Citrix Gateway 13.0

Deploying Citrix Gateway in a Double-Hop DMZ

Some organizations use three firewalls to protect their internal networks. The three firewalls divide the DMZ into two stages to provide an extra layer of security for the internal network. This network configuration is called a double-hop DMZ. You can deploy Citrix Gateway in a double-hop DMZ with Citrix Virtual Apps and StoreFront.

Figure 1. Citrix Gateway appliances deployed in a double-hop DMZ

Double hop DMZ with StoreFront and Web Interface

Note: For illustration purposes, the preceding example describes a double-hop configuration using three firewalls and the Web Interface, but you can also have a double-hop DMZ with one appliance in the DMZ and one appliance in the secure network. In that deployment, you can ignore the instructions for opening ports on the third firewall.

You can configure a double-hop DMZ to be compatible with Citrix StoreFront or the Web Interface. Users connect by using the Citrix Workspace app.

Note: If you deploy Citrix Gateway in a double-hop DMZ with StoreFront, the email-based AutoDiscovery for the Citrix Workspace app does not work.
