Before end users can connect to a server and access a remote desktop or published application, a Horizon administrator must install Connection Server and install security servers, if used.

You can use Unified Access Gateway appliances, rather than security servers, for secure external access. For more information, see the Deploying and Configuring Unified Access Gateway document.

Following is a check list of the tasks that a Horizon administrator must perform to use HTML Access.

  1. If you use security servers, install Security Server. The version of Security Server must match the version of Connection Server. For installation instructions, see the Horizon 7 Installation document.
  2. Verify that each Connection Server instance or security server has a TLS certificate that can be fully verified by using the host name that you enter in the Web browser. For more information, see the Horizon 7 Installation document.
  3. To use two-factor authentication, such as RSA SecurID or RADIUS authentication, verify that this feature is enabled on Connection Server. Beginning with Horizon 7 version 7.11, you can customize the labels on the RADIUS authentication login page. Beginning with Horizon 7 version 7.12, you can configure two-factor authentication to occur after a remote session times out. For more information, see the topics about two-factor authentication in the VMware Horizon Console Administration document.
  4. To hide the Domain drop-down menu in Horizon Client, enable the Hide domain list in client user interface global setting. This setting is available in Horizon 7 version 7.1 and later. Beginning with Horizon 7 version 7.8, it is enabled by default. For more information, see the VMware Horizon Console Administration document.
  5. To send the domain list to Horizon Client, enable the Send domain list global setting. This setting is available in Horizon 7 version 7.8 and later and is disabled by default. Earlier Horizon 7 versions send the domain list. For more information, see the VMware Horizon Console Administration document for Horizon 7 version 7.8 or later.
  6. If you use third-party firewalls, configure rules to allow inbound traffic to TCP port 8443 for all security servers and Connection Server hosts in a replicated group, and configure a rule to allow inbound traffic (from servers) to TCP port 22443 on remote desktop virtual machines and RDS hosts in the data center. For more information, see Firewall Rules for Client Web Browser Access.
  7. To provide unauthenticated access to published applications, enable this feature in Connection Server. For more information, see the VMware Horizon Console Administration document.

The following table shows how the Send domain list and Hide domain list in client user interface global settings determine how users can log in to the server from Horizon Client.

Send domain list setting Hide domain list in client user interface setting How users log in
Disabled (default) Enabled The Domain drop-down menu is hidden. Users must enter one of the following values in the User name text box.
  • User name (not allowed for multiple domains)
  • domain\username
  • username@domain.com
Disabled (default) Disabled If a default domain is configured on the client, the default domain appears in the Domain drop-down menu. If the client does not know a default domain, *DefaultDomain* appears in the Domain drop-down menu. Users must enter one of the following values in the User name text box.
  • User name (not allowed for multiple domains)
  • domain\username
  • username@domain.com
Enabled Enabled The Domain drop-down menu is hidden. Users must enter one of the following values in the User name text box.
  • User name (not allowed for multiple domains)
  • domain\username
  • username@domain.com
Enabled Disabled Users can enter a user name in the User name text box and then select a domain from the Domain drop-down menu. Alternatively, users can enter one of the following values in the User name text box.
  • domain\username
  • username@domain.com

After the servers are installed, the Blast Secure Gateway setting is enabled on the applicable Connection Server instances and security servers in Horizon Console. Also, the Blast External URL setting is configured to use the Blast Secure Gateway on the applicable Connection Server instances and security servers. By default, the URL includes the FQDN of the secure tunnel external URL and the default port number, 8443. The URL must contain the FQDN and port number that a client system can use to reach the Connection Server host or security server host. For more information, see "Set the External URLs for a Connection Server Instance," in the Horizon 7 Installation document.

Note: You can use HTML Access with VMware Workspace ONE to allow users to connect to their desktops from an HTML5 browser. For information about installing Workspace ONE and configuring it for use with Connection Server, see the Workspace ONE documentation. For information about pairing Connection Server with a SAML Authentication server, see the VMware Horizon Console Administration document.