Some organizations have two DMZ. It is often called as a double DMZ or a double-hop DMZ and is sometimes used to provide an extra layer of security protection between the Internet and the internal network.

In a double DMZ, traffic has to be passed through a specific reverse proxy in each DMZ layer. Traffic cannot simply bypass a DMZ layer.
Note: In a Horizon deployment, a double DMZ is not required, but for environments where a double DMZ is mandated, an extra Unified Access Gateway appliance acting as a Web Reverse Proxy can be deployed in the outer DMZ.
This document describes the configuration of Unified Access Gateway appliances for double-DMZ deployment.
Figure 1. Unified Access Gateway appliances deployed in a double DMZ

The Figure 3-1 above shows a network with a double DMZ. In this deployment, UAG 2 in DMZ 2 is configured for Horizon edge service in exactly the same way as for a single DMZ described in the previous section. The configuration of the Internet facing FireWall 1 is the same as for a single DMZ. The required TCP and UDP ports should be allowed and routed FireWall 1 only to Unified Access Gateway appliances in DMZ 1. In terms of TCP and UDP ports for FireWall 2, these are the same as for FireWall 1 except that the rules should only allow source IP addresses of Unified Access Gateway appliances in DMZ 1 and should only forward this traffic to Unified Access Gateway appliances in DMZ 2. This ensures that the only network traffic entering DMZ 2 is traffic that has been filtered by a DMZ 1 Unified Access Gateway appliance.

UAG 1 in DMZ 1 is configured as a Web Reverse Proxy for Horizon protocols. It terminates the TLS connection from the client and provides specific Horizon URL validation on that traffic prior to forwarding it to UAG 2 on a new TLS connection between UAG 1 and UAG 2. Any network traffic from the Internet to UAG 1 that falls outside of the Horizon protocol specification configured on UAG 1 in terms of port numbers, TLS version, ciphers, and HTTPS URL patterns for Horizon is discarded in DMZ 1. Valid Horizon network traffic is forwarded to UAG 2 in DMZ 2 for the next layer of security.

In this double DMZ configuration, UAG 2 is configured as a standard Horizon Edge Server appliance. The Horizon external URLs ( tunnelExternalUrl,blastExternalUrl and the optional pcoip ExternalUrl) are used by the clients to connect these protocols to the Unified Access Gateway environment. They must be set to values that route these connections to UAG 1.
Note: This document does not describe any further configuration needed for UAG 2 as this is standard Unified Access Gateway Horizon configuration, which is covered in the Horizon sections of the standard Unified Access Gateway document Deploying and Configuring Unified Access Gateway.