DMZ-based Unified Access Gateway appliances require certain firewall rules on the front-end and back-end firewalls. During installation, Unified Access Gateway services are set up to listen on certain network ports by default.
A DMZ-based Unified Access Gateway appliance deployment usually includes two firewalls.
- An external network-facing, front-end firewall is required to protect both the DMZ and the internal network. You configure this firewall to allow external network traffic to reach the DMZ.
- A back-end firewall, between the DMZ and the internal network, is required to provide a second tier of security. You configure this firewall to accept only traffic that originates from the services within the DMZ.
Firewall policy strictly controls inbound communications from DMZ services, which greatly reduces the risk of compromising your internal network.
To allow external client devices to connect to a Unified Access Gateway appliance within the DMZ, the front-end firewall must allow traffic on certain ports. By default, external client devices and external Web clients (HTML Access) connect to a Unified Access Gateway appliance within the DMZ on TCP port 443. If you use the Blast protocol, port 8443 must be open on the firewall, but you can configure Blast for port 443 as well.
| Port | Protocol | Source | Target | Description |
|---|---|---|---|---|
| 443 | TCP | Internet | Unified Access Gateway | For Web traffic, Horizon Client XML-API, Horizon Tunnel, and Blast Extreme |
| 443 | UDP | Internet | Unified Access Gateway | UDP (optional) |
| 8443 | UDP | Internet | Unified Access Gateway | Blast Extreme (optional) |
| 8443 | TCP | Internet | Unified Access Gateway | Blast Extreme (optional) |
| 4172 | TCP and UDP | Internet | Unified Access Gateway | PCoIP (optional) |
| 443 | TCP | Unified Access Gateway | Horizon Broker | Horizon Client XML-API |
| 22443 | TCP and UDP | Unified Access Gateway | Desktops and RDS Hosts | Blast Extreme |
| 4172 | TCP and UDP | Unified Access Gateway | Desktops and RDS Hosts | PCoIP (optional) |
| 32111 | TCP | Unified Access Gateway | Desktops and RDS Hosts | Framework channel for USB Redirection |
| 9427 | TCP | Unified Access Gateway | Desktops and RDS Hosts | MMR and CDR |
| 9443 | TCP | Admin UI | Unified Access Gateway | Management interface |
Note: All UDP ports require both forward datagrams and reply datagrams to be allowed.
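As an added example (not part of the VMware documentation), the port table above can be encoded as a default-deny rule set split between the front-end and back-end firewalls, so that candidate flows, including the UDP reply direction from the note, can be checked before the rules are applied to real appliances. The assignment of each endpoint to the external, DMZ or internal zone is an assumption made for this example.

```python
# Added example, not VMware code: model the port table as firewall rules and
# check flows against them. Zone membership of endpoints is an assumption.
ZONES = {
    "Internet": "external",
    "Admin UI": "internal",
    "Unified Access Gateway": "dmz",
    "Horizon Broker": "internal",
    "Desktops and RDS Hosts": "internal",
}

# (destination port, protocols, source, destination), as listed on this page.
RULES = [
    (443, {"TCP", "UDP"}, "Internet", "Unified Access Gateway"),
    (8443, {"TCP", "UDP"}, "Internet", "Unified Access Gateway"),
    (4172, {"TCP", "UDP"}, "Internet", "Unified Access Gateway"),
    (443, {"TCP"}, "Unified Access Gateway", "Horizon Broker"),
    (22443, {"TCP", "UDP"}, "Unified Access Gateway", "Desktops and RDS Hosts"),
    (4172, {"TCP", "UDP"}, "Unified Access Gateway", "Desktops and RDS Hosts"),
    (32111, {"TCP"}, "Unified Access Gateway", "Desktops and RDS Hosts"),
    (9427, {"TCP"}, "Unified Access Gateway", "Desktops and RDS Hosts"),
    (9443, {"TCP"}, "Admin UI", "Unified Access Gateway"),
]


def firewall_for(src, dst):
    """Name the firewall a flow crosses: the front-end one sits between the
    external network and the DMZ, the back-end one between the DMZ and the
    internal network. A flow that crosses neither returns None."""
    zones = {ZONES[src], ZONES[dst]}
    if zones == {"external", "dmz"}:
        return "front-end"
    if zones == {"dmz", "internal"}:
        return "back-end"
    return None


def is_allowed(src, dst, port, proto, reply=False):
    """Default deny: a flow passes only if a rule lists exactly this source,
    destination, port and protocol. With reply=True the flow is the return
    traffic of such a connection, which the note above requires to be
    allowed for UDP (the reverse direction is never allowed on its own)."""
    if reply:
        src, dst = dst, src
    return any(p == port and proto in protos and s == src and d == dst
               for p, protos, s, d in RULES)


def rules_for(firewall):
    """List the (port, protocol) pairs a given firewall must open."""
    return sorted((p, proto) for p, protos, s, d in RULES
                  if firewall_for(s, d) == firewall for proto in sorted(protos))
```

A direct Internet-to-desktop flow on 22443 is rejected because no rule lists it, which is the two-tier property the text describes: only the appliance in the DMZ may open connections inward.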
The following figure shows an example of a configuration that includes front-end and back-end firewalls.