Is there any confusion regarding ICA Proxy & CVPN (Clientless VPN)?
Then here is an explanation:

ICA Proxy (No VPN)
An ICA Proxy session is a limited connection for launching of a Citrix XenApp or XenDesktop session. It enable you to do SSO (Single Sign ON) pass-through to old Webinterface or Storefront Receiver for web (Storefront).
You can ICA Proxy with a VIP in basic mode. ICA Proxy provides basic ICA connections only, but If you are looking for a more sofisticated service like Cloud Gateway and functionality it delivers, then you’ll need to go with CVPN (Clientless VPN).

Clientless VPN
Clientless VPN (CVPN) is a server side rewriting technology for providing access to OWA, Sharepoint and other web applications behind a Netscaler Access Gateway, such as Storefront as well. The specialized case of CVPN came into play when the user would connect using a web browser and he/she intended to access webservers behind the gateway without actually installing or using a Netscaler VPN client on the client machine. In this case, the user would be able to purposefully restrict his access to HTTP based connections only by choosing the CVPN mode of operations.
( – ) : Not all existing web applications supports CVPN
( + ) : No need to leverage a full VPN tunnel anymore to allow access to web applications securely.
CVPN in a Cloud Gateway setup is only used for traffic to Receiver for Web (Storefront) and traffic to Appcontroller, besides that CVPN is turned off so external Web\SaaS apps are not rewritten by Access Gateway but instead opened directly by the native Receiver (after SSO is done by Appcontroller), for internal web applications there is a new feature in Cloud Gateway called Secure Browse.


Secure Browse
Instead of leveraging a Full VPN tunnel to access resources in the secure network, the Receiver for mobile devices like “IPAD, Iphone & Android mobile devices” uses a secure channel between the Receiver and Access Gateway called Secure Browse (Micro VPN).
Secure Browse provides secure session based access to internal web applications behind a Netscaler Access Gateway. It uses an embedded webbrowser (MDX Web Connect) to render both internal and external web applications controlled by Appcontroller. Web Connect is totally controlled by Citrix Receiver and doesn’t expose critical data on the mobile devices, Secure Browse will support any web application because there is nothing rewritten by Netscaler Access Gateway, so there is no need for troubleshooting of rewrite policies and broken links anymore.

Allow users to connect through NetScaler Gateway to network resources from iOS and Android mobile devices with Citrix Receiver. Users do not need to establish a full VPN tunnel .