Citrix Presentation Server 4.0 – Application Isolation Environments
Frequently Asked Questions
APPLICATION ISOLATION OVERVIEW
WHAT IS APPLICATION ISOLATION?
HOW DO I GET APPLICATION ISOLATION?
HOW DOES APPLICATION ISOLATION ENVIRONMENTS WORK?
WHAT IS VIRTUALIZED?
WHAT DO ISOLATION ENVIRONMENTS LOOK LIKE?
USING APPLICATION ISOLATION
WHEN SHOULD I USE APPLICATION ISOLATION?
IN WHAT SITUATIONS MAY APPLICATION ISOLATION NOT HELP?
HOW ARE APPLICATIONS INSTALLED INTO AN ISOLATION ENVIRONMENT?
WHAT DO I NEED TO KNOW ABOUT ISOLATION RULES?
SHOULD I ISOLATE WHOLE APPLICATIONS OR JUST CERTAIN PARTS?
HOW DO I TELL WHICH PARTS OF AN APPLICATION NEED TO BE ISOLATED?
I HAVE MULTIPLE APPLICATIONS THAT REQUIRE DIFFERENT VERSIONS OF MDAC OR JAVA RUNTIME, WILL APPLICATION ISOLATION HELP?
DOES APPLICATION ISOLATION ENVIRONMENTS WORK WITH THE .NET FRAMEWORK?
ARE ANY ADDITIONAL AGENTS OR CLIENTS REQUIRED ON THE PRESENTATION SERVER TO UTILIZE APPLICATION ISOLATION?
HOW DO FILE TYPE ASSOCIATIONS AND APPLICATION VISIBILITY WORK IN AN ISOLATION ENVIRONMENT?
DO ISOLATION ENVIRONMENTS USE KERNEL MODE OR USER MODE DRIVERS TO ACCOMPLISH VIRTUALIZATION?
APPLICATION ISOLATION – SYSTEM IMPACT
WHAT IMPACT DOES APPLICATION ISOLATION HAVE ON THE CITRIX PRESENTATION SERVER?
HOW DO APPLICATION ISOLATION ENVIRONMENTS AFFECT USER DENSITY?
DOES THE UNDERLYING OPERATING SYSTEM GET PROTECTED FROM MODIFICATION WHEN USING APPLICATION ISOLATION ENVIRONMENTS?
APPLICATION ISOLATION OVERVIEW
WHAT IS APPLICATION ISOLATION?
Application Isolation (AI) is a technology solution to issues arising from application compatibility and sociability in a Terminal Services (TS) environment. Some applications deployed through Citrix Presentation Server often share system components and resources. Sharing enables efficient leverage of limited system resources.
Sharing resources, however, introduces interdependencies between applications, which in turn introduce compatibility issues in the Presentation Server/Terminal Services environment. For example, a simple software patch applied to a particular application could affect another that depends on a shared component, such as a DLL. The two applications could subsequently begin to ‘misbehave’ or fail. Application isolation, sociability, and compatibility are of growing concern in a Presentation Server environment. Some of the application compatibility issues in a Presentation Server environment can be characterized as follows:
HOW DO I GET APPLICATION ISOLATION?
Application Isolation is fully integrated with the Management Console for Citrix Presentation Server 4.0, Enterprise Edition. This means that Isolation Environments and isolated application publishing are managed from a familiar Presentation Server farm management console. Application Isolation is also fully integrated with Installation Manager, which gives any enterprise administrator a simple farm-wide deployment mechanism for isolated applications.
HOW DOES APPLICATION ISOLATION ENVIRONMENTS WORK?
An Isolation Environment virtualizes specific operating system resources so that an incompatible or unsociable application can be safely installed and published on Citrix Presentation Servers. The Isolation Environment provides an application a virtual view of system resources, and maps those to the corresponding physical operating system resources. The mapping is accomplished through the use of a highly flexible rules engine. Rules specify how an application behaves within an Isolation Environment.
Citrix Presentation Server creates an isolation layer between the application and physical system resources which enables flexible and coordinated sharing of system resources. Requests for system resources from applications are intercepted, processed, and relayed by Citrix Presentation Server. If the application wants to modify the requested resource, the application is presented with its own virtual copy of the resource requested.
For example, if an application running within AIE001 attempts to open the file C:\windows\system32\vbajet32.dll, MPS might substitute the path with the physical location C:\Program Files\Citrix\AIE\AIE001\Device\C\windows\system32\vbajet32.dll. The application is unaware of the redirection and continues to operate as normal.
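The path substitution described above can be modelled in a few lines. This is an added example, not Citrix code: it reproduces the FAQ's vbajet32.dll mapping, applies the Isolate and Ignore actions the FAQ names, and canonicalizes paths before matching so that a ".." sequence cannot ride an Ignore rule out to the base OS. The rule list, the user name "alice" and the generalization of the directory layout from the single example are assumptions.

```python
import ntpath

# Root and layout come from the FAQ's single example; treating that layout as
# general is an assumption, not documented Citrix behaviour.
AIE_ROOT = r"C:\Program Files\Citrix\AIE"

# Hypothetical rule list (action, path prefix). "isolate" maps the request
# under the environment root; "ignore" lets it reach the real location.
# The user name "alice" is constructed.
RULES = [
    ("isolate", "C:\\"),
    ("ignore", r"C:\Documents and Settings\alice\My Documents"),
]

def _canon(path):
    # Resolve ".." and "/" first, then case-fold: Windows paths are
    # case-insensitive, so rules must be compared on the canonical form.
    return ntpath.normcase(ntpath.normpath(path))

def _covers(prefix, path):
    base = _canon(prefix).rstrip("\\")
    target = _canon(path)
    return target == base or target.startswith(base + "\\")

def pick_action(path, rules=RULES):
    """Longest matching prefix wins; unmatched paths are isolated."""
    matches = [(len(_canon(p)), a) for a, p in rules if _covers(p, path)]
    return max(matches)[1] if matches else "isolate"

def resolve(env, path, rules=RULES):
    """Return (action, physical path) for a request made inside `env`."""
    clean = ntpath.normpath(path)
    drive, rest = ntpath.splitdrive(clean)
    if len(drive) != 2 or not drive[0].isalpha():
        raise ValueError("only drive-letter paths are modelled: %r" % path)
    action = pick_action(clean, rules)
    if action == "ignore":
        return action, clean
    return action, ntpath.join(AIE_ROOT, env, "Device",
                               drive[0].upper(), rest.lstrip("\\"))

def inside_environment(env, physical):
    """True when a resolved path cannot touch the base OS tree."""
    return _covers(ntpath.join(AIE_ROOT, env), physical)
```

Running `inside_environment` over every resolved write is a quick way to audit a rule set: any write that resolves outside the environment root is one the rules deliberately let through to the base system.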
WHAT IS VIRTUALIZED?
Application Isolation virtualizes certain operating system resources to provide a compatible environment for applications published in a server farm. The three major areas of virtualization are the file system, registry, and named objects.
File System
The files and directories an application uses can be a source of application conflicts. Conflicts are primarily caused because many applications, particularly legacy applications, are not designed for multi-user environments. For example, a single multi-user application, multiple versions of applications, or
Isolation Environments include a powerful, rule-based, flexible and automatically configured file virtualization system that allows you to Redirect, Ignore or Isolate files, registry, and named objects.
Registry
Applications store configuration information in the system registry. The two most important sections of the registry are HKEY_LOCAL_MACHINE (HKLM) and HKEY_CURRENT_USER (HKCU).
HKLM: Applications store information that pertains to the entire system in HKLM including:
• The components of an application that were installed
• The path used to load application components
• In some cases, the path to a shared database. For example, an application where all users reference the same database could put the path to that database in HKLM.
HKCU: Applications must store user-specific information in the HKCU section. This section is part of the user profile. When a user logs on, the user’s profile is loaded into the system’s registry and becomes HKEY_CURRENT_USER. When a user logs off, any changes to HKCU are written back to the user’s profile. For instance, an application may store the following types of information in HKCU:
• Paths to custom dictionaries. These include mailboxes, configuration files, and temporary directories. Per user paths are particularly important for multi-user operation.
• Settings that are per-user preferences. For example, some users may want to enable background spell checking while others may choose to disable it.
Terminal Services aware applications are designed to use these registry sections correctly. However, single-user applications, multiple versions of applications, applications that clash with each other, or applications that are not TS aware could use these registry sections incorrectly, which can result in incompatible behaviors that prevent the application from functioning correctly on Terminal Services.
Named Objects
Windows applications can create objects such as events, semaphores, and shared memory, which are used to communicate with other applications. Each object has a name that is visible within the running session on Presentation Server on the system. An example of a conflict caused by named objects is when two instances of an application reference the same object name. Both application instances may expect to have their own copy of this object, but instead end up sharing a single object. This can cause unpredictable application behavior.
When an application running in an isolation environment attempts to access any of the above system resources, the isolation environment redirects the request to an alternative location based on a set of rules. Within an isolation environment, any request for access to a resource that previously caused conflicts is redirected to an alternative location, thus eliminating the conflict. The redirection is managed and executed by Presentation Server without any change to the application binaries or the operating system.
COM Objects
Windows applications often use COM Objects in their design or to integrate with other applications in the same suite. For example, if you embed an Excel spreadsheet in a Word Document, you are in fact using COM.
WHAT DO ISOLATION ENVIRONMENTS LOOK LIKE?
as needed. From the user’s point of view, isolation environments are invisible. The user need never be aware that the application they are running has been configured to run in an isolation environment.
USING APPLICATION ISOLATION
WHEN SHOULD I USE APPLICATION ISOLATION?
You should use Application Isolation when:
• You cannot open multiple instances of an application.
• You cannot install different versions of the same application on a single server.
• Applications inappropriately share system resources.
• Applications use hard-coded file paths or settings.
• An application does not integrate well with Terminal Services.
• You want to reduce application compatibility testing.
IN WHAT SITUATIONS MAY APPLICATION ISOLATION NOT HELP?
Isolation environments may not completely resolve application compatibility issues that are caused by one or more of the following:
• Device or Kernel Drivers.
• Windows Services.
• Windows Class Names or Window Names.
• Application executables that do not link to USER32.DLL.
• DCOM.
• Installers that require a reboot in the middle of (as opposed to simply at the end of) an installation.
HOW ARE APPLICATIONS INSTALLED INTO AN ISOLATION ENVIRONMENT?
Installation into an Isolation Environment is very similar to a traditional Presentation Server installation. No special re-packaging is required. The application setup file can be launched via an Isolation Environment setup utility, which allows the administrator to specify the Isolation Environment into which to install the application. The application’s installer will then proceed just as it would if it were launched for normal installation.
Isolated applications can also be installed via Installation Manager for simple farm-wide deployment. Refer to the admin guide for more information.
Third-party software deployment products such as SMS, ZenWorks and Altiris can also be easily configured to install applications into Isolation Environments by using the AIESetup command line tool provided.
WHAT DO I NEED TO KNOW ABOUT ISOLATION RULES?
When creating a new isolation environment, a default rule-set is automatically created and configured for your system. This rule-set is comprehensive and should work with most applications that require isolation. Isolation rules may have to be modified if the application is not behaving as expected. There is an online support forum on citrix.com that has listings of special applications that require extra rules.
SHOULD I ISOLATE WHOLE APPLICATIONS OR JUST CERTAIN PARTS?
Isolation Environments have been designed for advanced configurability through the use of rules. An administrator can single out how isolation is performed and isolate just the parts of the application that require it. Narrowing down the amount of isolation may reduce the disk space used by the Presentation Server for each user, but by default it is unnecessary.
HOW DO I TELL WHICH PARTS OF AN APPLICATION NEED TO BE ISOLATED?
By default, there is no need to know the details about why an application needs to be isolated. When an isolation environment is created, a set of default rules is also created. These rules create an environment of maximum compatibility by isolating most resources.
If an administrator wishes to analyze the application they are attempting to deploy (which in most cases is unnecessary), tools such as Sysinternals’ Regmon, Filemon, Process Explorer and Winobj, available at www.sysinternals.com, will be very useful. These tools enable the system administrator to see which files, registry keys and named objects the application is using and to determine where conflicts or misuse are occurring. For example, using Filemon can show an ini file being overwritten by multiple users in an application that has not been correctly written for Terminal Services.
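Once a file-access trace has been captured, the analysis described above comes down to finding paths that more than one user writes to. The following is an added example, not from the FAQ: the comma-separated trace is constructed for illustration and is not Filemon's export format, and the application and user names are made up.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample rows: user, process, operation, path.
SAMPLE_TRACE = """\
alice,legacyapp.exe,WRITE,C:\\WINDOWS\\legacyapp.ini
bob,legacyapp.exe,WRITE,c:\\windows\\LegacyApp.ini
alice,legacyapp.exe,READ,C:\\WINDOWS\\system32\\vbajet32.dll
bob,legacyapp.exe,READ,C:\\WINDOWS\\system32\\vbajet32.dll
alice,legacyapp.exe,WRITE,C:\\Documents and Settings\\alice\\Application Data\\legacyapp\\cache.dat
bob,legacyapp.exe,WRITE,C:\\Documents and Settings\\bob\\Application Data\\legacyapp\\cache.dat
"""

def shared_write_conflicts(trace_text):
    """Map each path written by two or more users to the sorted user list.

    Paths are canonicalized first because Windows treats
    C:\\WINDOWS\\x.ini and c:\\windows\\X.ini as the same file.
    """
    writers = defaultdict(set)
    for row in csv.reader(io.StringIO(trace_text)):
        if len(row) != 4:
            continue  # skip blank or malformed rows
        user, _process, operation, path = row
        if operation.upper() == "WRITE":
            key = ntpath.normcase(ntpath.normpath(path))
            writers[key].add(user)
    return {p: sorted(u) for p, u in writers.items() if len(u) > 1}
```

In the sample, only the shared ini file under the Windows directory is reported; the per-user cache files and the read-only DLL are not, which is the distinction that decides what needs an isolation rule.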
I HAVE MULTIPLE APPLICATIONS THAT REQUIRE DIFFERENT VERSIONS OF MDAC OR JAVA RUNTIME, WILL APPLICATION ISOLATION HELP?
Yes. Application Isolation allows an administrator to install different versions of helper applications such as Java Runtime and MDAC (assuming they are normally compatible with the underlying operating system) into Isolation Environments along with the applications that need them. This means that applications which require certain versions can have them installed as required.
DOES APPLICATION ISOLATION ENVIRONMENTS WORK WITH THE .NET FRAMEWORK?
Citrix Presentation Server uses the .NET Framework, so it requires the .NET Framework to be installed natively on the server. This limits the ability to install a different .NET version inside an Isolation Environment without it seeing the native one. However, applications that require .NET can still be installed in an Isolation Environment and use the .NET Framework that is installed natively on the server.
ARE ANY ADDITIONAL AGENTS OR CLIENTS REQUIRED ON THE PRESENTATION SERVER TO UTILIZE APPLICATION ISOLATION?
No. Because Application Isolation is fully integrated as a feature of Citrix Presentation Server, there is no need to install any additional agents or clients onto the server.
HOW DO FILE TYPE ASSOCIATIONS AND APPLICATION VISIBILITY WORK IN AN ISOLATION ENVIRONMENT?
When an application is executed within an Isolation Environment, it first sees all registered file types from the applications installed in the same environment. It then sees all file types registered in the base operating system.
Applications, by default, cannot see file types or applications installed in other Isolation Environments except their own.
If an application is installed in an Isolation Environment and it has a file type associated with it, that file type will not be seen if you are using Explorer or running a desktop on that server. For example, if you have MS Word published and installed into an AIE, and you connect to the desktop on the server and try to open a .doc file through Explorer, Explorer will not recognize this file type. This is because that application is isolated completely from the OS.
DO ISOLATION ENVIRONMENTS USE KERNEL MODE OR USER MODE DRIVERS TO ACCOMPLISH VIRTUALIZATION?
APPLICATION ISOLATION – SYSTEM IMPACT
WHAT IMPACT DOES APPLICATION ISOLATION HAVE ON THE CITRIX PRESENTATION SERVER?
One impact that Application Isolation has on the Presentation Server is a possible increase in hard drive and registry space utilized. This amount is application and isolation environment specific.
By default, an application which is isolated will make a copy of any application files (for example an ini settings file) and registry keys that the application opens for modification. Each copy is then virtualized per user. To avoid unnecessarily copying user data files, special file locations such as “My Documents” are not virtualized by default.
It is possible to reduce the amount of hard disk space used by fine-tuning the rule-sets in the isolation environment.
Another impact that Application Isolation has on the Presentation Server is a possible increase in execution overhead. This run-time impact will be dependent upon the application’s usage of the registry and file system.
HOW DO APPLICATION ISOLATION ENVIRONMENTS AFFECT USER DENSITY?
Depending on the type of application, using Isolation Environments will have some impact on user density. It largely depends on each application and on user usage patterns (how often the user interacts with the application). This is because there is a layer of virtualization between the application and the OS. Citrix recommends that you test the Application Isolation Environment with your own applications to ensure the highest level of satisfaction for the end users.
DOES THE UNDERLYING OPERATING SYSTEM GET PROTECTED FROM MODIFICATION WHEN USING APPLICATION ISOLATION ENVIRONMENTS?
Yes. Isolation Environments allow the installation and execution of applications into a file and registry structure specific to an Isolation Environment. From the application’s point of view, it has made changes to the file system and registry of the underlying operating system. From the operating system’s point of view, all of those changes have been redirected to the structure specific to the Isolation Environment. In other words, none of the requested changes to the OS file system and registry have changed the requested locations in the OS file system and registry. Naturally, as Isolation Environments are rule based, an administrator can, if needed, add rules which allow an Isolation Environment to affect the base operating system. This ensures maximum compatibility with application behavior.
HOW DO I REMOVE ISOLATED APPLICATIONS FROM A PRESENTATION SERVER?
When applications are installed into Isolation Environments, the installation is contained to an explicit file and registry structure specific to each Isolation Environment. This means that applications can be easily removed from a Presentation Server by simply deleting the corresponding Isolation Environment’s registry and file system location. For more information, please refer to the “Presentation Server Administrator’s Guide” at http://support.citrix.com/servlet/KbServlet/download/6338-102-13011/Administrators_Guide.pdf.
© Copyright 2005, Citrix Systems, Inc. All rights reserved. Citrix®, MetaFrame®, MetaFrame XP® and ICA® are registered trademarks of Citrix Systems, Inc. in the United States and other countries. Microsoft®, Windows® and Windows Server™ are registered