As an administrator, I would like to allow the Citrix Cloud application domains/IP via the Cloud Secure Web Gateway.

Cloud Secure Web Gateway

Citrix Cloud

To properly operate and consume the Citrix Cloud services, the following addresses must be contactable:

citrix.com
cloud.com
citrixworkspacesapi.net
citrixnetworkapi.net
cedexis-test.com
citm-test.com
cedexis.com
cedexis-radar.net
nssvc.net
g.nssvc.net
c.nssvc.net
servicebus.windows.net
blob.core.windows.net
sharefile.com
iwsprodeastusuniconacr.azurecr.io
iwsprodeastusuniconacr.eastus.data.azurecr.io
xendesktop.net

Allow Citrix Domains via Cloud SWG :

1. Create a domain list with the domains listed above and call it Citrix Cloud WebApp
2. Ensure that the domain list Citrix Cloud WebApp is allowed in your WSS portal policy under Content Filtering - Group A G3 - Allowed Domains/URLs
3. Ensure that the domain list Citrix Cloud WebApp is allowed in your WSS portal policy under Threat Protection Group A: G2 - Trusted Destinations
   
   Note: If you are running Universal Policy Enforcement using Management Center. It is suggested to do the same.

In regards to SSL Interception via Cloud SWG proxies. There are some domains that Citrix recommends NOT to do SSL interception on. Make sure to add these domains to your SSL Exemption policy. 

nssvc.net
g.nssvc.net
c.nssvc.net
cedexis-test.com
citm-test.com
cedexis.com
cedexis-radar.net

Reference: Citrix Cloud System and Connectivity Requirements