1).
  • You can enter text as the value. It should be a URL or a file path.

The default is undefined.

Example

enableRevocationChecking=true
crlLocation.1=http://root.ocsp.net/certEnroll/ocsp-ROOT_CA.crl
crlLocation.2=http://root2.ocsp.net/certEnroll/ocsp-ROOT2_CA.crl

For more information about CRL checking, here is the Omnissa documentation.

OCSP Certificate Revocation Checking

• enableRevocationChecking
  • You can enter true or false.

The default is false.

• enableOCSP
  • You can enter true or false.

The default is false.

• ocspURL
  • You can enter text.

The default is undefined.

• ocspSigningCert
  • You can enter text.

The default is undefined.

Example

enableRevocationChecking=true
enableOCSP=true
ocspURL=http://te-ca.lonqa.int/ocsp
ocspSigningCert=te-ca.signing.cer

For more information about OCSP certificate revocation checking, here is the Omnissa documentation.

Smart Card Certificate Revocation Checking

• allowCertCRLs
  • You can enter true or false.

The default is true.

• ocspResponderCert
  • You can enter text.

The default is undefined.

• ocspSendNonce
  • You can enter true or false.

The default is false.

• ocspCRLFailover
  • You can enter true or false.

The default is true.

Example

allowCertCRLs=true
ocspResponderCert=ocsp.cer
ocspSendNonce=true
ocspCRLFailover=true

For more information about smart card certificate revocation checking, here is the Omnissa documentation.

Handshake Monitoring

• handshakeLifetime
  • You can enter how many seconds the TLS handshake is allowed to take.

The default is 10 seconds.

Example

handshakeLifetime=20

For more information about the handshake lifetime setting, here is the Omnissa documentation.

IETF (Internet Engineering Task Force) Standards

• hstsMaxAge
  • You can enter how many seconds you want browsers to remember to use HTTPS.

The default is 1 year, defined as 31536000 seconds.

• x-frame-options
  • You can enter ON or OFF.

The default is ON.

• checkOrigin
  • You can enter true or false.

The default is true.

Example

hstsMaxAge=31556926
x-frame-options=OFF
checkOrigin=false

For more information about IETF (Internet Engineering Task Force) standards, here is the Omnissa documentation.

HSTS (HTTP Strict Transport Security)

• hstsFlags.Number (this is numbered incrementally starting at 1).
  • You can enter includeSubDomains and/or preload.

The default is undefined.

Example

hstsFlags.1=includeSubDomains
hstsFlags.2=preload

For more about HSTS (HTTP Strict Transport Security), here is the Omnissa documentation.

W3C (World Wide Web Consortium) Standards

• permsPolicy
  • You can enter text.

The default is disabled.

• referrerPolicy
  • You can enter text.

The default is activated and set to strict-origin-when-cross-origin.

Example

permsPolicy=camera=(), microphone=(self https://example.com), screen-wake-lock=*
referrerPolicy=OFF

For more information about W3C (World Wide Web Consortium) standards, here is the Omnissa documentation.

CORS (Cross-Origin Resource Sharing)

• enableCORS
  • You can enter true or false.

The default is true.

• acceptContentType.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default allows application/x-www-form-urlencoded, application/xml, and text/xml.

If you want to get more granular, you can also set the following.

• acceptContentType-admin.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default allows application/json, application/text, and application/x-www-form-urlencoded.

• acceptContentType-portal.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default is to allow application/json.

• acceptContentType-rest.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default is to allow application/json.

• acceptContentType-view-vlsi-rest.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default is to allow application/json.

• acceptHeader.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default is to allow all.

If you want to get more granular, you can also set the following.

