The Terminal Services Agent (TSA) does not create the IP-port-user mapping correctly for HTTP traffic. 80+ Citrix servers are configured, all of them running the Palo Alto Networks Terminal Services Agent.
When a user loads an HTTPS site from a PC, the traffic is sent to the Citrix server, the IP-port-user mapping is correct (the source port is within the TSA range), and the HTTPS traffic is allowed.
When a user loads an HTTP site from the same machine and the same browser (Internet Explorer), the traffic is sent to the Citrix server, but an incorrect source port is assigned (outside the TSA allocated range). Because the source port is outside the range, the IP-port-user mapping is incorrect and the firewall denies the traffic.
If there are any TrendMicro products installed on the Citrix Terminal Server, the TrendMicro proxy feature may be causing the problem.
To resolve the issue, disable the TrendMicro proxy feature, or all TrendMicro services.
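
Before disabling anything, you can confirm on an affected Citrix server which process owns the HTTP connections whose source ports fall outside the TSA range. The following is an added example, not part of the original article or any Palo Alto Networks tooling; the range values are placeholders to replace with the source port allocation range configured in your agent, and it assumes a server where the `Get-NetTCPConnection` cmdlet is available.

```powershell
# Placeholder values: replace with the source port allocation range
# configured in the Terminal Services Agent on this server.
$TsaRangeStart = 20000
$TsaRangeEnd   = 39999
$WebPorts      = 80, 443

function Test-InTsaRange {
    param([int]$Port)
    return ($Port -ge $TsaRangeStart -and $Port -le $TsaRangeEnd)
}

# Established outbound web connections, ignoring loopback sessions.
$connections = Get-NetTCPConnection -State Established |
    Where-Object {
        $WebPorts -contains $_.RemotePort -and
        $_.RemoteAddress -notin '127.0.0.1', '::1'
    }

# Tag each connection with its owning process and whether the local
# (source) port lies inside the TSA range.
$report = foreach ($c in $connections) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Process    = if ($proc) { $proc.ProcessName } else { "pid $($c.OwningProcess)" }
        RemotePort = $c.RemotePort
        LocalPort  = $c.LocalPort
        InTsaRange = Test-InTsaRange -Port $c.LocalPort
    }
}

# Summarise per process and destination port. Rows with OutsideRange > 0
# are the connections the firewall cannot match to a user.
$report | Group-Object Process, RemotePort | ForEach-Object {
    $outside = @($_.Group | Where-Object { -not $_.InTsaRange })
    [pscustomobject]@{
        Process      = $_.Group[0].Process
        RemotePort   = $_.Group[0].RemotePort
        Connections  = $_.Count
        OutsideRange = $outside.Count
        SamplePorts  = ($outside.LocalPort | Select-Object -First 5) -join ','
    }
} | Sort-Object OutsideRange -Descending | Format-Table -AutoSize
```

Run it while a test user browses an HTTP site and an HTTPS site. If the port 80 rows with out-of-range source ports belong to a process other than the browser, that process is originating the connections in place of the user's session.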