I know we can restrict access to the console via users and groups but can you take this even further and only allow access from specific IP addresses?
If you route all connections through unified access gateways, you could use a firewall to only allow traffic from the unified access gateways and from administrative workstations. If you connect to the connection servers directly though, I haven't seen a way to do it.
To limit access to the Horizon Administrator console or any privileged system you should leverage firewall rules between your subnets.
Windows Firewall would be your best/easiest method.