Is there a way to use Citrix Receiver on iOS *without* deploying Pulse to the device?
From my point of view SA/MAG is a competitive product to Citrix Access Gateway, and CAG allows you to log in directly with Receiver without requiring an L3 VPN, so why is this not possible using Receiver with a Juniper gateway?
I have several customers where Pulse is not an option (this would also be for 3rd-party access where we cannot tell people to install a VPN client on the device or even issue certificates for proper authentication to them). Enterprises don't like having a gateway for every type of device, so if Juniper doesn't come up with a solution here SA/MAG will just be dropped in favor of CAG...
Hmm, I understand that you are describing the situation as of today, but I cannot see why this should not change. Citrix is not doing any rocket science in CAG; using the web interface to log in (using Safari on iOS) just gives you the ICA (that is identical to an ICA served to a PC) that can be executed by the Receiver App, so there is nothing special done on that end. The only Citrix-specific thing must be how the Receiver App authenticates (against CAG/passthrough to the farm), but even that should not be impossible to find out and re-implement...
Why just ignore a unique feature that a competitor has rather than working on a solution for it? And what really cracks me up: Why tell people they *need* L3VPN/Pulse to do this... there is no technical reason, just a lacking feature on the SA/MAG end.
And yes, I would have raised that as a Feature Request if I had a Partner Account Manager assigned to me, but it seems Juniper is not so much interested in Consulting-only Partners (that influence buying decisions after all due to their neutral nature), no reselling revenue -> no influence... but that is another (sad) story.
I understand what you are saying; I don't know the technical reasons for why this cannot be done (and it is possible it is being investigated; I don't have any way to find out). I believe that part of the issue is that the communication has to be direct from/to the farm (or CAG) and client machine; it is not possible for the SA/MAG to proxy this traffic.