You can implement any of several different topologies.

An Access Point appliance in the DMZ can be configured to point to a server or a load balancer that fronts a group of servers. Access Point appliances work with standard third-party load balancing solutions that are configured for HTTPS.

If the Access Point appliance points to a load balancer in front of servers, the selection of the server instance is dynamic. For example, the load balancer might make a selection based on availability and the load balancer's knowledge of the number of current sessions on each server instance. The server instances inside the corporate firewall usually have a load balancer to support internal access. With Access Point, you can point the Access Point appliance to this same load balancer that is often already being used.

You can alternatively have one or more Access Point appliances point to an individual server instance. In both approaches, use a load balancer in front of two or more Access Point appliances in the DMZ.

Figure 1. Multiple Access Point Appliances Behind a Load Balancer

Horizon Protocols

When a Horizon Client user connects to a Horizon environment, several different protocols are used. The first connection is always the primary XML-API protocol over HTTPS. Following successful authentication, one or more secondary protocols are also made.

  • Primary Horizon Protocol

    The user enters a hostname at the Horizon Client and this starts the primary Horizon protocol. This is a control protocol for authentication authorization, and session management. It uses XML structured messages over HTTPS (HTTP over SSL). This protocol is sometimes known as the Horizon XML-API control protocol. In a load balanced environment as shown above in the Multiple Access Point Appliances Behind a Load Balancer figure, the load balancer routes this connection to one of the Access Point appliances. The load balancer usually selects the appliance based first on availability, and then out of the available appliances routes traffic based on the least number of current sessions. This configuration evenly distributes the traffic from different clients across the available set of Access Point appliances

  • Secondary Horizon Protocols

    After the Horizon Client establishes secure communication to one of the Access Point appliances, the user authenticates. If this authentication attempt is successful, then one or more secondary connections are made from the Horizon client. These secondary connections can include the following

      • HTTPS Tunnel used for encapsulating TCP protocols such as RDP, MMR/CDR and the client framework channel. (TCP 443).

      • Blast Extreme display protocol (TCP 443 and UDP 443).

      • PCoIP display protocol (TCP 4172 and UDP 4172).

These secondary Horizon protocols must be routed to the same Access Point appliance to which the primary Horizon protocol was routed. Access Point can then authorize the secondary protocols based on the authenticated user session. An important security capability of Access Point is that Access Point only forwards traffic into the corporate data center if the traffic is on behalf of an authenticated user. If the secondary protocols is routed incorrectly to a different Access Point appliance than the primary protocol appliance, they are not authorized and are dropped in the DMZ. The connection fails. Incorrectly routing the secondary protocols is a common problem, if the load balancer is not configured correctly.