I know this is an old thread but wanted to point out, the Horizon Client does not provide SNI information. So when your ACL is looking for an SNI, and you have no default backend definied - it's going to ultimately fail.

That very first connection from the client does - in order to vet the certificate. When you go to use a resource however, it does not. Ultimately the "trick" is just to have the default backed blindly point to your pool of UAGs.

You can verify by simply disabling the UDP tunnel and configuring UAG to force everything through TCP/443 - client still won't work properly. I had an article save somewhere, but vmware's response was "tough cookies".