Before end users can connect to a server and access a remote desktop or published application, an administrator must install and configure Connection Server.

Configure the Blast External URL

After the servers are installed, the Blast Secure Gateway setting is enabled on the applicable Connection Server instances in . Also, the Blast External URL setting is configured to use the Blast Secure Gateway on the applicable Connection Server instances.

By default, the URL includes the FQDN of the secure tunnel external URL and the default port number, 8443. The URL must contain the FQDN and port number that a client system can use to reach the Connection Server host.

For more information, see "Set the External URLs for Horizon Connection Server Instances," in the Horizon 8 Installation and Upgrade document.

Configure Firewall Rules

If you use third-party firewalls, configure rules to allow inbound traffic to TCP port 8443 for all Connection Server hosts in a replicated group, and configure a rule to allow inbound traffic (from servers) to TCP port 22443 on remote desktop virtual machines and RDS hosts in the data center.

For more information, see Firewall Rules for Client Web Browser Access.

Configure User Authentication

Use the following checklist when setting up user authentication.

  • Verify that each Connection Server instance has a TLS certificate that can be fully verified by using the host name that you enter in the web browser. For more information, see the Horizon 8 Installation and Upgrade document.
  • To use two-factor authentication, such as RSA SecurID or RADIUS authentication, verify that this feature is enabled on Connection Server. You can customize the labels on the RADIUS authentication login page. You can configure two-factor authentication to occur after a remote session times out. For more information, see the topics about two-factor authentication in the Horizon 8 Administration document.
  • To hide the Domain drop-down menu in Horizon Client, enable the Hide domain list in client user interface global setting. This setting is enabled by default. For more information, see the Horizon 8 Administration document.
  • To send the domain list to Horizon Client, activate the Send domain list global setting. This setting is deactivated by default. For more information, see the Horizon 8 Administration document.
  • To provide unauthenticated access to published applications, enable this feature in Connection Server. For more information, see the Horizon 8 Administration document.
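A pre-flight check for the Blast External URL and certificate requirements above. This is an added example, not code from the Horizon documentation. It checks that a URL carries an FQDN and an explicit port, that the port is reachable from the machine running the script, and that the certificate presented there verifies against that host name. The function names and the host `horizon.example.com` are assumptions.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit


def parse_blast_url(url):
    """Return (fqdn, port); raise ValueError if the FQDN or explicit port is missing."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("expected an https:// URL")
    host = (parts.hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise ValueError("IP address used where an FQDN is required")
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError("host name is not fully qualified")
    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        raise ValueError("port is not a valid TCP port number") from None
    if port is None:
        raise ValueError("port number is missing")
    return host, port


def check_gateway(url, timeout=5.0):
    """Check URL form, TCP reachability, and full certificate verification."""
    try:
        host, port = parse_blast_url(url)
    except ValueError as exc:
        return False, f"bad URL: {exc}"
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, f"{host}:{port} verified, {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate not verifiable for {host}: {exc.verify_message}"
    except ssl.SSLError as exc:
        return False, f"TLS handshake failed: {exc}"
    except OSError as exc:
        return False, f"cannot reach {host} on TCP {port}: {exc}"


if __name__ == "__main__":
    # horizon.example.com is a placeholder; substitute your Blast External URL
    print(check_gateway("https://horizon.example.com:8443"))
```

Run it from a network where clients sit, so that a failure to connect reflects the inbound firewall rule for TCP port 8443 rather than internal routing.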

The following table shows how the Send domain list and Hide domain list in client user interface global settings determine how users can log in to the server from Horizon Client.

| Send domain list setting | Hide domain list in client user interface setting | How users log in |
| --- | --- | --- |
| Deactivated (default) | Activated (default) | The Domain drop-down menu is hidden. Users must enter one of the following values in the User name text box: User name (not allowed for multiple domains), domain\username, or username@domain.com. |
| Deactivated | Deactivated | If a default domain is configured on the client, the default domain appears in the Domain drop-down menu. If the client does not know a default domain, *DefaultDomain* appears in the Domain drop-down menu. Users must enter one of the following values in the User name text box: User name (not allowed for multiple domains), domain\username, or username@domain.com. |
| Activated | Activated | The Domain drop-down menu is hidden. Users must enter one of the following values in the User name text box: User name (not allowed for multiple domains), domain\username, or username@domain.com. |
| Activated | Deactivated | Users can enter a user name in the User name text box and then select a domain from the Domain drop-down menu. Alternatively, users can enter one of the following values in the User name text box: domain\username or username@domain.com. |