Citrix has just released a knowledgebase article that, for the first time, clearly defines the limitations and compatibility issues of Presentation Server 4 Application Isolation Environments (AIEs). This is a fantastic KB article, and long overdue.
Let's look at the limitations of AIE, and then analyze it a bit. According to Citrix, AIE does not address the following issues: (this bullet list is directly from the KB)
- Device or Kernel Drivers. Isolation environments do not isolate device or kernel drivers. For example, if the application installs and depends on a driver to function, it will not work in an isolation environment.
- Windows Services. Some applications install and rely on a Windows service (except MSI) to function correctly. Compatibility issues resulting from such applications may not be resolved using application isolation. Investigate further to see if the application functions correctly without the service. To establish whether an application attempted to install a service, examine the CtxSbxAppMsg section in the Windows Event Log.
- Windows Class Names or Window Names. If the incompatibility is the result of Windows messages being used as an Interprocess communication (IPC) mechanism, application isolation is not the solution. Isolation environments do not isolate Windows class names or window names.
- Registry or Application Objects that Do not Link to USER32.DLL. An isolation environment will not resolve compatibility issues caused by applications that do not link to User32.dll. Typically, such applications do not have a Windows interface and use only the console.
- DCOM. An isolation environment will not resolve compatibility issues caused by applications that rely on Distributed Component Object Model (DCOM) to function correctly.
- IP Addresses. Application isolation cannot resolve compatibility issues that occur because all instances of an application running on Presentation Server share a common IP address. Investigate further to see if the using Virtual IP (VIP), a new feature in Presentation Server 4.0, resolves the issue.
- Installers that Require a Reboot During Installation. If an application installer requires a reboot during installation, it may not install correctly into an isolation environment. Removing or renaming files during reboot after an install or repair operation is also not supported.
- Application Isolation Is Not a Security Feature. Do not rely on isolation environments to provide secure access to an application. Application isolation does not provide any form of security; Citrix administrators should comply with existing Windows security best practices to ensure that users are allowed access only to resources that they are authorized to access.
What does this mean?
Reading this list of limitations confirms what I wrote about AIE last year. I said that Citrix's AIE was NOT application virtualization, but that it was redirection of key components. I took a lot of flack for that statement, but I stood by it then and still stand by it today.
Citrix AIE works by redirecting registry keys, files, folders, and some system objects from common locations on the server to isolated locations. It works by installing and running the applications through an AIE filter application that redirects the objects as needed. However, the applications are still installed on the server. They still write the the registry and the file system. They still run with the rights as the logged on user.
Compare this to Softricity's application virtualization. With Softricity, the application doesn't touch the local file system or registry at all. Softricity can virtualize Windows services, execution rights, and a lot more stuff from this list.
Don't get me wrong here. I think AIE is a great feature of PS4, and it solves a lot of problems. But it is as the name implies, it's Application Isolation, not Application Virtualization. It's meant to help you install tricky applications side-by-side on a server where they wouldn't ordinarily both be able to run.
I want to reiterate that I think it's great that Citrix has released this KB article. The problem was that so many people compared Citrix's AIE to Softricity, and of course AIE fell way short. This meant that people thought that AIE was bad, when in fact AIE is great, it's just that people tried to use it for things that it wasn't designed for.
But now that we have the real list of AIE's limitations, we should be able to really let it shine where it fits!