The ICA session launch may hang (the session never starts) when client certificate authentication is enabled on the Citrix Gateway virtual server. Two ways to work around this are described below.
Method 1:
1. Create a second Gateway virtual server in NetScaler. It uses the same VIP as the existing Gateway virtual server but a different port.
Configure this new Gateway virtual server identically to the existing one, except that 1) it listens on the different port, 2) client certificate authentication stays disabled on it, and 3) authentication is disabled on it (-authentication OFF). Because it is -icaOnly ON with authentication off, the only thing it accepts is an ICA connection carrying a valid STA ticket, and that ticket is only issued after the user has logged in on the original (client-certificate) virtual server.
add vpn vserver <vs_name> SSL <vip> 8443 -icaOnly ON -authentication OFF => port 8443 is used as the example throughout; any free port on the VIP will do, as long as clients can reach it through the firewalls in front of the Gateway.
set ssl vserver <vs_name> -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -dtls1 DISABLED
bind vpn vserver <vs_name> -staServer "<sta_server_name>"
bind vpn vserver <vs_name> -policy <session_pol_name> -priority 100
bind ssl vserver <vs_name> -certkeyName <server_certkey_name>
2) In StoreFront, click "Manage Citrix Gateways", edit the existing Gateway entry and append the new port to the "Citrix Gateway URL" (for example https://<gateway_fqdn>:8443).
After this change StoreFront writes the new port (8443) into the ICA file, in the SSLProxyHost entry. Workspace app therefore connects to the newly created Gateway virtual server (no client certificate authentication) to launch the ICA session, instead of the original Gateway virtual server (client certificate authentication). The session launches without a client certificate prompt.
3) The new Gateway virtual server should be used only for launching ICA sessions. Logins and other HTTP requests must not be served by it. To stop clients from using it directly over HTTP, bind the following responder policy to the new virtual server. Responder policies act only on HTTP requests, so the ICA/CGP traffic of a session launch is not affected by it.
enable ns feature RESPONDER
add responder action responder-act respondwith "\"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\nDirect access to port 8443 is not allowed\"" => respondwith returns the expression result verbatim, so the status line and header terminator are part of the string.
add responder policy responder-pol HTTP.REQ.IS_VALID responder-act
bind vpn vserver <vs_name> -policy responder-pol -priority 100 -gotoPriorityExpression NEXT -type REQUEST
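As a check for step 2, here is an added example (not part of the original article) that parses a launch.ica file and reports which Gateway host and port each application launch will connect to, by reading the SSLProxyHost entry of every application section. The sample ICA text is constructed for the example; the hostname, STA ticket and application name are made up, and the function names are the author's own.

```python
import configparser

# Constructed sample: a trimmed launch.ica as StoreFront would emit it after
# the "Citrix Gateway URL" was changed to https://gateway.example.com:8443.
# Hostname, STA ticket and application name are made up for this example.
SAMPLE_ICA = """\
[WFClient]
Version=2
ProxyType=Auto

[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA0A1B2C3D;0123456789ABCDEF
SSLEnable=On
SSLProxyHost=gateway.example.com:8443
ConnectionBar=1
"""


def parse_ica(ica_text):
    """Parse the INI-style ICA file.

    optionxform=str keeps the original case of keys so that the entries under
    [ApplicationServers] can be used as section names; strict=False tolerates a
    key repeated within a section; interpolation=None leaves '%' alone.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(ica_text)
    return cp


def gateway_endpoints(ica_text):
    """Return {application: (host, port)} for each launch that goes through a
    Gateway, i.e. each application section that has SSLProxyHost set.
    Key lookup is case-insensitive; the port defaults to 443 when absent."""
    cp = parse_ica(ica_text)
    endpoints = {}
    for app in cp["ApplicationServers"]:
        if not cp.has_section(app):
            continue
        keys = {k.lower(): v for k, v in cp[app].items()}
        proxy = keys.get("sslproxyhost")
        if not proxy:
            continue  # direct launch, no Gateway in the path
        host, sep, port = proxy.rpartition(":")
        if not sep:
            host, port = proxy, "443"
        endpoints[app] = (host, int(port))
    return endpoints


def launch_uses_port(ica_text, expected_port):
    """True only if the file has at least one Gateway launch and every one of
    them targets expected_port (the port of the ICA-only virtual server)."""
    eps = gateway_endpoints(ica_text)
    return bool(eps) and all(port == expected_port for _, port in eps.values())


if __name__ == "__main__":
    for app, (host, port) in gateway_endpoints(SAMPLE_ICA).items():
        print(f"{app}: ICA launch goes to {host}:{port}")
    print("launch uses 8443:", launch_uses_port(SAMPLE_ICA, 8443))
```

Run it against a real launch.ica downloaded from StoreFront after step 2: every Gateway launch should report the new port. If an application still reports 443, the StoreFront change has not taken effect for that store, and the launch will still go to the client-certificate virtual server.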
Method 2:
This method is more advanced and uses nFactor authentication. Disable client certificate authentication in the Gateway virtual server's SSL parameters and perform client certificate authentication with an authentication policy instead, so that the certificate is requested only during the login flow and not on the TLS session that Workspace app opens to launch the ICA session.
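As an added example (not from the original article), a minimal nFactor configuration for this method. It assumes an addressable AAA virtual server on its own VIP <aaa_vip> with FQDN <aaa_fqdn>, an installed CA cert-key <ca_certkey>, and the existing Gateway virtual server <gw_vs_name>; all names are placeholders. The client certificate is requested on the AAA virtual server's TLS session (Optional, so the handshake still completes if the browser has no certificate and the policy can fail cleanly), while the Gateway virtual server keeps client authentication disabled.

```nscli
# Gateway virtual server: no client certificate on the TLS session used for ICA launch
set ssl vserver <gw_vs_name> -clientAuth DISABLED

# AAA virtual server that performs the login (placeholder names)
add authentication vserver <aaa_vs_name> SSL <aaa_vip> 443
bind ssl vserver <aaa_vs_name> -certkeyName <server_certkey_name>
bind ssl vserver <aaa_vs_name> -certkeyName <ca_certkey> -CA -ocspCheck Optional
set ssl vserver <aaa_vs_name> -clientAuth ENABLED -clientCert Optional

# No login form: certificate authentication is the only factor
add authentication loginSchema noschema_schema -authenticationSchema noschema
add authentication loginSchemaPolicy noschema_pol -rule true -action noschema_schema
bind authentication vserver <aaa_vs_name> -policy noschema_pol -priority 100 -gotoPriorityExpression END

# Certificate authentication policy, user name taken from the certificate subject CN
add authentication certAction cert_act -twoFactor OFF -userNameField "Subject:CN"
add authentication Policy cert_pol -rule true -action cert_act
bind authentication vserver <aaa_vs_name> -policy cert_pol -priority 100 -gotoPriorityExpression NEXT

# Hand the Gateway's authentication to the AAA virtual server
add authentication authnProfile aaa_prof -authnVsName <aaa_vs_name> -AuthenticationHost <aaa_fqdn>
set vpn vserver <gw_vs_name> -authnProfile aaa_prof
```

<aaa_fqdn> must resolve to <aaa_vip> for the clients and the AAA certificate must be valid for that name. Test the login with both a browser and Workspace app before removing any previous configuration, and keep the session and STA bindings on the Gateway virtual server unchanged: the ICA launch still goes to <gw_vs_name>, which now completes its TLS handshake without asking for a certificate.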
The cause of the problem: when client certificate authentication is enabled in the NetScaler Gateway virtual server's SSL parameters, every TLS session to that virtual server requests a client certificate. Launching an ICA session, Workspace app opens a TLS session to the Gateway virtual server and is therefore asked for a certificate, but Workspace app does not present one during ICA launch, so the handshake does not complete and the launch hangs.