Hi,
How the traffic flows depends on several factors, including NAT and tunnelling on the Connection server and UAG.
In general, below is how the traffic flows:
Primary protocol (XML API on port 443):
Client > UAG > Connection server
After the user is authenticated and clicks on the VDI agent or desktop, it initiates the secondary protocol (8443/443/4172):
Client > UAG > VDI machine
NOTE: From the external network, the UAG creates the tunnel, not the Connection server, and hence the Connection server is out of the picture after authentication.
Refer to: https://techzone.vmware.com/resource/network-ports-vmware-horizon-7