After creating your VIP inside of the F5 you'll more than likely want to reference that rather than the individual connector2-va / connector3-va (if you're using the defaults to deploy when you setup DNS prior to adding the VMs). For instance the VIP might be horizon-external.FQDN with an ip of 192.168.1.2. From there your VIP has the two IP addresses for connector2-va / connector3-va (example 192.168.1.3 / 192.168.1.4).
So you navigate over to your two connectors via https://connector2-va.FQDN:8443/hc/admin and then navigate to -- Advanced -- Windows Auth -- check both (Enable Windows authentication and Enable Redirect).
Once that is done, you'll then click on the Identity Provider tab and change the IdP Hostname to your VIP on the F5 (in this case horizon-external.FQDN).
If you receive and error then try this.
Login to your connector 3 and 4 via ssh (sshuser is the login -- the password is whatever you set it to be. Then login as root with the same password).
What we are going to do is replace the cert on the connector with a .PEM file that you create.
your cert for your FQDN (I.E workspace.FQDN).
your signed cert (key file that should begin with ----- BEGIN RSA PRIVATE KEY ------)
your root cert that you're using for your workspace FQDN.
Open notepad on your desktop and paste each cert in the sequence above. Make sure to not have any extra white space characters. Once that is done give it a name with a .PEM extension.
From there you can use winscp (or another product to transfer your file to both external connectors 3 and 4). I'd place the .PEM in the /tmp directory.
on the connectors you can use vi /tmp/yourfile.pem and paste the certs in the sequence above.
Once that is done it's time to replace the default cert.