Yup, you need lots of extra ports. Not least of which is port 1494 for the ICA channel. Here are a couple of articles on the subject:
http://support.citrix.com/article/CTX118175http://forums.citrix.com/message.jspa?messageID=1457047If you want to secure the connections over port 443 alone, you will need to put Citrix Access Gateway into the mix.