I'm trying to virtualize some applciation using Citrix. so I have to expose the Citrix Secure Gateway to Internet (put it in DMZ).
my question is which is better practice ?
thanks
I would avoid NAT if there is another solution. And your situation sounds like it can be handled without needing NAT. If your firewall has three network interfaces, it should be fairly simple to do.
You assign one public IP address to the external interface on the firewall and you assign another public IP address to the server inside the DMZ. The firewall need a static route telling it that the IP address of that server is directly connected on the DMZ interface. Depending on the network configuration on the WAN side of the firewall, you may also need to configure the firewall to respond to ARP requests on behalf of the server.
Finally the firewall need to be configured such that traffic between the the public IP address of the server and other hosts is never NATed regardless of whether the other IP address is on the LAN or the internet. You may still want the firewall to apply some stateful filtering on the traffic, but that is outside the scope of this question.
With that in place packets from the LAN to the server will reach the firewall and get forwarded onto the DMZ without any NAT happening, likewise packets from the internet will also be forwarded onto the DMZ without any NAT.
The server can make connections to the internet without going through the NAT, additionally it can make connections to the LAN (if the firewall permits so), and that will also not go through any NAT.
Packets between the LAN and the server will use the default route to reach the firewall, and the firewall will have specific routes to each endpoint, so it knows right away which interface to forward the packets on. No tricks needed to make that part work.
