Thanks for the link, but we aren't using SSL scanning.
The article could be applied to authentication as well if needed to bypass citrix related IPs from authentication (as it sounds like the issue is related to).
It shows you how to leverage McAfee Maintained lists such as the Citrix related IP ranges, so you dont have to manage it.
it worked! thank you so much!!