You can implement several different security server topologies.

The topology illustrated in Load-Balanced Security Servers in a DMZ shows a high-availability environment that includes two load-balanced security servers in a DMZ. The security servers communicate with two Horizon Connection Server instances inside the internal network.

When users outside the corporate network connect to a security server, they must successfully authenticate before they can access remote desktops and applications. With appropriate firewall rules on both sides of the DMZ, this topology is suitable for accessing remote desktops and applications from client devices located on the Internet.

You can connect multiple security servers to each instance of Connection Server. You can also combine a DMZ deployment with a standard deployment to offer access for internal users and external users.

The topology illustrated in Multiple Security Servers shows an environment where four instances of Connection Server act as one group. The instances in the internal network are dedicated to users of the internal network, and the instances in the external network are dedicated to users of the external network. If the Connection Server instances paired with the security servers are enabled for RSA SecurID authentication, all external network users are required to authenticate by using RSA SecurID tokens.

You must implement a hardware or software load balancing solution if you install more than one security server. Connection Server does not provide its own load balancing functionality. Connection Server works with standard third-party load balancing solutions.