Network traffic between a client system and a remote desktop or application can travel various routes, depending on whether the client system is inside the corporate network and how the administrator has chosen to set up security.
USB redirection works independently of the display protocol and USB traffic usually uses TCP port 32111.
If the client system is inside the corporate network, so that a direct connection can be made between the client and remote desktop or application, USB traffic uses TCP port 32111.
If the client system is outside the corporate network, the client can connect through a Unified Access Gateway appliance or a security server in the DMZ. Unified Access Gateway appliances and security servers in the DMZ communicate with Connection Server instances inside the corporate firewall and provide an additional layer of security by shielding the Connection Server instances from the public-facing internet.
A Unified Access Gateway appliance (the preferred method) does not require opening additional ports on the firewall for USB traffic. A security server requires opening TCP port 32111 on the firewall for USB traffic. For complete security server port requirements, see "Firewall Rules for DMZ-Based Security Servers" in the Horizon 7 Architecture Planning document.
You can configure the USB over Session Enhancement SDK feature to avoid opening TCP port 32111. See Enabling the USB Over Session Enhancement SDK Feature.