As part of integrating Workspace ONE Access and Horizon, you specify Client Access FQDNs for network ranges so that users connect to the correct Horizon server based on their network range. Additionally, you can filter users by specifying user groups for each network range.

When you create a Horizon virtual apps collection, the wizard guides you to the Network Ranges tab to configure the Client Access FQDNs for the pods and pod federation in the collection. After creating the collection, you can edit the Client Access FQDNs at any time from the Network Ranges tab.

All network ranges in your tenant must have Client Access FQDNs set for Horizon pods and pod federations. If a network range does not have a Client Access FQDN defined, users accessing Horizon resources through that network range cannot launch their assigned applications and desktops. Make sure that whenever you create new network ranges, you also edit the virtual apps collections to add Client Access FQDNs for Horizon pods and pod federations to the new network range.

You can configure Client Access FQDNs in Workspace ONE Access in the following ways:

  • Use only network ranges to direct users to the appropriate Client Access FQDNs.

    Create multiple network ranges and specify Client Access FQDNs for each network range. Do not select any user groups for the network ranges. All users will be directed to Client Access FQDNs based on the network range from which they are accessing their assigned Horizon apps and desktops.

    For example, you can create separate network ranges for internal and external access and specify the appropriate Client Access FQDNs for each range.

  • Use both network ranges and groups to direct users to the appropriate Client Access FQDNs.

    Create multiple network ranges and specify Client Access FQDNs for each range. Also select user groups for the network ranges. For users to be able to launch Horizon apps and desktops from a Client Access FQDN, their client IP address must match the network range and they must belong to at least one of the groups selected for the network range. If no groups are selected for a network range, all users whose client IP address matches the network range can launch apps and desktops from that network range's Client Access FQDN.

    For example, you can create separate network ranges for internal and external access and filter users for each range based on whether they belong to a permanent employee group or a temporary employee group.

    Note: If you do not want to create multiple network ranges, you can configure user groups on the default ALL RANGES network range for each virtual apps collection. Only users that belong to one of the selected groups will be able to launch Horizon apps and desktops from the ALL RANGES Client Access FQDN.

    For example, you can create different virtual apps collections for pods in different regions, create user groups by region, and select the appropriate user groups for the ALL RANGES network range for each collection.

If you configure overlapping network ranges, Workspace ONE Access applies the following rules to find the best match for the user:

  • If the user’s client IP address matches multiple ranges and no groups are specified for any of the network ranges, then the network range that was created most recently is used to determine the Client Access FQDN for the user.
  • If the user's client IP address matches multiple network ranges and the user’s groups match only one of those network ranges, then the network range that matches both the client IP address and groups is used to determine the Client Access FQDN for the user.
  • If the client IP address matches multiple network ranges and the user belongs to one or more groups in all those network ranges, then the network range that has the most user group matches is used to determine the Client Access FQDN for the user.
  • If the client IP address matches multiple network ranges and the number of user groups that match is identical across multiple network ranges, then the network range that was created most recently is used to determine the Client Access FQDN for the user.
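
The overlap rules above, combined with the group filter described earlier, sketched in Python as an added example (not VMware code and not an API of Workspace ONE Access). The `NetworkRange` class, the `created` counter, and the sample ranges are constructed for illustration; the rules do not say how a range with no groups ranks against one with matching groups, so the sketch assumes it counts as zero group matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NetworkRange:
    name: str
    first_ip: str
    last_ip: str
    created: int                 # creation order; higher means created more recently
    fqdn: Optional[str]          # Client Access FQDN; None means not set
    groups: frozenset = frozenset()

    def contains(self, ip: str) -> bool:
        ip_of = ipaddress.ip_address
        return ip_of(self.first_ip) <= ip_of(ip) <= ip_of(self.last_ip)

def resolve_range(ranges, client_ip, user_groups):
    """Return the network range that wins for this client, or None if none applies."""
    user_groups = set(user_groups)
    candidates = []
    for r in ranges:
        if not r.contains(client_ip):
            continue
        matches = len(r.groups & user_groups)
        if r.groups and matches == 0:
            continue             # groups are selected and the user is in none of them
        candidates.append((matches, r.created, r))
    if not candidates:
        return None
    # Most group matches wins; ties go to the most recently created range.
    # Assumption: a range with no groups selected counts as zero group matches.
    return max(candidates, key=lambda c: (c[0], c[1]))[2]

def ranges_missing_fqdn(ranges):
    """Names of ranges where launches would fail because no Client Access FQDN is set."""
    return [r.name for r in ranges if not r.fqdn]

# Constructed sample configuration; names, addresses and FQDNs are illustrative.
RANGES = [
    NetworkRange("ALL RANGES", "0.0.0.0", "255.255.255.255", 1, "external.example.com"),
    NetworkRange("Internal", "10.0.0.0", "10.255.255.255", 2, "internallb.example.com",
                 frozenset({"Permanent"})),
    NetworkRange("Lab", "10.1.0.0", "10.1.255.255", 3, "lablb.example.com",
                 frozenset({"Permanent", "Temporary"})),
    NetworkRange("Guest", "192.0.2.0", "192.0.2.255", 4, None),
]

if __name__ == "__main__":
    for ip, groups in [("10.1.0.5", {"Permanent"}), ("192.0.2.10", set())]:
        winner = resolve_range(RANGES, ip, groups)
        print(ip, sorted(groups), "->", winner.name, winner.fqdn)
    print("missing FQDN:", ranges_missing_fqdn(RANGES))
```

In the sample, a client in the constructed Guest range resolves to a range with no Client Access FQDN, which is the condition under which launches fail.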

Prerequisites

A Super Admin role, or a custom role that can perform the Manage Settings action in the Identity and Access Management service, is required to create and edit network ranges.

Procedure

  1. In the Workspace ONE Access console, select Resources > Virtual Apps Collections.
  2. Click the Horizon virtual apps collection, then select the Network Ranges tab.
  3. Click the network range that you want to edit or, if necessary, create a new network range.
  4. If you are creating a new network range, enter a name, optional description, and the IP range.
  5. (Optional) In the Group Membership section, select the user groups that you want to associate with this network range.
    If you select groups, to launch Horizon applications and desktops from the Client Access FQDN associated with this network range, users must belong to at least one of the groups and their client IP address must match the network range.

    If you do not select any groups, all users whose client IP address matches the network range can launch Horizon applications and desktops from the Client Access FQDN associated with this network range.

    For example:

    This image displays the Assign Pods to Network Ranges popup. An IP range is specified for the network range. Two groups, Group A and Group B, are also selected for the network range.
  6. Scroll to the Pod and Federation section.
    The Pod section lists all the Horizon pods in the collection that have the Sync Local Assignments option enabled. The CPA Federation section lists the pod federations in the collection, if any.


  7. Edit the Pod section for each pod and enter the appropriate values for this network range.
    • Client Access FQDN: The fully qualified domain name (FQDN) of the server to which to direct clients accessing local entitlements on this pod, when the requests come from this network range. This value can be a Horizon Connection Server, Unified Access Gateway, load balancer, or reverse proxy FQDN.

      For example: internallb.example.com

      The Client Access FQDN for a pod is used to launch locally entitled resources from the pod.

    • Port: The server port.
    • Wrap Artifact in JWT: See Launching Horizon Resources Through Validating Gateways.
    • Audience in JWT: See Launching Horizon Resources Through Validating Gateways.
  8. Edit the CPA Federation section for each pod federation and enter the appropriate values for this network range.
    • Client Access FQDN: The fully qualified domain name (FQDN) of the server to which to direct clients accessing global entitlements on this pod federation, when the requests come from this network range. This value is typically the global load balancer of the pod federation deployment.

      For example: globallb.example.com

      The Client Access FQDN for a pod federation is used to launch globally entitled resources.

    • Port: The server port.
    • Wrap Artifact in JWT: When the Workspace ONE Access service is integrated with a validating gateway, such as F5, this option must be enabled to authenticate Horizon resources assigned to users. See Launching Horizon Resources Through Validating Gateways.
    • Audience in JWT: See Launching Horizon Resources Through Validating Gateways.
  9. Click Save.
  10. Repeat these steps to edit the other network ranges, if necessary.
    Important: Verify that each network range in your environment has a Client Access FQDN set. If a network range is missing the Client Access FQDN, users accessing resources through that network range cannot launch their Horizon desktops and applications.