VMware Workspace ONE Community
DarrenBull
Contributor

Horizon external access - gateway redirects users to connector URL?

Hi, here goes:

I have deployed the default appliance plus an additional connector to take care of external authentication using SecurID, as follows:

horizon.company.corp (gateway hostname, also external FQDN for the system).

rsa-va.company.corp (RSA identity provider)

connector-va.company.corp (default identity provider)

I have also implemented split DNS so these addresses resolve to internal IP addresses for internal users, and external IP addresses for external users. However, because external access is all via the gateway, the only DNS entry I have externally is for horizon.company.corp, nothing else.

When I attempt to connect externally, I seem to get a good initial connection to the gateway which then (correctly as I am on a non-internal IP) passes me off to the rsa-va.company.corp id provider for authentication. However, it doesn't seem to reverse proxy this connection - instead the client gets 'cannot resolve host rsa-va.company.corp', which is correct as I have not published the DNS entry externally, and nor do I need to - that's the whole point of the non-changeable external FQDN entry, right?

So, what am I doing wrong here? Why isn't the gateway 'looking after' my external users?

I'm sure I've done something stupid but just cannot see what based on the documentation.

0 Kudos
2 Replies
mlross
Contributor

I *think* that you have to deploy a load balancer into the DMZ. This will connect down to the gateway inside your network.

0 Kudos
DarrenBull
Contributor

Having looked again, I think you are right. The number of servers that need to be up to keep this thing going is worrying; I think I'm almost into double figures! Thanks.

0 Kudos