Product Documentation

How a Double-Hop Deployment Works

You can deploy Citrix Gateway appliances in a double-hop DMZ to control access to servers running Citrix XenApp. The connections in a double-hop deployment occur as follows:

  • Users connect to Citrix Gateway in the first DMZ by using a web browser and by using Citrix Receiver to select a published application.
  • Citrix Receiver starts on the user device. The user connects to Citrix Gateway to access the published application running in the server farm in the secure network.

    Note: Worx Home and the Citrix Gateway Plug-in are not supported in a double-hop DMZ deployment. Only Citrix Receiver is used for user connections.

  • Citrix Gateway in the first DMZ handles user connections and performs the security functions of an SSL VPN. This Citrix Gateway encrypts user connections, determines how the users are authenticated, and controls access to the servers in the internal network.
  • Citrix Gateway in the second DMZ serves as a Citrix Gateway proxy device. This Citrix Gateway enables the ICA traffic to traverse the second DMZ to complete user connections to the server farm. Communications between Citrix Gateway in the first DMZ and the Secure Ticket Authority (STA) in the internal network are also proxied through Citrix Gateway in the second DMZ.

Citrix Gateway supports IPv4 and IPv6 connections. You can use the configuration utility to configure the IPv6 address.

How a Double-Hop Deployment Works

In this article