Suppose that your NetScaler is behind a firewall, as shown in the diagram below (ref: External firewall). Note that the firewall tracks the sessions it has allowed, so it expects the return traffic to pass through the firewall as well. The NetScaler therefore has to send replies back that way. This document explains how that can be done.
MBF (MAC-based forwarding) alters the way the NetScaler appliance routes server replies back to clients. MBF caches the MAC address of the uplink router that forwarded the client request to the appliance. When a reply is received, it is passed to the same router that sent the client request, without any route lookup. If MBF is disabled, the return path is determined by a route lookup, and the reply is sent to the default route if no specific route exists.
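The return-path decision described above, modelled in Python as an added example (not Citrix code and not part of the original page). The `Appliance` class, the addresses, the MACs and the two-uplink topology are constructed for illustration.

```python
import ipaddress

class Appliance:
    """Toy model of the return-path decision described above (not NetScaler code)."""

    def __init__(self, routes, neighbors, mbf_enabled):
        # routes: list of (prefix, next_hop_ip); neighbors: next_hop_ip -> MAC (ARP table)
        self.routes = [(ipaddress.ip_network(p), gw) for p, gw in routes]
        self.neighbors = neighbors
        self.mbf_enabled = mbf_enabled
        self.sessions = {}  # (client_ip, client_port, vip, vip_port) -> ingress source MAC

    def on_client_request(self, src_mac, client_ip, client_port, vip, vip_port):
        # MBF caches the MAC of the uplink device that forwarded the request.
        if self.mbf_enabled:
            self.sessions[(client_ip, client_port, vip, vip_port)] = src_mac

    def route_lookup(self, dst_ip):
        # Longest-prefix match; 0.0.0.0/0 acts as the default route.
        addr = ipaddress.ip_address(dst_ip)
        matches = [(net, gw) for net, gw in self.routes if addr in net]
        if not matches:
            raise LookupError(f"no route to {dst_ip}")
        _, gw = max(matches, key=lambda m: m[0].prefixlen)
        return self.neighbors[gw]

    def reply_next_hop_mac(self, client_ip, client_port, vip, vip_port):
        # With MBF, the cached MAC wins and no route lookup happens.
        cached = self.sessions.get((client_ip, client_port, vip, vip_port))
        if cached is not None:
            return cached
        return self.route_lookup(client_ip)

# Constructed topology: requests arrive via the firewall, but the
# appliance's default route points at a different router.
FIREWALL_MAC = "02:00:00:00:00:01"
ROUTER_MAC = "02:00:00:00:00:02"
ROUTES = [("0.0.0.0/0", "192.0.2.254")]
NEIGHBORS = {"192.0.2.1": FIREWALL_MAC, "192.0.2.254": ROUTER_MAC}
FLOW = ("198.51.100.7", 40000, "192.0.2.10", 443)

def return_path(mbf_enabled):
    ns = Appliance(ROUTES, NEIGHBORS, mbf_enabled)
    ns.on_client_request(FIREWALL_MAC, *FLOW)
    return ns.reply_next_hop_mac(*FLOW)

if __name__ == "__main__":
    print("MBF on :", return_path(True))
    print("MBF off:", return_path(False))
```

With MBF off, the reply leaves through the default-route router, so the firewall that holds the session state never sees the return traffic.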
http://support.citrix.com/article/CTX132952
http://www.craig-tolley.co.uk/2014/12/09/netscaler-10-5-53-9c-storefront-monitor-uses-nsip-not-the-snip/