Limitations Of Citrix's Application Isolation Environments |
Friday, 28 April 2006 by Michel Roth | |||
"Citrix has just released a knowledgebase article that, for the first time, clearly defines the limitations and compatibility issues of Presentation Server 4 Application Isolation Environments (AIEs). This is a fantastic KB article, and long overdue." Let's look at the limitations of AIE, and then analyze it a bit. According to Citrix, AIE does not address the following issues: (this bullet list is directly from the KB) • Device or Kernel Drivers. Isolation environments do not isolate device or kernel drivers. For example, if the application installs and depends on a driver to function, it will not work in an isolation environment. • Windows Services. Some applications install and rely on a Windows service (except MSI) to function correctly. Compatibility issues resulting from such applications may not be resolved using application isolation. Investigate further to see if the application functions correctly without the service. To establish whether an application attempted to install a service, examine the CtxSbxAppMsg section in the Windows Event Log. • Windows Class Names or Window Names. If the incompatibility is the result of Windows messages being used as an Interprocess communication (IPC) mechanism, application isolation is not the solution. Isolation environments do not isolate Windows class names or window names. • Registry or Application Objects that Do not Link to USER32.DLL. An isolation environment will not resolve compatibility issues caused by applications that do not link to User32.dll. Typically, such applications do not have a Windows interface and use only the console. • DCOM. An isolation environment will not resolve compatibility issues caused by applications that rely on Distributed Component Object Model (DCOM) to function correctly. • IP Addresses. Application isolation cannot resolve compatibility issues that occur because all instances of an application running on Presentation Server share a common IP address. Investigate further to see if the using Virtual IP (VIP), a new feature in Presentation Server 4.0, resolves the issue. • Installers that Require a Reboot During Installation. If an application installer requires a reboot during installation, it may not install correctly into an isolation environment. Removing or renaming files during reboot after an install or repair operation is also not supported. • Application Isolation Is Not a Security Feature. Do not rely on isolation environments to provide secure access to an application. Application isolation does not provide any form of security; Citrix administrators should comply with existing Windows security best practices to ensure that users are allowed access only to resources that they are authorized to access Read the full article here.
Show/Hide comment form
|