NetScalers (and all other machines) can route. NetScaler just needs a SNIP on a subnet that has a route to the VDAs. Yes, 1494/2598 from SNIP to the VDAs.
You should have an Authentication Virtual Server with SAML as one of the factors. Change the first factor to the EULA and then bind your SAML factor as Next Factor.
Or configure your SAML IdP to show the EULA.
Are there other event IDs in the Event Viewer?
Check Event Viewer > Windows Logs > Security. I'm guessing a User Right is being blocked by a security policy. Users need the right to access the computer from the network.
What do you see in StoreFront Server > Event Viewer > Applications and Services > Citrix Delivery Services?
Why are you using Internet Explorer?
You should install a certificate on the StoreFront server and use HTTPS to connect.