When you enable Intelligent Hub Redirection, users who try to connect directly to the Universal Broker FQDN or a pod-level FQDN are automatically forwarded to the Workspace ONE Intelligent Hub catalog for their assigned desktops and applications. You can specify different redirection policies based on whether users are connecting from an internal or external network.
After you integrate your Horizon Cloud tenant with Workspace ONE Access and Intelligent Hub services, desktop and application assignments appear in the Hub catalog where entitled users can access them conveniently and securely. However, you must configure Intelligent Hub Redirection if you want to restrict certain users from accessing these assignments through any portal other than the Hub catalog.
Without Intelligent Hub Redirection enabled, users can access their assignments by connecting to the Universal Broker FQDN or directly to the FQDN of the Unified Access Gateway (UAG) of a Horizon Cloud pod in Microsoft Azure. If you want to enforce access to assignments through the Hub catalog only, you must enable Intelligent Hub Redirection.
With Intelligent Hub Redirection enabled, you have the option of specifying different redirection policies for connection attempts based on whether they originate from an internal or external network. For example, you can enforce redirection to the Hub catalog for internal users but allow external users to connect through a broker-level or pod-level FQDN.
Verify that your system environment meets the following requirements.
- Universal Broker is enabled and configured for your tenant as described in Setting Up Universal Broker Service for Your Horizon Control Plane Tenant or Schedule and Complete the Transition from Single-Pod Broker to Universal Broker.
- Your Horizon Cloud tenant is integrated with VMware Workspace ONE Access and Intelligent Hub services as described in Horizon Cloud Environment with Universal Broker - Integrate the Tenant with Workspace ONE Access and Intelligent Hub Services. Verify that the integration is fully complete.
- All your Horizon Cloud pods in Microsoft Azure are online and in ready state.
- All your Horizon pods in a VMware SDDC have a SAML authenticator associated with each of their Connection Server instances. This configuration is required to support Intelligent Hub Redirection for Horizon pods. See Configure a SAML Authenticator in Horizon Console (use the menu at the top of the article to select your Horizon version as needed).
To configure distinct redirection policies for internal and external users, you must also complete the steps described in Define Internal Network Ranges for Universal Broker.
- In the Horizon Universal Console, select and then select the Authentication tab.
The Authentication page displays the current configuration of the Intelligent Hub Redirection feature.
- To change the configuration of Intelligent Hub Redirection, click the edit icon for the option.
A dialog box appears with controls for editing the configuration.
- To turn on Intelligent Hub Redirection, enable the Enforce Intelligent Hub Redirection toggle.
Additional configuration settings appear when you enable the toggle.
- To configure a different redirection policy for users based on whether they are connecting from an internal or external network, enable the Allow Different Intelligent Hub Redirection for internal and external users toggle. Then use the check boxes to specify the redirection policy for each category of user.
For example, to enforce redirection for internal users but turn off redirection for external users, select the Internal Users check box and deselect the External Users check box. These redirection policies apply to connection attempts at both the pod level (through the address of the pod's UAG or Connection Server instance) and the broker level (through the Universal Broker FQDN).Note: To configure these settings, you must first define the IP address ranges corresponding to your internal and external networks. If you have not yet configured these network configurations, click the Add link in the reminder message that appears and follow the instructions in Define Internal Network Ranges for Universal Broker.
- Click Save to apply your changes.
Allow up to 15 minutes for the configuration changes to take effect across the Universal Broker service and Horizon Cloud pods and for the new redirection behavior to become fully operational.