If TLS is off-loaded to an intermediate server and Horizon Client devices use the secure tunnel to connect to Horizon, you must set the secure tunnel external URL to an address that clients can use to access the intermediate server.
You configure the external URL settings on the Connection Server instance that connects to the intermediate server.
If you have a mixed network environment with some intermediate servers and some external-facing Connection Server instances, External URLs are required for any Connection Server instances that connect to the intermediate server.
Note: You cannot off-load TLS connections from a PCoIP Secure Gateway (PSG) or Blast Secure Gateway. The PCoIP external URL and Blast Secure Gateway external URL must allow clients to connect to the computer that hosts the PSG and Blast Secure Gateway. Do not reset the PCoIP external URL and Blast external URL to point to the intermediate server unless you plan to require TLS connections between the intermediate server and the
Horizon server.