If TLS is off-loaded to an intermediate server and Horizon Client devices use the secure tunnel to connect to Horizon 7, you must set the secure tunnel external URL to an address that clients can use to access the intermediate server.
You configure the external URL settings on the Connection Server instance or security server that connects to the intermediate server.
If you deploy security servers, external URLs are required for the security servers but not for the Connection Server instances that are paired with the security servers.
If you do not deploy security servers, or if you have a mixed network environment with some security servers and some external-facing Connection Server instances, External URLs are required for any Connection Server instances that connect to the intermediate server.
You cannot off-load TLS connections from a PCoIP Secure Gateway (PSG) or Blast Secure Gateway. The PCoIP external URL and Blast Secure Gateway external URL must allow clients to connect to the computer that hosts the PSG and Blast Secure Gateway. Do not reset the PCoIP external URL and Blast external URL to point to the intermediate server unless you plan to require TLS connections between the intermediate server and the Horizon 7 server.