
How does the security server work?
To start with, the user login process is the same as when connecting to a View connection server, essentially because the security server is just another version of the connection server running a subset of the features, with the exclusion of the ADAM database. The difference is that you connect to the address of the security server. The security server sits inside your DMZ and communicates with the connection server on the internal network that it is paired with. This adds an extra security layer, as the internal connection server is not exposed externally; the idea is that users can access their virtual desktop machines externally without first needing to connect to a VPN on the network.
This security server connection process is described pictorially in the following diagram:
When the user logs in from the Horizon client, they now use the external URL of the security server to access the connection server, which, in turn, authenticates the user against Active Directory. If the connection server is configured as a PCoIP gateway, then it will pass the connection and addressing information to the Horizon client. This connection information will allow the Horizon client to connect to the security server using PCoIP. This is shown in the diagram by the green arrow (1). The security server will then forward the PCoIP connection to the virtual desktop machine (2), creating the connection for the user. The virtual desktop machine is displayed/delivered within the Horizon client window (3) using the chosen display protocol (PCoIP, Blast Extreme, or RDP). We will cover this process and the different ports View uses for connecting later in this chapter.