When users connect to a remote desktop with the Microsoft RDP display protocol, Horizon Client can make a second HTTPS connection to the Horizon Connection Server host. This connection is called the tunnel connection because it provides a tunnel for carrying RDP data.

The tunnel connection offers the following advantages:

• RDP data is tunneled through HTTPS and is encrypted using SSL. This powerful security protocol is consistent with the security provided by other secure Web sites, such as those that are used for online banking and credit card payments.
• A client can access multiple desktops over a single HTTPS connection, which reduces the overall protocol overhead.
• Because Horizon 7 manages the HTTPS connection, the reliability of the underlying protocols is significantly improved. If a user temporarily loses a network connection, the HTTP connection is reestablished after the network connection is restored and the RDP connection automatically resumes without requiring the user to reconnect and log in again.

In a standard deployment of Connection Server instances, the HTTPS secure connection terminates at the Connection Server. In a DMZ deployment, the HTTPS secure connection terminates at a security server or Unified Access Gateway appliance. See Preparing to Use a Security Server for information on DMZ deployments and security servers.

Clients that use the PCoIP or Blast Extreme display protocol can use the tunnel connection for USB redirection and multimedia redirection (MMR) acceleration, but for all other data, PCoIP uses the PCoIP Secure Gateway, and Blast Extreme uses the Blast Secure Gateway, on a security server or Unified Access Gateway appliance. For more information, see Client Connections Using the PCoIP and Blast Secure Gateways.

For more information about Unified Access Gateway virtual appliances, see Deploying and Configuring Unified Access Gateway.