In a single-hop DMZ
deployment scenario, all incoming traffic is intercepted by the Secure Gateway.
The Web Interface can be installed on the same server as Secure Gateway or on a
separate server. All data exchanged between user devices and the Web Interface
is relayed through the Secure Gateway.

The firewall facing the Internet has port 443 open. Users connect to the
Secure Gateway using a URL such as https://Secure Gateway FQDN/, where
Secure Gateway FQDN is the fully qualified domain name for the server
running the Secure Gateway.

A single server certificate is required on the server running
the Secure Gateway and the Web Interface.

A single port, 443, must be opened on the firewall facing the

The Web Interface cannot be contacted directly from the Internet
and is more secure.

Deploying the Secure Gateway in this configuration affects Web
Interface functionality. When you deploy the Secure Gateway in this
configuration, you lose some of the features available with the Web Interface,
including the following:

Smart Card Authentication. The Secure Gateway negotiates the SSL handshake
and terminates the SSL connection before forwarding the client connection
request to the Web Interface. Smart card authentication integrated with the Web
Interface is unavailable because the Secure Gateway terminates the SSL
connection before it reaches the Web Interface.

Firewall and Proxy Settings Requiring Knowledge of the Client IP
Address Are Ineffective. All communication from the user device to the
Web Interface is proxied through the Secure Gateway. As a result, all client
communications to the Web Interface originate from the IP address of the server
running the Secure Gateway. Though you can still configure firewall and proxy
settings on the Web Interface for specific client address prefixes, these
settings must allow all client communications through the Secure Gateway to
have the Web Interface IP address. You will not be able to distinguish between
different user devices connecting through the Secure Gateway.
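
The following added example (not part of the original documentation and not Citrix code) models why client-address-prefix rules stop discriminating once every session arrives from the Secure Gateway address. The gateway IP, the prefixes, the policy labels and the function names are all constructed assumptions for illustration.

```python
import ipaddress

# Constructed values: the gateway address and the prefix rules are assumptions.
GATEWAY_IP = ipaddress.ip_address("192.0.2.10")
PREFIX_RULES = [  # (client address prefix, policy label); first match wins
    (ipaddress.ip_network("10.20.0.0/16"), "policy-A"),
    (ipaddress.ip_network("198.51.100.0/24"), "policy-B"),
    (ipaddress.ip_network("0.0.0.0/0"), "default"),
]


def match_rule(source_ip):
    """Return the label of the first prefix rule containing source_ip."""
    addr = ipaddress.ip_address(source_ip)
    for network, label in PREFIX_RULES:
        if addr in network:
            return label
    return None


def observed_source(client_ip, via_gateway):
    """Source address the Web Interface sees for a session."""
    # In the single-hop deployment the gateway proxies every session,
    # so the real client address never reaches the Web Interface.
    return str(GATEWAY_IP) if via_gateway else client_ip


def audit(clients, via_gateway):
    """Map each real client IP to (observed source, matched policy)."""
    report = {}
    for client in clients:
        src = observed_source(client, via_gateway)
        report[client] = (src, match_rule(src))
    return report


def dead_rules(clients, via_gateway):
    """Prefixes whose policy is never selected for the given sessions."""
    hit = {label for _, label in audit(clients, via_gateway).values()}
    return [str(net) for net, label in PREFIX_RULES if label not in hit]


if __name__ == "__main__":
    sample = ["10.20.1.5", "198.51.100.7", "203.0.113.9"]  # constructed clients
    for mode in (False, True):
        print("via gateway:", mode, audit(sample, mode), dead_rules(sample, mode))
```

Running the same audit against the address prefixes actually configured on the Web Interface shows which rules become unreachable after the gateway is placed in front of it.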
deploying the Secure Gateway in this configuration if your network is small to
medium sized, with a usage profile of hundreds of users. This type of
deployment is optimal when users are connecting over the Internet to the Secure
If any of the
limitations described above are a concern and you have a sizeable user base
accessing the Secure Gateway over the LAN, consider deploying the Web Interface
in the configuration described in
Running the Web Interface Parallel with the Secure