DMZ-based Access Point appliances require certain firewall rules on the front-end and back-end firewalls. During installation, Access Point services are set up to listen on certain network ports by default.

A DMZ-based Access Point appliance deployment usually includes two firewalls.

  • An external network-facing, front-end firewall is required to protect both the DMZ and the internal network. You configure this firewall to allow external network traffic to reach the DMZ.

  • A back-end firewall, between the DMZ and the internal network, is required to provide a second tier of security. You configure this firewall to accept only traffic that originates from the services within the DMZ.

Firewall policy strictly controls inbound communications from DMZ services, which greatly reduces the risk of compromising your internal network.

To allow external client devices to connect to an Access Point appliance within the DMZ, the front-end firewall must allow traffic on certain ports. By default, external client devices and external Web clients (HTML Access) connect to an Access Point appliance within the DMZ on TCP port 443. If you use the Blast protocol, port 443 must be open on the firewall. If you use the PCoIP protocol, port 4172 must be open on the firewall.

The following figure shows an example of a configuration that includes front-end and back-end firewalls.

Figure 1. Dual Firewall Topology
In the DMZ, use front-end and back-end firewalls.
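
The following added example (not part of the original documentation or of any VMware tooling) audits a pair of rule sets against the front-end and back-end policy described above. The addresses, rule names, and rule format are constructed for illustration, and accepting both TCP and UDP on port 4172 is an assumption because the page does not name a transport for it.

```python
import ipaddress

# Constructed addressing and rule format for illustration (not from the page).
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")

def front_end_ports(use_pcoip):
    # The page names TCP 443 by default and port 4172 for PCoIP. It gives no
    # transport for 4172, so this sketch accepts both TCP and UDP on it.
    ports = {("tcp", 443)}
    if use_pcoip:
        ports |= {("tcp", 4172), ("udp", 4172)}
    return ports

def audit_front_end(rules, use_pcoip):
    """Flag allow rules that expose more than the DMZ appliance ports."""
    allowed, findings = front_end_ports(use_pcoip), []
    for r in rules:
        if r["action"] != "allow":
            continue
        if not ipaddress.ip_network(r["dst"]).subnet_of(DMZ_NET):
            findings.append((r["name"], "destination is outside the DMZ"))
        elif (r["proto"], r["port"]) not in allowed:
            findings.append((r["name"], "port not needed by Access Point"))
    return findings

def audit_back_end(rules):
    """Flag allow rules whose source is not a DMZ service address."""
    # Only the source is checked: the page lists no back-end ports here.
    return [(r["name"], "source is outside the DMZ") for r in rules
            if r["action"] == "allow"
            and not ipaddress.ip_network(r["src"]).subnet_of(DMZ_NET)]

def rule(name, proto, port, src, dst, action="allow"):
    return dict(name=name, proto=proto, port=port, src=src, dst=dst, action=action)

# Constructed sample rule sets.
FRONT_END = [
    rule("fe-https", "tcp", 443, "0.0.0.0/0", "192.0.2.10/32"),
    rule("fe-pcoip", "udp", 4172, "0.0.0.0/0", "192.0.2.10/32"),
    rule("fe-ssh", "tcp", 22, "0.0.0.0/0", "192.0.2.10/32"),
    rule("fe-direct", "tcp", 443, "0.0.0.0/0", "10.0.0.5/32"),
]
BACK_END = [
    rule("be-from-ap", "tcp", 443, "192.0.2.10/32", "10.0.0.5/32"),
    rule("be-any", "tcp", 443, "0.0.0.0/0", "10.0.0.5/32"),
]

if __name__ == "__main__":
    for name, why in audit_front_end(FRONT_END, use_pcoip=True) + audit_back_end(BACK_END):
        print(f"{name}: {why}")
```

Passing `use_pcoip=False` also flags the port 4172 rule, which is the expected result for a Blast-only or HTML Access-only deployment.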