Deploying Citrix Gateway in a Double-Hop DMZ

Some organizations use three firewalls to protect their internal networks. The three firewalls divide the DMZ into two stages to provide an extra layer of security for the internal network. This network configuration is called a double-hop DMZ. You can deploy Citrix Gateway in a double-hop DMZ with Citrix Virtual Apps and StoreFront.

Figure 1. Citrix Gateway appliances deployed in a double-hop DMZ

Double-hop DMZ with StoreFront and Web Interface

Note: For illustration purposes, the preceding example describes a double-hop configuration that uses three firewalls and the Web Interface. You can also build a double-hop DMZ with one appliance in the DMZ and one appliance in the secure network; in that case, you can ignore the instructions for opening ports on the third firewall.

You can configure a double-hop DMZ to work with Citrix StoreFront or the Web Interface. Users connect by using Citrix Receiver.

Note: If you deploy Citrix Gateway in a double-hop DMZ with StoreFront, email-based auto-discovery for Receiver does not work.
