Application Isolation Environments “Citrix Presentation Server 4”

 

 

May 10, 2005

 

One of the new features in Citrix Presentation Server 4 is AIE (“Application Isolation Environments”), which makes it possible to install and/or run applications in a so-called “Isolation Environment”.

 

How does AIE work?

 

An application consists of numerous parts that are normally spread across your system, in locations like C:\Program Files, C:\Windows and C:\Windows\System32, and let’s not forget the registry in the Current_User and Local_Machine hives. What AIE does is redirect the files and registry entries of an application installation to an “Isolation Environment”, which is managed through the Presentation Server Management Console. Then, when the application is run, AIE makes the application believe it’s running from the location you entered at installation time, like C:\Program Files\%appname%, while the complete application code is actually in C:\Program Files\Citrix\AIE\%appname%. For the registry it’s a little bit different: the redirection is not on the file system but in the registry. An application installation would normally create settings in registry keys like HKLM\Software\%vendorname% and HKCU\Software\%vendorname%, but these are now redirected to HKLM\Citrix\AIE\%vendorname% and HKCU\Citrix\AIE\%vendorname%. Again, AIE makes the application believe its registry keys are in HKLM\Software\%vendorname% and HKCU\Software\%vendorname%.

 

The AIE feature can be used in two ways: you can install and then run an application in an AIE, or you can run a “normally” installed application in an AIE. Either way, you first need to create an AIE.

 

Creating an AIE.

 

For each application you want to isolate you need to create a separate Isolation Environment. This is done from the “Isolation Environments” node in the Presentation Server Management Console. Right-click, choose New and type in a name for your AIE. This only needs to be done once for each Server Farm.

 

 

You are now ready to either Install or Run an application into the AIE.

 

  

Installing into and Running from an AIE.

 

There are two ways to install an application into an AIE: automated, through Installation Manager on multiple servers, or manually, using the AIESETUP executable with the appropriate parameters on each server.

 

Installing through Installation Manager is pretty easy. Simply select your .MSI or .WFS file like you would normally do, and in the “Schedule Job” screen you now have the option to select the “Isolation Environment” in which you want to install the application.

 

Installing through the AIESETUP command is a little more work but is the best way to really get familiar with AIE. The syntax of this command is pretty easy. Type AIESETUP /? to see the options. In the following example I will install Acrobat Reader into an AIE called “Acrobat Reader” with an installer named “c:\AdbeRdr70_enu.exe”.

 

AIESETUP "Acrobat Reader" c:\AdbeRdr70_enu.exe

 

The setup starts and I decide to install to C:\Program Files\Adobe\Acrobat 7.0\

 

 

I’m actually monitoring the C:\Program Files\ folder while the installation is taking place. I don’t see an Adobe folder appearing. Also, after the installation finished successfully, no Adobe folder is present under C:\Program Files\. All files and registry entries have been redirected. Here’s the folder where the application files are actually present:

 

 

The reason you see 3 folders here is that this application installs files outside the entered installation path. This includes shortcuts, Common Files, a couple of .DLLs in the Windows folder, etc. This is proof that everything an application tries to do is redirected, and not only the installation path of an application.

 

There are now two ways to run the application. The first is to publish it through the Presentation Server Console: in the “Specify what to publish” screen select “Isolate Application”, click on Settings, select the correct AIE, select “Application was installed into environment” and select the appropriate shortcut from the dropdown menu. The rest is the same as “normal” application publishing. Now you can run the application from a Citrix client.

 

 

The second way of running the application is through the AIERUN executable command. This is also the way you can run an AIE application from the console or through a published desktop :-).

 

Now from the console I run the application using the AIERUN executable command with a very long parameter:

 

AIERUN.EXE "Acrobat Reader" "C:\Program Files\Citrix\AIE\Acrobat Reader\Device\C\Program Files\Adobe\Acrobat 7.0\Reader\Acrord32.exe"

 

If you want to provide your users access to this application from a published desktop then simply create a shortcut to the AIERUN command as shown above.

 

The application starts. Now from within the application I browse (through File -> Open) to C:\Program Files\ and here I see the virtualized (redirected) folder Adobe.

From the regular Windows Explorer I still don’t see the Adobe folder under C:\Program Files\

 

 

The Isolation Environment is actually a form of application virtualization since the AIE makes the OS and the Application Executable think it’s running from its native location.
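The path mapping described above, as an added example (not part of the original post and not Citrix code). The Device\<drive letter> layout is an assumption inferred from the single AIERUN path shown in the post, the function names are hypothetical, and the sample paths other than the Acrord32.exe one are constructed. It translates between the path the application sees and the stored location, and lists stored files that landed outside the chosen installation directory, which is what an administrator needs when inventorying or scanning what an isolated install really wrote.

```python
from pathlib import PureWindowsPath

# Layout inferred from the single AIERUN path in the post (an assumption):
#   <AIE root>\<environment name>\Device\<drive letter>\<rest of path>
AIE_ROOT = PureWindowsPath(r"C:\Program Files\Citrix\AIE")

def to_physical(aie_name, virtual_path):
    """Path the isolated application sees -> where the file is stored."""
    if aie_name in ("", ".", "..") or any(c in aie_name for c in '\\/:'):
        raise ValueError(f"not a plain environment name: {aie_name!r}")
    v = PureWindowsPath(virtual_path)
    if len(v.drive) != 2 or v.drive[1] != ":" or not v.root:
        raise ValueError(f"need an absolute drive-letter path: {virtual_path!r}")
    return AIE_ROOT / aie_name / "Device" / v.drive[0].upper() / v.relative_to(v.anchor)

def to_virtual(physical_path):
    """Stored file -> (environment name, path the application sees).
    Returns None for anything that is not under <name>\\Device\\<drive>."""
    try:
        rel = PureWindowsPath(physical_path).relative_to(AIE_ROOT).parts
    except ValueError:
        return None
    if len(rel) < 3 or rel[1].lower() != "device":
        return None
    if len(rel[2]) != 1 or not rel[2].isalpha():
        return None
    return rel[0], PureWindowsPath(rel[2].upper() + ":\\", *rel[3:])

def outside_install_dir(install_dir, physical_paths):
    """Virtual paths of stored files that landed outside the chosen install dir."""
    base = PureWindowsPath(install_dir)
    hits = []
    for p in physical_paths:
        mapped = to_virtual(p)
        if mapped and not mapped[1].is_relative_to(base):
            hits.append(str(mapped[1]))
    return hits

ENV = r"C:\Program Files\Citrix\AIE\Acrobat Reader"
SAMPLE = [
    ENV + r"\Device\C\Program Files\Adobe\Acrobat 7.0\Reader\Acrord32.exe",  # from the post
    ENV + r"\Device\C\Windows\System32\example.dll",  # constructed
    ENV + r"\Other\note.txt",                         # constructed, not under Device
]

if __name__ == "__main__":
    for hit in outside_install_dir(r"C:\Program Files\Adobe\Acrobat 7.0", SAMPLE):
        print(hit)
```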

 

Running a “normally” installed application in AIE.

 

The second way of working with AIE is to run a “normally” installed application in an AIE. This can solve a lot of multi-user application issues, for example with an application that stores user-specific settings in the Local Machine registry. AIE really can help you with these kinds of situations.

 

First off, you have to create an AIE in the Presentation Server Console as mentioned earlier, in which you won’t install any application code. Then you can either publish the application or run it with the AIERUN command. When publishing through the PSC, in the “Specify what to publish” screen simply browse to the already installed executable and then select the AIE in which you want it to run.

 

For demo purposes I created an AIE named “User Settings Demo”. I published regedt32.exe and selected the AIE “User Settings Demo”. Now I run the published application with an ICA Client from the Server Console. I also start regedt32.exe from the Server Console. Keep in mind that the Local Machine registry is the same from the Server Console as from within a published application as long as you are running on the same server, which I am. During the logon script of the published application I create two empty subkeys under the Local Machine Software registry named “usersetting1” and “usersetting2”. This is what a “bad” application could do during startup or while working with the application. The following is the result:

 

The left is the registry editor running on the Server Console. The right is the registry editor running through a published application on the same server at the same time :-).

 

The registry keys are actually saved in the Current User registry under \Software\Citrix\AIE\%AIENAME%, but to the application they appear to be under the Local Machine Software registry. This means machine settings are saved per user from now on, and multiple concurrent users on the same server can have different machine settings.

 

What will not work with AIE?

 

Of course there are limitations. But I think we will find out in the field the hard way.

OS patches, drivers and really deeply integrating applications probably won’t work, especially when installing into an AIE. Until now, all application isolation, virtualization and redirection software I’ve come across has had some sort of limitation like the ones I just mentioned.

 

What can it solve?