OK thanks, this is what I figured.
In which case, I guess my options for internal TrueSSO are:
- Enable tunnelling - both thick clients and HTML5 clients are tunnelled regardless.
- Disable tunnelling, but configure the connection servers to return a DNS name rather than IP address, so that direct HTML5 connections do not throw a cert warning. (Not entirely happy to do this, because it'd introduce a significant dependency on accurate DNS queries for instant clones / highly ephemeral environments. I could see an issue where users are brokered out to different machines to what the connection server allocated!)
I should probably throw in a feature request for the UAG product team. Just as an aside, I've always wondered why these cert warnings only throw for brokered, direct HTML5 connections, and not brokered direct connections from the thick client? Maybe a question for another thread!
Thanks