Your router should be able to handle this...because I am almost positive Speedstream will support some sort of ACL's. Someone will have to help me on the exact method though.

What you will do is apply an ACL to the outside interface on your router to allow only citrix traffic (port 1494) to the citrix server, and only allow this traffic from the Mexico location's ip address. Nfuse may use a different port however. All other inbound traffic should be blocked.

Outbound...I am assuming users are just using proxied services (HTTP, HTTPS, and FTP)? If so, configure the speedstream to allow only these services only from the proxy server. All other traffic should be blocked (filtered).

This setup will still allow the Citrix users to do what they need to do, while blocking all other traffic inbound. And outbound only the standard set of services will be allowed and only from the Proxy. Which will force users to go through the proxy server so they do not have the ability to bypass it.

I hope this gets you started...hopefully someone can help us on the speedstream config. I am willing to give you as much help as necessary...so please don't hesitate to ask. If you wish send me a private message, and I will give you my personal email, to make it easier.