If TLS is off-loaded to an intermediate server and Horizon Client devices use the secure tunnel to connect to Horizon 7, you must set the secure tunnel external URL to an address that clients can use to access the intermediate server.
You configure the external URL settings on the Connection Server instance or security server that connects to the intermediate server.
If you deploy security servers, external URLs are required for the security servers but not for the Connection Server instances that are paired with the security servers.
If you do not deploy security servers, or if you have a mixed network environment with some security servers and some external-facing Connection Server instances, External URLs are required for any Connection Server instances that connect to the intermediate server.