Reply from F5 support:

re: x-forwarded-for:

- This is an application requirement and depends on the application itself. The BigIP unit only inserts the client's IP address as a header for the application to be aware of source of connectivity and requests.

re: why would disabling x-forward-for make a difference anyway?

- This is something that VMWare team will have to explain. Browsers identify themselves with "agent data", so application should have no problems identifying them as such.

re: are F5 going to fix / update the iApp

- If there is an issue with new Horizon version that needs to be fixed, VMWare will provide a fix/patch/workaround.

@wing523 - do you have any detail on why disabling x-forwarded-for is actually required for selective tunnelling to work on recent horizon versions?  Appears there is a bit of finger-pointed regarding why the issue occurs, and who's responsibility it is to fix.

Thanks