Is IGEL ICG required to be in the DMZ when using NetScaler as SSL-bridge?


Hi! I have a question reagarding UMS, ICG and NetScaler as SSL-bridge. Is it correctly understood that ICG doesn’t need to be on a DMZ if we are using NetScaler as a SSL-bridge? From my understanding UMS and ICG may be on the same network if we are using a NetScaler in between. I took the below photo from Disrupt in München, but it says that ICG should be on a DMZ, but I think that’s wrong. The reason that I am asking is that we are going to deploy UMS and ICG in Azure and I want to understand if they both may be on the same virtual network/subnet. All clients will connect to the UMS externally via ICG.


The ICG can be located anywhere in the world wide web. That’s the big advantage of it. You can use Azure, AWS or any other hoster.


It depends on the architecture. Theoretically you could place the icg on internal network and just do port forwarding. To enhance the hardening in that case I would suggest to add a NS (or some other solution suited for the task). I’m using exactly this in my lab, a NS is on the dmz, the icg and ums on the internal network. That’s the fine thing with having a ADC reverse proxying connections, you can do what you like.


Thank you both for your prompt response. @member That’s exactly how I want to design it as well. 🙂


Every reverse proxy should work, you could probably also use Azure application proxy


Haproxy Will also so the trick or a appliance like pfsense

Continue reading and comment on the thread ‘Is IGEL ICG required to be in the DMZ when using NetScaler as SSL-bridge?’.  Not a member? Join Here!

Learn more, search the IGEL Knowledge Base



Ask a question or comment on the above messasge thread?

Join or log in to the IGEL Community to ask us anything and meet other IGEL customers, partners, and EUC enthusiasts.

Submit a question, or Join Today!


Popular Message Threads


Categories & Tags: