Do I really have to add that bunch of rules to the FW for each VM??
No. It's true that PCoIP needs to go between Security Server and each VM, but it is more usual to do that with a single PCoIP rule for each Security Server (at the inner firewall). Add a rule that allows PCoIP (TCP 4172 and UDP 4172) from a source IP address of each Security Server.
You can be sure that Security Server will only connect to virtual desktops that the authenticated user is entitled to, which is why you can simplify the rules you need to add.
I think I was not on the point with my question.
You are right. I can add one or just a few firewall rules on the inside firewall to manage all possible numbers of VMs.
Perhaps what I was referring to was less the firewall rules and more the NAT rules.
I might not quite understand the way a Security Server acts together with the VMs, though. In the documentation I have found so far, there was always a reference to the Security Server connecting to the VMs, with the need to also adapt the NAT rules.
Perhaps someone could point me to an example which shows exactly what firewall rules AND NAT rules are needed on the outside firewall and the inside firewall?
OK. Yes, I answered the question about firewall rules. BTW: similarly on the outside Internet facing firewall, just add rules to allow 443 (TCP), 4172 (TCP and UDP) and 8443 (TCP) to get to each Security Server.
You can use NAT between the Internet and your Security Servers. This is quite normal. There is a worked example showing this configuration here: Security Server PCoIP Remote Access (the video at the bottom).
Hope this helps. Feel free to ask more questions as you get into it.
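The rule set described in the answers above can be checked mechanically. This is an added example, not part of the original thread or any VMware tool: it audits constructed outer and inner firewall rule lists against the ports named above, with one rule set per Security Server rather than per VM. The rule dictionary layout, the function names, and all addresses are assumptions made for illustration.

```python
from ipaddress import ip_network

# Ports named in the thread. Addresses below are constructed sample values.
OUTER_REQUIRED = {("tcp", 443), ("tcp", 4172), ("udp", 4172), ("tcp", 8443)}
INNER_REQUIRED = {("tcp", 4172), ("udp", 4172)}
ANY = "0.0.0.0/0"

def allow(src, dst, proto, port):
    """Hypothetical rule record: one allow entry on a firewall."""
    return {"src": src, "dst": dst, "proto": proto, "port": port}

def covers(rule_cidr, target_cidr):
    """True if the rule's CIDR contains the whole target host or subnet."""
    return ip_network(target_cidr).subnet_of(ip_network(rule_cidr))

def missing(rules, src, dst, required):
    """(proto, port) pairs in `required` that no allow rule permits src -> dst."""
    allowed = {(r["proto"], r["port"]) for r in rules
               if covers(r["src"], src) and covers(r["dst"], dst)}
    return sorted(required - allowed)

def audit(outer_rules, inner_rules, security_servers, desktop_net):
    """Per Security Server, list what each firewall still lacks."""
    findings = {}
    for ss in security_servers:
        gaps = {"outer": missing(outer_rules, ANY, ss, OUTER_REQUIRED),
                "inner": missing(inner_rules, ss, desktop_net, INNER_REQUIRED)}
        if gaps["outer"] or gaps["inner"]:
            findings[ss] = gaps
    return findings

# Constructed sample: the second Security Server is missing two rules.
SECURITY_SERVERS = ["192.0.2.10", "192.0.2.11"]
DESKTOP_NET = "10.20.0.0/16"
OUTER = [allow(ANY, "192.0.2.10", p, n) for p, n in OUTER_REQUIRED]
OUTER += [allow(ANY, "192.0.2.11", p, n) for p, n in OUTER_REQUIRED if n != 8443]
INNER = [allow("192.0.2.10", DESKTOP_NET, p, 4172) for p in ("tcp", "udp")]
INNER += [allow("192.0.2.11", DESKTOP_NET, "tcp", 4172)]

if __name__ == "__main__":
    print(audit(OUTER, INNER, SECURITY_SERVERS, DESKTOP_NET))
```

A rule that names a single VM as destination does not cover the desktop subnet, so the audit reports it as a gap rather than counting it toward the single per-Security-Server rule.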