If you off-load TLS connections to an intermediate server, you must import the intermediate server's certificate onto the Connection Server instances or security servers that connect to the intermediate server. The same TLS server certificate must reside on both the off-loading intermediate server and each off-loaded Horizon 7 server that connects to the intermediate server.
If you deploy security servers, the intermediate server and the security servers that connect to it must have the same TLS certificate. You do not have to install the same TLS certificate on Connection Server instances that are paired to the security servers and do not connect directly to the intermediate server.
If you do not deploy security servers, or if you have a mixed network environment with some security servers and some external-facing Connection Server instances, the intermediate server and any Connection Server instances that connect to it must have the same TLS certificate.
If the intermediate server's certificate is not installed on the Connection Server instance or security server, clients cannot validate their connections to Horizon 7. In this situation, the certificate thumbprint sent by the Horizon 7 server does not match the certificate on the intermediate server to which Horizon Client connects.
Do not confuse load balancing with TLS off-loading. The preceding requirement applies to any device that is configured to provide TLS off-loading, including some types of load balancers. However, pure load balancing does not require copying of certificates between devices.
For information about importing certificates to Horizon 7 servers, see "Import a Signed Server Certificate into a Windows Certificate Store" in the Horizon 7 Installation document.