Is Gateway Services behind a WAF already? If so, is that documented somewhere?

We actually posed that same question as our security team wanted to place the Workspace Services URL behind Akamai. In essence we were told that the way Workspace Services (and Gateway) are architected WAF is not required. There were additional question and we are attempting to schedule a second meeting to get those answered. I hope that helps.

In the Citrix Trust Center there is something that states all Cloud services are protected, but it doesn't go into any detail.