If you off-load TLS connections to an intermediate server, you must import the intermediate server's certificate onto the Connection Server instances that connect to the intermediate server. The same TLS server certificate must reside on both the off-loading intermediate server and each off-loaded Horizon server that connects to the intermediate server.

If you have a mixed network environment with some intermediate servers and some external-facing Connection Server instances, the intermediate server and any Connection Server instances that connect to it must have the same TLS certificate.

If the intermediate server's certificate is not installed on the Connection Server instance, clients cannot validate their connections to Horizon. In this situation, the certificate thumbprint sent by the Horizon server does not match the certificate on the intermediate server to which Horizon Client connects.
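The thumbprint comparison described above can be checked before clients hit the failure. This is an added example, not part of the VMware documentation: the host names and sample certificates are constructed placeholders, and the SHA-256 default is an assumption, so pass the algorithm your tooling displays.

```python
import hashlib
import ssl


def thumbprint(pem: str, algo: str = "sha256") -> str:
    """Thumbprint = hash of the certificate's DER encoding."""
    return hashlib.new(algo, ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_pem(host: str, port: int = 443) -> str:
    """Leaf certificate a live endpoint presents (fetched without validation)."""
    return ssl.get_server_certificate((host, port))


def find_mismatches(offload_pem: str, server_pems: dict, algo: str = "sha256") -> dict:
    """Map each server whose certificate differs from the off-loading
    intermediate server's certificate to the thumbprint it actually has."""
    expected = thumbprint(offload_pem, algo)
    mismatches = {}
    for name, pem in server_pems.items():
        actual = thumbprint(pem, algo)
        if actual != expected:
            mismatches[name] = actual
    return mismatches


# Constructed sample input: stand-in bytes wrapped as PEM so the example runs
# offline. In practice pass exported certificates or fetch_pem() results.
SAMPLE_OFFLOAD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: shared off-load certificate")
SAMPLE_SERVER_PEMS = {
    "cs-01.example.test": SAMPLE_OFFLOAD_PEM,  # same certificate imported
    "cs-02.example.test": ssl.DER_cert_to_PEM_cert(b"constructed: default certificate"),
}

if __name__ == "__main__":
    print("intermediate:", thumbprint(SAMPLE_OFFLOAD_PEM))
    for name, tp in find_mismatches(SAMPLE_OFFLOAD_PEM, SAMPLE_SERVER_PEMS).items():
        print(f"MISMATCH {name}: {tp}")
```

Any server listed as a mismatch still holds a certificate other than the one on the off-loading device.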

Do not confuse load balancing with TLS off-loading. The preceding requirement applies to any device that is configured to provide TLS off-loading, including some types of load balancers. However, pure load balancing does not require copying certificates between devices.

Important: The scenario described in the following topics shows one approach to the sharing of TLS certificates between third-party components and VMware components. This approach may not suit everyone and it is not the only way to perform the task.