As part of integrating Workspace ONE Access and Horizon, you specify Client Access FQDNs for network ranges so that users connect to the correct server based on the network range from which they are accessing Horizon resources. When you create a Horizon virtual apps collection, the wizard guides you to the Network Ranges page to configure this information. After creating the collection, you can edit the Client Access FQDNs at any time.

Whenever you create new network ranges in Workspace ONE Access, make sure that you follow this procedure to add Client Access FQDNs for Horizon pods and pod federations to the new network ranges.

Prerequisites

A Super Admin role is required for this procedure.

Procedure

  1. Log in to the Workspace ONE Access console.
  2. Select the Catalog > Virtual Apps Collections tab.
  3. Click the Horizon collection, then click Edit Network Range.
  4. In the Network Ranges page, click the network range to edit or click Create Network Range to create a network range, if necessary.
  5. If you are creating a new network range, enter a name, optional description, and the IP range.
  6. Scroll to the Pod and CPA Federation sections.
    The Pod section lists all the Horizon pods in the collection that have the Sync Local Assignments option enabled. The CPA Federation section lists the pod federations in the collection, if any.

    edit network range for view settings

  7. Edit the Pod section for each pod and enter the appropriate values for this network range.
    Option Description
    Client Access FQDN The fully qualified domain name (FQDN) of the server to which to direct clients accessing local entitlements on this pod, when the requests come from this network range. This value can be a Horizon Connection Server, security server, load balancer, or reverse proxy FQDN.

    For example: internallb.example.com

    The Client Access FQDN for a pod is used to launch locally entitled resources from the pod.

    Port The server port.
    Wrap Artifact in JWT See Launching Horizon Resources Through Validating Gateways.
    Audience in JWT See Launching Horizon Resources Through Validating Gateways.
  8. Edit the CPA Federation section for each pod federation and enter the appropriate values for this network range.
    Option Description
    Client Access FQDN The fully qualified domain name (FQDN) of the server to which to direct clients accessing global entitlements on this pod federation, when the requests come from this network range. This value is typically the global load balancer of the pod federation deployment.

    For example: globallb.example.com

    The Client Access FQDN for a pod federation is used to launch globally entitled resources.

    Port The server port.
    Wrap Artifact in JWT When the Workspace ONE Access service is integrated with a validating gateway, such as F5, this option must be enabled to authenticate Horizon resources assigned to users. See Launching Horizon Resources Through Validating Gateways.
    Audience in JWT See Launching Horizon Resources Through Validating Gateways.
  9. Click Save.
  10. Repeat these steps to edit the other network ranges, if necessary.
    Verify that each network range in your environment has a Client Access FQDN set. If a network range is missing the Client Access FQDN, users accessing resources through that network range cannot launch their desktops and applications.
  11. Click Finish in the Network Ranges page.