Smart Card authentication in Horizon uses certificate negotiation within the client TLS connection. This requires that the first client TLS termination point is a server or appliance configured for Horizon. If any intermediate server terminates the client TLS connection first, such as a load balancer configured for SSL bridging or a TLS-terminating Web Reverse Proxy, then Smart Card authentication cannot be performed, because the certificate negotiation never reaches the Horizon-configured server or appliance. For this reason, the Unified Access Gateway Web Reverse Proxy configuration for DMZ 1 described in this document cannot be used for Smart Card authentication. One option is to instead configure UAG 1 with a generic forward rule for TCP port 443 so that client connections are forwarded directly to UAG 2, which then performs the filtering and supports Smart Card authentication. The firewall rules do not change for this, but the UAG 1 Web Reverse Proxy Edge Service should not be enabled.