This example shows a Horizon deployment that includes two Connection Server instances. The first instance supports internal users. The second instance is paired with a security server and supports external users.

To prevent external users from accessing certain desktops, you could set up restricted entitlements as follows:

  • Assign the tag "Internal" to the Connection Server instance that supports your internal users.
  • Assign the tag "External" to the Connection Server instance that is paired with the security server and supports your external users.
  • Assign the "Internal" tag to the desktop pools that should be accessible only to internal users.
  • Assign the "External" tag to the desktop pools that should be accessible only to external users.

External users cannot see the desktop pools tagged as Internal because they log in through the Connection Server instance that is tagged as External, and internal users cannot see the desktop pools tagged as External because they log in through the Connection Server instance that is tagged as Internal. Restricted Entitlement Configuration illustrates this configuration.

Figure 1. Restricted Entitlement Configuration
A diagram that shows a restricted entitlement configuration.

You can also use restricted entitlements to control desktop access based on the user-authentication method that you configure for a particular Connection Server instance. For example, you can make certain desktop pools available only to users who have authenticated with a smart card.