By default, once a Horizon client has authenticated a Horizon Connection Server, it allows a direct connection to their target desktop or server hosting applications. The Connection Server is responsible only for brokering the connection, not maintaining it. While this is the optimal configuration for clients located on the private network where the desktops are located, it is not recommended for clients using public Internet connections as they do not have direct access to their desktops.

In order for external Horizon clients to gain access, the Horizon Connection Server must be configured with the appropriate Blast/PCoIP Secure Gateway settings. External clients are required to tunnel their connections through the Security Server, which, as we know, is designed to be the public internet-facing component of VMware Horizon. The options that control this behavior are known as the Blast Secure Gateway and PCoIP Secure Gateway, and it is not updated when you pair a Horizon Security Server with the Connection Server.

The Blast/PCoIP Secure Gateway configuration must be changed prior to placing a Security Server into production. The following steps outline how to enable the setting on the Connection Server we will use with our Security Servers. This setting may also be updated after the Security Servers have been installed:

1. Log on to the Horizon Administrator console using an AD account that has administrative permissions within Horizon.
2. Navigate to the View Configuration | Servers page within the console.
3. Select the Connection Servers tab in the Servers window.
4. Highlight the Connection Server that we intend to pair with the Security Server, and click on the Edit... button shown in the following screenshot to open the Edit Connection Server Settings window:

5. In the Edit Connection Server Settings window, check the Use PCoIP Secure Gateway for PCoIP connections to machine and Use Blast Secure Gateway for PCoIP connections to machine checkboxes as shown in the following screenshot, and then click OK:

The Blast/PCoIP Secure Gateway feature is now enabled, and any attempt to connect to Horizon desktops or applications will be tunneled through the Security Server or even through the Connection Server if the connection is made from within the private network.