When you capture a network trace while the endpoint is attempting to connect over the ICA session, you will notice a TCP-SYN retransmissions on 2598 for that server.
The VDA has two network cards: Legacy and Synthetic. The ICA file which the endpoint receives, is listing an IP Address of the Legacy Adapter (which is non-routable from external network). Hence the ICA connection fails.
We would ideally like to have an address in the ICA file which is reachable from the Internet and the Legacy network adapter is required to communicate with the PVS server initially, mostly in the same subnet. If over the legacy network adapter, we disable Gateway and attempt to connect again, this time ICA should come up with the synthetic adapter’s address.
As per the PVS design, PVS Legacy NIC should have a 169.x.x.x address post the bootup completion. PVS uses the Synthetic network adapter for the communication with the PVS server.