Secondary Horizon Protocols
- Last Updated: June 24, 2024
After the Horizon Client has established a secure connection to one of the Unified Access Gateway appliances, the user authenticates. If this authentication attempt is successful, then one or more secondary connections are made from the Horizon Client. These secondary connections can include:
- HTTPS Tunnel used for encapsulating TCP protocols such as RDP, MMR/CDR and the client framework channel (TCP 443).
- Blast Extreme display protocol (TCP 443 or UDP 8443).
- PCoIP display protocol (TCP 4172 and UDP 4172).
These secondary Horizon protocols must be routed to the same Unified Access Gateway appliance as the primary Horizon protocol, so that Unified Access Gateway can authorize the secondary protocols based on the authenticated user session. An important security capability of Unified Access Gateway is that it forwards traffic into the corporate datacenter only if the traffic is on behalf of an authenticated user. If the secondary protocols are misrouted to a different Unified Access Gateway appliance from the one handling the primary protocol, they are not authorized, so they are dropped in the DMZ and the connection fails. Misrouting the secondary protocols is a common problem if the Load Balancer is not configured correctly.
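One way to check for the misrouting described above is to compare, per client, the appliance that received the primary connection with the appliance that received each secondary connection. The following is an added example, not code from the original page or from the vendor: the log format, the `uag-1`/`uag-2` names and the sample lines are constructed, and it assumes each client IP carries a single Horizon session.

```python
# Ports listed on this page for Horizon traffic through Unified Access Gateway.
HORIZON_PORTS = {
    ("tcp", 443): "primary / HTTPS tunnel / Blast Extreme",
    ("udp", 8443): "Blast Extreme",
    ("tcp", 4172): "PCoIP",
    ("udp", 4172): "PCoIP",
}

# Constructed sample in a hypothetical key=value format (not real LoadMaster output).
SAMPLE_LOG = """\
2024-06-24T10:00:01Z client=203.0.113.10 proto=tcp dport=443 backend=uag-1
2024-06-24T10:00:03Z client=203.0.113.10 proto=tcp dport=443 backend=uag-1
2024-06-24T10:00:04Z client=203.0.113.10 proto=udp dport=8443 backend=uag-1
2024-06-24T10:01:10Z client=198.51.100.7 proto=tcp dport=443 backend=uag-2
2024-06-24T10:01:12Z client=198.51.100.7 proto=udp dport=4172 backend=uag-1
2024-06-24T10:01:12Z client=198.51.100.7 proto=tcp dport=4172 backend=uag-2
2024-06-24T10:02:00Z client=192.0.2.55 proto=tcp dport=80 backend=uag-1
"""


def parse_line(line):
    """Return (client, proto, dport, backend) from one key=value log line."""
    fields = dict(item.split("=", 1) for item in line.split()[1:])
    return fields["client"], fields["proto"], int(fields["dport"]), fields["backend"]


def find_misrouted(log_text):
    """List connections that reached a different appliance than the client's
    primary connection, as (client, proto, dport, got_backend, expected_backend).
    expected_backend is None when a secondary arrived with no primary on record."""
    primary = {}  # client IP -> appliance that took its first TCP 443 connection
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, proto, dport, backend = parse_line(line)
        if (proto, dport) not in HORIZON_PORTS:
            continue  # not Horizon traffic
        if client not in primary:
            if (proto, dport) == ("tcp", 443):
                primary[client] = backend  # primary protocol sets the expectation
            else:
                findings.append((client, proto, dport, backend, None))
            continue
        if backend != primary[client]:
            findings.append((client, proto, dport, backend, primary[client]))
    return findings


if __name__ == "__main__":
    for finding in find_misrouted(SAMPLE_LOG):
        print("misrouted:", finding)
```

Clients that share a source address (for example, behind NAT) break the single-session assumption, so findings for such addresses need a session identifier from the load balancer to confirm.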