The broker sits on TS1. When you RDP to TS1 you get no certificate warning. When the broker redirects you to TS2, the user receives the certificate warning: "The certificate is not from a trusted certifying authority." The same thing happens if one tries to RDP to TS2 and gets redirected to TS1.
Is the only way around this to use a wildcard certificate and, if so, can I self-sign one?