The NetScaler Gateway double-hop mode provides additional protection to an organization's internal network because an attacker would need to penetrate multiple security zones, or demilitarized zones (DMZs), to reach the servers in the secure network.
For more details about double-hop mode, see Deploying NetScaler Gateway in a Double-Hop DMZ.
To analyze the number of hops (NetScaler Gateway appliances) through which the ICA connections pass, the latency on each TCP connection, and how that latency fares against the total ICA latency perceived by the client, you must install NetScaler Insight Center so that the NetScaler Gateway appliances report these vital statistics.
The following image illustrates the network deployment of a NetScaler Insight Center in a NetScaler Gateway double-hop setup.
Figure 3. NetScaler Insight Center deployed in double-hop mode
The NetScaler Gateway in the first DMZ handles user connections and performs the security functions of an SSL VPN. This NetScaler Gateway encrypts user connections, determines how the users are authenticated, and controls access to the servers in the internal network.
The NetScaler Gateway in the second DMZ serves as a NetScaler Gateway proxy device. This NetScaler Gateway enables the ICA traffic to traverse the second DMZ to complete user connections to the server farm.
The NetScaler Insight Center can be deployed either in the subnet belonging to the NetScaler Gateway appliance in the first DMZ or in the subnet belonging to the NetScaler Gateway appliance in the second DMZ.
In the above image, the NetScaler Insight Center and NetScaler Gateway in the first DMZ are deployed in the same subnet.
How NetScaler Insight Center Collects Statistics in a NetScaler Gateway Double-Hop Mode
In a double-hop mode, NetScaler Insight Center collects TCP records from one appliance and ICA records from the other appliance.
After you add the NetScaler Gateway appliances to the NetScaler Insight Center inventory and enable data collection, each appliance exports its reports and keeps track of the hop count and connection chain ID.
For NetScaler Insight Center to identify which appliance is exporting records, each appliance is specified with a hop count and each connection is specified with a connection chain ID. The hop count represents the number of NetScaler Gateway appliances through which the traffic flows from a client to the servers. The connection chain ID represents the end-to-end connections between the client and server.
NetScaler Insight Center uses the hop count and connection chain ID to correlate the data from both NetScaler Gateway appliances and generate the reports.
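The correlation described above can be sketched as a join on the connection chain ID, with the hop count used to check that both appliances reported. This is an added example, not NetScaler Insight Center code: the record layout, the field names (chain_id, hop, type, latency_ms) and the assumption that hop values 1 and 2 identify the two appliances are hypothetical, and the sample records are constructed.

```python
from collections import defaultdict

EXPECTED_HOPS = 2  # double-hop: two NetScaler Gateway appliances

# Constructed records; field names are hypothetical, not the AppFlow export schema.
SAMPLE = [
    {"chain_id": "A1", "hop": 1, "type": "ica", "latency_ms": 90},
    {"chain_id": "A1", "hop": 2, "type": "tcp", "latency_ms": 30},
    {"chain_id": "B2", "hop": 1, "type": "ica", "latency_ms": 140},  # hop 2 never reported
    {"chain_id": "C3", "hop": 2, "type": "tcp", "latency_ms": 25},   # arrives out of order
    {"chain_id": "C3", "hop": 1, "type": "ica", "latency_ms": 50},
]

def correlate(records, expected_hops=EXPECTED_HOPS):
    """Join the TCP and ICA records that share a connection chain ID.

    Returns (complete, incomplete). A chain is complete only when every
    expected hop reported and both record types are present; incomplete
    chains map to the list of hop numbers that never reported.
    """
    chains = defaultdict(dict)
    for rec in records:
        chains[rec["chain_id"]][rec["hop"]] = rec

    complete, incomplete = {}, {}
    for chain_id, by_hop in chains.items():
        missing = [h for h in range(1, expected_hops + 1) if h not in by_hop]
        by_type = {r["type"]: r for r in by_hop.values()}
        if missing or set(by_type) != {"tcp", "ica"}:
            incomplete[chain_id] = missing
            continue
        ica_ms = by_type["ica"]["latency_ms"]
        tcp_ms = by_type["tcp"]["latency_ms"]
        complete[chain_id] = {
            "hops": sorted(by_hop),
            "ica_latency_ms": ica_ms,
            "tcp_latency_ms": tcp_ms,
            # Share of the client-perceived ICA latency spent on the TCP connection.
            "tcp_share": round(tcp_ms / ica_ms, 2) if ica_ms else None,
        }
    return complete, incomplete

if __name__ == "__main__":
    done, partial = correlate(SAMPLE)
    print("correlated:", done)
    print("missing hops:", partial)
```

A chain that stays in the incomplete set is a sign that one of the two appliances is not in the inventory or does not have data collection enabled.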
To monitor NetScaler Gateway appliances deployed in this mode, you must first add the NetScaler Gateway to the NetScaler Insight Center inventory, enable AppFlow on NetScaler Insight Center, and then view the reports on the NetScaler Insight Center dashboard.