You can use the restricted entitlements feature to restrict remote desktop access based on the connection broker instance that a user connects to.

With restricted entitlements, you assign one or more tags to a connection broker instance. Then, when configuring a desktop pool, you select the tags of the connection broker instances that you want to be able to access the desktop pool. When users log in through a tagged connection broker instance, they can access only those desktop pools that have at least one matching tag or no tags.

For example, your Horizon 8 deployment might include two connection broker instances. The first instance supports your internal users. The second instance is paired with a Unified Access Gateway appliance and supports your external users. To prevent external users from accessing certain desktops, you could set up restricted entitlements as follows:

  • Assign the tag "Internal" to the connection broker instance that supports your internal users.
  • Assign the tag "External" to the connection broker instance that is paired with the Unified Access Gateway appliance and supports your external users.
  • Assign the "Internal" tag to the desktop pools that should be accessible only to internal users.
  • Assign the "External" tag to the desktop pools that should be accessible only to external users.

External users cannot see the desktop pools tagged as Internal because they log in through the connection broker tagged as External, and internal users cannot see the desktop pools tagged as External because they log in through the connection broker tagged as Internal.

You can also use restricted entitlements to control desktop access based on the user-authentication method that you configure for a particular connection broker instance. For example, you can make certain desktop pools available only to users who have authenticated with a smart card.

The restricted entitlements feature only enforces tag matching; it does not control which connection broker instance a client reaches. You must design your network topology (for example, firewall rules and the Unified Access Gateway placement) to force certain clients to connect through a particular connection broker instance.
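The following Python model is an added example, not code from the Horizon documentation or product. It encodes the tag-matching rule described above (a pool is visible only if it has no tags or shares at least one tag with the broker instance the user logged in through) and evaluates it over a constructed deployment modelled on the Internal/External scenario plus a smart-card broker. The broker and pool names are assumptions. One point the page does not spell out: the model applies the same predicate to an instance with no tags, which therefore sees only untagged pools.

```python
"""Model of the restricted-entitlements tag-matching rule.

Constructed example; broker and pool names are illustrative assumptions.
Rule modelled: a user who logs in through a connection broker instance can
see a desktop pool only if the pool has no tags, or shares at least one tag
with that broker instance. Tag matching is all this feature enforces; it
says nothing about which broker a client can physically reach.
"""
from __future__ import annotations

# Constructed sample deployment (assumption: names are not from the page).
BROKERS: dict[str, frozenset[str]] = {
    "cs-internal": frozenset({"Internal"}),              # internal users
    "cs-uag": frozenset({"External"}),                   # paired with a Unified Access Gateway
    "cs-smartcard": frozenset({"Internal", "SmartCard"}),  # assumed smart-card auth instance
    "cs-untagged": frozenset(),                          # an instance with no tags at all
}

POOLS: dict[str, frozenset[str]] = {
    "finance-desktops": frozenset({"Internal"}),
    "contractor-desktops": frozenset({"External"}),
    "smartcard-desktops": frozenset({"SmartCard"}),      # only smart-card broker users
    "shared-desktops": frozenset(),                      # untagged: never restricted
}


def pool_is_visible(broker_tags: frozenset[str], pool_tags: frozenset[str]) -> bool:
    """True if a user on a broker with broker_tags can see a pool with pool_tags."""
    if not pool_tags:
        return True                      # untagged pools are visible from every broker
    return bool(broker_tags & pool_tags)  # otherwise at least one tag must match


def visible_pools(broker: str, brokers=BROKERS, pools=POOLS) -> list[str]:
    """Pools a user sees after logging in through `broker`, sorted by name."""
    broker_tags = brokers[broker]
    return sorted(name for name, tags in pools.items()
                  if pool_is_visible(broker_tags, tags))


def audit_exposure(brokers=BROKERS, pools=POOLS) -> dict[str, list[str]]:
    """Map every pool to the broker instances it is reachable from.

    Defender's check: a pool intended to be internal-only that shows up under
    the externally reachable broker (here cs-uag) is a tagging mistake.
    """
    return {
        pool: sorted(b for b, btags in brokers.items() if pool_is_visible(btags, ptags))
        for pool, ptags in pools.items()
    }


if __name__ == "__main__":
    for broker in BROKERS:
        print(f"{broker:13} -> {visible_pools(broker)}")
    print()
    for pool, reach in audit_exposure().items():
        print(f"{pool:20} reachable via {reach}")
```

Running the script shows the untagged `shared-desktops` pool reachable from every broker, including `cs-untagged`, which is why leaving a pool untagged is the permissive default: restricting a pool always means giving it a tag.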