Deploying the Secure Gateway in a Double-Hop DMZ

May 16, 2015

Deploy the Secure Gateway in a double-hop DMZ configuration if your DMZ is divided into two segments. In this configuration, the server running the Secure Gateway is in the first DMZ segment. The firewall between the first DMZ segment and the Internet has port 443 open.

The Web Interface and the Secure Gateway Proxy are installed on separate servers in the second DMZ segment. The server farm is located in the secure network. The firewall between the first and second DMZ segments has ports 80 and 443 open.

The Secure Gateway, deployed in the first DMZ segment, is responsible for intercepting all incoming traffic. The Web Interface is responsible for user authentication and authorization. After authentication, the Secure Gateway Proxy is responsible for relaying all data exchanged between the Secure Gateway and servers in the secure network. The firewall between the second DMZ segment and the secure network has ports 80, 443, and 1494 open.

Deploy the Secure Gateway in this configuration if your network contains a double-hop DMZ. A double-hop DMZ provides additional protection because an attacker would need to penetrate multiple security zones to reach servers in the secure network.

If the resources accessible through the Secure Gateway are extremely sensitive and require a high level of security, consider this configuration.

Certificate Requirements for a Double-Hop DMZ Deployment

If the Secure Gateway is in the first DMZ and the Secure Gateway Proxy and the Web Interface are both in the second DMZ, servers and clients need the following certificates:

  • Root certificates on all user devices connecting to the server running the Secure Gateway.
  • Root certificates on every Secure Gateway component that connects to a secure server or Web server. For example, an appropriate root certificate must be present on the server running the Secure Gateway to verify the server certificate installed on the server running Citrix XenApp.
  • A server certificate on the server running the Secure Gateway.
  • Optional. A server certificate on the server(s) running the Secure Gateway Proxy.
  • Optional. A server certificate on the server running the STA.

All Secure Gateway components support the use of digital certificates. Although not a requirement, Citrix recommends that the communication links between the Secure Gateway and other servers in the DMZ or secure network be encrypted.
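The requirement above that a root certificate be present on every component that connects to a secured server can be checked directly. The following script is an added example and is not part of the Citrix documentation or the Secure Gateway product: it builds a throwaway root CA and a server certificate with the openssl command-line tool (assumed to be installed and driven through subprocess), then verifies the server certificate against a trust store that holds the issuing root and against one that holds a different root. The CA names are constructed; the host name is the Secure Gateway FQDN from the WXYCo scenario on this page; the function names are the example's own.

```python
"""Added example, not part of the Citrix documentation: demonstrates that a
server certificate only verifies on a connecting component when that
component holds the root certificate that issued it.

Drives the openssl CLI through subprocess, so openssl must be installed.
CA names are constructed; the host name is the WXYCo Secure Gateway FQDN.
"""
import subprocess
import tempfile
from pathlib import Path


def openssl(*args):
    """Run one openssl subcommand; return True when it exits with status 0."""
    result = subprocess.run(["openssl", *args], capture_output=True)
    return result.returncode == 0


def make_root_ca(work, stem, common_name):
    """Create a self-signed root CA; returns (certificate path, key path)."""
    cert, key = work / f"{stem}.pem", work / f"{stem}.key"
    ok = openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "3650",
                 "-keyout", str(key), "-out", str(cert), "-subj", f"/CN={common_name}")
    if not ok:
        raise RuntimeError("root CA generation failed")
    return cert, key


def make_server_cert(work, root_cert, root_key, hostname):
    """Issue a server certificate for hostname, signed by the given root CA."""
    csr, cert, key = work / "server.csr", work / "server.pem", work / "server.key"
    ok = openssl("req", "-newkey", "rsa:2048", "-nodes", "-keyout", str(key),
                 "-out", str(csr), "-subj", f"/CN={hostname}")
    ok = ok and openssl("x509", "-req", "-days", "365", "-in", str(csr),
                        "-CA", str(root_cert), "-CAkey", str(root_key),
                        "-CAcreateserial", "-out", str(cert))
    if not ok:
        raise RuntimeError("server certificate issuance failed")
    return cert


def chain_verifies(trust_store, server_cert):
    """True when server_cert chains to a root held in trust_store.

    This is the check a Secure Gateway component performs when it connects to
    a secured server; it succeeds only if the matching root certificate is
    installed on the connecting component.
    """
    return openssl("verify", "-CAfile", str(trust_store), str(server_cert))


def demo(hostname="www.gateway01.wxyco.com"):
    """Build the certificates in a temporary directory and return both outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        root_cert, root_key = make_root_ca(work, "root", "WXYCo Example Root CA")
        other_cert, _ = make_root_ca(work, "other", "Unrelated Example Root CA")
        server_cert = make_server_cert(work, root_cert, root_key, hostname)
        return {
            "issuing_root_installed": chain_verifies(root_cert, server_cert),
            "different_root_installed": chain_verifies(other_cert, server_cert),
        }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'verification failed'}")
```

Run it on any host with openssl available; the second case is the situation in which a Secure Gateway component has a trust store but not the particular root that signed the XenApp or Web Interface server certificate, and the connection is refused for exactly that reason.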

Deployment Scenario B: Double-Hop Demilitarized Zone

WXYCo, Inc. deployed the Web Interface for access to published resources hosted on Citrix XenApp servers. The company plans to deploy the Secure Gateway to provide secure Internet access to published resources.

The security analyst recommended setting up a double-hop DMZ between the Internet and the company’s secure network and securing communications between the Secure Gateway, the Web Interface, and the Secure Gateway Proxy.

A Secure Gateway deployment in a double-hop DMZ environment with a server farm

This figure shows a Secure Gateway deployment used to secure a server farm in a double-hop DMZ environment. The secure enterprise network is separated from the Internet by a double-hop DMZ. The enterprise network contains a server farm including a server running Citrix XenApp with the Secure Ticket Authority (STA). The firewall separating the secure network from the second DMZ segment has port 443 open. If session reliability is enabled, port 2598 is open.

The second DMZ segment contains a server running the Secure Gateway Proxy and a second server running the Web Interface. The firewall separating the first and second DMZ segments has port 443 open. The first DMZ segment contains a single server running the Secure Gateway. All traffic originating from the Secure Gateway to servers in the secure network is proxied through the Secure Gateway Proxy.

If the communications link between the Secure Gateway and the Secure Gateway Proxy is not secured, open port 1080 on the firewall between the first DMZ segment and the second.

The Secure Gateway communicates directly with the server running the Web Interface in the second DMZ segment, which in turn communicates directly with servers in the secure network. The first DMZ segment is separated from the Internet by a firewall that has port 443 open.
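The port requirements spread across the general description and the WXYCo scenario above (443 from the Internet into the first DMZ segment; 80 and 443 between the segments, plus 1080 when the Secure Gateway to Secure Gateway Proxy link is not secured; 80, 443 and 1494 into the secure network, plus 2598 when session reliability is enabled) can be captured as a small policy model and used to audit a firewall configuration. The script below is an added example, not part of the Citrix documentation: the zone names, port numbers and conditional ports come from this page, while the rule-set layout, the function names and the candidate rule set are constructed for the example.

```python
"""Added example, not part of the Citrix documentation: a model of the three
firewalls in the double-hop DMZ, used to check a candidate rule set against
the ports the deployment needs and to flag any extra exposure.
"""

# Security zones, outermost first. Each firewall sits between adjacent zones.
INTERNET, DMZ1, DMZ2, SECURE = "internet", "dmz1", "dmz2", "secure"
FIREWALLS = [(INTERNET, DMZ1), (DMZ1, DMZ2), (DMZ2, SECURE)]


def required_ports(session_reliability=False, sg_proxy_link_encrypted=True):
    """Inbound TCP ports each firewall must allow, keyed by (outer zone, inner zone)."""
    rules = {
        (INTERNET, DMZ1): {443},          # user devices -> Secure Gateway
        (DMZ1, DMZ2): {80, 443},          # Secure Gateway -> Web Interface / Proxy
        (DMZ2, SECURE): {80, 443, 1494},  # Proxy and Web Interface -> server farm
    }
    if session_reliability:
        rules[(DMZ2, SECURE)].add(2598)
    if not sg_proxy_link_encrypted:
        rules[(DMZ1, DMZ2)].add(1080)     # unencrypted Secure Gateway -> Proxy link
    return rules


def audit(candidate, required):
    """Compare a candidate rule set with the required one.

    Returns, per firewall, required ports that are not open ("missing": the
    deployment will not work) and open ports with no documented need
    ("excess": unnecessary exposure between zones that should be closed).
    Firewalls that match exactly are left out of the report.
    """
    report = {}
    for fw in set(candidate) | set(required):
        want, have = required.get(fw, set()), candidate.get(fw, set())
        missing, excess = sorted(want - have), sorted(have - want)
        if missing or excess:
            report[fw] = {"missing": missing, "excess": excess}
    return report


def zones_crossed(src, dst):
    """Firewalls that traffic from src must traverse to reach dst (outer to inner)."""
    order = [INTERNET, DMZ1, DMZ2, SECURE]
    i, j = order.index(src), order.index(dst)
    return FIREWALLS[i:j]


# Constructed candidate rule set for the WXYCo scenario: session reliability
# is enabled, but the middle firewall was configured by hand and is wrong.
CANDIDATE = {
    (INTERNET, DMZ1): {443},
    (DMZ1, DMZ2): {443, 1494},              # 80 is missing; 1494 should not be here
    (DMZ2, SECURE): {80, 443, 1494, 2598},
}

if __name__ == "__main__":
    problems = audit(CANDIDATE, required_ports(session_reliability=True))
    for fw, p in problems.items():
        print(f"{fw[0]} -> {fw[1]}: missing {p['missing']}, excess {p['excess']}")
    print("Internet -> secure network crosses", len(zones_crossed(INTERNET, SECURE)), "firewalls")
```

The audit reports the middle firewall only: port 80 must be added for the Web Interface traffic, and 1494 has no business crossing that boundary, since ICA traffic from the Secure Gateway is proxied by the Secure Gateway Proxy rather than sent to the farm directly. The `zones_crossed` helper makes the page's defence-in-depth point explicit: a client-originated flow passes three separately administered firewalls before it reaches the secure network.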

The mobile workforce carries notebook PCs running a 32-bit Windows operating system, Internet Explorer 5.5, and the Citrix online plug-in for 32-bit Windows.

Setting Up the Secure Gateway and the Secure Gateway Proxy in a Double-Hop DMZ

The Secure Gateway is installed on a standalone server in the first DMZ. The Secure Gateway Proxy is installed on a standalone server in the second DMZ.

See Installing the Secure Gateway and Secure Gateway Proxy.

Setting Up and Testing the Web Interface in a Double-Hop DMZ

The Web Interface needs to be set up on a Web server in the second DMZ segment. Ensure you complete the following tasks before you install the Secure Gateway.

  1. Install the Web Interface on a standalone server in the second DMZ segment.
  2. To secure communications between the Secure Gateway and the Web Interface, ensure you install a server certificate on the server running the Web Interface.
  3. Add and configure server farms for use with the Web Interface.
  4. Configure the Secure Gateway using the FQDN of the STA.
  5. Use a Web browser on a user device to connect and log on to the Web Interface.
  6. Verify that you can launch published applications.

Publishing the Web Address for the Secure Gateway in a Double-Hop Demilitarized Zone

In a double-hop deployment, all traffic to the Web Interface is proxied through the Secure Gateway. Provide users with one of the following default web addresses to access the logon page or XenApp web site:

  • https://Secure Gateway FQDN/Citrix/AccessPlatform
  • https://Secure Gateway FQDN/Citrix/XenApp

    where Secure Gateway FQDN is the fully qualified domain name for the server running the Secure Gateway.

In the case of WXYCo, the default web address for the logon page or web site is one of the following:

https://www.gateway01.wxyco.com/Citrix/AccessPlatform/

https://www.gateway01.wxyco.com/Citrix/XenApp

Alternatively, consider changing the default web root directory in IIS on the server running the Web Interface to point to the Web Interface directory. This enables you to access the logon page or web site by connecting directly to the root web address; that is, https://Secure Gateway FQDN/.

In this case, the web address that employees of WXYCo use to access the logon page is:

https://www.gateway01.wxyco.com/