Product Documentation

Deploying in the DMZ

Many organizations protect their internal network with a DMZ. A DMZ is a subnet that lies between an organization’s secure internal network and the Internet (or any external network). When you deploy Citrix Gateway in the DMZ, users connect with the Citrix Gateway Plug-in or Citrix Receiver.

Figure 1. Citrix Gateway deployed in the DMZ

Citrix Gateway deployed in the DMZ

In the configuration shown in the preceding figure, you install Citrix Gateway in the DMZ and configure it to connect to both the Internet and the internal network.

Citrix Gateway Connectivity in the DMZ

When you deploy Citrix Gateway in the DMZ, user connections must traverse the first firewall to connect to Citrix Gateway. By default, user connections use SSL on port 443 to establish this connection. To allow user connections to reach the internal network, you must allow SSL on port 443 through the first firewall.

Citrix Gateway decrypts the SSL connections from the user device and establishes a connection on behalf of the user to the network resources behind the second firewall. The ports that must be open through the second firewall are dependent on the network resources that you authorize external users to access.

For example, if you authorize external users to access a web server in the internal network, and this server listens for HTTP connections on port 80, you must allow HTTP on port 80 through the second firewall. Citrix Gateway establishes the connection through the second firewall to the HTTP server on the internal network on behalf of the external user devices.

Deploying in the DMZ