My setup includes a hub location housing business-critical apps. I'm creating class maps at remote locations that include the match protocol command for various URLs and Citrix traffic for Citrix servers and web apps at the central hub site. That seems clear enough, but can I use the same match protocol commands at the hub for the return traffic? I want the return traffic from my servers that was initiated by remote locations to be classified and given special treatment on my outbound WAN interface. Will match protocol work, or should I use an access-list with the central hub site servers as the source and various remote site subnets as the destination?
Either will work, much depends on which you think is a better way to match your traffic.
NBAR protocol match, often, although not always, is the same as having an ACL that matches against known ports.
If you wanted to match ALL traffic to/from a host or hosts, traditional ACLs with addresses would probably be best.
If you want to match just a particular type of traffic, and it uses fixed ports, you could again use an ACL or perhaps NBAR.
If you want to match against a particular type of traffic, to/from a host or hosts, you could use just an ACL, or an ACL AND match protocol.
There are a couple of things NBAR protocol matching can do that you can't do with ordinary ACLs. NBAR supports some stateful protocols and occasionally additional analysis into the packets. For instance, later NBAR versions can look at the Citrix type code, e.g. "screen scraping" packet vs. remote printer packet. The former you're likely to want to treat well, the latter, not as much so.
In the 12.4 version of NBAR, you can name custom protocol matchers. I'll often use it to make the config easier to understand than an ACL just matching against a port number.
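The three options described in the answer (NBAR-only, ACL-only, and ACL AND match protocol), written out as a hub-site outbound policy. This is an added illustration, not config from the original thread; the addresses, interface, class names, percentages and the custom port 8443 are hypothetical.

```ios
! Hub-site WAN router: classify server-to-remote RETURN traffic on the outbound WAN interface.
! Hypothetical addressing: hub servers 10.1.10.0/24, remote-site subnets 10.20.0.0/16.
! NBAR requires CEF to be enabled (ip cef).
!
! Option A: NBAR protocol match only. Direction-agnostic, so it also matches return traffic
! from the hub servers without any addresses in the class map.
class-map match-any REMOTE-APPS-NBAR
 match protocol citrix
 match protocol http url "*.aspx"
!
! Option B: address-based ACL only. Hub servers as source, remote subnets as destination.
ip access-list extended HUB-TO-REMOTE
 permit ip 10.1.10.0 0.0.0.255 10.20.0.0 0.0.255.255
!
! Option C: ACL AND protocol. match-all means both conditions must hold, so only Citrix
! traffic leaving the hub servers toward the remote sites lands in this class.
class-map match-all RETURN-CITRIX
 match access-group name HUB-TO-REMOTE
 match protocol citrix
!
! Later NBAR versions can separate Citrix ICA priority tags: in Citrix's scheme tag 0 is the
! highest priority (interactive screen traffic) and tag 3 the lowest (printing).
class-map match-all CITRIX-INTERACTIVE
 match access-group name HUB-TO-REMOTE
 match protocol citrix ica-tag 0
class-map match-all CITRIX-PRINT
 match access-group name HUB-TO-REMOTE
 match protocol citrix ica-tag 3
!
! 12.4 custom protocol: a named matcher for a web app on a non-standard port, which reads
! more clearly in the policy than an ACL line with a bare port number.
ip nbar custom WEBAPP-ALT tcp 8443
class-map match-all WEBAPP-ALT-RETURN
 match access-group name HUB-TO-REMOTE
 match protocol WEBAPP-ALT
!
policy-map WAN-OUT
 class CITRIX-INTERACTIVE
  priority percent 20
 class CITRIX-PRINT
  bandwidth percent 5
 class WEBAPP-ALT-RETURN
  bandwidth percent 15
 class class-default
  fair-queue
!
interface Serial0/0
 description WAN uplink toward remote sites
 service-policy output WAN-OUT
```

Confirm the classes are actually catching the return traffic with `show policy-map interface Serial0/0` (per-class packet counters); if the Citrix classes stay at zero, check that the IOS image's NBAR supports the citrix protocol and ica-tag option before blaming the ACL.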