I have an 8.x farm with one of the machines running all roles -- gateway, publishing, and TS. The farm is running on my LAN. I have set up a system with the Secure Gateway role and the Web Portal. This system is separated from the LAN by a firewall; for testing purposes I have allowed it access to all ports on the internal gateway and publishing machine. Another firewall separates this machine from the 'Net. The DMZ gateway machine shows up on my farm and I have configured it to use ports of my preference (800 for gateway traffic, 1443 for SSL).

I can log in to the web portal just fine from anywhere (internet, LAN, DMZ, the local DMZ gateway machine), but I cannot actually run any apps from any machine other than the DMZ gateway machine itself -- not in the DMZ, and not from the internet. I have opened the following ports from the internet to the DMZ:

- 80/443 for the web portal on IIS (I have my real SSL cert in place for this)
- 800 TCP
- 1443 TCP
- 20000-20002 UDP

What am I missing here? The only thing I can see is that all ports are open from the DMZ gateway machine to the LAN farm, but I thought the idea was that the gateway machine was supposed to tunnel traffic from the farm and keep it isolated from the internet. What ports do I need to have open from the internet to the DMZ gateway, and what's the deal with not being able to even log in from another machine on the same DMZ subnet?
Too much work, too little brain... there is another firewall to be considered here... the Windows firewall... ahem... never mind on that front. I added my bespoke port 1443 to said Windows firewall and all is well there. However, I would still appreciate an answer on which ports I need to open up between the internet and the DMZ, and between the DMZ and the LAN, to make it all work for real.
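The follow-up post is the useful lesson in this thread: the perimeter firewalls were fine, and it was the host firewall on the DMZ gateway that was silently dropping the non-standard gateway port. The script below is an added example, not part of the original thread and not the gateway product's own tooling. It opens the exact ports the poster listed (80/443, 800 TCP, 1443 TCP, 20000-20002 UDP) in Windows Firewall on the DMZ gateway host, then checks that a rule exists for each and that something is actually listening on the TCP ports, which is the quickest way to tell a firewall problem from a service problem. It assumes Windows Server 2012 / Windows 8 or later (the NetSecurity cmdlets); on older hosts the equivalent is `netsh advfirewall firewall add rule`. The rule names and the hostname in the final reachability check are placeholders.

```powershell
# Added example (not from the original thread): open the poster's chosen ports in
# Windows Firewall on the DMZ gateway host and verify rules and listeners.
# Assumes Windows Server 2012 / Windows 8 or later (NetSecurity module).
# Run from an elevated PowerShell prompt on the DMZ gateway machine.

#Requires -RunAsAdministrator

$RulePrefix = 'DMZ gateway'   # rule naming is an assumption; pick your own

# Ports taken from the question: 80/443 for IIS, 800 gateway, 1443 SSL, 20000-20002 UDP.
$Ports = @(
    @{ Name = 'web portal HTTP';  Protocol = 'TCP'; Port = '80' },
    @{ Name = 'web portal HTTPS'; Protocol = 'TCP'; Port = '443' },
    @{ Name = 'gateway';          Protocol = 'TCP'; Port = '800' },
    @{ Name = 'gateway SSL';      Protocol = 'TCP'; Port = '1443' },
    @{ Name = 'gateway UDP';      Protocol = 'UDP'; Port = '20000-20002' }
)

foreach ($p in $Ports) {
    $display = "$RulePrefix - $($p.Name) $($p.Protocol)/$($p.Port)"
    if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) {
        Write-Host "exists: $display"
        continue
    }
    # Inbound allow on all profiles: a DMZ host often sits in the "Public" profile,
    # and a rule scoped only to "Domain" would not apply there.
    New-NetFirewallRule -DisplayName $display -Direction Inbound -Action Allow `
        -Protocol $p.Protocol -LocalPort $p.Port -Profile Any | Out-Null
    Write-Host "added:  $display"
}

# Show what the firewall now allows inbound under our prefix.
Get-NetFirewallRule -DisplayName "$RulePrefix*" |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Enabled  = $_.Enabled
            Protocol = $filter.Protocol
            Port     = $filter.LocalPort
        }
    } | Format-Table -AutoSize

# A rule is useless if nothing is listening: confirm each TCP port has a listener
# and report which process owns it.
foreach ($tcp in 80, 443, 800, 1443) {
    $listener = Get-NetTCPConnection -State Listen -LocalPort $tcp -ErrorAction SilentlyContinue
    if ($listener) {
        $proc = (Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Write-Host ("listening on {0}/tcp: {1}" -f $tcp, $proc)
    } else {
        Write-Warning "nothing is listening on $tcp/tcp (firewall rule alone will not help)"
    }
}

# From another DMZ machine or from the internet side, repeat the check end to end.
# Replace the hostname; Test-NetConnection needs Windows 8.1 / Server 2012 R2 or later.
# foreach ($tcp in 80, 443, 800, 1443) { Test-NetConnection -ComputerName gateway.example.com -Port $tcp }
```

Run the listener check before and after adding the rules: if a port shows no listener, the gateway service is not bound to the custom port you configured, and no firewall change will fix that. The UDP range cannot be probed the same way because a UDP send gets no acknowledgement; verify it by watching the gateway's own logs or a packet capture while a client connects.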