
We are currently using Citrix Netscaler to provide users with Virtual Desktops. Netscaler is located in the DMZ and is reachable from the whole internet. Unfortunately, Netscaler has access to LDAP (to authenticate users) and to the Citrix Desktop Servers (for Virtual Desktops) that are located in the LAN. IMO it is not very secure, and in such a case the DMZ loses its point, since normally no traffic should be flowing from the DMZ to the LAN. If Netscaler gets compromised, an attacker would easily gain further access to the whole LAN afterwards.

What are your thoughts/opinions? Are there any other approaches for better placing those components? Maybe there are some Citrix recommendations about this?

1 Answer

You simply cannot deploy a Citrix Netscaler without access to the LAN behind it... remember that you want to securely give your users access to Virtual Desktops, so the Netscaler must be able to forward traffic to the hosted servers!

Of course, you could cut off LDAP authentication and establish some sort of authentication server (the Netscaler / VPX instance has such options). But from my point of view, this makes no sense and creates a lot of work afterwards.

The only thing that makes sense is to move the Netscaler / LDAP server (probably a Windows domain controller) and the Windows Terminal Servers to their own dedicated LAN (VLAN), so that they are separated from the rest of your network. And you can deploy a firewall between the Netscaler and your hosted servers, since the ports in use are well known...

[Edit] In response to the comment below:

  • A VPN in front of the Netscaler gets you nowhere - from the attacker's point of view, it doesn't matter if he attacks IP a.b.c.d or IP e.f.g.h ...
  • 2FA is possible and supported by Citrix; this is definitely an option for increased security. Just remember that your users need to enter the 2FA every time they log in, so this might create some "annoyance"...
  • In your Virtual Desktop Deployment, you are able to define a group of users which are allowed to access the deployment - so you are able to define a group which does not contain any Domain Admin - it is a good idea to disallow Domain Admins from logging in from outside...
  • Don't forget the firewall! If your Netscaler gets compromised, the firewall is your first line of defence!
Martin
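The firewall the answer recommends between the Netscaler and the hosted servers only helps if it is a strict allow-list: the Netscaler's own address, to the exact servers it needs, on the exact ports, with everything else from the DMZ dropped. The script below is an added example (not part of the answer or of any Citrix product) that models such a DMZ-to-LAN policy and audits constructed firewall log lines against it, so that a compromised gateway trying to reach anything beyond its allowed ports shows up as a denied flow. The addresses, hostnames and the choice to permit only LDAPS (636) rather than plaintext LDAP (389), and a StoreFront/STA on 443, are assumptions about the deployment; the port numbers are the standard ones for the named protocols.

```python
"""DMZ -> LAN allow-list for a Citrix Netscaler gateway (illustrative example).

Addressing below is constructed for the example: 10.1.0.0/24 is the DMZ,
10.2.0.0/24 the server LAN and 10.3.0.0/24 the VLAN holding the desktops.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    src: str        # CIDR the flow must originate from
    dst: str        # CIDR the flow must target
    dport: int      # TCP destination port
    purpose: str    # why this hole exists (goes into the firewall change record)


# Assumed addresses for the example deployment.
NETSCALER = "10.1.0.10/32"
DOMAIN_CONTROLLER = "10.2.0.5/32"
STOREFRONT = "10.2.0.20/32"
DESKTOP_VLAN = "10.3.0.0/24"

# Only the gateway itself may cross into the LAN, and only for these purposes.
# Plaintext LDAP (389) is deliberately absent: this policy permits LDAPS only.
ALLOW_LIST: List[Rule] = [
    Rule(NETSCALER, DOMAIN_CONTROLLER, 636, "LDAPS user authentication"),
    Rule(NETSCALER, STOREFRONT, 443, "StoreFront / STA ticket validation (assumed)"),
    Rule(NETSCALER, DESKTOP_VLAN, 1494, "ICA session to a virtual desktop"),
    Rule(NETSCALER, DESKTOP_VLAN, 2598, "ICA over CGP (session reliability)"),
]


def evaluate(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return ("ALLOW", purpose) for the first matching rule, else ("DENY", reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in ALLOW_LIST:
        if (s in ipaddress.ip_network(rule.src)
                and d in ipaddress.ip_network(rule.dst)
                and dport == rule.dport):
            return "ALLOW", rule.purpose
    return "DENY", "no DMZ->LAN rule for this flow (default deny)"


# Minimal key=value flow record as many firewalls log it; format is assumed.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=tcp dport=(\d+)")


def audit(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return every flow in the log that the allow-list would deny.

    A non-empty result for the Netscaler's own address is the signal the
    answer describes: the gateway trying to reach LAN services it has no
    business with, which is exactly what a compromised gateway would do.
    """
    denied = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        verdict, _ = evaluate(src, dst, dport)
        if verdict == "DENY":
            denied.append((src, dst, dport))
    return denied


# Constructed sample log: three legitimate flows and three that must be denied
# (SMB to the domain controller, RDP to a desktop, plaintext LDAP).
SAMPLE_LOG = [
    "Nov 04 09:00:01 fw DMZ-LAN src=10.1.0.10 dst=10.2.0.5 proto=tcp dport=636",
    "Nov 04 09:00:02 fw DMZ-LAN src=10.1.0.10 dst=10.3.0.77 proto=tcp dport=1494",
    "Nov 04 09:00:03 fw DMZ-LAN src=10.1.0.10 dst=10.2.0.5 proto=tcp dport=445",
    "Nov 04 09:00:04 fw DMZ-LAN src=10.1.0.10 dst=10.3.0.77 proto=tcp dport=3389",
    "Nov 04 09:00:05 fw DMZ-LAN src=10.1.0.10 dst=10.2.0.5 proto=tcp dport=389",
    "Nov 04 09:00:06 fw DMZ-LAN src=10.1.0.10 dst=10.3.0.78 proto=tcp dport=2598",
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_LOG):
        print("DENIED:", flow, "-", evaluate(*flow)[1])
```

Running the script lists the SMB, RDP and plaintext-LDAP attempts as denied while the LDAPS, ICA and CGP flows pass. The same allow-list, translated into the rules of whichever firewall sits between the DMZ and the LAN, is the "first line of defence" the answer refers to; alerting on the denied entries turns it into a detection as well.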
  • Maybe it is worth having some sort of VPN in front of Netscaler? Maybe it is worth having a copy of users (excl. admins) of the domain controller in the DMZ that is being pushed from the LAN? Maybe it is worth having 2FA for Virtual Desktops, if it is even possible? I completely understand that it is not possible to cut Netscaler off from accessing LDAP or Virtual Desktops; however, I would like to understand what the options are to limit security-related risks. – user54507 Nov 04 '20 at 09:00
  • I've extended my response according to your questions... – Martin Nov 04 '20 at 09:26