Post external log on to Netscaler Gateway you receive a server error with the following text:
Error: "403 - Forbidden: Access is Denied" After Log on to NetScaler Gateway

Checking the policy hits we can see that the Session Policy of the Gateway is being hit (Citrix Gateway > Policies > Session):
nsconmsg -d current -g pol_hits -g pcp_hits

Checking the trace we saw a Get Request sent from the SNIP of the Netscaler to the Storefront which was followed by a 403 response.

Checking the HTTP Get Request, we noticed 'Web' was missing from end of HTTP Request.
To resolve we added Web to end of Session Profile URL.

Example:
https://mystore.gateway.lab/Citrix/<Storefront Name>Web

Problem Cause

Missing the format of 'Web' appended to the Session Profile URL