You are correct, UAG can perform authN before any kind of traffic is forwarded to the Connection Server. But once authorised the Connection Server still needs the Windows user.
Often you configure UAG to use: authMethods=securid-auth && sp-auth
More info: Configure Horizon Settings
