Aviv,
If you don't want to route to the Citrix farm, you have to use our ICA proxy functionality that is available in APM. With that, APM will proxy all connections to the Citrix farm and all users will have to connect to the IP address on the BigIP. Your BigIP should already come APM-ready and your license includes 10 free concurrent users. If you need to proxy at a larger scale, you can purchase an appropriate APM add-on license for your device. If you decide to go the APM route, I suggest you upgrade to v10.2.2 and follow this deployment guide:
http://www.f5.com/pdf/deployment-guides/apm-xenapp-xendesktop-dg.pdf
Keep in mind that in order to achieve this solution, you should upgrade your devices as well as procure a valid SSL certificate (or use the one that your internal clients will trust). Overall, I think it's much easier to just let BigIP route connections to the Citrix farm on the three ports needed - it's simple to set up and also secure - no other ports but Citrix ports will be allowed (we do act like a firewall in this scenario).