Some organizations have two DMZs. This is often called a double DMZ or a double-hop DMZ and is sometimes used to provide an extra layer of security between the Internet and the internal network.
Figure 3-1 above shows a network with a double DMZ. In this deployment, UAG 2 in DMZ 2 is configured for the Horizon edge service in exactly the same way as for the single DMZ described in the previous section. The configuration of the Internet-facing FireWall 1 is the same as for a single DMZ: the required TCP and UDP ports should be allowed and routed by FireWall 1 only to the Unified Access Gateway appliances in DMZ 1. The TCP and UDP ports for FireWall 2 are the same as for FireWall 1, except that its rules should only allow source IP addresses of Unified Access Gateway appliances in DMZ 1 and should only forward that traffic to Unified Access Gateway appliances in DMZ 2. This ensures that the only network traffic entering DMZ 2 is traffic that has already been filtered by a DMZ 1 Unified Access Gateway appliance.
UAG 1 in DMZ 1 is configured as a Web Reverse Proxy for Horizon protocols. It terminates the TLS connection from the client and provides specific Horizon URL validation on that traffic prior to forwarding it to UAG 2 on a new TLS connection between UAG 1 and UAG 2. Any network traffic from the Internet to UAG 1 that falls outside of the Horizon protocol specification configured on UAG 1 in terms of port numbers, TLS version, ciphers, and HTTPS URL patterns for Horizon is discarded in DMZ 1. Valid Horizon network traffic is forwarded to UAG 2 in DMZ 2 for the next layer of security.
tunnelExternalUrl, blastExternalUrl and the optional pcoipExternalUrl) are used by the clients to connect these protocols to the Unified Access Gateway environment. They must be set to values that route these connections to UAG 1.
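The following Python model traces a Horizon client request through the double-DMZ path described above (FireWall 1, UAG 1 validation in DMZ 1, FireWall 2, UAG 2) and checks that the external URL settings land clients on UAG 1. It is an added example written for this page, not VMware code or a UAG configuration: the IP addresses, host names, the Horizon port list (443, 4172, 8443), the URL allow-list regex and the `Packet`, `firewall1_allows`, `firewall2_allows`, `uag1_accepts`, `path_to_dmz2` and `external_urls_point_to_uag1` names are all assumptions chosen for the illustration.

```python
"""
Constructed model of the double-DMZ traffic path for Horizon through
Unified Access Gateway. Added example, not UAG's own code: addresses,
host names, ports and URL patterns are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address
import re
from urllib.parse import urlparse

# Assumed addressing (documentation ranges, not from the page).
DMZ1_UAG = [ip_address("192.0.2.10"), ip_address("192.0.2.11")]        # UAG 1 appliances
DMZ2_UAG = [ip_address("198.51.100.10"), ip_address("198.51.100.11")]  # UAG 2 appliances

# Assumed Horizon client ports: 443 TCP (XML-API/tunnel), 4172 TCP+UDP (PCoIP), 8443 TCP+UDP (Blast).
HORIZON_PORTS = {("tcp", 443), ("tcp", 4172), ("udp", 4172), ("tcp", 8443), ("udp", 8443)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def firewall1_allows(p: Packet) -> bool:
    """FireWall 1: Horizon ports from any source, but only to UAG appliances in DMZ 1."""
    return (p.proto, p.dport) in HORIZON_PORTS and ip_address(p.dst) in DMZ1_UAG


def firewall2_allows(p: Packet) -> bool:
    """FireWall 2: same ports, but the source must be a DMZ 1 UAG and the destination a DMZ 2 UAG."""
    return ((p.proto, p.dport) in HORIZON_PORTS
            and ip_address(p.src) in DMZ1_UAG
            and ip_address(p.dst) in DMZ2_UAG)


# Assumed Horizon URL allow-list enforced by UAG 1 (example regex, not UAG's shipped default).
HORIZON_URL_PATTERN = re.compile(r"^(/|/broker/xml|/portal(/.*)?|/view-client(/.*)?|/appblast(/.*)?)$")
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}


def uag1_accepts(tls_version: str, path: str) -> bool:
    """UAG 1 discards anything outside the configured Horizon spec (TLS version, HTTPS URL pattern)."""
    return tls_version in ALLOWED_TLS and HORIZON_URL_PATTERN.match(path) is not None


def path_to_dmz2(p: Packet, tls_version: str, path: str) -> str:
    """Trace one client request: FireWall 1 -> UAG 1 validation -> FireWall 2 -> UAG 2."""
    if not firewall1_allows(p):
        return "dropped at FireWall 1"
    if not uag1_accepts(tls_version, path):
        return "discarded by UAG 1 in DMZ 1"
    # UAG 1 opens a new TLS connection from its own address to a DMZ 2 UAG appliance.
    hop2 = Packet(src=p.dst, dst=str(DMZ2_UAG[0]), proto=p.proto, dport=p.dport)
    if not firewall2_allows(hop2):
        return "dropped at FireWall 2"
    return "forwarded to UAG 2 in DMZ 2"


# Assumed external URL settings (example values); each must resolve to UAG 1, never UAG 2.
EXTERNAL_URLS = {
    "tunnelExternalUrl": "https://uag1.example.com:443",
    "blastExternalUrl": "https://uag1.example.com:8443",
    "pcoipExternalUrl": "192.0.2.10:4172",
}
DNS = {"uag1.example.com": "192.0.2.10"}  # constructed resolver table for the example


def external_urls_point_to_uag1() -> bool:
    """Check every external URL resolves to a DMZ 1 UAG address, so clients always enter via UAG 1."""
    for value in EXTERNAL_URLS.values():
        host = urlparse(value).hostname if "://" in value else value.rsplit(":", 1)[0]
        if ip_address(DNS.get(host, host)) not in DMZ1_UAG:
            return False
    return True


if __name__ == "__main__":
    client = Packet(src="203.0.113.5", dst="192.0.2.10", proto="tcp", dport=443)
    print(path_to_dmz2(client, "TLSv1.2", "/broker/xml"))
    print(path_to_dmz2(client, "TLSv1.2", "/admin"))
    print(path_to_dmz2(client._replace(dst="198.51.100.10") if hasattr(client, "_replace")
                       else Packet("203.0.113.5", "198.51.100.10", "tcp", 443), "TLSv1.2", "/"))
    print("external URLs route to UAG 1:", external_urls_point_to_uag1())
```

The point the model makes explicit is the layering: a request that reaches DMZ 2 has passed a port filter at FireWall 1, a protocol and URL filter inside UAG 1, and a source-address filter at FireWall 2, so an Internet host that addresses a DMZ 2 appliance directly is dropped before the second layer is ever exercised.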