The most common method of connectivity for Horizon Cloud Service deployments is to configure a VPN between your organization's network and your Horizon Cloud Service tenant. This method most closely resembles a branch office environment.

This option routes users' desktop Internet-bound traffic out through the Horizon Cloud Service gateway, while all in-guest traffic, such as desktop applications, authentication, DHCP, and DNS, traverses the VPN to your organization's network. You can also choose how users reach the Horizon Cloud Service desktops and RDSH servers: either all users connect through the Internet, or only local users connect over the VPN while external users connect through the Internet.

As shown in the diagram below, protocol traffic for external users connecting to the desktops and RDSH servers also passes through the Horizon Cloud Service gateway to the Unified Access Gateway. The Unified Access Gateway acts as a secure proxy for your connection into the Horizon Cloud Service environment and proxies Horizon Cloud Service traffic to and from the Security Zone. Protocol traffic for users connecting from your organization's network can be configured to connect through the Internet or to traverse the VPN to reach the desktops and RDSH servers. Internal users also connect through Unified Access Gateways that are located in internal trusted zones.

Figure 1. VPN with Internet Traffic
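
The traffic split described above can be checked against a desktop's route table. The following is an added example, not VMware code: the prefixes, addresses, and the path labels "vpn" and "cloud-gateway" are constructed assumptions standing in for your own values.

```python
import ipaddress

# Constructed sample route table for a tenant desktop (assumed values).
ROUTES = [
    ("0.0.0.0/0", "cloud-gateway"),  # Internet-bound traffic
    ("10.0.0.0/8", "vpn"),           # organization's network
    ("172.16.50.0/24", "local"),     # desktop subnet
]
# Constructed in-guest service endpoints on the organization's network.
IN_GUEST = {"dns": "10.1.1.10", "dhcp": "10.1.1.11", "auth": "10.1.2.20"}
INTERNET_SAMPLE = "203.0.113.80"     # address from a documentation range


def next_hop(routes, dest):
    """Longest-prefix match; returns the path label, or None if no route."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, path in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    return best[1] if best else None


def audit(routes, in_guest, internet_dest):
    """Return findings where routing deviates from the design; [] if none."""
    findings = []
    for name, ip in sorted(in_guest.items()):
        hop = next_hop(routes, ip)
        if hop != "vpn":
            findings.append(f"{name} ({ip}) routed via {hop}, expected vpn")
    hop = next_hop(routes, internet_dest)
    if hop != "cloud-gateway":
        findings.append(
            f"Internet ({internet_dest}) routed via {hop}, expected cloud-gateway"
        )
    return findings


if __name__ == "__main__":
    # A more-specific route that pulls authentication traffic off the VPN.
    leaky = ROUTES + [("10.1.2.0/24", "cloud-gateway")]
    for label, table in (("baseline", ROUTES), ("leaky", leaky)):
        print(label, audit(table, IN_GUEST, INTERNET_SAMPLE) or "OK")
```

The second table shows the failure worth watching for: a more-specific prefix silently overrides the VPN route, so authentication traffic would leave through the Internet path instead of reaching your organization's network.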