The company that we have our cyber insurance through uses a security evaluating company called Coalition Control. They have identified the 'web panel' as a weakness and suggest we remove it. I believe they mean the VMware Horizon Web Portal Page.
How do you remove that page? I assume it's not necessary for operation as the users download Horizon clients on their own they have never even SEEN that page. I do not have an HTML access to VDI.
This is what Coalition told me:
- Remove the web panel and utilize the VMware Horizon client
- If web access is needed utilize a reverse proxy or consider use of a third party zero trust access solution for best overall protection when exposing logins to anyone on the internet.
I have searched documentation - I can find out how to modify web portal page but not how to disable or remove it. Please advise...
You need to remove it from the connection server
Not not HTML access to the VM's. The portal page that shows up and the View Server's URL:
Did you ever find a solution for this? We are in the same boat with our cyber insurance using Coalition. They are making the same demands to us.
I think if you uninstall HTML Access, this page won't be shown.
if I understand correctly you want that there is no download page and the user is sent directly to the login page. Right?
If so, you can proceed to enable the flag below:
Same boat. Did you ever find a solution?
Not exactly. I ended up having to turn HTML off totally.
That's the only way my cyber insurance portal would accept.
BTW, VMware never had an answer...
When you say turn off HTML access, did uninstalling the portal page from the connection servers and blocking 8443 at the firewall suffice? Or did you have to do something extra?
In my insurance portal, I'm seeing that they're identifying the risk over 443. So, I'm curious if they're going to want to block traffic over 443 as well.
I reached out to VMware asking exactly what ports need to be open for just the client to operate as intended. Have yet to hear back. Spoke to another individual and they're saying port 443 is still used by the Horizon client to auth.
Sorry I should've been more clear. From View itself I removed the HTML access...
There is an option to connect to View from just a web browser. That's what I removed. That's all I ended up having to do. I didn't modify any of the ports on the firewall (I'm an army of one so I do it all anyway).
You can only connect using the Horizon View client. I never ever used HTML access anyway.
I just checked - it is on the connection server: https://docs.vmware.com/en/VMware-Horizon-HTML-Access/2303/html-access-installation/GUID-34D918D1-AD...
What is really ironic is that there is still a web page. The one that offers to download a client...
Weird, I thought the page itself was the problem. I'll try that out and see if that makes them happy. In my insurance portal, it only identifies the risk as "VMware Horizon Panel Exposed". I'll follow up with my results.
That's exactly what my "portal" told me. I'm not sure they even knew what Horizon View was or how it worked.
They still complain because I don't have an SSL cert but that's not a big issue with them.