Okay. I just experienced this same issue again with our Firewall. What happened in our case, is we had setup a new subnet that we populated with new VDI machines. The PCoIP of 4172 UDP/TCP in both directions is a must between the VDI Desktop subnet and the Security server in the DMZ. On the internal side, the VDI desktops have access to the View connection servers as well.
In our case, we did not have sockets allowed to open new TCP connections from the VDI Desktop back to the Security Server. This maybe how the triangle works.
User on outside ----> Security Server --> View Connection Server --> RSA Token Server, VDI Desktop Agent ---> Agent calls back to user View Client on 4172 through Security Server and opens channel?