Possible to use CVAD without Netscaler?

[Raul Gonzalez]

My company is trying to design a NIST 800-171 compliant environment that uses CVAD a key component.  However committee members looking to design the environment are convinced that Netscaler can be replaced with a VPN solution from Palo Alto for example.  

Is this possible to do?  Will what is being proposed break functionality in CVAD?   I did read a 10yr old blog article that XenDesktop without Netscaler is not supported?

[Rich Meesters]

It is "possible" but every connection from a Citrix perspective would look like an internal connection as presumably users would come in via the VPN and go to StoreFront directly. You would lose a lot of security functionality given the requirement to develop a NIST 800-171 compliant environment here, including smart access policies (defining different policies for internal vs external) and would have to have users login with credentials directly to StoreFront (SAML, AD). If you are doing load balancing (in particular with Citrix related monitors) you would lose that capability as well for SF and XDC. The VPN would have to be the SSL proxy as well as the traffic from the VDA (by default at least) would be 1494/2598 TCP/UDP ports.