Network traffic between a client system and a remote desktop or application can travel various routes, depending on whether the client system is inside the corporate network and how the administrator has chosen to set up security.
USB redirection works independently of the display protocol and USB traffic usually uses TCP port 32111.
If the client system is inside the corporate network, so that a direct connection can be made between the client and remote desktop or application, USB traffic uses TCP port 32111.
If the client system is outside the corporate network, the client can connect through a Unified Access Gateway appliance. Unified Access Gateway appliances communicate with connection broker instances inside the corporate firewall and provide an additional layer of security by shielding the connection broker instances from the public-facing internet.
A Unified Access Gateway appliance (the preferred method) does not require opening additional ports on the firewall for USB traffic.
You can configure the USB over Session Enhancement SDK feature to avoid opening TCP port 32111. See Enabling the USB Over Session Enhancement SDK Feature.