DMZ-based Unified Access Gateway appliances require certain firewall rules on the front-end and back-end firewalls. During installation, Unified Access Gateway services are set up to listen on certain network ports by default.

A DMZ-based Unified Access Gateway appliance deployment usually includes two firewalls.

  • An external network-facing, front-end firewall is required to protect both the DMZ and the internal network. You configure this firewall to allow external network traffic to reach the DMZ.

  • A back-end firewall, between the DMZ and the internal network, is required to provide a second tier of security. You configure this firewall to accept only traffic that originates from the services within the DMZ.

Firewall policy strictly controls inbound communications from DMZ services, which greatly reduces the risk of compromising your internal network.

To allow external client devices to connect to a Unified Access Gateway appliance within the DMZ, the front-end firewall must allow traffic on certain ports. By default the external client devices and external Web clients (HTML Access) connect to a Unified Access Gateway appliance within the DMZ on TCP port 443. If you use the Blast protocol, port 8443 must be open on the firewall, but you can configure Blast for port 443 as well.

Table 1. Port Requirements

| Port  | Protocol    | Source                 | Target                 | Description                                                             |
|-------|-------------|------------------------|------------------------|-------------------------------------------------------------------------|
| 443   | TCP         | Internet               | Unified Access Gateway | For Web traffic, Horizon Client XML-API, Horizon Tunnel, and Blast Extreme |
| 443   | UDP         | Internet               | Unified Access Gateway | UDP (optional)                                                          |
| 8443  | UDP         | Internet               | Unified Access Gateway | Blast Extreme (optional)                                                |
| 8443  | TCP         | Internet               | Unified Access Gateway | Blast Extreme                                                           |
| 4172  | TCP and UDP | Internet               | Unified Access Gateway | PCoIP (optional)                                                        |
| 443   | TCP         | Unified Access Gateway | Horizon Broker         | Horizon Client XML-API                                                  |
| 22443 | TCP and UDP | Unified Access Gateway | Desktops and RDS Hosts | Blast Extreme                                                           |
| 4172  | TCP and UDP | Unified Access Gateway | Desktops and RDS Hosts | PCoIP (optional)                                                        |
| 32111 | TCP         | Unified Access Gateway | Desktops and RDS Hosts | Framework channel for USB Redirection                                   |
| 9427  | TCP         | Unified Access Gateway | Desktops and RDS Hosts | MMR and CDR                                                             |
| 9443  | TCP         | Admin UI               | Unified Access Gateway | Management interface                                                    |

Note:

All UDP ports require both forward datagrams and reply datagrams to be allowed.
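The following is an added example, not part of the VMware documentation: it encodes Table 1 as data, derives the allow-list each firewall needs (honouring the optional rows and the option of running Blast on 443 instead of 8443), and audits a candidate rule set against the policy stated above that the back-end firewall accepts only traffic originating from services within the DMZ. The firewall labels, the `DMZ_HOSTS` set, and the decision to place the Admin UI row on neither firewall are this example's own assumptions.

```python
UAG = "Unified Access Gateway"

# Table 1 rows as (port, protocols, source, target, description); values from the page.
PORT_TABLE = [
    (443, "TCP", "Internet", UAG, "Web, Horizon Client XML-API, Tunnel, Blast Extreme"),
    (443, "UDP", "Internet", UAG, "UDP (optional)"),
    (8443, "UDP", "Internet", UAG, "Blast Extreme (optional)"),
    (8443, "TCP", "Internet", UAG, "Blast Extreme"),
    (4172, "TCP and UDP", "Internet", UAG, "PCoIP (optional)"),
    (443, "TCP", UAG, "Horizon Broker", "Horizon Client XML-API"),
    (22443, "TCP and UDP", UAG, "Desktops and RDS Hosts", "Blast Extreme"),
    (4172, "TCP and UDP", UAG, "Desktops and RDS Hosts", "PCoIP (optional)"),
    (32111, "TCP", UAG, "Desktops and RDS Hosts", "Framework channel for USB Redirection"),
    (9427, "TCP", UAG, "Desktops and RDS Hosts", "MMR and CDR"),
    (9443, "TCP", "Admin UI", UAG, "Management interface"),
]
DMZ_HOSTS = {UAG}  # assumption: the appliance is the only service in the DMZ


def expand(rows):
    """Turn table rows into (src, dst, proto, port) rules, one per protocol."""
    return {(src, dst, proto, port) for port, protos, src, dst, _ in rows
            for proto in protos.replace(" and ", " ").split()}


def required_rules(firewall, include_optional=False, blast_port=8443):
    """Allow-list for the 'front-end' (Internet -> DMZ) or 'back-end' (DMZ -> internal)
    firewall. Optional rows are skipped unless requested; blast_port=443 drops 8443."""
    keep = []
    for row in PORT_TABLE:
        port, _, src, _, desc = row
        if firewall == "front-end" and src != "Internet":
            continue
        if firewall == "back-end" and src not in DMZ_HOSTS:
            continue
        if "(optional)" in desc and not include_optional:
            continue
        if blast_port == 443 and port == 8443:
            continue
        keep.append(row)
    return expand(keep)


def audit(firewall, candidate, **options):
    """Compare a candidate rule set with the required one: returns (missing, extra,
    violations). On the back-end firewall, any rule whose source is outside the DMZ
    violates the policy that only traffic originating from DMZ services is accepted."""
    need = required_rules(firewall, **options)
    violations = set()
    if firewall == "back-end":
        violations = {r for r in candidate if r[0] not in DMZ_HOSTS}
    return need - candidate, candidate - need, violations
```

Feed `audit()` the rules you intend to configure on each firewall; a non-empty `extra` set on the front-end firewall or a non-empty `violations` set on the back-end firewall means the policy is more permissive than Table 1 requires.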

The following figure shows an example of a configuration that includes front-end and back-end firewalls.

Figure 1. Unified Access Gateway In DMZ Topology