• acceptHeader-admin.Number (this is numbered incrementally starting at 1).
  • You can define the following
    • Accept
    • Accept-Encoding
    • Accept-Charset
    • Accept-Language
    • Authorization
    • Cache-Control
    • Connection
    • Content-Language
    • Content-Length
    • Content-Type
    • Cookie
    • csrftoken
    • DNT
    • Host
    • Origin
    • Referer
    • User-Agent
• acceptHeader-broker.Number (this is numbered incrementally starting at 1).
  • You can define the following
    • Accept
    • Accept-Encoding
    • Accept-Charset
    • Accept-Language
    • Authorization
    • Connection
    • Content-Language
    • Content-Length
    • Content-Type
    • Cookie
    • Gateway-Location
    • Gateway-Name
    • Gateway-Type
    • Host
    • Origin
    • Referer
    • User-Agent
    • X-CSRF-Token
    • X-EUC-Gateway
    • X-EUC-Health
    • X-Forwarded-For
    • X-Forwarded-Host
    • X-Forwarded-Proto
• acceptHeader-portal.Number (this is numbered incrementally starting at 1).
  • You can define the following
    • Accept
    • Accept-Encoding
    • Accept-Charset
    • Accept-Language
    • Authorization
    • Connection
    • Content-Language
    • Content-Length
    • Content-Type
    • Cookie
    • Host
    • Origin
    • Referer
    • User-Agent
    • X-CSRF-Token
• acceptHeader-rest.Number (this is numbered incrementally starting at 1).
  • You can define the following
    • Accept
    • Accept-Encoding
    • Accept-Charset
    • Accept-Language
    • Authorization
    • Connection
    • Content-Language
    • Content-Length
    • Content-Type
    • Cookie
    • csrfToken
    • Host
    • Origin
    • Referer
    • User-Agent
    • X-Require-Cloud-Admin-Privilege
• acceptHeader-view-vlsi.Number (this is numbered incrementally starting at 1).
  • You can define the following
    • Accept
    • Accept-Encoding
    • Accept-Charset
    • Accept-Language
    • Authorization
    • Connection
    • Content-Language
    • Content-Length
    • Content-Type
    • Cookie
    • csrfToken
    • Host
    • Origin
    • Referer
    • User-Agent
    • X-Require-Cloud-Admin-Privilege
• acceptHeader-view-vlsi-rest.Number (this is numbered incrementally starting at 1).
  • You can define the following
    • Accept
    • Accept-Encoding
    • Accept-Charset
    • Accept-Language
    • Authorization
    • Connection
    • Content-Language
    • Content-Length
    • Content-Type
    • Cookie
    • csrfToken
    • Host
    • Origin
    • Referer
    • User-Agent
    • X-Require-Cloud-Admin-Privilege

• exposeHeader.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default is to expose all.

• filterHeaders
  • You can enter true or false.

The default is true.

• checkOrigin
  • You can enter true or false.

The default is true.

• checkReferer
  • You can enter true or false.

The default is false.

• allowCredentials
  • You can enter true or false.

The default is false.

• allowCredentials-admin
  • You can enter true or false.

The default is true.

• allowCredentials-broker
  • You can enter true or false.

The default is true.

• allowCredentials-health
  • You can enter true or false.

The default is true.

• allowCredentials-portal
  • You can enter true or false.

The default is true.

• allowCredentials-rest
  • You can enter true or false.

The default is true.

• allowCredentials-root
  • You can enter true or false.

The default is true.

• allowCredentials-saml
  • You can enter true or false.

The default is true.

• allowCredentials-tunnel
  • You can enter true or false.

The default is true.

• allowCredentials-view-vlsi
  • You can enter true or false.

The default is true.

• allowCredentials-view-vlsi-rest
  • You can enter true or false.

The default is true.

• allowCredentials-ws1
  • You can enter true or false.

The default is true.

• allowMethod.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default is GET, HEAD, and POST.

If you want to get more granular, you can also set the following.

• allowMethod-dct.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default is GET.

• allowMethod-dctroot.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default is GET.

• allowMethod-health.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default is GET and HEAD.

• allowMethod-rest.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default is GET, POST, PUT, PATCH, and DELETE.

• allowMethod-root.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default is GET.

• allowMethod-saml.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default is GET and HEAD.

• allowMethod-tunnel.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default is GET and POST.

• allowPreflight
  • You can enter true or false.

The default is true.

• maxAge
  • You can enter a number to set the cache time.

The default is 0.

• chromeExtension.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default is ppkfnjlimknmjoaemnpidmdlfchhehel.

• iwaBundleId.Number (this is numbered incrementally starting at 1).
  • You can enter text.

The default is ckg65ilaae42o6wd3uj4xfwznhba7pz2p6kojga5c27hkwq5f66qaaic.

• blockHtmlAccess
  • You can enter true or false.

The default is false.

• blockSwaggerDocs
  • You can enter true or false.

The default is false.

Example

enableCORS = true
acceptContentType.1 = application/x-www-form-urlencoded
acceptContentType.2 = application/xml
acceptContentType.3 = text/xml
filterHeaders=false
checkOrigin=false
checkReferer=true
allowCredentials=true
allowMethod.1=GET
allowMethod.2=HEAD
allowMethod.3=POST
allowMethod-saml.1=GET
allowMethod-saml.2=HEAD
allowPreflight=false
maxAge=10
chromeExtension=bpifadopbphhpkkcfohecfadckmpjmjd
iwaBundleId=ckg65ilaae42o6wd3uj4xfwznhba7pz2p6kojga5c27hkwq5f66qaaic
blockHtmlAccess=true
blockSwaggerDocs=true

For more information about CORS (Cross-Origin Resource Sharing) options, here is the Omnissa documentation.

