For on-premises deployment of Horizon within a data center of an organization, it is common to install Unified Access Gateway appliances in a single DMZ which provides a network isolation layer between the internet and the customer data center.
Unified Access Gateway has built-in security mechanisms for all the Horizon protocols to ensure that the only network traffic entering the data center is traffic on behalf of an authenticated user. Any unauthenticated traffic is discarded in the DMZ.
This is shown in Figure 2-1. For a simple setup, it shows just a single Unified Access Gateway appliance in a DMZ although in a production environment supporting high availability and large scale it is common to deploy multiple Unified Access Gateway appliances fronted by a load balancer. Details of configuring a Unified Access Gateway appliance for use in a single DMZ are covered in the standard document Deploying and Configuring Unified Access Gateway.