Horde UBA Agents behind a Firewall NAT

I’m attempting to run multiple Horde UBA Agents on a LAN behind a Router using Port Forwarding via Network Address Translation (NAT). My Horde Server is running on an Azure cloud VM.

I’ve figured out how to configure each agent to present the LAN’s single public IP address to the server, via Agents.json:

{ "Horde": { "ComputeIp": "xxx.xxx.xxx.xxx" }}And If I use NAT to forward all ports 7000-7010 to one of the agents, then that particular agent works fine. However, I can’t seem to address the other agents on the LAN.

All the agents seem to want to use ports 7001 and 7002, for example in this log file of one of the Leases:

2025-04-17 17:12:34.338 -07:00 [INF] Launching UbaAgent.exe -Listen=7001 -ListenTimeout=10 -NoPoll -Quiet -ProxyPort=7002 -Dir=%UE_HORDE_SHARED_DIR%\Uba -Eventfile=%UE_HORDE_TERMINATION_SIGNAL_FILE% -MaxIdle=15I noticed there is a `ComputePort` field exposed on the Horde Server Agent information, so I tried overriding that like this:

{ "Horde": { "ComputeIp": "xxx.xxx.xxx.xxx", "ComputePort": 7005 }}The Horde Server recognizes it (see screenshot).

The Agent Service log recognizes it on startup:

2025-04-17 17:53:24.683 -07:00 [INF] Agent capabilities queried in 2714 ms 2025-04-17 17:53:24.684 -07:00 [INF] Properties: ... 2025-04-17 17:53:24.685 -07:00 [INF] ComputeIp=xxx.xxx.xxx.xxx 2025-04-17 17:53:24.685 -07:00 [INF] ComputePort=7005

But incoming leases still spawn UbaAgent.exe processes with -Listen and -ProxyPort arguments pointing at 7001 and 7002, and the initiating workstation can still connect to the single agent just fine. The only behavior change I observe from altering ComputePort is if I set it at 7011 or above, in which case the initiating workstation never succeeds in connecting to the agent at all.

The only networking help I’ve found in the docs is that it states a prerequisite of “Network connectivity between your workstation and Horde Agents on port range 7000-7010.”, which leads me to believe there is indeed something magical about that particular range, which ComputePort will not allow me to override.

Any help getting this configured would be appreciated. I have a pile of powerful computers sitting in an office inside a LAN behind a NAT, and I really want them to participate in the Horde UBA cluster.

Thanks!

Steps to Reproduce
Run Horde Server outside of the LAN

Install 2 different Horde Agents inside the LAN

Using Network Address Translation, try to get both Horde Agents to accept and compute UBA workloads

Hey there John,

It looks like we may not be forwarding this through correctly. I’m going to check with the team to verify - I’ll circle back once I’ve got some feedback.

I’ll also clarify the intention of the documentation.

Kind regards,

Julian

Hey there John,

I’ve spoken with the team regarding the above, please find the feedback below:

• You won’t be able to NAT the agents - they must be addressable by machines running UBT directly
• We are currently hardcoding the port (as mentioned before), and unfortunately the environment variable expansion logic isn’t quite in place for forwarding.
  • You could attempt a workaround by trying to mirror the UE_HORDE_CPU_COUNT injection here
    • https://github.com/EpicGames/UnrealEngine/blob/5\.5/Engine/Source/Programs/Horde/HordeAgent/Leases/Handlers/ComputeHandler.cs\#L87
    • https://github.com/EpicGames/UnrealEngine/blob/5\.5/Engine/Source/Programs/UnrealBuildAccelerator/Agent/Private/UbaAgent.cpp\#L481

I’ll see if there are any further alternatives available.

Kind regards,

Julian

Thanks for the info, I appreciate the investigation. I think my next steps will be trying to setup a Wireguard VPN to allow for more flexible routing. That’s probably the most robust solution than a bunch of NAT specific configs.