CSP (Content Security Policy)

• enableCSP
  • You can enter true or false.

The default is true.

• content-security-policy
  • You can enter text.

The default is default-src 'none';base-uri 'self';child-src 'self' blob:;connect-src 'self' wss:;font-src 'self';form-action 'none';frame-ancestors 'self';frame-src 'self' blob:;img-src 'self' data: blob:;manifest-src 'none';media-src 'self' blob:;object-src 'self' blob:;script-src 'self' 'wasm-unsafe-eval';style-src 'self' 'unsafe-inline';worker-src 'self'

If you want to get more granular, you can also set the following.

• content-security-policy-admin
  • You can enter text.

The default is base-uri 'none';connect-src 'self' https:;default-src 'none';font-src 'self' data:;form-action 'none';frame-ancestors 'none';img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline'

• content-security-policy-root
  • You can enter text.

The default is base-uri 'self';child-src 'self' blob:;connect-src 'self' wss:;default-src 'none';font-src 'self';form-action 'none';frame-ancestors 'self';img-src 'self' data: blob:;media-src 'self' blob:;script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline'

• content-security-policy-ws1
  • You can enter text.

The default is base-uri 'self';child-src 'self' blob:;connect-src 'self' wss:;default-src 'none';font-src 'self';form-action 'none';frame-ancestors 'self';img-src 'self' data: blob:;media-src 'self' blob:;script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline'

• content-security-policy-rest
  • You can enter text.

The default is base-uri 'none';connect-src 'self' https:;default-src 'none';font-src 'self' data:;form-action 'none';frame-ancestors 'none';img-src 'self' data:;script-src 'self';style-src 'self' 'unsafe-inline'

• content-security-policy-view-vlsi-rest
  • You can enter text.

The default is base-uri 'none';connect-src 'self' https:;default-src 'none';font-src 'self' data:;form-action 'none';frame-ancestors 'none';img-src 'self' data:;script-src 'self';style-src 'self' 'unsafe-inline'

• x-content-type-options
  • You can enter text.

The default is nosniff.

• x-frame-options
  • You can enter text.

The default is deny.

Example

enableCSP=true
content-security-policy=default-src 'none';base-uri 'self';child-src 'self' blob:;connect-src 'self' wss:;font-src 'self';form-action 'none';frame-ancestors 'self';frame-src 'self' blob:;img-src 'self' data: blob:;manifest-src 'none';media-src 'self' blob:;object-src 'self' blob:;script-src 'self' 'wasm-unsafe-eval';style-src 'self' 'unsafe-inline';worker-src 'self'
content-security-policy-admin=base-uri 'none';connect-src 'self' https:;default-src 'none';font-src 'self' data:;form-action 'none';frame-ancestors 'none';img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline'
content-security-policy-rest=base-uri 'none';connect-src 'self' https:;default-src 'none';font-src 'self' data:;form-action 'none';frame-ancestors 'none';img-src 'self' data:;script-src 'self';style-src 'self' 'unsafe-inline'
x-content-type-options=nosniff
x-frame-options=deny

For more information about CSP (Content Security Policy), here is the Omnissa documentation.

XSS (Cross-Site Scripting)

• x-permitted-cross-domain-policies
  • You can enter ON or OFF.

The default is ON.

Example

x-permitted-cross-domain-policies=OFF

For more information about XSS (cross-site scripting), here is the Omnissa documentation.

Disable Web Indexing

• x-robots-tag
  • You can enter ON or OFF.

The default is ON.

Example

x-robots-tag=OFF

For more information about disabling web indexing, here is the Omnissa documentation.

User Agent Allowlisting

• clientWhitelist-portal.Number (this is numbered incrementally starting at 1).
  • You can enter Android, Chrome, Edge, IE, Firefox, Opera, and Safari.
  • You also need to specify the version.

The default is that all user agents are allowed.

Example

clientWhitelist-portal.1=Chrome-14
clientWhitelist-portal.2=Safari-5.1

For more information about user agent allowlisting, here is the Omnissa documentation.

