When users connect to a remote desktop with the Microsoft Remote Desktop Protocol (RDP) display protocol, Horizon Client can make a second HTTPS connection to the connection broker. This connection is called the tunnel connection because it provides a tunnel for carrying RDP data.

The tunnel connection offers the following advantages:

• RDP data is tunneled through HTTPS and is encrypted using SSL. This powerful security protocol is consistent with the security provided by other secure Web sites, such as sites used for online banking and credit card payments.
• A client can access multiple desktops over a single HTTPS connection, which reduces the overall protocol overhead.
• Because VMware Horizon 8 manages the HTTPS connection, the reliability of the underlying protocols is significantly improved. If a user temporarily loses a network connection, the HTTP connection is reestablished after the network connection is restored and the RDP connection automatically resumes without requiring the user to reconnect and log in again.

In a standard deployment of connection broker instances, the HTTPS secure connection terminates at the connection broker. In a DMZ deployment, the HTTPS secure connection terminates at a Unified Access Gateway appliance.

Clients that use the PCoIP or Blast Extreme display protocol can use the tunnel connection for USB redirection and multimedia redirection (MMR) acceleration, but for all other data, PCoIP uses the PCoIP Secure Gateway, and Blast Extreme uses the Blast Secure Gateway, on a Unified Access Gateway appliance. For more information, see Client Connections Using the PCoIP and Blast Secure Gateways.

For more information about Unified Access Gateway virtual appliances, see Deploying and Configuring VMware Unified Access Gateway.