If you off-load TLS connections to an intermediate server, you must import the intermediate server's certificate onto the Connection Server instances that connect to the intermediate server. The same TLS server certificate must reside on both the off-loading intermediate server and each off-loaded Horizon server that connects to the intermediate server.
If you have a mixed network environment with some intermediate servers and some external-facing Connection Server instances, the intermediate server and any Connection Server instances that connect to it must have the same TLS certificate.
If the intermediate server's certificate is not installed on the Connection Server instance, clients cannot validate their connections to Horizon. In this situation, the certificate thumbprint sent by the Horizon server does not match the certificate on the intermediate server to which Horizon Client connects.
Do not confuse load balancing with TLS off-loading. The preceding requirement applies to any device that is configured to provide TLS off-loading, including some types of load balancers. However, pure load balancing does not require copying of certificates between devices.
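The following script is an added example, not VMware's own code or tooling, that checks the requirement described above: it compares the certificate presented by the TLS off-loading intermediate with the certificate installed on each Connection Server behind it and reports any Connection Server whose certificate differs. It uses only the Python standard library; the host names are placeholders, the SHA-256 thumbprint format is the example's choice (what matters is that the DER encoding is byte-identical), and the sample certificate bytes are constructed so that the comparison logic runs offline. For a real check, call `fetch_certificate_der()` against the off-loader's address and against each Connection Server directly; a pure load balancer that passes TLS through untouched will show the same certificate as the server it forwards to, so this check also distinguishes off-loading from pass-through balancing.

```python
"""Check that a TLS off-loading intermediate and the Connection Servers behind it
present the same certificate. Added example; host names are placeholders."""
import hashlib
import socket
import ssl
from typing import Dict, List, Tuple


def sha256_thumbprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 of the certificate's DER encoding."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_certificate_der(host: str, port: int = 443) -> bytes:
    """Retrieve the leaf certificate a TLS endpoint presents.

    Verification is disabled on purpose: the goal is to see which certificate
    is served, even before the chain is trusted on this machine.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare_offload_certificates(
    intermediate_der: bytes, connection_server_ders: Dict[str, bytes]
) -> Tuple[bool, List[str]]:
    """Return (all_match, report_lines).

    A Connection Server whose certificate differs from the intermediate's will
    make Horizon Client validation fail: the thumbprint the Connection Server
    sends will not match the certificate the client actually sees on the wire.
    """
    expected = sha256_thumbprint(intermediate_der)
    lines = [f"intermediate : {expected}"]
    all_match = True
    for name, der in sorted(connection_server_ders.items()):
        actual = sha256_thumbprint(der)
        status = "MATCH" if actual == expected else "MISMATCH"
        if actual != expected:
            all_match = False
        lines.append(f"{name:13}: {actual} [{status}]")
    return all_match, lines


# Constructed stand-ins for DER-encoded certificates so the check runs offline.
# In practice, obtain them with fetch_certificate_der("offloader.example.invalid")
# and fetch_certificate_der("cs-01.example.invalid"), etc. (placeholder hosts).
SHARED_CERT = b"-- constructed DER bytes: certificate installed on the off-loader --"
OTHER_CERT = b"-- constructed DER bytes: a different certificate --"


def demo() -> bool:
    """cs-01 carries the off-loader's certificate; cs-02 was never given it."""
    all_match, report = compare_offload_certificates(
        SHARED_CERT, {"cs-01": SHARED_CERT, "cs-02": OTHER_CERT}
    )
    for line in report:
        print(line)
    return all_match


if __name__ == "__main__":
    demo()
```

The report for the constructed sample flags `cs-02` as a mismatch; that is exactly the Connection Server whose clients would fail certificate validation when they connect through the intermediate.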