They should be authenticating against a security server or a connection server which will broker the connection to the VM if you are using Horizon. Which I assume you would be by posting here.
Now if you only have 1 security server which is bound to the connection server you will have a secure tunnel connection regardless if you use the security server or the connection server for authentication. It will always create a tunnel connection from the server to the VM..
What is it that you are trying to accomplish?