Deepanshu,
I'll try to provide some of the bigger picture with Citrix that you won't get from the manual.
Basically we have integrated with Citrix NetScaler for a very long time, you make the NetScaler a RADIUS client with associated authentication agent on the AM server, and configure the NetScaler to Authenticate to a RADIUS server - which is the AM Primary and/or Replica. Works great.
But when the NetScaler goes through the StoreFront, SF you had to logon again, with the LDAP or AD password.
So RSA recently developed our Authentication agent for Citrix, basically a variation on our Windows agent, which installs on the Citirx StoreFront Windows 2012 R2 server, but only works with SF 3.0, not SF 3.5 or 3.6. This integration at the StoreFront instead of at the NetScaler allows you to avoid that second LDAP/AD logon by using the RSA Windows Authentication Agent concept of Windows Password Integration. You always need to logon to Windows, but what RSA does through an AM offline authentication policy is allows RSA to learn your Windows Password and keep its MD5 hash in our RSA database, so that on your second and subsequent SF logon, RSA can logon to Windows for you (until Windows Password nears expiration and AD starts prompting you to change it). In short the NetScaler integration is a little easier but cannot take care of that last LDAP or AD password logon, while StoreFront Integration is more involved, only works with SF ver. 3.0, but can be configured to do your Windows Logon for your users who are allowed to by AM Offline Auth Policy.
