Thanks nalb for your response, I appreciate it. How it's set up now (we're not using Secure Gateway or Access Gateway, nor do we need clients to access a VPN for the apps): in production, the remote clients are authenticated by the Citrix Web Interface server (via Active Directory); the WI then contacts the XML broker to see what the authenticated client has access to, and the WI server then presents the client with the ICA connection for the approved apps. From that moment the client makes a direct connection to the XML brokers (app farm). It is currently set up as Alternate Secure Access in Citrix Web Interface Management. Clients receive an external IP address mapping from app server to client. The F5 Citrix template requires a direct connection.
So it seems that the only difference between what you described and how it's set up in my environment (please correct me if I'm wrong) is that we currently have NATing on our firewall that goes directly from outside to the internal Citrix app server. Without using the APM module, I could repoint the NAT rules from Outside to the F5 to Internal, and everything else would stay the same, correct?
Thanks for taking the time to explain, since this is all new to me.
One last thing...
"client so then can click an application and start using it via ica proxy without any VPN or additional firewall holes by riding the ica traffic over the original ssl connection through apm."
Does the sentence above mean that the only NAT I would need in the firewall is the citrix.domain.com IP to the F5, and that all other application traffic would travel back and forth with the client over the original SSL connection (citrix.domain.com)?