Some organizations use three firewalls to protect their internal networks. The three firewalls divide the DMZ into two stages to provide an extra layer of security for the internal network. This network configuration is called a double-hop DMZ.
Figure 1. NetScaler Gateway appliances deployed in a double-hop DMZ
Note: For illustration purposes, the preceding example describes a double-hop configuration using three firewalls with StoreFront, the Web Interface and XenApp, but you can also have a double-hop DMZ with one appliance in the DMZ and one appliance in the secure network. If you configure a double-hop configuration with one appliance in the DMZ and one in the secure network, you can ignore the instructions for opening ports on the third firewall.
You can configure a double-hop DMZ to work with Citrix StoreFront or the Web Interface installed parallel to the NetScaler Gateway proxy. Users connect by using Citrix Receiver.
Note: If you deploy NetScaler Gateway in a double-hop DMZ with StoreFront, email-based auto-discovery for Receiver does not work.