In a double DMZ configuration, it is necessary to install the same SSL server certificate on UAG 1 and UAG 2. This is because Horizon includes a security feature which uses certificate thumbprint calculation to reduce the risk of a malicious man-in-the-middle attack.

The client TLS connection has to connect to a server that has the same certificate as the Unified Access Gateway appliance running the Horizon Edge service (UAG 2). As the client TLS connection is being made to UAG 1, if a different certificate was presented, then the connection would fail due to a mismatched certificate thumbprint. Similarly, if a load balancer is used in DMZ 1 in front of multiple Unified Access Gateway appliances, then if that load balancer is also terminating TLS (TLS bridging), then the same certificate must be present on UAG 2 and the load balancer so that the thumbprint validation succeeds.