If I have a citrix cloud site that points back to ...
# citrix-cloud
s
If I have a Citrix Cloud site that points back to an on prem CVAD\RDSH server, how can I make sure that people are not going out of the building to the internet then back inside through our connectors to get to a server that is a room away from them? Isn't that Rendezvous or is that something else?
s
I think you are looking for Direct Connection or the upcoming HDX Direct feature
💯 1
c
Direct Workload Connection: you need to add network locations in Citrix Cloud with the public IP of your office
s
Wait for next CR release, you will be able to use HDX Direct, which will be way easier to implement 😄
j
HDX Direct, while in preview, we've been running it since...March/April with no issues (CR2311 then 2407).
s
Nice post on the forum for others that I found: “A standard Cloud connection flow does this, assuming you are using the Gateway Service: Citrix Workspace handles Authentication and Resource Enumeration -> The user launches a desktop -> The connection is tunneled via the Gateway Service -> through the Cloud Connector -> To the VDA.
If you turn on Rendezvous Protocol, the following occurs: Citrix Workspace handles Authentication and Resource Enumeration -> The user launches a desktop -> The connection is tunneled via the Gateway Service directly to the VDA. The Cloud Connector is no longer in the connection path. The VDA reaches out to the Gateway Service on 443 to make this happen.
Direct Workload Connection changes things again: Citrix Workspace handles Authentication and Resource Enumeration -> The user launches a desktop -> IF the network where the user lives has been defined as a network location in Citrix Cloud AND that location has direct line of sight to the VDA -> The Gateway Service is bypassed entirely, and the user connects straight to the VDA. This makes it very similar to a traditional StoreFront flow on-prem. You now have a single connection from endpoint to VDA.
HDX Direct is the future of Direct Workload Connection. It will effectively do the same thing, but you will not need to define network locations for the behavior to occur. It uses the Gateway Service to establish a connection, and then learns if there is a direct connection to the VDA possible. There are certs and other info passed around, along with some use of STUN etc., to make this secure and a bit more robust.”
👍 1