When I read it first, I thought I got it but when I attended question around it I failed. Glad that I failed, at least I learnt it thoroughly now. By default all desktop pool are available from all connection servers. e.g. User can access desktop as long as he is entitled to at least one desktop pool and connected any connection server. View connection server tags is the way to restrict a desktop pool to particular view connection servers. As part of security requirement you can restrict view connection server for particular set of desktop pools.
In figure below end user-A is entitled to Desktop pool 01. Connection server 01 is configured with connection tag as Gold. While creating desktop pool we associate connection server 01’s Gold tag with it. When end user selects connection server 01, he is able to go to desktop pool 01 as Gold Tag of connection server matches with Gold tag on desktop pool. But when he select connection server 02/03 he is not able to connect to desktop pool as connection server do not have tag associated with it. Connection server denies the access
Case 02 : User-C is entitled to Desktop Pool 02, user selects connection server 01 but he is denied access as Connection Server 01 only grants access to desktop Pool 01. So User C selects connection server 02/03, since no tag is defined on connection server 02/03 user-C is authenticated and presented Desktop Pool 02.
Simple Tip: Think connection server as Ticket collector who helps/advice you in finding seat (desktop). He will see the ticket (tag) and try to allocate the seat (desktop pool). If ticket (tag) is matching seated is granted. If ticket(tag) is not matching, you are not allowed in i.e. access is denied. Similarly when User-A tries to use Connection Server 02/03 there is no tag created on connection server i.e. there is not ticket collector, therefore there is no one to guide you to Desktop Pool 01. But when User-C logs into connection 02/03 he directly given desktop in desktop pool 02 as there is not tag which needs to be validated by ticket collector (Connection Server Tag)
Connection Tag Internet Facing users
View Security servers must be paired with connection servers. If view security servers are behind load balancer, you must ensure security server is paired with connection server where the tag is defined. In below example I have created tag on connection server 01 and connection server 03. In case either of security server01 or 02 fails, user which are entitled to desktop pool 01 are able to login. It makes Fully redundant solution.
Hope you find this useful. I can’t believe as started drafting this post I learnt lot many other things around connection servers and tag. Keep writing & posting. Happy Monday