Client XML, Tunnel and Blast TCP Protocols on TCP Port 443

The primary requirement for Horizon is to support native Horizon clients and the HTML Access Horizon client with protocol handling for the client XML control protocol, the Horizon HTTPS secure tunnel and the Blast/HTTPS WebSockets protocol.

All of these protocols can be carried over HTTPS on TCP port 443, so no other ports need to be opened through the outer firewall (Firewall 1) or through the firewall between the DMZ zones (Firewall 2), as shown in Figure 3-1.

To support this minimum set of Horizon protocols with TLS termination and URL filtering, UAG 1 should be set up as a Web Reverse Proxy by enabling a Reverse Proxy Edge Service with the following Proxy Pattern:
(/broker/xml(.*)|/xmlapi(.*)|/broker/resources/(.*)|/ice/(.*)|/r/(.*)|/portal(.*)|/)

This restricts web traffic because UAG only forwards requests whose URL matches the configured proxy pattern; a request for any other URL (for example the Connection Server administration pages) is rejected at UAG and never reaches the Connection Server.
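To see which request paths the pattern actually admits, the following added example (not part of the original page or of the UAG product) runs the page's proxy pattern over a constructed list of request paths. It assumes that UAG evaluates the pattern as an anchored match over the whole URL path, which is the only reading under which the trailing `|/` alternative is meaningful; the sample paths are made up for illustration, not captured traffic.

```python
import re

# Proxy pattern exactly as given on the page for the Horizon Web Reverse Proxy.
HORIZON_PROXY_PATTERN = (
    r"(/broker/xml(.*)|/xmlapi(.*)|/broker/resources/(.*)"
    r"|/ice/(.*)|/r/(.*)|/portal(.*)|/)"
)

# Constructed sample request paths (not captured traffic): a mix of what a
# Horizon Client or HTML Access session sends and what a probe of the DMZ
# might try. Sub-paths are illustrative placeholders.
SAMPLE_PATHS = [
    "/",                              # bare root, admitted by the final '/' alternative
    "/broker/xml",                    # client XML control protocol
    "/xmlapi/example",                # XML API with a placeholder sub-path
    "/broker/resources/logo.png",     # static resources
    "/portal/webclient/index.html",   # HTML Access client
    "/ice/example",                   # placeholder sub-path under /ice/
    "/r/example",                     # placeholder sub-path under /r/
    "/broker/resources",              # no trailing slash: pattern needs '/broker/resources/'
    "/admin/",                        # Connection Server admin UI: must not be exposed
    "/icedemo",                       # '/ice' without the slash
    "/some/other/api",                # anything else on the backend
]


def is_allowed(path: str, pattern: str = HORIZON_PROXY_PATTERN) -> bool:
    """Return True if the whole request path matches the proxy pattern.

    Assumption (not stated on the page): UAG applies proxyPattern as an
    anchored match over the full URL path. Any query string is stripped
    before matching; the path alone is what the pattern filters.
    """
    path = path.split("?", 1)[0]
    return re.fullmatch(pattern, path) is not None


def classify(paths, pattern=HORIZON_PROXY_PATTERN):
    """Split request paths into (forwarded, rejected) lists."""
    forwarded = [p for p in paths if is_allowed(p, pattern)]
    rejected = [p for p in paths if not is_allowed(p, pattern)]
    return forwarded, rejected


def unanchored_is_allowed(path: str, pattern: str = HORIZON_PROXY_PATTERN) -> bool:
    """Counter-example for offline testing: an unanchored search() lets every
    path through, because the '/' alternative matches somewhere in any path.
    Do not test a proxy pattern this way."""
    return re.search(pattern, path) is not None


if __name__ == "__main__":
    fwd, rej = classify(SAMPLE_PATHS)
    print("forwarded:", fwd)
    print("rejected: ", rej)
    print("an unanchored search would wrongly admit:",
          [p for p in rej if unanchored_is_allowed(p)])
```

The two paths worth noticing are `/broker/resources` (rejected, because the pattern requires the trailing slash) and `/admin/` (rejected, which is the point of the filter). When testing a candidate pattern offline, always use an anchored match; the unanchored variant above passes everything and gives a false sense of coverage.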

To configure this automatically at deploy time with PowerShell, add the following example section to the UAG.INI file:

[WebReverseProxy1]
instanceId=Horizon-WRP
proxyDestinationUrl=https://192.168.2.101
proxyDestinationUrlThumbprints=sha1=c5 51 2f a8 1e ef a9 f8 ed fa 1b 80 05 a9 c8 bc 6e 2c 64 b1
proxyPattern=(/broker/xml(.*)|/xmlapi(.*)|/broker/resources/(.*)|/ice/(.*)|/r/(.*)|/portal(.*)|/)
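The thumbprint line is the part of this section most often typed wrong: it must be 20 bytes of SHA-1 in the space-separated `sha1=` form, and because it pins the Connection Server's certificate, it has to be updated whenever that certificate is renewed. The following added example (my own helper, not UAG's PowerShell deployment script or any file shipped with UAG) normalises a thumbprint as copied from a browser or `openssl x509 -fingerprint` into that form, renders the section with the keys shown above, and parses the result back to confirm it is well-formed INI. The function and section names are assumptions made for this example; the pattern check relies on Python's regex syntax agreeing with UAG's for this simple pattern.

```python
import configparser
import re

# Proxy pattern from the page, repeated here so the example runs stand-alone.
HORIZON_PROXY_PATTERN = (
    r"(/broker/xml(.*)|/xmlapi(.*)|/broker/resources/(.*)"
    r"|/ice/(.*)|/r/(.*)|/portal(.*)|/)"
)


def normalize_sha1_thumbprint(raw: str) -> str:
    """Accept a SHA-1 thumbprint with colons, spaces or no separators and any
    case, and return it as 'sha1=xx xx ... xx' as used in the INI section.
    Raises ValueError unless exactly 20 bytes (40 hex digits) are present,
    which catches a SHA-256 fingerprint pasted by mistake or a truncated copy."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 40:
        raise ValueError(
            f"SHA-1 thumbprint must be 40 hex digits, got {len(hexdigits)}"
        )
    return "sha1=" + " ".join(hexdigits[i:i + 2].lower() for i in range(0, 40, 2))


def render_web_reverse_proxy_section(instance_id: str, destination_url: str,
                                     thumbprint: str, proxy_pattern: str,
                                     index: int = 1) -> str:
    """Render a [WebReverseProxyN] section with the keys used on the page.
    The pattern is compiled first so a typo is caught before deployment
    rather than by a UAG that forwards nothing."""
    re.compile(proxy_pattern)
    lines = [
        f"[WebReverseProxy{index}]",
        f"instanceId={instance_id}",
        f"proxyDestinationUrl={destination_url}",
        f"proxyDestinationUrlThumbprints={normalize_sha1_thumbprint(thumbprint)}",
        f"proxyPattern={proxy_pattern}",
    ]
    return "\n".join(lines) + "\n"


def parse_ini(text: str) -> dict:
    """Parse rendered INI text back into {section: {key: value}}.
    interpolation=None keeps '%' literal; optionxform=str keeps the camelCase
    key names instead of lower-casing them."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


# Constructed input: the page's thumbprint as a browser would display it.
BROWSER_STYLE_THUMBPRINT = (
    "C5:51:2F:A8:1E:EF:A9:F8:ED:FA:1B:80:05:A9:C8:BC:6E:2C:64:B1"
)

if __name__ == "__main__":
    section = render_web_reverse_proxy_section(
        "Horizon-WRP", "https://192.168.2.101",
        BROWSER_STYLE_THUMBPRINT, HORIZON_PROXY_PATTERN,
    )
    print(section)
    print(parse_ini(section)["WebReverseProxy1"]["proxyDestinationUrlThumbprints"])
```

Running it reproduces the section above byte for byte from the colon-separated form. If the backend is later reissued a certificate, rerun the helper with the new fingerprint and redeploy; an old thumbprint left in place means UAG will refuse the backend connection rather than silently accept the new certificate.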

If using the Unified Access Gateway Admin UI, add a Reverse Proxy Edge Service with the following settings.

Figure 1. Unified Access Gateway Admin UI Settings for Web Reverse Proxy


Other ports described in the remainder of this section are optional depending on requirements for these additional protocols.