
Unified Access Gateway UAG common errors and configurations issues


hatem Shahudh


I think this should be a top article for those who have the following errors:

1. Failed to resolve proxying route for request.

2. The connection to the remote computer ended.

3. The connection to the remote computer failed. "It is possible that remote connections are not enabled on the remote computer or that the computer on the network is too busy."

4. VDPCONNECT_REJECTED: the connection to the remote computer has been refused.

Fix action was as recommended below:

proxyDestinationUrl=https://cs1.domain.com:443 (or Connection Broker IP:443), with sha256=thumbprint

tunnelExternalUrl=https://uag1.domain.com:443 (or UAG IP:443)

blastExternalUrl=https://uag1.domain.com:8443 (or UAG IP:8443)

pcoipExternalUrl=1.1.1.3:4172 (UAG IP)

The locked.properties file needs to have:

checkOrigin=false

portalHost.1=UAG DNS name or IP, without https://

HTTP(S) Secure Tunnel needs to be unchecked with Horizon Admin Connection Broker Settings

PCOIP Secure Gateway needs to be unchecked with Horizon Admin Connection Broker Settings

Do not use Blast Secure Gateway Option needs to be selected under Blast Secure Gateway.

Reboot Connection Broker

 

Client Drive Redirection for DoD

 

I think it's very hard to allow Client Drive Redirection due to the STIG settings, even though it's enabled by default, as is USB redirection.

Implementation Guide

 

Overview

Version: 1
Date: 2021-07-30
Finding Count: 15 (CAT I (High): 0, CAT II (Med): 15, CAT III (Low): 0)

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title Description
V-246874 Medium The Horizon Agent must block USB mass storage. The Horizon Agent has the capability to granularly control what, if any, USB devices are allowed to be passed from the local client to the agent on the virtual desktop. By default, Horizon blocks...
V-246872 Medium The Horizon Agent must audit clipboard actions for PCoIP. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
V-246873 Medium The Horizon Agent desktops must not allow client drive redirection. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
V-246870 Medium The Horizon Agent must not allow drag and drop for PCoIP. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
V-246871 Medium The Horizon Agent must audit clipboard actions for Blast. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
V-246869 Medium The Horizon Agent must not allow drag and drop for Blast. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
V-246868 Medium The Horizon Agent must not allow file transfers through HTML Access. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
V-246861 Medium The Horizon Agent must only run allowed scripts on user connect. The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful in setting up a user environment, in certain circumstances, the running of...
V-246860 Medium The Horizon Agent must require TLS connections. The Horizon Agent has the capability to be backward compatible with legacy clients, circa View 5.2, which do not support newer TLS connections. By default, the agent can fall back to this non-TLS...
V-246863 Medium The Horizon Agent must only run allowed scripts on user reconnect. The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful in setting up a user environment, in certain circumstances, the running of...
V-246862 Medium The Horizon Agent must only run allowed scripts on user disconnect. The Horizon Agent has the capability to run scripts on user connect, disconnect, and reconnect. While this can be useful in setting up a user environment, in certain circumstances, the running of...
V-246865 Medium The Horizon Agent must set an idle timeout. Idle sessions are at increased risk of being hijacked. If a user has stepped away from their desk and is no long in positive control of their session, that session is in danger of being assumed by...
V-246864 Medium The Horizon Agent must check the entire chain when validating certificates. Any time the Horizon Agent establishes an outgoing TLS connection, it verifies the server certificate revocation status. By default, it verifies all intermediates but not the root. DoD policy...
V-246867 Medium The Horizon Agent must block server to client clipboard actions for PCoIP. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
V-246866 Medium The Horizon Agent must block server to client clipboard actions for Blast. Data loss prevention is a primary concern for the DoD, maintaining positive control of data at all times and only allowing flows over channels that are for that explicit purpose and monitored...
I found the best way to overcome that is to actually create a higher-level GPO on a higher OU and enable all the features using the GPOs recommended by Horizon.

[Attachment: CDR1.JPG]

[Attachment: CDR2.JPG]
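As an added example (not from the post, and not VMware's code), a small Python check that parses constructed sample settings written in the UAG deployment INI / locked.properties key=value style and flags the mistakes the fix action above guards against: wrong ports or scheme on the external URLs, a pcoipExternalUrl that is not a bare IP on 4172, a broker thumbprint not pinned as sha256=, checkOrigin left on, and a portalHost entry that still carries https://. The key name proxyDestinationUrlThumbprints is an assumption taken from the UAG INI convention, and the thumbprint value is a placeholder; note that checkOrigin=false turns off the UAG origin-header check, which is worth knowing when adopting this fix.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the UAG deployment INI style (not a real deployment); the
# thumbprint key name is assumed from the UAG INI convention, the value is a placeholder.
SAMPLE_SETTINGS = """
proxyDestinationUrl=https://cs1.domain.com:443
proxyDestinationUrlThumbprints=sha256=PLACEHOLDER_THUMBPRINT
tunnelExternalUrl=https://uag1.domain.com:443
blastExternalUrl=https://uag1.domain.com:8443
pcoipExternalUrl=1.1.1.3:4172
"""
# Constructed locked.properties sample; portalHost.1 deliberately keeps the https:// prefix.
SAMPLE_LOCKED = """
checkOrigin=false
portalHost.1=https://uag1.domain.com
"""

def parse_properties(text):
    # Parse key=value lines; blank lines and # comments are skipped.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_uag(settings_text, locked_text):
    # Return a list of findings; an empty list means the settings match the post's fix action.
    s, locked = parse_properties(settings_text), parse_properties(locked_text)
    findings = []

    def expect_https(key, port):
        url = s.get(key)
        parsed = urlparse(url) if url else None
        if parsed is None or parsed.scheme != "https" or parsed.port != port:
            findings.append(f"{key} should be https://<host>:{port}, got {url!r}")

    expect_https("proxyDestinationUrl", 443)  # Connection Server, by FQDN or IP
    expect_https("tunnelExternalUrl", 443)    # HTTPS secure tunnel on the UAG
    expect_https("blastExternalUrl", 8443)    # Blast gateway on the UAG
    # pcoipExternalUrl must be the UAG IP address (no scheme or hostname) on port 4172.
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}:4172", s.get("pcoipExternalUrl", "")):
        findings.append("pcoipExternalUrl must be the UAG IP address followed by :4172")
    if not s.get("proxyDestinationUrlThumbprints", "").lower().startswith("sha256="):
        findings.append("proxyDestinationUrlThumbprints should pin the broker cert as sha256=<thumbprint>")
    # The post relies on checkOrigin=false, which turns off the UAG origin-header check.
    if locked.get("checkOrigin", "true").lower() != "false":
        findings.append("locked.properties: checkOrigin is not false")
    for key, value in locked.items():
        if key.startswith("portalHost.") and "://" in value:
            findings.append(f"{key} must be a hostname or IP without https://, got {value}")
    return findings
```

Running check_uag(SAMPLE_SETTINGS, SAMPLE_LOCKED) reports only the portalHost.1 prefix; fixing that line yields an empty list.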

