Citrix Gateway

How a double-hop deployment works

You can deploy Citrix Gateway appliances in a double-hop DMZ to control access to servers running Citrix Virtual Apps. The connections in a double-hop deployment occur as follows:

  • Users connect to Citrix Gateway in the first DMZ by using a web browser and by using Citrix Receiver to select a published application.
  • Citrix Receiver starts on the user device. The user connects to Citrix Gateway to access the published application running in the server farm in the secure network.

    Note: Secure Hub and the Citrix Gateway plug-in are not supported in a double-hop DMZ deployment. Only Citrix Receiver is used for user connections.

  • Citrix Gateway in the first DMZ handles user connections and performs the security functions of an SSL VPN. This Citrix Gateway encrypts user connections, determines how the users are authenticated, and controls access to the servers in the internal network.
  • Citrix Gateway in the second DMZ serves as a Citrix Gateway proxy device. This Citrix Gateway enables the ICA traffic to traverse the second DMZ to complete user connections to the server farm. Communications between Citrix Gateway in the first DMZ and the Secure Ticket Authority (STA) in the internal network are also proxied through Citrix Gateway in the second DMZ.

Citrix Gateway supports IPv4 and IPv6 connections. You can use the configuration utility to configure the IPv6 address.

The following table suggests the double-hop deployment support for the various ICA features:

ICA feature Double-hop support
SmartAccess Yes
SmartControl Yes
Enlightened Data Transport (EDT) Yes
HDX Insight Yes
ICA Session Reliability (Port 2598) Yes
ICA Session Migration Yes
ICA Session Timeout Yes
Multi-Stream ICA Yes
Framehawk No
UDP audio No
How a double-hop deployment works