Hi,
Your CA server should be published on the Internet, and this is a high risk, but you can provide an SSL certificate from trusted CA roots, for example Comodo.
I have the same issue with our security servers, but same as us, you have a firewall between your security server and connection server, so your connection is secured but not encrypted.
If you issue a certificate from your CA, you should add "SecurityServerName.Company.Com" as the name, not your internal security server name, and deliver that to users to install on their PCs. Also, you can convert that to a PEM file and add it to your Thin Clients and Zero Clients.
Davoud.
-------------------------------------------------------------------------------------
Davoud Teimouri - https://www.teimouri.net - Twitter: @davoud_teimouri Facebook: https://www.facebook.com/teimouri.net/