Netscaler Gateway double hop - multiple next hop Servers

Thomas Klein

Hi Guys,


We have a working Netscaler Gateway double-hop scenario, based on the one described at https://support.citrix.com/article/CTX222591


In addition to that, we now need to connect to a second site that hosts several Citrix workers using their own Delivery Controllers. Resources are aggregated in the existing StoreFront.


To tunnel the ICA traffic over 443 as far as we can, we would also deploy an ADC for proxying ICA traffic in the (additional) second site, with the idea that the ADC in the first DMZ communicates with BOTH ICA proxy ADCs, depending on whether resources have to be used in the first or in the second site.


Basically, it should be no problem to add one more next hop server in the configuration of the ADC in the DMZ, but I don't see any configuration options other than defining and binding the second one, without any ability to configure conditions.


Would that setup work as intended?


Thanks & best regards


General DH considerations, in case you were looking at this:

The Double Hop Gateway config ONLY supports a single gateway proxy (double hop mode); it does not support additional hop "daisy chaining".


The first gateway still handles all of the gateway-to-authentication phase and gateway-to-StoreFront communication; the second hop proxies the gateway-to-gwproxy-to-STA communication and the gateway-to-gwproxy-to-VDA communication only.  No additional "hops" are allowed.


If instead you want both user sets (groupA and groupB for convenience) to go through one gateway (gateway1) and then decide between gatewayproxyA or gatewayproxyB, you are right, there are no conditions for that.

You would probably have to make two separate configs:  groupA users go to Gateway1/Proxy1 to get to their resources and groupB goes to Gateway2/Proxy2 for their resources.

I'm not aware of a way to incorporate multiple double hops behind a single VPN and have it choose which one to use.  (I'm not sure PBRs would help either.)