Acceptance Policies

• secureProtocols.Number (this is numbered incrementally starting at 1).
  • You can enter the security protocols you want to allow.
• preferredSecureProtocol
  • You can enter the highest security protocol you want to allow.
• enabledCipherSuite.Number (this is numbered incrementally starting at 1).
  • You can enter the cipher suites you want to allow.
• honorClientOrder
  • You can enter true or false.

Example

secureProtocols.1=TLSv1.3
preferredSecureProtocol=TLSv1.3
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.3=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
enabledCipherSuite.4=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
honorClientOrder=false

For more information on the acceptance policies you can configure, here is the Omnissa documentation.

Allow HTTP Connections

• serverProtocol
  • You can enter http or https.

The default is https.

• serverPortNonTLS
  • You can enter a port number.

The default is port 80.

• serverHostNonTLS
  • You can enter an IP address.

The default is to listen on all network interfaces.

Example

serverProtocol=http
serverPortNonTLS=1337
serverHostNonTLS=10.20.30.40

For more information about allowing HTTP connections, here is the Omnissa documentation.

Change Default Ports

• serverProtocol
  • You can enter http or https.

The default is https.

• serverPort
  • You can enter a port number.

The default is port 443.

• serverHost
  • You can enter an IP address.

The default is to listen on all network interfaces.

• serverPortAdmin
  • You can enter a port number.

The default is to use the same port as serverPort.

• serverHostAdmin
  • You can enter an IP address.

The default is to use the same IP as serverHost.

• disableRedirection
  • You can enter true or false.

The default is false. If serverPort or serverPortAdmin are on port 80, it will always be true.

• serverPortNonSsl
  • You can enter a port number.

The default is port 80. If disableRedirection is set to true, it will be ignored.

• serverHostNonSsl
  • You can enter an IP address.

The default is to listen on all interfaces. If disableRedirection is set to true, it will be ignored.

Example

serverProtocol=https
serverPort=7443
serverHost=10.20.30.40
serverPortAdmin=9443
serverHostAdmin=10.21.31.41
disableRedirection=false
serverPortNonSsl=8080
serverHostNonSsl=10.22.32.42

For more information about changing the default HTTP ports, here is the Omnissa documentation.

HTTP Port Redirection

• frontMappingHttpDisabled
  • The value must be the following

frontMappingHttpDisabled.1=1:/admin*:missing
frontMappingHttpDisabled.2=1:/dct*:missing
frontMappingHttpDisabled.3=1:/rest*:missing
frontMappingHttpDisabled.4=1:/view-vlsi*:missing
frontMappingHttpDisabled.5=3:/error/*:file:docroot
frontMappingHttpDisabled.6=5:*:moved:https::443

You are allowed to change the last line frontMappingHttpDisabled.6=5:*:moved:https:: to the port number you want HTTP traffic to be redirected to.

Example

frontMappingHttpDisabled.1=1:/admin*:missing
frontMappingHttpDisabled.2=1:/dct*:missing
frontMappingHttpDisabled.3=1:/rest*:missing
frontMappingHttpDisabled.4=1:/view-vlsi*:missing
frontMappingHttpDisabled.5=3:/error/*:file:docroot
frontMappingHttpDisabled.6=5:*:moved:https::7443

For more information about HTTP port redirection, here is the Omnissa documentation.

Change PSG (PCoIP Secure Gateway) Port

• psgControlPort
  • You can enter a port number.

The default is port 50060.

Example

psgControlPort=52060

For this change to work, you also need to edit the registry. In the registry path HKLM:\SOFTWARE\Teradici\SecurityGateway, add TCPControlPort as REG_SZ, with the value set to your port number.

An easy way to do this is to use my script Registry Check Setter.

Example

reg-check-set -reg_path "HKLM:\SOFTWARE\Teradici\SecurityGateway" -reg_name "TCPControlPort" -reg_type string -reg_value "52060"Code language: PowerShell (powershell)

For more information about changing the PSG (PCoIP Secure Gateway) port, here is the Omnissa documentation.

Apply locked.properties Changes

Once you have completed editing and saving the locked.properties file, you need to apply the changes.

• Open Services

• Restart the Omnissa Horizon Connection Server service.

In VMware branded versions of Horizon, the service will be named VMware Horizon View Connection Server.

• Once Horizon starts back up, your settings will be applied.

If you run into an issue, check the debug log files located in C:\ProgramData\Omnissa\Horizon\logs.

For VMware branded versions of Horizon, the debug log files will be located in C:\ProgramData\VMware\VDM\logs.

If you want to read more about the locked.properties file, here is the best Omnissa documentation I found.