Security servers and Unified Access Gateway appliances include a Blast Secure Gateway component. When the Blast Secure Gateway is enabled, after authentication, clients that use Blast Extreme or HTML Access can make another secure connection to a security server or Unified Access Gateway appliance. This connection allows clients to access remote desktops and applications from the Internet.
When you enable the Blast Secure Gateway component, Blast Extreme traffic is forwarded by a security server or Unified Access Gateway appliance to remote desktops and applications. If clients that use Blast Extreme also use the USB redirection feature or multimedia redirection (MMR) acceleration, you can enable the View Secure Gateway component to forward that data.
When you configure direct client connections, Blast Extreme traffic and other traffic goes directly from a client to a remote desktop or application.
When end users such as home or mobile workers access desktops from the Internet, security servers or Unified Access Gateway appliances provide the required level of security and connectivity so that a VPN connection is not necessary. The Blast Secure Gateway component ensures that the only remote traffic that can enter the corporate data center is traffic on behalf of a strongly authenticated user. End users can access only the resources that they are authorized to access.
A Blast native client that operates through a Blast Secure Gateway expects to have its Blast session TLS connection authenticated by the TLS certificate that is configured on the Blast Secure Gateway. If the client's Blast connection sees some other TLS certificate then the connection will be dropped and the client will report a certificate thumbprint mismatch.
If you choose to have the client make its connection to a TLS-terminating proxy placed between the client and the Blast Secure Gateway, you may satisfy the client's certificate requirement and avoid a thumbprint mismatch error by arranging for the proxy to present a copy of the Blast Secure Gateway's certificate (and private key), thereby allowing the Blast connection from the client to succeed.
An alternative to copying the Blast Secure Gateway's certificate to the proxy is to provide the proxy with its own TLS certificate, and then configure the Blast Secure Gateway to advise the client to expect and accept the proxy's certificate rather than the Blast Secure Gateway's certificate.
You can configure the Blast Secure Gateway in a Unified Access Gateway by uploading the proxy's certificate in Blast Proxy Certificate in the Unified Access Gateway Horizon settings. See the Deploying and Configuring VMware Unified Access Gateway document in https://docs.vmware.com/en/Unified-Access-Gateway/index.html.