Assuming you mean SNAT, this would be a pretty big undertaking to insert the client's true source into an ICA packet. Not impossible, but then you also have to consider how you'd extract it on the ICA server side. Could you:
- Capture and log the client IP at the Web Interface (via HTTP XFF header)?
- Capture and log the client IP (and activity) to syslog?
- Deploy Access Policy Manager (APM) and maybe push the client IP to Citrix via Smart Access filters?
Otherwise, to keep the client IP at layer 3 and remove the SNAT, you must guarantee that the Citrix servers cannot route around the BIG-IP.