Product Documentation

Deploying NetScaler Gateway in a Double-Hop DMZ

Dec 11, 2014

Some organizations use three firewalls to protect their internal networks. The three firewalls divide the DMZ into two stages to provide an extra layer of security for the internal network. This network configuration is called a double-hop DMZ. You can deploy NetScaler Gateway in a double-hop DMZ with XenApp and StoreFront.

Figure 1. NetScaler Gateway appliances deployed in a double-hop DMZ
Doublehop DMZ with StoreFront and Web Interface
Note: For illustration purposes, the preceding example describes a double-hop configuration using three firewalls and the Web Interface, but you can also have a double-hop DMZ with one appliance in the DMZ and one appliance in the secure network. If you configure a double-hop configuration with one appliance in the DMZ and one in the secure network, you can ignore the instructions for opening ports on the third firewall.

You can configure a double-hop DMZ to work with Citrix StoreFront or the Web Interface. Users connect by using Citrix Receiver.

Note: If you deploy NetScaler Gateway in a double-hop DMZ with StoreFront, email-based auto-discovery for Receiver does not work.

For more information about this deployment option, see Deploying NetScaler Gateway in a Double-Hop DMZ.