A couple days ago, a new version of iPass was released for use in Citrix. Right after the announcement letter, I received an inquiry.
CAN this application be streamed?
Background: What is iPass?
When traveling to places with outrageously priced internet service, this tool uses a corporate account to get access at a more reasonable price. The beautiful part for my personal view; without iPass, I would have to personally expense $14.95 for hotel or airport internet, while with iPass the corporate contract kicks in and has the fee for the internet use disappears into the Ether of company-wide contract. Awesome, I’m happy, company happy, iPass happy, everyone happy!
Getting to the particulars, this application sits in the network stack to observe wireless network connections and when it finds one that is “iPass enabled”, it automatically fills in the connection details to make things work – without a bunch of questions and without having to PAY.
Getting to the technical details
Observe that the application has a handful, yes multiple NT Services. It also has at least one kernel mode device driver. Below captured from version 3.70, now old.
Although the isolation system can happily load and isolate NT Services, it cannot load and isolate kernel mode device drivers. The follow on to that statement is that to my knowledge there are precisely ZERO application virtualization systems can isolate kernel mode device drivers, and for good reason. Notice I said “isolate”.
Back to the question:
Can Application Streaming isolate this application successfully?
No. The kernel mode driver will need to insert itself into the network filter stack and that isn’t going to happen from inside of isolation. The follow-up question is …
COULD this application be streamed?
One could vision changes to the isolation system to observe the “installation” of kernel mode device drivers and enhancements to the isolation system to automatically load and unload these device drivers as a function of running applications from the supporting profile. This EXACT same thing is done for isolation of services and the isolation system already knows how to do that, so “yes”, this could also be done for loading of kernel mode device drivers. The side note is that kernel mode device drivers are “services” from the perspective of installation.
Given enough time and money, anything can be coded!
I instead provide this response.
SHOULD this application be streamed?
IMHO, the answer is No. This application is “infrastructure” and should be part of the set of installed applications.
Technically, iPass is “part app”, “part driver”. It doesn’t have a piece of hardware connected so it falls away from the true nature of a device driver, but it DOES have a .SYS extension kernel mode device driver and this means that it’s kernel mode and all powerful. For this discussion, “think infrastructure”.
More than this, iPass by it’s nature is supposed to make internet available to “all” applications on the machine. Running from inside of isolation to effect applications outside of isolation rather goes against the idea of an application isolation system.
Just because an application CAN be run isolated does not necessarily mean that it SHOULD be run isolated. The RADE aspects of Application Streaming are SUPER things for getting applications onto execution machines, but this doesn’t always overpower the nature of the application.
When designing the layers of abstraction, the concept is that some applications should be “installed” while most applications should be virtualized.
In each case and for each customer need, the administrator has to make an asscessment of what type of delivery is appropriate for the specific application. This is what Citrix Flexcast is all about – making sure the admin has a sufficiently large toolbox to solve all of their needs.
In the iPass case, locally installing the application is the correct answer.
Product Architect – Citrix Systems XenApp Product Group
App Streaming, Profile Manager, Encrypted Data Plug-in