When you enable Intelligent Hub Redirection, users who try to connect directly to the Universal Broker FQDN or a pod-level FQDN are automatically forwarded to the Workspace ONE Intelligent Hub catalog for their assigned desktops and applications. You can specify different redirection policies based on whether users are connecting from an internal or external network.

After you integrate your Horizon Cloud tenant with Workspace ONE Access and Intelligent Hub services, desktop and application assignments appear in the Hub catalog where entitled users can access them conveniently and securely. However, you must configure Intelligent Hub Redirection if you want to restrict certain users from accessing these assignments through any portal other than the Hub catalog.

Without Intelligent Hub Redirection enabled, users can access their assignments by connecting to the Universal Broker FQDN or directly to the FQDN of the Unified Access Gateway (UAG) of a Horizon Cloud pod in Microsoft Azure. If you want to enforce access to assignments through the Hub catalog only, you must enable Intelligent Hub Redirection.

With Intelligent Hub Redirection enabled, you have the option of specifying different redirection policies for connection attempts based on whether they originate from an internal or external network. For example, you can enforce redirection to the Hub catalog for internal users but allow external users to connect through a broker-level or pod-level FQDN.


Verify that your system environment meets the following requirements.

To configure distinct redirection policies for internal and external users, you must also complete the steps described in Define Internal Network Ranges for Universal Broker.


  1. In the Horizon Universal Console, select Settings > Broker and then select the Authentication tab.
    The Authentication page displays the current configuration of the Intelligent Hub Redirection feature.
  2. To change the configuration of Intelligent Hub Redirection, click the edit icon for the option.
    A dialog box appears with controls for editing the configuration.
  3. To turn on Intelligent Hub Redirection, enable the Enforce Intelligent Hub Redirection toggle.
    Additional configuration settings appear when you enable the toggle.
  4. To configure a different redirection policy for users based on whether they are connecting from an internal or external network, enable the Allow Different Intelligent Hub Redirection for internal and external users toggle. Then use the check boxes to specify the redirection policy for each category of user.
    For example, to enforce redirection for internal users but turn off redirection for external users, select the Internal Users check box and deselect the External Users check box. These redirection policies apply to connection attempts at both the pod level (through the address of the pod's UAG or Connection Server instance) and the broker level (through the Universal Broker FQDN).
    Note: To configure these settings, you must first define the IP address ranges corresponding to your internal and external networks. If you have not yet configured these network configurations, click the Add link in the reminder message that appears and follow the instructions in Define Internal Network Ranges for Universal Broker.
  5. Click Save to apply your changes.


Allow up to 15 minutes for the configuration changes to take effect across the Universal Broker service and Horizon Cloud pods and for the new redirection behavior to become fully operational.

Note: With Intelligent Hub Redirection enabled, users are forwarded to the Hub catalog where they can open a session to a requested Horizon Cloud pod resource brokered by Universal Broker. If the Universal Broker service fails, users will lose their access to Horizon Cloud pod resources. As a workaround, you can temporarily allow user connections to an individual pod's UAG instance by deactivating Intelligent Hub Redirection until the Universal Broker service is restored.