Channel: VMware Communities: Message List

Re: View Security server questions


Hi "boom",

 

Good questions.

 

1. HTTPS connections from Internet clients are terminated at the Security Server. AJP13 is used to pass authentication and other client control traffic from the Security Server to the Connection Server after validation. This is for authentication, authorization and obtaining configuration data etc. Security Servers therefore do not need to be joined to an AD domain and AD traffic does not need to go between the DMZ and the green zone (where AD is). The role of the Security Server is to ensure that only traffic on behalf of authenticated users (PCoIP etc.) can be sent to the virtual desktops in the green zone. It is normal for a Security Server to be located in a DMZ between the green zone and the Internet. The Security Server is acting as a proxy. No HTTPS goes between Security Server and Connection Server. That is all AJP13 and JMS. No protocols go straight from the Internet to the Connection Server(s). It is common for Internet access in View to add additional authentication steps such as RSA SecurID, RADIUS or X.509 Smart Card certificates etc. so that a pre-authentication step is performed before AD is ever contacted.

 

2. AJP13 (containing the control traffic from View Clients) goes between Security Server and Connection Server using an IPsec-secured channel and so is all encrypted. This IPsec channel is automatically set up as part of the Security Server pairing performed at installation time. Sensitive data in JMS messages is also encrypted.

 

3. The recommended firewall settings for a DMZ only permit AJP13 and JMS to go to a Connection Server (not HTTPS). This prevents Internet access to View Administrator from the Internet. You also cannot connect to View Administrator on the Connection Server via a Security Server. You can only access it internally.

 

Hope these answers help.

 

Mark
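
The back-end firewall policy described in points 1 to 3 can be checked mechanically. The following is an added example, not part of the original post or VMware's own tooling; the port numbers (TCP 8009 for AJP13, TCP 4001 for JMS, UDP 500/4500 and ESP for the IPsec channel) are assumed defaults not stated in the post, and the zone and host labels are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed default ports (not stated in the post): AJP13 = TCP 8009, JMS = TCP 4001,
# IPsec pairing channel = UDP 500 (IKE), UDP 4500 (NAT-T) and ESP.
ALLOWED_DMZ_TO_CS = {("tcp", 8009), ("tcp", 4001), ("udp", 500), ("udp", 4500), ("esp", None)}
WEB_PORTS = {("tcp", 80), ("tcp", 443)}

@dataclass(frozen=True)
class Rule:
    src_zone: str         # hypothetical labels: "internet", "dmz", "green"
    dst_host: str         # hypothetical role label, e.g. "connection-server"
    proto: str
    port: Optional[int]   # None for port-less protocols such as ESP
    action: str           # "allow" or "deny"

def audit(rules):
    """Return (rule, finding) pairs for allow rules that break the layout in the post."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dst_host != "connection-server":
            continue  # only rules that let traffic reach a Connection Server matter here
        svc = (r.proto, r.port)
        if r.src_zone == "internet":
            findings.append((r, "Internet traffic reaches a Connection Server directly"))
        elif r.src_zone == "dmz" and svc in WEB_PORTS:
            findings.append((r, "HTTP(S) from the DMZ exposes View Administrator"))
        elif r.src_zone == "dmz" and svc not in ALLOWED_DMZ_TO_CS:
            findings.append((r, "service is not AJP13, JMS or the IPsec channel"))
    return findings

# Constructed sample rule set, not taken from any real firewall.
SAMPLE_RULES = [
    Rule("internet", "security-server", "tcp", 443, "allow"),    # client HTTPS ends in the DMZ
    Rule("dmz", "connection-server", "tcp", 8009, "allow"),      # AJP13
    Rule("dmz", "connection-server", "tcp", 4001, "allow"),      # JMS
    Rule("dmz", "connection-server", "udp", 500, "allow"),       # IKE
    Rule("dmz", "connection-server", "esp", None, "allow"),      # IPsec payload
    Rule("dmz", "connection-server", "tcp", 443, "allow"),       # violation: HTTPS
    Rule("internet", "connection-server", "tcp", 443, "allow"),  # violation: direct path
    Rule("dmz", "connection-server", "tcp", 389, "allow"),       # violation: AD/LDAP
    Rule("dmz", "connection-server", "tcp", 3389, "deny"),       # deny rules are ignored
]

if __name__ == "__main__":
    for rule, finding in audit(SAMPLE_RULES):
        print(f"{rule.src_zone} -> {rule.dst_host} {rule.proto}/{rule.port}: {finding}")
```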

