CC Certificate 

Security Target 

Validation Report 

Assurance Activity 

Administrative Guide: Guidance Supplement 

Administrative Guide: Horizon Overview and Deployment Planning 

Administrative Guide: Cloud Pod Architecture in Horizon 

Administrative Guide: Horizon Administration 

Administrative Guide: Horizon Installation and Upgrade 

Administrative Guide: Horizon Security 

Administrative Guide: Linux Desktops and Applications in Horizon 

Administrative Guide: Windows Desktops and Applications in Horizon 

Administrative Guide: vSphere Security 

The Target of Evaluation (TOE) is VMware Horizon Connection Server 8 2209 (Horizon 8.7). The specific evaluated version of the VMware Horizon Connection Server 8 application is version 2209 or 8.7; these are synonymous. The TOE is a server application that is responsible for application-layer user authorization that allows endpoint clients to connect to the agent servers that offer applications and services in the virtual desktop.

VMware Horizon Connection Server is part of the VMware Horizon suite of appliances that work together to deliver centralized enterprise resources to end users. The Horizon applications collectively allow users to access virtualized desktops or enterprise resources from their end user device. These resources are made available with granular security controls that allow users to access only the capabilities for which they are authorized. The TOE is the Connection Server portion of this distribution.

The Horizon Connection Server TOE consists of the Horizon Connection Server application. The TOE has a Windows platform version only. The application consists of Java and C++ code and runs along with several services on the operating system. Third-party components are dynamically linked into the TOE or compiled into the binary.

VMware Horizon as a suite consists of several components:

·       Horizon Clients are applications that are installed on end user devices. A user accesses their virtual desktop through the Horizon Client.

·       Horizon Agents are applications that run on virtual servers in the enterprise environment. These agents facilitate remote access to the desktop of a virtual server or to specific applications running on that server that may be served directly to the virtual desktop.

·       The Horizon Connection Server is responsible for brokering connections between Horizon Clients and Horizon Agents to authenticate users and serve appropriate resources to a particular user based on enterprise permissions.

A VMware Horizon deployment typically includes one or more instances of the VMware Unified Access Gateway (UAG) as well. The purpose of the UAG is to enforce separation of internal and external networks. This allows the Horizon Client to act as a TLS VPN to access services within the protected network when the end user device is in an external setting such as an untrusted mobile Wi-Fi network.

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the Protection Profile for Application Software, Version 1.4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered and configured as identified in the guidance documentation, satisfies all of the security functional requirements stated in the VMware Horizon Connection Server 8 2209 (Horizon 8.7) Security Target, Version 1.0, 6 April 2023. The evaluation was completed in July 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Cryptographic Support

The TOE makes use of cryptography to protect data at rest and in transit.

For data in transit, the TOE implements TLS with and without HTTPS as a client and a server. The TOE supports mutual authentication for some interfaces.

The TOE implements cryptography used for these functions using its own implementation of Bouncy Castle (BC-FJA) with NIST-approved algorithms. The TOE’s DRBG is seeded using entropy from the underlying OS platform.

For data at rest, the TOE relies on its operational environment to protect stored credential data.

User Data Protection

The TOE relies volume encryption via VMware VM Encryption to protect sensitive data at rest, as well as the mechanisms used to protect credential data at rest.

The TOE relies on the network connectivity and logging functions of its host OS platform.

Identification and Authentication

The TOE supports X.509 certificate validation as part of establishing TLS and HTTPS connections. Depending on the specific check being performed, the TSF is either responsible for certificate validation or relies on its OS platform for this function. The TOE supports various certificate validity checking methods and can also check certificate revocation status using CRL or OCSP. If the validity status of a certificate cannot be determined, the certificate will be rejected. All other cases where a certificate is found to be invalid will result in rejection without an administrative override.

Security Management

The TOE itself and the configuration settings it uses are stored in locations recommended by the platform vendor. The TOE is administered over a dedicated logical interface that requires administrator authentication prior to access. This interface is used to perform various security-relevant management functions.

Privacy

The TOE does not have a mechanism to request or transmit personally identifiable information (PII) of any individuals.

Protection of the TSF

The TOE enforces various mechanisms to prevent itself from being used as an attack vector to its host OS platform. The TOE implements address space layout randomization (ASLR), does not allocate any memory with both write and execute permissions, does not write user-modifiable files to directories that contain executable files, is compiled using stack overflow protection, and is compatible with the security features of its host OS platform.

The TOE contains libraries and invokes system APIs that are well-known and explicitly identified.

The TOE has a mechanism to determine its current software version. Software updates to the TOE are acquired by a mechanism outside of the product itself (i.e. the TOE is not self-updating). All updates are digitally signed to guarantee their authenticity and integrity.

Trusted Path/Channels

The TOE encrypts sensitive data in transit between itself and its operational environment using TLS and HTTPS. These interfaces are used to secure sensitive data in transit between the TOE and its operational environment.

Vendor Information