Application Isolation


Academic year: 2020


This document provides a technical overview of the Application Isolation feature in Citrix Presentation Server 4.0, Enterprise Edition. Detailed information on creating and configuring application isolation environments on Presentation Server 4.0 may be found in the Administrator’s Guide and Advanced Concepts Guide.

Use-Case Scenarios
Technology Overview and Setup
How It Works
What Is Virtualized?
  File System
  Registry
  Named Objects
Using Application Isolation (AI)
  Who Should Use Application Isolation?
  When to Use Application Isolation?
  Identifying Compatibility Issues

Introduction and Overview

Application Isolation (AI) is a technology solution to issues arising from application compatibility and sociability in a Terminal Services (TS) environment. Some applications deployed through Citrix Presentation Server often share system components and resources. Sharing enables efficient leverage of limited system resources.

Sharing resources, however, introduces interdependencies between applications, which in turn introduce compatibility issues in the Presentation Server/Terminal Services environment. For example, a simple software patch applied to a particular application could affect another that depends on a shared component, such as a DLL. The two applications could subsequently begin to ‘misbehave’ or fail. Application isolation, sociability, and compatibility are of growing concern in a Presentation Server environment. Some of the application compatibility issues in a Presentation Server environment can be characterized as follows:

APPLICATION CONFLICTS

Applications that do not conform to Microsoft’s guidelines for use of the Windows registry can cause a number of problems, such as limiting the application to run as a single instance, overwriting a previous user’s settings, possibly crashing, or in the worst case allowing a user to read the previous user’s credentials. They can also cause conflicts between applications, especially between multiple versions of the same application.

APPLICATION VERSIONING

Applications could install a specific version of a configuration file into a system folder while another application overwrites that configuration file with a different version, causing the first application to execute improperly. For most applications, the installation of a different version will remove or conflict with prior versions.

INCOMPATIBILITY WITH TERMINAL SERVICES

Some applications do not work in a Terminal Services environment and thus on Presentation Server. Incompatibility with Terminal Services is often caused by registry conflicts, file system conflicts and system objects.

POST-INSTALLATION CONFIGURATION REQUIREMENTS

Some applications require post-installation optimization before they function correctly on Presentation Server.

EXTENSIVE TESTING REQUIREMENTS

The possibility of application conflicts, either at install or run time, requires extensive pre-deployment testing, which is expensive and time-consuming.

MAINTENANCE OF AGING LEGACY SYSTEMS

The use and maintenance of legacy applications that support essential business processes is crucial in many organizations. Often such applications cannot coexist with modern applications and need to be installed on dedicated servers. This leads to the creation of application-specific server silos, which in turn results in underutilization of valuable compute resources and increases TCO.


EASY DEPLOYMENT

Application Isolation is designed as an administrative feature of Presentation Server and is integrated into the Citrix Management Console. AI is also fully integrated with Installation Manager for Presentation Server, which enables administrators to automate application installations into isolation environments across a server farm.

EASY ADMINISTRATION

All user interface elements are integrated into the Citrix Management Console (CMC) and the Application Publishing wizard in Presentation Server; this creates an integrated and user-friendly configuration environment. Support for AI is also integrated with Installation Manager for Presentation Server to enable administrators to deploy application packages into isolation environments on a server farm.

EASY CONFIGURATION

The workflow required to construct a simple, rule-based application isolation environment can be achieved with minimal configuration steps. Configuration required to deploy applications into isolation environments using Installation Manager is also simple and intuitive.

You can use the application isolation functionality to:

• Safely install and reliably run multiple applications that require different versions of the same shared component

• Safely execute most incompatible applications on the same server at the same time

• Update applications independently of each other, without fear of impacting existing applications

• Install and publish most applications that are not designed to run in a multi-user environment using Presentation Server

• Safely install most incompatible applications on a single server, preventing build-up of application-specific server silos

• Significantly increase your ROI in your Presentation Server solution

Use-Case Scenarios

IT organizations everywhere continue to be hampered by incompatibilities in an increasingly complex and heterogeneous computing environment. Application isolation significantly mitigates application compatibility issues that exist in the Presentation Server/Terminal Services environment through the use of virtualization technologies.


CONSOLIDATE SERVERS AND REDUCE FARM SIZE

Application silos in a Presentation Server farm are often a result of incompatibility or interoperability issues between two or more applications. As a result, administrators tend to publish a single application on one or more servers to eliminate compatibility problems. This leads to the creation of application-specific server silos, which in turn results in underutilization of valuable compute resources and increases TCO.

Application isolation delivers a solution to enable administrators to install and publish incompatible applications on the same server, each within an application isolation environment. This enables customers to reduce the number of servers in a farm with very little effort.

DEPLOY APPLICATIONS INCOMPATIBLE WITH TERMINAL SERVICES

Any well-behaved 16 or 32-bit Windows-based application can run under Terminal Services, but the multi-user nature of Terminal Services tends to expose flaws in some applications. Many enterprise applications are not designed to run in a multi-user environment and as a result can cause compatibility issues in a Terminal Services environment. With application isolation, these applications will most likely run on a Presentation Server farm without issue.

MIGRATE LEGACY APPLICATIONS TO PRESENTATION SERVER

To support essential business processes in the organization, many companies must continue to use and maintain valuable legacy applications. Rather than rewriting applications (with all the associated costs and risks) to adapt to newer computing environments, application isolation provides you with the means to extend the life of legacy applications by publishing them over Presentation Server, at a fraction of the cost.

DEPLOY CONFLICTING VERSIONS OF APPLICATION

Another problematic issue faced by IT departments is application sociability. It is hard, often impossible, to install and run different versions of an application (Microsoft Office for example) on a single server. Traditionally this problem would be resolved by installing each version of Microsoft Office on separate servers. AI technology solves this problem and enables you to install conflicting applications or application suites on the same server. This ultimately leads to server consolidation and optimum use of valuable compute resources in the data center.

Technology Overview and Setup

Application isolation is designed to solve some of the problems associated with application compatibility and sociability in a Presentation Server/Terminal Services environment. As the name suggests, the application isolation functionality is designed to mitigate these issues by creating an Isolation Environment (IE) for application installation and execution. Presentation Server administrators can use the application isolation feature to force applications to install and execute within an isolation environment. An isolation environment can be visualized as a ‘virtual layer’ which provides an environment for an application to install or execute in. AI is essentially a protective virtual wrapper that separates the bindings between an application and the underlying operating system resources. An isolation environment prevents applications from accessing key system resources and causing damage by redirecting the request to a virtual location contingent on the action being attempted.

In a Presentation Server environment, an isolation environment provides an application with an environment containing virtual file system, virtual registry, and other elements. This substantially reduces application compatibility issues, including compatibility with Terminal Services, and sociability with other applications.


without affecting the rest of the system. A ‘misbehaving’ application in the context of Isolation Environments is one that exhibits incompatible or unsociable behaviors when installed on Presentation Server or Terminal Services.

An isolation environment is created by virtualizing specific operating system resources so that an incompatible or unsociable application can be safely installed and published on Presentation Servers. The Isolation Environment provides a virtual mapping from an application’s view of system resources to the physical operating system resources. The mapping is accomplished through the use of rules. Rules specify how an application behaves within an isolation environment.


For example, if an application running within AIE001 attempts to open the file C:\windows\system32\vbajet32.dll, Presentation Server might substitute the path with the physical location C:\ProgramFiles\Citrix\AIE\AIE001\Device\<drive>\windows\system32\vbajet32.dll. The application is unaware of the redirection and continues to operate as normal.

What Is Virtualized?

AI virtualizes certain operating system resources to provide a compatible environment for applications published in a server farm. These are:

FILE SYSTEM

The files and directories an application uses can be a source of application conflicts. Conflicts arise primarily because many applications, particularly legacy applications, are not designed for multi-user environments. For example, an application may use the same pathname for a file that contains per-user data. In this case, if one user updates this file, it affects all other users. In the worst case, this would prevent multiple users from running the application simultaneously and could corrupt the file, which could cause the application to fail for all users.

REGISTRY

Applications store configuration information in the system registry. The two most important sections of the registry are HKEY_LOCAL_MACHINE (HKLM) and HKEY_CURRENT_USER (HKCU).

HKLM: Applications store information that pertains to the entire system in HKLM, including:

• The components of an application that were installed

• The path used to load application components

• In some cases, the path to a shared database. For example, an application where all users reference the same database could put the path to that database in HKLM.

HKCU: Applications must store user-specific information in the HKCU section. This section is part of the user profile. When a user logs on, the user’s profile is loaded into the system’s registry and becomes HKEY_CURRENT_USER. When a user logs off, any changes to HKCU are written back to the user’s profile. For instance, an application may store the following types of information in HKCU:

• Paths to custom dictionaries. These include mailboxes, configuration files, and temporary directories. Per-user paths are particularly important for multi-user operation.

• Settings that are per-user preferences. For example, some users may want to enable background spell

NAMED OBJECTS

Windows applications can create objects such as events, semaphores, and sections, which are used to communicate with other applications. Each object has a name that is globally visible on the system. An example of a conflict caused by named objects is when two instances of an application reference the same object name. Both application instances need separate objects, but instead end up sharing a single object. This can cause unpredictable application behavior.

When an application running in an isolation environment attempts to access any of the above system resources, the isolation environment redirects the request to an alternative location based on a set of rules. Within an isolation environment, any request for access to a resource that previously caused conflicts is redirected to an alternative location, thus eliminating the conflict. The redirection is managed and executed by Presentation Server without any change to the application binaries or the operating system.
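The rule-driven redirection described in this section, as an added sketch that is not Citrix code: it maps a file path to the per-environment location shown in the vbajet32.dll example and gives named objects a per-environment name. The rule kinds ("isolate", "ignore"), the read/write behaviour, the use of the drive letter for <drive>, and the object naming scheme are assumptions made for illustration.

```python
import ntpath

# Root and "Device\<drive>" layout follow the page's one example path.
# Rule kinds ("isolate", "ignore") and the read/write behaviour are
# assumptions made for illustration, not Citrix's documented rule set.
AIE_ROOT = r"C:\ProgramFiles\Citrix\AIE"


class IsolationEnvironment:
    def __init__(self, name, rules):
        self.name = name
        # Most specific (longest) prefix first, matched case-insensitively.
        self.rules = sorted(
            ((ntpath.normpath(prefix).lower(), action) for prefix, action in rules),
            key=lambda rule: len(rule[0]),
            reverse=True,
        )
        self.isolated = set()  # files that already have a private copy

    def physical_path(self, path):
        """Location of a file's private copy inside this environment."""
        drive, rest = ntpath.splitdrive(ntpath.normpath(path))
        return ntpath.join(AIE_ROOT, self.name, "Device",
                           drive.rstrip(":"), rest.lstrip("\\"))

    def _action_for(self, key):
        for prefix, action in self.rules:
            # Match whole path components only, so C:\windowsold
            # is not covered by a rule written for C:\windows.
            if key == prefix or key.startswith(prefix + "\\"):
                return action
        return "ignore"  # no rule: the request goes to the real system

    def resolve(self, path, op):
        """Return the path the request is actually served from."""
        # Normalise first: rules must see the final target, otherwise
        # "..\" segments could steer a request around an isolate rule.
        path = ntpath.normpath(path)
        key = path.lower()
        if self._action_for(key) == "ignore":
            return path
        if op == "write":
            self.isolated.add(key)  # writes always land in the private copy
            return self.physical_path(path)
        # Reads use the private copy if one exists, else the shared file.
        return self.physical_path(path) if key in self.isolated else path

    def object_name(self, name):
        """Per-environment name for an event, semaphore or section."""
        return f"{self.name}\\{name}"


if __name__ == "__main__":
    env = IsolationEnvironment("AIE001", [(r"C:\windows", "isolate"),
                                          (r"C:\windows\temp", "ignore")])
    dll = r"C:\windows\system32\vbajet32.dll"
    print(env.resolve(dll, "read"))   # shared file, nothing isolated yet
    print(env.resolve(dll, "write"))  # redirected into AIE001
    print(env.resolve(dll, "read"))   # now served from the private copy
```

Because rules are matched on the normalised path, a request written with `..` segments is judged by where it actually lands, and a second environment never sees the first one's private copies.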

Using Application Isolation (AI)

Application Isolation is a powerful new feature of Presentation Server 4.0. The primary objective of AI is to provide Presentation Server administrators with the tools required to manage conflicting, incompatible, or unsociable applications so that they install and execute correctly on Presentation Server farms.

WHO SHOULD USE APPLICATION ISOLATION?

AI is an advanced feature and is intended for the use of Presentation Server administrators who are knowledgeable and experienced in dealing with application compatibility and sociability issues in a Terminal Services environment. As such, this workflow assumes that you are knowledgeable in Presentation Server environments and wish to use AI to isolate applications so that the sociability and compatibility issues they cause in a TS environment can be mitigated.

WHEN TO USE APPLICATION ISOLATION?

Application compatibility or sociability problems that AI attempts to resolve or mitigate typically involve file, registry, or system objects on a Terminal Server. The following are some behaviors that help identify application compatibility or sociability issues:

• When You Cannot Open Multiple Instances of an Application: A single user is unable to open more than one instance of an application, or two users attempting to launch a published application experience application launch failure; this occurs when an application is designed to lock certain system resources upon execution.

• When You Cannot Install Different Versions of the Same Application on a Single Server: Multiple versions of some applications cannot be installed or executed on a single Presentation Server server. This is because the two versions of the application share the same resources, or overwrite existing files from a previous installation. Usually, the application installer simply does not allow installations of multiple versions to continue. In some cases, one version of the application stops working after two versions of the application are installed.

• When Applications Share a System Resource/s: There are instances when two or more applications share specific system files (DLL, INI, etc.), which can result in conflicting versions of the file being present. For example, applications that use the Java Runtime Environment (JRE) can cause conflicts of this type.


if multiple users are unable to launch individual instances of the application. For example, an application could store all of its per-user configuration settings (Preferences, Templates, etc.) under the registry key HKEY_LOCAL_MACHINE\Software\CompanyA\ApplicationA.

• When an Application Does Not Integrate Well with Presentation Server: Some applications are not designed to run on Terminal Services and do not work well on Presentation Server. Such applications are typically not designed for multi-user environments and hence don't perform as expected. Other applications that are problematic to install use hard-coded path and key names (HKEY_LOCAL_MACHINE) and do not differentiate between individual users that run the application. This results in conflicts such as the inability to launch multiple instances of an application, or multiple users being unable to launch the same application.

IDENTIFYING COMPATIBILITY ISSUES

If you use sets of applications that currently cannot be installed and run simultaneously on the same Presentation Server server, then those applications are prime candidates for isolation. Typically, application incompatibilities or conflicts result in administrators allocating one or more dedicated servers to publish such applications. This in turn leads to the buildup of server silos resulting in inefficient utilization of server resources.

You may be able to mitigate some of these application conflicts and incompatibilities by installing and executing these applications in Presentation Server application isolation environments. This in turn will free up server resources and result in more efficient utilization of your IT infrastructure.

Summary

As you can see, the Application Isolation feature in Presentation Server 4.0, Enterprise Edition, allows you to run a broader range of applications as well as run multiple versions of the same application on the same server. This is just one of the many compelling reasons to purchase or migrate to Presentation Server 4.0 now.

Visit www.citrix.com/presentationserver for more information on Citrix Presentation Server.


About Citrix: Citrix Systems, Inc. (Nasdaq: CTXS) is the global leader in access infrastructure solutions and the most trusted name in secure access for enterprises and individuals. More than 160,000 organizations around the world use Citrix every day. Our access software, services and appliances give people secure and well-managed access to business information wherever it lives — on demand. Citrix customers include 100% of the Fortune 100 companies, 99% of the Fortune 500, and 97% of the Fortune Global 500. Based in Fort Lauderdale, Florida, Citrix has offices in 22 countries, and approximately 6,200 channel and alliance partners in more than 100 countries.

Fort Lauderdale, FL 33309 USA Tel: +1 (800) 393 1888 Tel: +1 (954) 267 3000

EUROPEAN HEADQUARTERS

Citrix Systems International GmbH

Rheinweg 9 8200 Schaffhausen Switzerland

Tel: +41 (52) 635 7700

ASIA PACIFIC HEADQUARTERS

Citrix Systems Hong Kong Ltd.

Suite 3201, 32nd Floor One International Finance Centre 1 Harbour View Street Central

Hong Kong Tel: +852 2100 5000

CITRIX ONLINE DIVISION
