Deploying in the DMZ

Jan 14, 2014

Many organizations protect their internal network with a DMZ. A DMZ is a subnet that lies between an organization’s secure internal network and the Internet (or any external network). When you deploy NetScaler Gateway in the DMZ, users connect with the NetScaler Gateway Plug-in or Citrix Receiver.

Figure 1. NetScaler Gateway deployed in the DMZ

In the configuration shown in the preceding figure, you install NetScaler Gateway in the DMZ and configure it to connect to both the Internet and the internal network.

NetScaler Gateway Connectivity in the DMZ

When you deploy NetScaler Gateway in the DMZ, user connections must traverse the first firewall to connect to NetScaler Gateway. By default, user connections use SSL on port 443 to establish this connection. To allow user connections to reach the internal network, you must allow SSL on port 443 through the first firewall.

NetScaler Gateway decrypts the SSL connections from the user device and establishes a connection on behalf of the user to the network resources behind the second firewall. The ports that must be open through the second firewall are dependent on the network resources that you authorize external users to access.

For example, if you authorize external users to access a web server in the internal network, and this server listens for HTTP connections on port 80, you must allow HTTP on port 80 through the second firewall. NetScaler Gateway establishes the connection through the second firewall to the HTTP server on the internal network on behalf of the external user devices.
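The two-firewall model above reduces to a small, derivable rule set: the first firewall admits only SSL on 443 to the gateway, and the second admits only what the gateway itself needs to reach each authorized resource. The following added example (not Citrix code; all addresses are constructed TEST-NET and RFC 1918 values, and the iptables rendering is one possible representation) generates that minimal rule set and audits a deployed inner-firewall rule set for anything wider than the authorized resources require.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow rule: traffic from src to dst on proto/port."""
    src: str    # CIDR or single host
    dst: str    # CIDR or single host
    proto: str  # "tcp" or "udp"
    port: int


def first_firewall_rules(gateway_ip: str) -> list[Rule]:
    """External firewall: only SSL on port 443 from anywhere to the gateway."""
    return [Rule("0.0.0.0/0", gateway_ip, "tcp", 443)]


def second_firewall_rules(gateway_ip: str, authorized: list[tuple[str, str, int]]) -> list[Rule]:
    """Internal firewall: one rule per authorized resource, sourced only from the
    gateway, because the gateway terminates SSL and opens the inner connection
    on the user's behalf. `authorized` holds (host, proto, port) tuples."""
    return [Rule(gateway_ip, host, proto, port) for host, proto, port in authorized]


def excess_rules(deployed: list[Rule], gateway_ip: str,
                 authorized: list[tuple[str, str, int]]) -> list[Rule]:
    """Return deployed inner-firewall rules not in the required set: a rule whose
    source is broader than the gateway lets traffic bypass it, and a rule to an
    unauthorized host or port exposes a resource the gateway was never meant to reach."""
    required = set(second_firewall_rules(gateway_ip, authorized))
    return [r for r in deployed if r not in required]


def to_iptables(rule: Rule, chain: str = "FORWARD") -> str:
    """Render a rule as an iptables allow line (one way to express it on Linux)."""
    return (f"iptables -A {chain} -p {rule.proto} -s {rule.src} -d {rule.dst} "
            f"--dport {rule.port} -j ACCEPT")


# Constructed sample: gateway in the DMZ, one authorized web server on port 80.
GATEWAY_IP = "192.0.2.10"
AUTHORIZED = [("10.0.0.5", "tcp", 80)]
DEPLOYED_INNER = [
    Rule("192.0.2.10", "10.0.0.5", "tcp", 80),     # required
    Rule("192.0.2.0/24", "10.0.0.5", "tcp", 80),   # whole DMZ subnet: bypasses gateway
    Rule("192.0.2.10", "10.0.0.9", "tcp", 3389),   # host/port never authorized
]


def demo() -> list[Rule]:
    """Print the minimal rule set and return the flagged excess rules."""
    for r in first_firewall_rules(GATEWAY_IP) + second_firewall_rules(GATEWAY_IP, AUTHORIZED):
        print(to_iptables(r))
    return excess_rules(DEPLOYED_INNER, GATEWAY_IP, AUTHORIZED)
```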