If you off-load SSL connections to an intermediate server, you must import the intermediate server's certificate onto the View Connection Server instances or security servers that connect to the intermediate server. The same SSL server certificate must reside on both the off-loading intermediate server and each off-loaded View server that connects to the intermediate server.
If you deploy security servers, the intermediate server and the security servers that connect to it must have the same SSL certificate. You do not have to install the same SSL certificate on View Connection Server instances that are paired to the security servers and do not connect directly to the intermediate server.
If you do not deploy security servers, or if you have a mixed network environment with some security servers and some external-facing View Connection Server instances, the intermediate server and any View Connection Server instances that connect to it must have the same SSL certificate.
If the intermediate server's certificate is not installed on the View Connection Server instance or security server, clients cannot validate their connections to View. In this situation, the certificate thumbprint sent by the View server does not match the certificate on the intermediate server to which Horizon Client connects.
Do not confuse load balancing with SSL off-loading. The preceding requirement applies to any device that is configured to provide SSL off-loading, including some types of load balancers. However, pure load balancing does not require copying of certificates between devices.
The scenario described in the following topics shows one approach to the sharing of SSL certificates between third-party components and VMware components. This approach may not suit everyone and it is not the only way to perform the task.