Client endpoints communicate with a Connection Server or security server host over secure connections.

The initial client connection, which is used for user authentication and remote desktop and application selection, is created over HTTPS when a user provides a domain name to Horizon Client. If firewall and load balancing software are configured correctly in your network environment, this request reaches the Connection Server or security server host. With this connection, users are authenticated and a desktop or application is selected, but users have not yet connected to the remote desktop or application.

When users connect to remote desktops and applications, by default the client makes a second connection to the Connection Server or security server host. This connection is called the tunnel connection because it provides a secure tunnel for carrying RDP and other data over HTTPS.

When users connect to remote desktops and applications with the PCoIP display protocol, the client can make a further connection to the PCoIP Secure Gateway on the Connection Server or security server host. The PCoIP Secure Gateway ensures that only authenticated users can communicate with remote desktops and applications over PCoIP.

You can also provide secure connections to users connect to remote desktops and applications with the VMware Blast display protocol and to external users who use HTML Access to connect to remote desktops. The Blast Secure Gateway ensures that only authenticated users can communicate with remote desktops.

Depending on the type of client device being used, additional channels are established to carry other traffic such as USB redirection data to the client device. These data channels route traffic through the secure tunnel if it is enabled.

When the secure tunnel and secure gateways are disabled, desktop and application sessions are established directly between the client device and the remote machine, bypassing the Connection Server or security server host. This type of connection is called a direct connection.

Desktop and application sessions that use direct connections remain connected even if Connection Server is no longer running.

Typically, to provide secure connections for external clients that connect to a security server or Connection Server host over a WAN, you enable the secure tunnel, the PCoIP Secure Gateway, and the Blast Secure Gateway. You can disable the secure tunnel and the secure gateways to allow internal, LAN-connected clients to establish direct connections to remote desktops and applications.

If you enable only the secure tunnel or only one secure gateway, a session might use a direct connection for some traffic but send other traffic through the Connection Server or security server host, depending on the type of client being used.

SSL is required for all client connections to Connection Server and security server hosts.