Next: Multiplexing POP3 and IMAP4 Up: Double Layer SMTP Multiplexing Previous: Double Layer SMTP Multiplexing

   
Analysis

Every message must be relayed: it must first be accepted from the sending host by one of the relay hosts and then relayed to one of the back-end servers. This results in the same traffic as for the single layer model, as discussed in section 3.3.

The advantage of this system is that only the relay hosts need to be externally visible. It is quite possible to place the back-end servers on an internal network. The back-end servers could then be placed behind packet filtering protection and even placed on one of the private address space networks, 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, as defined in RFC 1918 [RMK+96]. Only the relay hosts need to be exposed to traffic from foreign hosts. As a result, the servers that are most vulnerable to attack contain no user content, which adds extra protection for end users.

There is no restriction on the number of relay hosts, although it is envisaged that at least two would be sensible, as a single relay server in front of several back-end servers would create an unnecessary single point of failure. As the relay hosts do not hold any user data, it would be possible to use techniques such as IP address takeover [Hor98] to switch in either a backup server or one of the other relay hosts if a relay host fails or is taken down for maintenance.
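The properties described above can be checked mechanically against a deployment inventory. The following Python sketch is an added example, not part of the original paper: it verifies that there are at least two relay hosts, that every back-end server sits in one of the three RFC 1918 blocks, and that the packet filter admits SMTP to the back-end servers only from individual relay hosts. The inventory format, host names, addresses and rule list are constructed assumptions.

```python
import ipaddress

# The three private blocks named in the text (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_rfc1918(addr):
    """True only for the RFC 1918 blocks, not loopback or link-local space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def audit(relays, backends, smtp_allow):
    """Return a list of findings; an empty list means the layout matches the design.

    relays, backends: hostname -> address as seen by the packet filter
    (hypothetical inventory format).
    smtp_allow: (source CIDR, back-end hostname) pairs the filter permits
    on TCP port 25 towards the back-end servers.
    """
    findings = []
    if len(relays) < 2:
        findings.append("fewer than two relay hosts: single point of failure")
    for name, addr in backends.items():
        if not in_rfc1918(addr):
            findings.append(f"back-end {name} ({addr}) is not in RFC 1918 space")
    relay_ips = {ipaddress.ip_address(a) for a in relays.values()}
    for src, dst in smtp_allow:
        net = ipaddress.ip_network(src)
        if dst not in backends:
            findings.append(f"rule {src} -> {dst}: unknown back-end")
        elif not (net.num_addresses == 1 and net.network_address in relay_ips):
            findings.append(f"rule {src} -> {dst}: source is not a single relay host")
    for name in backends:
        if not any(dst == name for _, dst in smtp_allow):
            findings.append(f"back-end {name}: no relay is permitted to deliver to it")
    return findings

# Constructed sample inventory (documentation and private addresses only).
RELAYS = {"relay1": "192.0.2.10", "relay2": "192.0.2.11"}
BACKENDS = {"store1": "10.1.0.5",
            "store2": "172.32.0.6"}  # just outside 172.16.0.0/12
RULES = [("192.0.2.10/32", "store1"), ("192.0.2.11/32", "store1"),
         ("0.0.0.0/0", "store2")]    # open to any source: defeats the design

if __name__ == "__main__":
    for finding in audit(RELAYS, BACKENDS, RULES):
        print("FINDING:", finding)
```

The `172.32.0.6` entry shows why the check tests the exact /12 boundary: the 172.16.0.0/12 block ends at 172.31.255.255.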


Horms
2000-11-17