Product Documentation

How a Double-Hop Deployment Works

Feb 28, 2014

You can deploy NetScaler Gateway appliances in a double-hop DMZ to control access to servers running Citrix XenApp. The connections in a double-hop deployment occur as follows:

  • Users connect to NetScaler Gateway in the first DMZ by using a web browser and by using Citrix Receiver to select a published application.
  • Citrix Receiver starts on the user device. The user connects to NetScaler Gateway to access the published application running in the server farm in the secure network.
    Note: Worx Home and the NetScaler Gateway Plug-in are not supported in a double-hop DMZ deployment. Only Citrix Receiver is used for user connections.
  • NetScaler Gateway in the first DMZ handles user connections and performs the security functions of an SSL VPN. This NetScaler Gateway encrypts user connections, determines how the users are authenticated, and controls access to the servers in the internal network.
  • NetScaler Gateway in the second DMZ serves as a NetScaler Gateway proxy device. This NetScaler Gateway enables the ICA traffic to traverse the second DMZ to complete user connections to the server farm. Communications between NetScaler Gateway in the first DMZ and the Secure Ticket Authority (STA) in the internal network are also proxied through NetScaler Gateway in the second DMZ.

NetScaler Gateway supports IPv4 and IPv6 connections. You can use the configuration utility to configure the IPv6 address.