Citrix Gateway

Install and configure Citrix Gateway in a double-hop DMZ

You need to complete several steps to deploy Citrix Gateway in a double-hop DMZ. The steps include installing appliances in both DMZs and configuring the appliances for user device connections.

Install Citrix Gateway in the first DMZ

To install Citrix Gateway in the first DMZ, follow the instructions in Install the hardware.

If you are installing multiple Citrix Gateway appliances in the first DMZ, you can deploy the appliances behind a load balancer.

Configure Citrix Gateway in the first DMZ

In a double-hop DMZ deployment, you must configure each Citrix Gateway in the first DMZ to redirect connections to either StoreFront or the Web Interface in the second DMZ.

Redirection to StoreFront or the Web Interface is performed at the Citrix Gateway global or virtual server level. To connect to the Web Interface through Citrix Gateway, a user must be associated with a Citrix Gateway user group for which redirection to the Web Interface is enabled.

Install Citrix Gateway in the second DMZ

The Citrix Gateway appliance in the second DMZ is called the Citrix Gateway proxy because it proxies ICA and Secure Ticket Authority (STA) traffic across the second DMZ. Follow the instructions in Install the hardware to install each Citrix Gateway appliance in the second DMZ.

You can use this installation procedure to install other appliances in the second DMZ.

After you install Citrix Gateway appliances in the second DMZ, complete the following configuration tasks:

  • Configure a virtual server on the Citrix Gateway proxy.
  • Configure Citrix Gateway appliances in the first and second DMZ to communicate with each other.
  • Bind the Citrix Gateway in the second DMZ globally or to a virtual server.
  • Configure the STA on the appliance in the first DMZ.
  • Open ports in the firewalls separating the DMZs.
  • Install certificates on the appliances.