No, it is not possible; there is a requirement to have direct access to the machines. CAG is able to provide that VPN/proxy due to it being Citrix itself. The iOS platform does not provide options to run java or other types of connections.

The mag is able to do more than just Citrix; however, if that is their main use case, I am sorry to hear they will need to switch.

Hmm, I understand that you are describing the situation as of today, but I cannot see why this should not change. Citrix is not doing any rocket science in CAG, using the webinterface to login (using Safari on iOS) just gives you the ICA (that is identical to an ICA served to a PC) that can be executed by the Receiver App so there is nothing special done on that end. The only Citrix-specific thing must be how the Receiver App authenticates (against CAG/passthrough to the farm), but even that should not be impossible to find out and re-implement...

Why just ignore a unique feature that a competitor has rather than working on a solution for it? And what really cracks me up: Why tell people they *need* L3VPN/Pulse to do this... there is no technical reason, just a lacking feature on the SA/MAG end.

And yes, I would have raised that as Feature Request if I had a Partner Account Manager assigned to me, but it seems Juniper is not so much interested in Consulting-only Partners (that influence buying decisions after all due to their neutral nature), no reselling revenue -> no influence... but that is another (sad) story.

I understand what you are saying; I don't know the technical reasons for why this cannot be done (and it is possible it is being investigated; I don't have any way to find out). I believe that part of the issue is that the communication has to be direct from/to the farm (or CAG) and client machine; it is not possible for the SA/MAG to proxy this traffic.