Deploying NetScaler Gateway in a double-hop DMZ takes several steps, including installing appliances in both DMZs and configuring the appliances for user device connections.
Installing NetScaler Gateway in the First DMZ
To install NetScaler Gateway in the first DMZ, follow the instructions in Installing the Model MPX 5500 Appliance.
If you are installing multiple NetScaler Gateway appliances in the first DMZ, you can deploy the appliances behind a load balancer.
Configuring NetScaler Gateway in the First DMZ
In a double-hop DMZ deployment, you must configure each NetScaler Gateway in the first DMZ to redirect connections to either StoreFront or the Web Interface in the second DMZ.
Redirection to StoreFront or the Web Interface is performed at the NetScaler Gateway global or virtual server level. To connect to the Web Interface through NetScaler Gateway, a user must be associated with a NetScaler Gateway user group for which redirection to the Web Interface is enabled.
Installing NetScaler Gateway in the Second DMZ
The NetScaler Gateway appliance in the second DMZ is called the NetScaler Gateway proxy because it proxies ICA and Secure Ticket Authority (STA) traffic across the second DMZ.
Follow the instructions in Installing the Model MPX 5500 Appliance to install each NetScaler Gateway appliance in the second DMZ.
You can use this installation procedure to install additional appliances in the second DMZ.
After you install the NetScaler Gateway appliances in the second DMZ, complete the following configuration tasks:
- Configure a virtual server on the NetScaler Gateway proxy.
- Configure NetScaler Gateway appliances in the first and second DMZ to communicate with each other.
- Bind the NetScaler Gateway in the second DMZ globally or to a virtual server.
- Configure the STA on the appliance in the first DMZ.
- Open ports in the firewalls separating the DMZ.
- Install certificates on the appliances.
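
A check you might run after the firewall step above, as an added example that is not part of the original documentation: it compares a list of allow rules against the flows the double-hop design needs and flags rules that cross more than one firewall or open a port the deployment does not use. The zone names, rule tuples and port numbers are constructed assumptions; substitute the ports your own deployment documents.

```python
# Added example: audit inbound firewall allow rules for a double-hop DMZ.
# Zone names, rules and ports are assumptions made for illustration.
ZONES = ["internet", "dmz1", "dmz2", "internal"]  # outermost to innermost

# Flows the deployment needs: (source zone, destination zone, destination port).
REQUIRED = [
    ("internet", "dmz1", 443),   # user devices -> NetScaler Gateway, first DMZ
    ("dmz1", "dmz2", 443),       # first-DMZ gateway -> StoreFront/Web Interface, proxy
    ("dmz2", "internal", 1494),  # proxy -> ICA (assumed port)
    ("dmz2", "internal", 80),    # proxy -> STA (assumed port)
]

# Constructed sample rule set containing two mistakes and one omission.
SAMPLE_RULES = [
    ("internet", "dmz1", 443),
    ("dmz1", "dmz2", 443),
    ("dmz2", "internal", 1494),
    ("dmz1", "internal", 1494),  # reaches the internal network without the proxy
    ("dmz1", "dmz2", 22),        # port the deployment does not list
]

def hops(src, dst):
    """Number of firewalls crossed inward (negative or zero means not inbound)."""
    return ZONES.index(dst) - ZONES.index(src)

def audit(rules):
    """Return (missing, flagged) for a list of (src, dst, port) allow rules."""
    allowed = set(rules)
    missing = [flow for flow in REQUIRED if flow not in allowed]
    flagged = []
    for src, dst, port in rules:
        distance = hops(src, dst)
        if distance > 1:
            flagged.append((src, dst, port, "crosses more than one firewall"))
        elif distance == 1 and (src, dst, port) not in REQUIRED:
            flagged.append((src, dst, port, "port not in REQUIRED"))
        # Outbound and same-zone rules are outside the scope of this check.
    return missing, flagged

if __name__ == "__main__":
    missing, flagged = audit(SAMPLE_RULES)
    for flow in missing:
        print("missing required flow:", flow)
    for rule in flagged:
        print("review rule:", rule)
```

A rule flagged as crossing more than one firewall is a prompt for review, not automatically an error, since some deployments deliberately allow specific flows of that kind.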