DMZ-based Unified Access Gateway appliances require certain firewall rules on the front-end and back-end firewalls. During installation, Unified Access Gateway services are set up to listen on certain network ports by default.

A DMZ-based Unified Access Gateway appliance deployment usually includes two firewalls.

  • An external network-facing, front-end firewall is required to protect both the DMZ and the internal network. You configure this firewall to allow external network traffic to reach the DMZ.
  • A back-end firewall, between the DMZ and the internal network, is required to provide a second tier of security. You configure this firewall to accept only traffic that originates from the services within the DMZ.

Firewall policy strictly controls which inbound connections the DMZ services may open toward the internal network, which greatly reduces the risk of a compromised DMZ host being used to reach internal systems.

To allow external client devices to connect to a Unified Access Gateway appliance within the DMZ, the front-end firewall must allow traffic on certain ports. By default, external client devices and external Web clients (HTML Access) connect to a Unified Access Gateway appliance within the DMZ on TCP port 443. If you use the Blast protocol, port 8443 must be open on the firewall as well, although you can also configure Blast to use port 443.

Table 1. Port Requirements

Port   Protocol     Source                  Target                  Description
443    TCP          Internet                Unified Access Gateway  Web traffic, Horizon Client XML-API, Horizon Tunnel, and Blast Extreme
443    UDP          Internet                Unified Access Gateway  UDP (optional)
8443   UDP          Internet                Unified Access Gateway  Blast Extreme (optional)
8443   TCP          Internet                Unified Access Gateway  Blast Extreme
4172   TCP and UDP  Internet                Unified Access Gateway  PCoIP (optional)
443    TCP          Unified Access Gateway  Horizon Broker          Horizon Client XML-API
22443  TCP and UDP  Unified Access Gateway  Desktops and RDS Hosts  Blast Extreme
4172   TCP and UDP  Unified Access Gateway  Desktops and RDS Hosts  PCoIP (optional)
32111  TCP          Unified Access Gateway  Desktops and RDS Hosts  Framework channel for USB redirection
9427   TCP          Unified Access Gateway  Desktops and RDS Hosts  MMR and CDR
9443   TCP          Admin UI                Unified Access Gateway  Management interface

Note: All UDP ports require forward datagrams and reply datagrams to be allowed.
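The two-tier policy above, as an added example that is not part of the VMware documentation or the Unified Access Gateway product: a Python script that turns Table 1 into default-deny iptables FORWARD rules for the front-end and back-end firewalls and checks candidate flows against the same rule set. The zone addressing (Unified Access Gateway at 203.0.113.10, brokers in 10.10.0.0/24, desktops and RDS hosts in 10.20.0.0/16, admin hosts in 10.50.0.0/24), the placement of the 9443 Admin UI rule on the back-end firewall, and the enable_optional switch are assumptions for illustration.

```python
"""Front-end / back-end firewall policy derived from the UAG port table.

Added example, not VMware's own code or tooling.  Addresses and zone names
are assumptions: UAG at 203.0.113.10 in the DMZ, the Internet as 0.0.0.0/0,
brokers and desktops on RFC 1918 ranges, admin hosts on 10.50.0.0/24.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for each source/target named in Table 1.
ZONES = {
    "internet": [ip_network("0.0.0.0/0")],
    "uag":      [ip_network("203.0.113.10/32")],
    "broker":   [ip_network("10.10.0.0/24")],
    "desktops": [ip_network("10.20.0.0/16")],
    "admin":    [ip_network("10.50.0.0/24")],
}


@dataclass(frozen=True)
class Rule:
    firewall: str          # "front" (Internet <-> DMZ) or "back" (DMZ <-> internal)
    proto: str             # "tcp" or "udp"
    port: int
    src: str               # zone name
    dst: str               # zone name
    desc: str
    optional: bool = False  # opened only when the feature is enabled


# Table 1, one Rule per port/protocol/direction ("TCP and UDP" rows become two).
TABLE = [
    Rule("front", "tcp", 443,   "internet", "uag",      "Web, XML-API, Tunnel, Blast Extreme"),
    Rule("front", "udp", 443,   "internet", "uag",      "UDP (optional)", optional=True),
    Rule("front", "udp", 8443,  "internet", "uag",      "Blast Extreme UDP (optional)", optional=True),
    Rule("front", "tcp", 8443,  "internet", "uag",      "Blast Extreme"),
    Rule("front", "tcp", 4172,  "internet", "uag",      "PCoIP (optional)", optional=True),
    Rule("front", "udp", 4172,  "internet", "uag",      "PCoIP (optional)", optional=True),
    Rule("back",  "tcp", 443,   "uag",      "broker",   "Horizon Client XML-API"),
    Rule("back",  "tcp", 22443, "uag",      "desktops", "Blast Extreme"),
    Rule("back",  "udp", 22443, "uag",      "desktops", "Blast Extreme"),
    Rule("back",  "tcp", 4172,  "uag",      "desktops", "PCoIP (optional)", optional=True),
    Rule("back",  "udp", 4172,  "uag",      "desktops", "PCoIP (optional)", optional=True),
    Rule("back",  "tcp", 32111, "uag",      "desktops", "USB redirection framework channel"),
    Rule("back",  "tcp", 9427,  "uag",      "desktops", "MMR and CDR"),
    # Admin UI reached from the internal management network; placing it on the
    # back-end firewall is an assumption of this example.
    Rule("back",  "tcp", 9443,  "admin",    "uag",      "Management interface"),
]


def active_rules(firewall, enable_optional=frozenset()):
    """Rules for one firewall; optional rows count only if their port is enabled."""
    return [r for r in TABLE
            if r.firewall == firewall and (not r.optional or r.port in enable_optional)]


def iptables_script(firewall, enable_optional=frozenset()):
    """Render the policy as iptables commands: default-deny FORWARD, accept
    replies to established flows (this is what admits the UDP reply datagrams
    the note above requires), then one ACCEPT per active table row."""
    lines = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in active_rules(firewall, enable_optional):
        for s in ZONES[r.src]:
            for d in ZONES[r.dst]:
                lines.append(
                    f"iptables -A FORWARD -p {r.proto} -s {s} -d {d} --dport {r.port} "
                    f"-m conntrack --ctstate NEW -j ACCEPT  # {r.desc}")
    return lines


def is_allowed(firewall, proto, src_ip, dst_ip, dport, enable_optional=frozenset()):
    """Would the given firewall accept a NEW flow?  Mirrors iptables_script()."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in active_rules(firewall, enable_optional):
        if (r.proto == proto and r.port == dport
                and any(src in n for n in ZONES[r.src])
                and any(dst in n for n in ZONES[r.dst])):
            return True
    return False


if __name__ == "__main__":
    for fw in ("front", "back"):
        print(f"# {fw}-end firewall")
        print("\n".join(iptables_script(fw, enable_optional={4172})))
```

Optional rows (UDP 443, UDP 8443, PCoIP 4172) are emitted only for the ports named in enable_optional, so a deployment that does not use PCoIP never opens 4172 on either firewall. The back-end rule set contains no rule whose source is the desktop or broker zone, which is the "accept only traffic that originates from the services within the DMZ" requirement made concrete; the single ESTABLISHED,RELATED rule is what lets return traffic through without a reverse-direction hole.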

The following figure shows an example of a configuration that includes front-end and back-end firewalls.

Figure 1. Unified Access Gateway In DMZ Topology