BenFB – If you only allow TCP 443 from the Internet you can’t use Blast Extreme Adaptive Transport (BEAT) anyway. UAG does support Blast over TCP 443 though, so you can do everything from a Horizon client on just TCP 443 if required (Horizon XML, Horizon Tunnel and Horizon Blast – all on TCP 443). This is good for very restrictive environments. To do this you just append :443 to the blastExternalURL setting on UAG.
If you also want to support BEAT, then you should additionally open up UDP 8443. The clients will work out what’s open anyway so if UDP 8443 is blocked, it will happily just use TCP 443 or TCP 8443 according to what you’ve set for the TCP port with blastExternalURL.
If you don’t specify the TCP port for blastExternalURL then it defaults to TCP 8443. Similarly if you don’t specify the UDP port it also defaults to UDP 8443. Lack of UDP port specification explains why you still see UDP 8443.
It is generally best to use defaults for the Blast/BEAT TCP/UDP port numbers. This is TCP 8443 and UDP 8443. We completely understand that in some cases, doing everything on TCP 443 is preferable, which is why we also support specification of :443 for TCP 443. The recommendation is therefore to use TCP 8443 and UDP 8443 for Blast/BEAT. If required, you can use TCP 443 instead of TCP 8443. TCP 443 as opposed to TCP 8443 is not quite as efficient, but allows connection in environments where only TCP 443 is permitted.
UAG also supports the ability to run BEAT UDP over a different port other than UDP 8443, although this is not a common requirement. The only restriction is that you can’t use UDP ports already in use for other purposes. e.g. don’t try this on UDP 443 as this port is already used for the Horizon UDP Tunnel Server (for Horizon Clients operating in “poor network condition” mode). Although not recommended, if you want to run BEAT UDP on say UDP port 27443 instead of UDP 8443, then you would specify 27443 for the UDP port on blastExternalUrl to get the client to use UDP 27443 and you would add a forwarding rule on UAG to forward incoming UDP 27443 datagrams to 127.0.0.1:8443. This is a forward rule of “udp/27443/127.0.0.1:8443”. As I say, not recommended but it does work. Some customers use non standard ports in order to share a single IP address among multiple UAGs when used without a source IP affinity load balancer but in that case, the load balancer forwards to UAG using UDP 8443 so no forward rule is needed.