Deploying in a Double-Hop DMZ

Some organizations use three firewalls to protect their internal networks. The three firewalls divide the DMZ into two stages to provide an extra layer of security for the internal network. This network configuration is called a double-hop DMZ.

Figure 1. Citrix Gateway appliances deployed in a double-hop DMZ

Note: For illustration purposes, the preceding example describes a double-hop configuration using three firewalls with StoreFront, the Web Interface, and Citrix Virtual Apps. You can also build a double-hop DMZ with one appliance in the DMZ and one appliance in the secure network. In that case, you can ignore the instructions for opening ports on the third firewall.

You can configure a double-hop DMZ to work with Citrix StoreFront or the Web Interface installed in parallel with the Citrix Gateway proxy. Users connect by using Citrix Receiver.

Note: If you deploy Citrix Gateway in a double-hop DMZ with StoreFront, email-based auto-discovery for Receiver does not work.
