The following solution applies to Citrix applications that are configured via the Citrix Access Gateway:
Open the Citrix Access Management Console and select Web Interface.
Right-click on site name configured to allow users access to the resources via the Connect Secure gateway and set the Access method to Direct.
If there is a firewall between the internal interface of the Connect Secure gateway and the backend resource application pool, configure a rule to allow traffic from the Connect Secure gateway's internal interface to the Citrix servers.
Ports 80, 443, 1494.
Port 2598 should be included if session reliability is being used.
KB18241 - [Terminal Services] Juniper CTS client does not launch when the Pulse Connect Secure gateway IP address is added in IE as a trusted site.