Limitations Of Citrix's Application Isolation Environments
Friday, 28 April 2006 by Michel Roth
Brian Madden points to a article that Citrix has just put up that details on the limitations of Citrix's Application Isolation Environments (AIE):

"Citrix has just released a knowledgebase article that, for the first time, clearly defines the limitations and compatibility issues of Presentation Server 4 Application Isolation Environments (AIEs). This is a fantastic KB article, and long overdue."

Let's look at the limitations of AIE, and then analyze it a bit. According to Citrix, AIE does not address the following issues: (this bullet list is directly from the KB)

• Device or Kernel Drivers. Isolation environments do not isolate device or kernel drivers. For example, if the application installs and depends on a driver to function, it will not work in an isolation environment.

• Windows Services. Some applications install and rely on a Windows service (except MSI) to function correctly. Compatibility issues resulting from such applications may not be resolved using application isolation. Investigate further to see if the application functions correctly without the service. To establish whether an application attempted to install a service, examine the CtxSbxAppMsg section in the Windows Event Log.

• Windows Class Names or Window Names. If the incompatibility is the result of Windows messages being used as an Interprocess communication (IPC) mechanism, application isolation is not the solution. Isolation environments do not isolate Windows class names or window names.

• Registry or Application Objects that Do not Link to USER32.DLL. An isolation environment will not resolve compatibility issues caused by applications that do not link to User32.dll. Typically, such applications do not have a Windows interface and use only the console.

• DCOM. An isolation environment will not resolve compatibility issues caused by applications that rely on Distributed Component Object Model (DCOM) to function correctly.

• IP Addresses. Application isolation cannot resolve compatibility issues that occur because all instances of an application running on Presentation Server share a common IP address. Investigate further to see if the using Virtual IP (VIP), a new feature in Presentation Server 4.0, resolves the issue.

• Installers that Require a Reboot During Installation. If an application installer requires a reboot during installation, it may not install correctly into an isolation environment. Removing or renaming files during reboot after an install or repair operation is also not supported.

• Application Isolation Is Not a Security Feature. Do not rely on isolation environments to provide secure access to an application. Application isolation does not provide any form of security; Citrix administrators should comply with existing Windows security best practices to ensure that users are allowed access only to resources that they are authorized to access

Read the full article here.

Related Items:

Application Isolation Environments Explained (Updated) (23 August 2005)
Troubleshooting Applications Installed Into Isolation Environments (16 February 2006)
Application Isolation Environments Explained (16 June 2005)
New Citrix AIE Support Articles (3 November 2005)
New Application Isolation Environment Support Articles (29 November 2005)
Citrix AIE Issues Explained (16 May 2006)
Enabling TWAIN Redirection For Applications Running In An Application Isolation Environment (1 October 2005)
MSTerminalServices.org: Inside Citrix Presentation Server's Application Isolation Environments (29 December 2005)
Hot: Citrix To Launch Application Streaming (Project Tarpon) (10 October 2005)
Brian Madden Elaborates On Application Isolation Environment (17 May 2005)
Comments (0)