If you route all connections through unified access gateways, you could use a firewall to only allow traffic from the unified access gateways and from administrative workstations. If you connect to the connection servers directly though, I haven't seen a way to do it.

To limit access to the Horizon Administrator console or any privileged system you should leverage firewall rules between your subnets.

Windows Firewall would be your best/easiest method.