Some organizations have two DMZ. It is often called as a double DMZ or a double-hop DMZ and is sometimes used to provide an extra layer of security protection between the Internet and the internal network.
The Figure 3-1 above shows a network with a double DMZ. In this deployment, UAG 2 in DMZ 2 is configured for Horizon edge service in exactly the same way as for a single DMZ described in the previous section. The configuration of the Internet facing FireWall 1 is the same as for a single DMZ. The required TCP and UDP ports should be allowed and routed FireWall 1 only to Unified Access Gateway appliances in DMZ 1. In terms of TCP and UDP ports for FireWall 2, these are the same as for FireWall 1 except that the rules should only allow source IP addresses of Unified Access Gateway appliances in DMZ 1 and should only forward this traffic to Unified Access Gateway appliances in DMZ 2. This ensures that the only network traffic entering DMZ 2 is traffic that has been filtered by a DMZ 1 Unified Access Gateway appliance.
UAG 1 in DMZ 1 is configured as a Web Reverse Proxy for Horizon protocols. It terminates the TLS connection from the client and provides specific Horizon URL validation on that traffic prior to forwarding it to UAG 2 on a new TLS connection between UAG 1 and UAG 2. Any network traffic from the Internet to UAG 1 that falls outside of the Horizon protocol specification configured on UAG 1 in terms of port numbers, TLS version, ciphers, and HTTPS URL patterns for Horizon is discarded in DMZ 1. Valid Horizon network traffic is forwarded to UAG 2 in DMZ 2 for the next layer of security.
tunnelExternalUrl,blastExternalUrland the optional
pcoip ExternalUrl) are used by the clients to connect these protocols to the Unified Access Gateway environment. They must be set to values that route these connections to UAG 1.