Application Virtualization: Streamlining Distribution

Virtualization is all the rage these days, judging by the many products on the market--VMWare and Microsoft's Virtual PC, for instance--that let administrators virtualize at the OS layer. Forty percent of North American enterprises are using server virtualization, according to Forrester estimates, with support for the technology to be embedded into most server hardware by 2008.

But what about applying virtualization at the application level? A number of companies are entering this emerging area, which is variously referred to as application virtualization, application isolation, application sandboxing or application streaming. No matter the name, the process involves wrapping the application in a layer that isolates it from the operating system and other applications--whatever the application does, it can't affect or be affected by other running applications. Any file or registry changes the application requires or performs are isolated and captured by the wrapper layer. The result is an application that's much easier to distribute and remove from user workstations. Although virtualized applications can be used on servers, it is more likely that OS virtualization will be done on the server side and application virtualization will be relegated to the client side.

By now, most midsize and large IT shops have had to come up with a convention for distributing applications to users. The process might involve installing all necessary applications to a reference or "gold" machine and then cloning it (using a product like Symantec Ghost), or using a software-distribution system, such as Novell ZENworks or Microsoft Systems Management Server, to distribute applications one at a time.

Those options are fine for basic software distribution, but can lead to library conflicts if two apps need different versions of the same DLL--for example, when Outlook and Eudora try to use different versions of the MAPI32. DLL. Other problems can occur in the process of upgrading versions of Microsoft Office, where some documents must be opened using the new version while others must remain in the old version; it's unlikely that both Office versions will run on the same computer. And app-support groups often must provide tech support for multiple app versions that, by design, can only be installed once per machine. This is where app virtualization can help: It lets you easily distribute apps and run multiple versions of one app on the same machine.

Virtualization also eases removing apps from a workstation. It's a common practice to reinstall an OS to clean up the extra files not removed after an application is uninstalled, which can slow workstation performance. With virtualization, there is less registry bloat since the entries used by a virtualized app don't go into the OS registry, but into the virtual one. This results in a cleaner OS that should rarely need reinstallation. And depending on the way an application was virtualized, it may be possible to reset the app back to the originally installed state.Each virtualized application's DLL instances are kept separate from those of other apps, so there is less chance that a new virtual application will interfere with previously installed ones. Not every application can be virtualized. Device drivers and other programs that require kernel-level access are not good candidates. And the same is true for programs that rely on device drivers, such as those included with hardware scanners.

We examined three application-virtualization products--Altiris SVS (Software Virtualization Solution), Softricity SoftGrid Universal Desktop and Thinstall Embedded--that are a good representation of the types of products available. Each takes a different approach to application virtualization for Windows computers. The Altiris and Softricity products install a small client on the Windows workstation that provides the isolation layer. Thinstall Embedded is clientless--nothing special needs to be installed on the Windows OS. Instead, the small client piece is bundled as part of the new virtualized application Thinstall creates. Virtualization can be performed on the Unix/Linux platform with other products, such as Availigent's Duration, and Meiosys (now owned by IBM) has a product called MetaCluster that will do application virtualization in a cluster environment for Unix systems.

Altiris SVS

The SVS client provides a filter driver for the file system and Windows Registry to redirect calls from the virtualized application to the virtual registry and file store. The client is small and will have a slight performance impact when opening files, but once the file is open, no noticeable difference should be detected. We didn't notice any performance degradation while using SVS.

With Thinstall and SoftGrid, the virtualized application files are not visible outside of the virtualized application, meaning the files are hidden even from Windows Explorer. This is not the case with SVS: The files show up as if they were installed there by the application installer. Because of this, running multiple versions of the same program simultaneously isn't possible; instead, only one version of an application can be made active at a time. This also means that a virus or malicious user could damage an application and prevent it from running. On a positive note, such a mechanism makes it simple to reset an application package back to the installed state, removing any changes (and even restoring deleted files) with the GUI admin or command-line programs.SVS should work with any existing application-distribution system, including SMS or ZENworks. If you aren't using this type of system, you can buy Altiris' Software Delivery Solution to make delivery of SVS packages easier.

Virtualizing an application using SVS is straightforward. Using the admin tool, start the "Create new layer" wizard. Next, using the "Install application" option, enter the location of an application's install binary. The administration tool then launches the install. Once the process is complete, SVS builds the virtualized application into a read-only layer. There is no before/after snapshot needed.

There are prepackaged open-source or freely downloadable applications for use with SVS available from suites such as svsdownloads.com. After download, it's a simple matter of activating it on a workstation with the SVS client. We downloaded Open Office 2.0 from that site and used it to write this article.

Administrators who must evaluate multiple software packages will appreciate SVS. Getting an application virtualized and ready for use on a single workstation is much easier than it is with the other two systems we looked at. After evaluation, all it takes to remove all traces of the software is deactivating and deleting the layer--no more guessing if the uninstall program left any remnants. And at $29 per node or free for personal at-home use, SVS is a viable low-cost option.

