Good Afternoon.

We have configured an Horizon infrastructure running on version 2012 and currently we have an internal connection server pair load balanced through F5 to provide access to users on our network.

The original plan was to give the internal connections (internal wan/lan and direct access users, basically on or internal network IP ranges) a direct connection through the connection servers (auth 443 and then direct between client and VDI on 22443).

We then had to factor in a new Zscaler (ZPA) deployment that doesn't provide the end user an internal ip address so we changed the config for Blast on the connection servers to 'Use Blast Secure Gateway for all Blast connections to machine'.

I've built another pair of connection servers that I was hoping to use for connections from the external internet via a pair of UAG's that would have tags on the connection servers/pools to route the external users.

The issue I can't get me head round is that is states in the config instructions that the secure gateway's (Blast pcoip https) should be turned off on the connection servers, which would break what I already have in place for the internal traffic/load balancer. The connection servers are in synch so I can't use different configs for both pairs of CS.

Can anyone explain what would be the best way of achieving this in my situation.

Regards

T