We didn't want to designate a pool of addresses for each Citrix server, or have to extend DHCP scopes to accommodate one user per IP in the Citrix space with real delayed IP pool re-use. It's really hokey, if you think about how users log into XenApp / farms and use an IP, which then gets cached for the surrogate timeout, which is common across WSA. Users change which farm server they log into frequently. We cache surrogate creds for 12 hours, to get through a business day.
For Citrix/TS we use persistent cookie auth. It's not great. If you have non-browser apps and want to have identity rules, you spend time writing an identity that is a non-auth bypass for certain browser user agents or destination IPs.