I'm running BM37sp2/NW6sp3 with one public nic and private nic. The
nic has two addresses with one static nat'd to a Citrix server on the

private lan. Our GWIA and WebAccess are both on the BM37 server as

A little history...
Someone in mgmt went to a flashy security meeting and decided we had
have a security audit. We got totally slammed for the way our BM
was setup. Apparently it's "well known" that services behind a
BorderManager server can be easily comprimised if they aren't in a
I was going to argue the point, but I'm not a security expert - I just

setup the box 18 months ago and it has worked great since then.

My question...
I figured the cheapest thing to do was add another nic to the server
the DMZ and move the Citrix server to that nic. Then change the public

static nat to the dmz, but then how does the Citrix server talk to the

private lan? If I add another static nat to the private lan from the
won't that defeat the purpose of the DMZ?
I'm assuming I'll have the same issue when moving the GWIA and
since internal users need access to those as well as public users.

Any helpfull thoughts would be appreciated