Our management are keen to engage a 3rd party to assess our citrix access gateway for security flaws/misconfigurations/best practice from the outside (the internet). My understanding is citrix access gateway uses 2-factor in this instance, SSL and is a very hardened linux appliance and server. Therefore, the question remains, from the outside, what kind of issues are there that could be tested for? Could you provide a top 5 areas youd review on a citrix access gateway (not secure access gateway) if you were tasked with such an audit. I dont want to go back to management and say "theres nothing to check with CAG from the outside" unless I know thats true.