PAM ACL is not working when going through LB

Article ID: 257944

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A PAM administrator uses PAM through a NetScaler load balancer successfully. With the NetScaler configured for ssl-passthrough, everything works fine.

However, when you use a gateway on your desktop, the ACL for allowed access into PAM stops working. The reason is that only the NetScaler's IP address comes back as the source, and that address is blocked.

If you go directly to a PAM appliance, it works fine.

Environment

Release : 4.1.1

Cause

In Citrix NetScaler, there is a setting called USIP (Use Source IP). Check if this is enabled on the NetScaler LB.

Resolution

Add the source IP in USIP (Use Source IP).
This preserves the source IP of the original PAM client so that it works with the ACL.