Support responded. We indeed do need the certs from the load balancer to also be on the UAGs. They also provided this link and comment:
Similarly, if a load balancer is used in DMZ 1 in front of multiple Unified Access Gateway appliances, then if that load balancer is also terminating TLS (TLS bridging), then the same certificate must be present on UAG 2 and the load balancer so that the thumbprint validation succeeds.
That's one way to do it. I don't like the idea of sharing a certificate, so in our environment we have a unique cert on each of the following:
- Load balancer VIP for external UAG connections
- Each UAG
- Load balancer VIP for external connection servers
- Load balancer VIP for internal connection servers
- Each external and internal connection server.
We also, as a policy, do not use any wildcard certs, and I would advise against them. There is a security risk in using wildcards, and some applications will not allow them.
We leverage Method 3 - Multiple VIPs with session affinity.
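The condition in the quoted support note (the load balancer VIP and every UAG behind it must present the same certificate when the load balancer bridges TLS, or UAG thumbprint validation fails) is easy to verify from the outside. The script below is an added example, not code from either poster or from VMware: it pulls the leaf certificate from the VIP and from each UAG, computes the thumbprint, and reports which appliances differ from the VIP. Hostnames are placeholders, and the `sha1=AB CD ...` display format is only an assumption about presentation; the comparison itself is done on the normalized hex digest. The same `fetch_leaf_der` call works against the connection-server VIPs and servers listed above if you want to inventory the second setup (one unique cert per endpoint) and confirm nothing is accidentally shared.

```python
"""Check whether a load balancer VIP and the UAG appliances behind it present
the same TLS certificate, by comparing leaf-certificate thumbprints.

Added example (not from the original thread). Hostnames below are placeholders.
"""
import hashlib
import socket
import ssl


def fetch_leaf_der(host, port=443, timeout=5):
    """Return the DER-encoded leaf certificate presented by host:port.

    Verification is deliberately disabled: we want the certificate the
    endpoint actually serves, even if this machine does not trust it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def thumbprint(der, algo="sha1"):
    """Hex thumbprint of a DER certificate, rendered as 'sha1=AB CD ...'.

    Uppercase, space-separated output is an assumption about display format;
    bridging_report() compares normalized digests, not these strings.
    """
    digest = hashlib.new(algo, der).hexdigest().upper()
    pairs = " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return f"{algo}={pairs}"


def normalize(thumb):
    """Accept 'sha1=ab:cd', 'sha1=AB CD' or bare 'abcd'; return (algo, HEX).

    A thumbprint with no 'algo=' prefix is assumed to be SHA-1.
    """
    algo, _, hexpart = thumb.partition("=")
    if not hexpart:
        algo, hexpart = "sha1", thumb
    cleaned = "".join(c for c in hexpart.upper() if c in "0123456789ABCDEF")
    return algo.lower(), cleaned


def bridging_report(vip_der, uag_ders, algo="sha1"):
    """Compare the VIP's certificate with each UAG's.

    Returns the VIP thumbprint, a per-UAG match flag, and an overall 'ok'
    that is True only when every UAG presents the VIP's certificate, which is
    the condition the support note requires for TLS bridging.
    """
    vip_tp = normalize(thumbprint(vip_der, algo))
    per_uag = {
        name: normalize(thumbprint(der, algo)) == vip_tp
        for name, der in uag_ders.items()
    }
    return {
        "vip": thumbprint(vip_der, algo),
        "per_uag": per_uag,
        "ok": all(per_uag.values()),
    }


if __name__ == "__main__":
    # Placeholder names (assumption); replace with your VIP and UAG addresses.
    vip_der = fetch_leaf_der("uag-vip.example.com")
    uag_ders = {
        name: fetch_leaf_der(name)
        for name in ("uag1.example.com", "uag2.example.com")
    }
    report = bridging_report(vip_der, uag_ders)
    print("VIP :", report["vip"])
    for name, same in report["per_uag"].items():
        print(f"{name}: {'same cert as VIP' if same else 'DIFFERENT cert'}")
    verdict = "succeed" if report["ok"] else "fail"
    print(f"UAG thumbprint validation behind a bridging LB will {verdict}")
```

Run it from a host that can reach both the VIP and the individual appliances directly (the per-appliance connection must bypass the VIP, or every result will trivially match). A `DIFFERENT cert` line for any UAG is exactly the mismatch the support note warns about.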