Softricity SoftGridThe SoftGrid approach is to provide a complete application management and distribution system. Its client-server architecture provides a scalable way to let the corporate workforce (including mobile users) get the applications they need installed and running. SoftGrid is built around Microsoft's Active Directory and Internet Information Services. For shops that don't already have an AD domain or IIS running in their infrastructures, those technologies must be implemented before the product can be used. This is a big negative for SoftGrid.

Each user workstation requires the SoftGrid desktop client, which communicates with the Virtual Application Server (or pool of servers) to see what applications a logged-in user or specific workstation has been granted rights to. The icons for these apps, along with the file associations, are added to the local workstation. File association lets users open an app that may or may not have been previously installed or run on the user workstation. When the virtualized app is started on the workstation, SoftGrid will start to stream the app to the local workstation. The virtualized application is packaged so the files needed to get the program up and running are sent first. SoftGrid will stream to the workstation only what is needed and cache it locally on the workstation. A virtualized application also can be forced to completely cache by a user or admin. This is handy with a large mobile workforce, since you can ensure the remote workstations have what they need before they disconnect from the network.

As with Thinstall, the running virtualized app itself is the only thing that can see or access the files packaged in the virtual app bundle. Other apps cannot even see that the virtual apps files exist, making it possible to run multiple versions of an app at the same time. We used both Microsoft Word XP and Word 2003 simultaneously on the same workstation without any problems, for example.

SoftGrid does more than just application virtualization. It also lets you perform license tracking and compliance reporting, which simplifies the process of figuring out if purchased software licenses are actually being used.SoftGrid's client access license costs $200 per named user or device; a license for unlimited servers and sequencers costs $5,000.

Softricity was recently acquired by Microsoft. The company says in the short term, it doesn't expect any changes to its product line. Longer term, it says Microsoft will help improve its small-business market coverage.

Thinstall Embedded

All of Thinstall's application files and registry entries, as well as the run-time client, are combined into a single EXE file (depending on the application virtualized, it might be a very large file). As long as users can run an app in user mode, they can run the virtualized app just by launching it. After the application is closed, only a few temporary files holding any file or registry changes made by the virtualized app remain. If the application is run again, the changes from the previous execution will be used from these temporary files. An admin can simply copy the file to the local workstation and provide a desktop shortcut to launch the app, or provide an icon that would launch the virtualized application off of a network share instead of copying the single EXE to the local workstation.

One downside of Thinstall's clientless solution is that apparently locked-down machines could be compromised by, for instance, user deployment of a favorite but forbidden program that runs as a virtualized application. Of course, it's unlikely that a user would go to the trouble of buying virtualization software, but there's a chance that applications virtualized with Thinstall technology will be freely available on the Internet. Another downside: Pirating software can be easily accomplished by copying the single EXE file. Fortunately, Thinstall's built-in licensing mechanisms help prevent this by letting an administrator tie the application to various hardware identifiers (such as MAC address).Thinstall's technology is also useful for home/remote employees. An IT department can put a single application binary on a CD and make it autorun when placed in a computer. The remote worker can run the app without actually installing the software on the workstation.

Thinstall Embedded is targeted at the ISV/ISP market and is in use internally by Lucent, Qualcomm, T-Mobile and the U.S. Department of Defense. You must know what files and registry settings a particular application needs to run to build the target virtualized application, so it's best used for in-house-developed applications.

The good news is this technology works well. We took an app developed locally and turned it into a virtualized one with little difficulty. We bundled the entire app, including example files and registry settings, into a single EXE file. We then took this EXE to a workstation that had been locked down to prevent users from making file and registry changes and ran it from a network share. Using the app's Open File dialog box, we browsed to the location on the local hard drive where the example files would be if the app were local. Sure enough, the example files appeared to be on the local file system, though they weren't. We also know that this app writes several temporary files where it's installed. On a locked-down workstation, we would have to let the app write these files to the system--creating a hole through which other apps or viruses could create or modify files. The virtualized app acted as if it could write out these temporary files, even though no rights to the local file system had been granted.

Another Thinstall feature is that the single binary it creates can compress files (the default setting) and even encrypt them. The compression means less network bandwidth is needed to launch a virtualized application when the application binary resides on a server.

Thinstall should soon be in beta with a new product aimed at IT administrators called Thinstall Virtualization Suite. We were shown an alpha version of this software product. which lets admins capture a typical software package install and turn it into a virtualized application. Just about any application should be able to be virtualized this way. You start by taking a snapshot of a clean Windows workstation, then install the software package to be virtualized, run the application and do any desired customization, and take a second snapshot. The Virtualization Suite will then capture any changes and store the information in a format ready to build a virtualized application from. This is a product worth watching for.Thinstall Embedded costs $5,000 per application and $15 per workstation; Thinstall Virtualization Suite is expected to cost $10,000 per administrator and $75 per workstation.

Given the maturation of this market, app virtualization should be on everyone's watch list. This is how Windows apps should have been packaged from the start. na

James E. Drews is a network administrator for the CAE Center of the University of Wisconsin-Madison. Write to him at [email protected].