Thanks for your reply! When I'm referring to remote access, currently we aren't utilizing an inbound VPN layer for this. Basically the users are accessing a Citrix login page. Once they authenticate then they can launch their published apps. I've looked on the Citrix end and cannot ascertain how I can help validate the inbound traffic. I will look into this Cisco Secure Connect to see if it would be a good fit. But even then I would like to block attempts at accessing it via some sort of IP reputation lookup. If Umbrella can emulate that then we might have a good fit!

I have not done this - but I believe SecureConnect can also provide a "zero trust" interface to Citrix.  You don't use a NAT pinhole anymore.

Users browse to a portal, and all the apps they can access are in it.  They click on Citrix, Umbrella screens everything, does MFA, etc, and then connects the user to the Citrix server over AutoVPN.

Umbrella is acting like a WAF in this case providing all the protection.

https://support.umbrella.com/hc/en-us/articles/230562487-Terminal-Services-Citrix-and-Umbrella-Integ... 

I even found a Citrix document on this option. However, this looks like it is doing it "light" by only integrating the authentication.  But something you can Google on more.

https://docs.citrix.com/en-us/citrix-secure-private-access/downloads/cisco-umbrella.pdf 

Thanks again for the leads. I think for now I might just employ a rule on our firewall that allows only corporate Wi-Fi traffic into the Citrix host. Anyone who wants to work remotely outside of that can just e-mail me to whitelist them. What I'm not used to compared to the Cisco ASA is that any firewall NAT rule changes can't be done on the fly during production hours. Since all traffic that traverses the firewall is briefly interrupted. Our SIP phone registrations, active SIP calls, client/server traffic, etc. So have to do it off-hours. That's kinda a pain but it is what it is I guess.