In Horizon Administrator, you can configure the use of the Blast Secure Gateway to provide secure access to remote desktops and applications, either through HTML Access or through client connections that use the VMware Blast display protocol.

The Blast Secure Gateway includes Blast Extreme Adaptive Transport (BEAT) networking, which dynamically adjusts to network conditions such as varying speeds and packet loss.

  • Blast Secure Gateway supports BEAT networking only when running on a Unified Access Gateway appliance.
  • Horizon Clients using IPv4 and Horizon Clients using IPv6 can be handled concurrently on TCP port 8443 and on UDP port 8443 (for BEAT) when connecting to a Unified Access Gateway appliance version 3.3 or later.

  • Horizon Clients that use a typical network condition must connect to a Connection Server (BSG disabled), security server (BSG disabled), or versions later than 2.8 of an Unified Access Gateway appliance. If Horizon Client uses a typical network condition to connect to a Connection Server (BSG enabled), security server (BSG enabled), or versions earlier than 2.8 of an Unified Access Gateway appliance, the client automatically senses the network condition and falls back to TCP networking.
  • Horizon Clients that use a poor network condition must connect to version 2.9 or later of an Unified Access Gateway appliance (with UDP Tunnel Server Enabled). If Horizon Client uses a poor network condition to connect to the Connection Server (BSG enabled), security server (BSG enabled), or versions earlier than 2.8 of an Unified Access Gateway appliance, the client automatically senses the network condition and falls back to TCP networking.
  • Horizon Clients that use a poor network condition to connect to Connection Server (BSG disabled), security server (BSG disabled), or version 2.9 or later of Unified Access Gateway appliance (without UDP Tunnel Server Enabled), or version 2.8 of Unified Access Gateway appliance, the client automatically senses the network condition and falls back to the typical network condition.

For more information, see the Horizon Client documentation at https://docs.vmware.com/en/VMware-Horizon-Client/index.html.

Note: You can also use Unified Access Gateway appliances, rather than security servers, for secure external access to Horizon 7 servers and desktops. If you use Unified Access Gateway appliances, you must disable the secure gateways on Connection Server instances and enable these gateways on the Unified Access Gateway appliances. For more information, see Deploying and Configuring Unified Access Gateway.

When the Blast Secure Gateway is not enabled, client devices and client Web browsers use the VMware Blast Extreme protocol to establish direct connections to remote desktop virtual machines and applications, bypassing the Blast Secure Gateway.

Important: A typical network configuration that provides secure connections for external users includes a security server. To enable or disable the Blast Secure Gateway on a security server, you must edit the Connection Server instance that is paired with the security server. If external users connect directly to a Connection Server host, you enable or disable the Blast Secure Gateway by editing that Connection Server instance.

Prerequisites

If users select remote desktops by using VMware Identity Manager, verify that VMware Identity Manager is installed and configured for use with Connection Server and that Connection Server is paired with a SAML 2.0 Authentication server.

Procedure

  1. In Horizon Administrator, select View Configuration > Servers.
  2. On the Connection Servers tab, select a Connection Server instance and click Edit.
  3. Configure use of the Blast Secure Gateway.
    Option Description
    Enable the Blast Secure Gateway Select Use Blast Secure Gateway for Blast connections to machine
    Enable the Blast Secure Gateway for HTML Access Select Use Blast Secure Gateway for only HTML Access Blast connections to machine
    Disable the Blast Secure Gateway Select Do not use Blast Secure Gateway
    The Blast Secure Gateway is enabled by default.
  4. Click OK to save your changes.