Process Interception
Introduction

Process Interception is a new feature of RES Workspace Manager 2012.
It is an extension of the Managed Application control that currently
exists. Traditionally, applications were managed by RES Workspace
Manager by changing the shortcut that pointed to an existing
application. This allowed RES Workspace Manager to control what
happened when an application was launched, or even if it was allowed
to be accessed. This is a very good approach for most situations and
is still supported and recommended.

RES Workspace Manager extends this functionality by including Process
Interception. Process Interception monitors what processes are being
launched by the user, pauses the process if necessary to apply
configurations, and then resumes the process. This approach allows
more flexibility for Managed Applications and helps to open up new
use cases for RES Workspace Manager.

This document explains in which situations Process Interception
should (or should not) be used and explains how to set up Process
Interception. A Troubleshooting section is included at the end of the
document. Refer to the RES Workspace Manager Administration Guide
2012 for more information about this feature, available at
http://support.ressoftware.com/workspacemanageradminguide2012/.
About this Guide

The purpose of this Guide is to explain Process Interception, which
was introduced in RES Workspace Manager 2012. The provided
information in this guide applies to:

Product                 Version   Service Release
RES Workspace Manager   2012      -
Microsoft Windows       2008 R2   -
Citrix XenApp           6.5       -
Audience

RES Software Best Practice Documentation is carefully researched and
written for a specific target audience and is intended primarily for
Administrators. This document also makes the assumption that the
reader is familiar with RES Workspace Manager and knows how to set up
and configure different features, including Managed Applications.

Finding Product documentation

RES Software provides product documentation for different stages of
deployment: from designing the environment, to installing, using and
troubleshooting. After a product is released, information is provided
via the integrated product help file, the Administration Guide and
the online Knowledgebase, available at http://support.ressoftware.com.
When to use Process Interception

Process Interception is very flexible and has numerous use cases. The
three most commonly used scenarios for Process Interception include
intercepting Citrix Published Applications without the need for
republishing, partially managed laptops and desktops, and when
applications call other applications directly. Each scenario is
described below.
Citrix Published Applications

In previous releases, RES Workspace Manager needed to republish
Citrix Published Applications through the console in order to manage
different aspects of Citrix Published Applications. This approach
required that all modifications to applications be done through the
RES Workspace Manager console. Furthermore, any modification to a
published application through the RES Workspace Manager console
required the console to be running on a Citrix XenApp server in the
farm on which the application existed.

With Process Interception, the RES Workspace Composer monitors the
Citrix server and intercepts the specified applications, regardless
of whether they are launched locally, through a published desktop or
through a Published Application. This allows Citrix Administrators to
use the Citrix XenApp console to manage the basic application
properties while still being able to leverage the context awareness
of RES Workspace Manager. All of the benefits that existed before
still apply. However, modifications do not need to be done on a
console running on a server in the same farm as the application.
Partially Managed Environments

Partially managed laptops and desktops are another area where Process
Interception offers great advantages. In this use case, usually in
existing environments where desktop transformation is being used, RES
Workspace Manager is slowly being incorporated to manage the most
critical applications without having a large impact on the end user.
By using Process Interception, the administrator can slowly start
managing specific applications while still allowing the user the
flexibility they are accustomed to having.

Another advantage of using Process Interception in this type of
environment is that users do not need to change the way they work or
change their preferences. Two examples of this flexibility are using
the run command to launch an application, and selecting which browser
is the default. Both can be supported when using Process
Interception.
Application Dependencies

The last use case that is discussed in this document is when
applications call other applications directly. Applications are
normally launched from another application via file type
associations. In RES Workspace Manager this is normally handled
through file type association redefinitions. However, when file type
associations are not used, RES Workspace Manager does not have a way
to know that a specific application is called. This results in the
application being launched unmanaged. With Process Interception, an
application can be managed regardless of how it is launched.

One common application that has been difficult to use with managed
shortcuts and file type associations from RES Workspace Manager is
iManage by Autonomy, a document management system that tightly
integrates with Microsoft Office. This type of application requires
that any configuration is done on a global level and not at
application level, because RES Workspace Manager has no way of
knowing when the application is launched. Process Interception can be
used to move the configuration back to the application level where it
belongs.
When not to use Process Interception

Although Process Interception is very flexible and has many different
use cases, it should not be used in every situation. For example, it
is not recommended to use Process Interception if multiple managed
applications exist that have the same command line. Currently,
Process Interception only matches based on process name and path and
not on parameters. This means that if multiple managed applications
exist but only differ on the parameter, the first one to match
alphabetically will be intercepted.
How to Set Up Process Interception

This section describes how to set up Process Interception in
different scenarios. This covers only the differences in setting up
Process Interception and does not cover how to set up Managed
Applications.

General

In the Applications node, Windows Shell Shortcut Creation can be set
to Do nothing, Merge or Replace. Process Interception works for all
creation modes. To enable or disable Process Interception per
Workspace Container, select the option "Disable process interception
for unmanaged shortcuts", available on the Properties tab. Exceptions
per Workspace Container can be created by clicking the [+].
Standard Desktop/Laptop/VDI

Process Interception still uses Managed Applications to determine
which applications to track and configure. As shown below, Process
Interception can be enabled by setting the option "If managed
shortcut was not used" from "Ignore" to "Intercept new process and
apply configuration".

With this approach, anytime WINWORD.exe is launched from the above
command line, the process will be paused, context checked,
configurations applied, and then resumed. The only difference between
using Process Interception and a managed shortcut is that the
application can be launched independently of the managed shortcut.
This is especially useful in non-greenfield scenarios where only
specific applications need to be managed and desktop transformation
is not complete.
Citrix XenApp Published Applications

Process Interception can be used with existing Citrix XenApp
Published Applications that are not controlled by RES Workspace
Manager. The process to manage Citrix XenApp Published Applications
is very similar to standard desktops or laptops. The application
still needs to be listed as a managed application and pass all of the
access control tests. Also, just like a desktop or laptop, the Run
Workspace Composer functionality needs to be set to Automatic mode in
the section Administration > Agents as shown in the screenshot below.
This functionality did not exist in previous releases of RES
Workspace Manager.

NOTE: The option to set Run Workspace Composer to Automatic is only
available on Windows Server Operating Systems running both the RES
Workspace Manager Agent and also a version of Citrix XenApp. At the
release of this document, Process Interception does not support
Windows Remote Desktop Services and Windows Remote Applications.

RES Software provides a tool to help migrate or manage existing
Citrix XenApp Published Applications into RES Workspace Manager. This
tool is called the "Integration Toolkit for Citrix XenApp v2", and
can be found on the support site under Downloads > RES Workspace
Manager > Utilities. A new addition to this tool is the ability to
enable Process Interception as shown in the screenshot below. For
more information, please consult the documentation provided in the
download.
Troubleshooting

This section describes troubleshooting steps to take if Process
Interception does not appear to be working. The following three
sections describe basic troubleshooting steps, an example scenario
and some advanced logging.

Step 1: Back to basic

In this scenario, Microsoft Windows Notepad is used as an example
application, in order to verify that Process Interception works in a
basic setup. Notepad is created as a Managed Application in the RES
Workspace Manager Console and Process Interception is activated as
shown below:

One way to make sure that Process Interception is being used is to
display a Notification on launch of the application.

NOTE: Although it is possible to use an Action like a drive mapping
or an Execute Command from the Configuration section for this
purpose, the Action may fail for reasons that are not related to
Process Interception. This is why a Notification is suggested.
Configuring the Notification:

NOTE: Do not use "Show once" in this troubleshooting scenario,
because it will only appear the first time.

The following example tests launching Notepad using a Citrix XenApp
session running RES Workspace Manager. To launch Notepad, browse to
c:\windows\system32 and launch notepad.exe directly. If Process
Interception is working, the notification below is shown:
After the notification is shown and OK is clicked (or after waiting
for 60 seconds), Notepad is launched. This confirms that the process
was intercepted, because the Notification was shown. If the process
was not intercepted, Notepad is launched directly without showing the
notification.

NOTE: If it is not possible to browse to the c:\ drive due to
restrictions, a shortcut can be made available to
c:\windows\system32\notepad.exe on the User's Home Drive or any other
accessible location.

Proceed to Step 2 if Notepad was intercepted and the notification was
shown.
Proceed to Step 3 if Process Interception did not work.
Step 2: Examples

The above scenario was very basic and many other factors are usually
involved in a real world scenario. The next example takes a step
further in basic troubleshooting. The general steps for
troubleshooting Process Interception are as follows:

1. Configure a Notification at application launch
2. Check the User Event log for related errors
3. Make sure that the path of the configured application and the
   application being launched match
4. Make sure that the RES Workspace Composer is set to run in
   "Automatic" mode
Example 1

In this example, Notepad is configured as a managed application and
Process Interception is enabled. There is an action configured to map
the M: drive when Notepad is launched. However, when Notepad is
launched, the M: drive is not available when the user tries to save
the file.

To confirm that the process was intercepted, configure a Notification
at application launch as described in Step 1 and check whether it is
shown. If the notification was shown, the next step is to review the
User Event log in Diagnostics (Diagnostics > User Sessions, double
click the user, Diagnostics > Event Log) to determine why the drive
was not mapped. In this example, the issue was related to a
misconfigured drive mapping and not related to Process Interception.
This is one reason why the suggested approach is to use a
Notification. The screenshot of the Event Log below shows the issue:
Example 2

In this example, Notepad is configured as a managed application and
Process Interception is enabled. The application is launched from the
Citrix Web Interface and RES Workspace Manager Composer is set to
Automatic. When the user launches the Citrix Published Notepad
application, several configured Actions are not executed. A
Notification is configured and is not shown, and there are no errors
in the Event Log. The next step is to check the application paths to
verify that they are correct.

In Citrix XenApp:
In RES Workspace Manager:

In this example, the paths do not match. After adjusting the path in
the Citrix XenApp published application, the process is intercepted.
It is important to remember that the process is matched on the entire
command line and not just the process name (unless a wildcard is
used). If many applications are configured, a dump of all intercepted
processes can also be useful. More information about this can be
found in Step 3: Advanced Troubleshooting.
Example 3

In this example, Microsoft Office Outlook is configured as a managed
application and Process Interception is enabled. E-mail settings are
configured and should be pushed when a user launches Outlook.
However, the Email Settings are not configured when the user launches
Outlook and the user is presented with the Microsoft Office Outlook
Wizard. A Notification is configured and is not shown, and there are
no errors in the Event Log. This behavior may occur on certain
servers but not all.

The configured application:

Like in the example above, examine the paths first to see if a match
can be found. The option to generate a dump will be described in
Step 3: Advanced Troubleshooting. For this example, Microsoft Office
is installed in the C:\Program Files directory and Outlook.exe can be
found in "C:\Program Files\Microsoft Office\Office14\Outlook.exe".
This path may not be the same for all servers if they are a mix of
32-bit and 64-bit, or if the version of Microsoft Office is
different. One way to solve this is to use wildcards or parameters as
discussed above in How to Set Up Process Interception.
Step 3: Advanced Troubleshooting

If the problem could not be found and fixed in Step 1 and 2, we need
to proceed with advanced methods to acquire more information. This
consists of creating a dump of all Process Intercepted paths and
tracing when the problem occurs. There are 2 separate traces that are
needed for troubleshooting: the general trace and the trace that is
specific for Process Interception.

Dump of all Process Intercepted paths

When many applications are configured in the RES Workspace Manager
console, a dump of all Process Intercepted paths for the current
session can help when comparing paths. This dump file is configured
for a specific user as follows:

The setting ImgGuardDump=Yes needs to be configured in the user's
pwruser.ini file under the Preferences section. This can be done via
the RES Workspace Manager console or manually.

Via RES Workspace Manager Console:

1. Create a new object at Composition > Files and Folders > Home
   Directory. The Object is the pwruser.ini, Action is set to "Set
   specific values in INI-file":
2. Click the Browse button as shown above. This will launch the Edit
   INI-file value dialog box where you can fill in the values shown
   below and click OK.

When the user logs on to a RES Workspace Manager session, this
generates a file called ImgGuardDump_servername in the Personal
Settings\pwrmenu folder of the Home Drive of the specific user.
Tracing:

This will generate 2 trace files. The first file is the general trace
file with information of RES Workspace Manager processes. The second
file is the trace for Process Interception.

Enable tracing:

To enable tracing through RES Automation Manager, follow the steps
below or download the Building Block on the RES Software Support
portal: http://support.ressoftware.com.

1. Stop the "RES Workspace Manager Agent Service"
2. Add the following registry values to the machine running RES
   Workspace Manager in the key

   32-bit OS: HKEY_LOCAL_MACHINE\SOFTWARE\RES\Workspace Manager
   64-bit OS: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RES\Workspace Manager

   Value: Trace
   Type: REG_SZ
   Data: Yes

   Value: TraceDetailed
   Type: REG_SZ
   Data: Yes

   Value: TraceFile
   Type: REG_SZ
   Data: c:\temp\RESTrace.log

3. Start the "RES Workspace Manager Agent Service"
4. Verify that the trace file is created at the specified location.
   This is the value of the TraceFile key (C:\temp\RESTrace.log in
   this example).
Note:

The location of c:\temp\RESTrace.log can be changed if necessary.

It is not possible to use a variable like %systemroot% or %windir%.

This file will reach a maximum size of 2MB, after which older entries
will be overwritten. The file will not change the date/timestamp from
the original creation date.

Please make sure that every user has Modify permissions on the folder
where the log file is created.

If you have configured Read-Only Blanketing, make sure you make an
exception for the location of the trace file.
After reproducing the problem, two trace files will be generated:

The general trace will be in the location specified in TraceFile
(c:\temp\RESTrace.log in this example).

The Process Interception trace, called igstub.log, will be in the
%TEMP% directory of the user.

General trace:

In the general trace file, verify that pfwsmgr.exe is present. If
this process is not shown in the file, the user did not have
permission to write to the file. Please change the TraceFile variable
and try again. When troubleshooting Process Interception, look
specifically for "ImgGuard" as shown in the screenshot below.

4324 pfwsmgr 3 Testuser015 ProcessImgGuardEvent; Title = [IG1_2_1_6336]
4324 pfwsmgr 3 Testuser015 sharedImgGuard.SetImgGuardEvent; Setting ImgGuard event: IG1_2
4324 pfwsmgr 3 Testuser015 sharedImgGuard.ProcessImgGuardEvent; Loading user settings, actions, etc for application
4324 pfwsmgr 3 Testuser015 fysnChangedRunProgram; ImgGuard intercept launch -> RuleID = 1; MsgID = 2; ProcessID = 6336
4324 pfwsmgr 3 Testuser015 fysnChangedRunProgram; mstrPwrGateParms = %PWRGATEPARMS%
Process Interception trace:

The Process Interception specific trace file is called igstub.log and
can be found in the %TEMP% directory of the user.

NOTE: This specific file is written in the User's Temp directory in
the Local AppData folder and might be removed when logging off the
session.

Example file:

IgStub HandleNotification; Creating event IG1 IG1_1
IgStub HandleNotification; Creating event IG2 IG2_1
IgStub HandleNotification; Process ImageFileName \Device\HarddiskVolume1\Windows\System32\notepad.exe
IgStub HandleNotification; Parent ProcessName \Device\HarddiskVolume1\Windows\explorer.exe
IgStub HandleNotification; Opened mutex:000000c8
IgStub HandleNotification; Waiting for mutex:000000c8

If after following the above troubleshooting steps the issue still
occurs, please send both files including a clear problem description
and troubleshooting steps already taken to [email protected].
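
The path comparison from Example 2 and Example 3 can be done directly against the two trace files. The following Python sketch is an added example, not part of the RES guide or of any RES tool: it reads intercept events from the general trace and image paths from igstub.log, then lists launches whose path matches no configured command line. Assumptions: the sample lines (including the Outlook launch) are constructed, the volume-to-drive mapping and the configured paths are placeholders, igstub.log is assumed to record launches that were not intercepted as well, and the case-insensitive fnmatch-style wildcard match only approximates the product's matching.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample input modelled on the two trace excerpts in this guide.
GENERAL_TRACE = """\
4324 pfwsmgr 3 Testuser015 ProcessImgGuardEvent; Title = [IG1_2_1_6336]
4324 pfwsmgr 3 Testuser015 fysnChangedRunProgram; ImgGuard intercept launch -> RuleID = 1; MsgID = 2; ProcessID = 6336
"""
IGSTUB_LOG = r"""
IgStub HandleNotification; Process ImageFileName \Device\HarddiskVolume1\Windows\System32\notepad.exe
IgStub HandleNotification; Parent ProcessName \Device\HarddiskVolume1\Windows\explorer.exe
IgStub HandleNotification; Process ImageFileName \Device\HarddiskVolume1\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
IgStub HandleNotification; Parent ProcessName \Device\HarddiskVolume1\Windows\explorer.exe
"""
# Assumptions: the volume-to-drive mapping and the configured command lines.
VOLUME_MAP = {r"\Device\HarddiskVolume1": "C:"}
CONFIGURED = [r"C:\Windows\System32\notepad.exe",
              r"C:\Program Files\Microsoft Office\Office14\Outlook.exe"]
CONFIGURED_WILDCARD = [r"C:\Windows\System32\notepad.exe",
                       r"C:\Program Files*\Microsoft Office\Office*\Outlook.exe"]

IMAGE_RE = re.compile(r"Process ImageFileName\s+(\\Device\\.+?)\s*$")
PARENT_RE = re.compile(r"Parent ProcessName\s+(\\Device\\.+?)\s*$")
INTERCEPT_RE = re.compile(
    r"ImgGuard intercept launch.*?RuleID = (\d+); MsgID = (\d+); ProcessID = (\d+)")

def to_dos_path(nt_path, volume_map):
    """Rewrite \\Device\\HarddiskVolumeN\\... to a drive-letter path."""
    for device, drive in volume_map.items():
        if nt_path.lower().startswith(device.lower() + "\\"):
            return drive + nt_path[len(device):]
    return nt_path  # unknown volume: keep as-is so it is reported as unmatched

def parse_igstub(text, volume_map):
    """Return a list of (image_path, parent_path) pairs from igstub.log text."""
    launches, image = [], None
    for line in text.splitlines():
        m = IMAGE_RE.search(line)
        if m:
            if image is not None:          # previous image had no parent line
                launches.append((image, None))
            image = to_dos_path(m.group(1), volume_map)
            continue
        m = PARENT_RE.search(line)
        if m and image is not None:
            launches.append((image, to_dos_path(m.group(1), volume_map)))
            image = None
    if image is not None:
        launches.append((image, None))
    return launches

def parse_intercepts(text):
    """Return the intercept events recorded in the general trace."""
    return [dict(zip(("rule_id", "msg_id", "pid"), map(int, m.groups())))
            for m in INTERCEPT_RE.finditer(text)]

def unmanaged_launches(launches, configured):
    """Launches whose image path matches none of the configured paths."""
    patterns = [p.lower() for p in configured]
    return [(image, parent) for image, parent in launches
            if not any(fnmatchcase(image.lower(), p) for p in patterns)]

if __name__ == "__main__":
    seen = parse_igstub(IGSTUB_LOG, VOLUME_MAP)
    print("intercept events:", parse_intercepts(GENERAL_TRACE))
    for image, parent in unmanaged_launches(seen, CONFIGURED):
        print("no configured path matches:", image, "(parent:", parent, ")")
```

With the exact-path list, the Outlook launch from Program Files (x86) is reported as unmatched, which is the mixed 32-bit/64-bit situation of Example 3; with the wildcard list nothing is reported.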
Disclaimer

Whilst every care has been taken by RES Software to ensure that the
information contained in this publication is correct and complete, it
is possible that this is not the case. RES Software provides the
publication "as is", without any warranty for its soundness,
suitability for a different purpose or otherwise. RES Software is not
liable for any damage which has occurred or may occur as a result of
or in any respect related to the use of this publication. RES
Software may change or terminate this publication at any time without
further notice and shall not be responsible for any consequence(s)
arising there from. Subject to this disclaimer, RES Software is not
responsible for any contributions by third parties to this
publication.

Copyright Notice

Copyright © on software and all Materials 1998-2011 Real Enterprise
Solutions Development BV, P.O. Box 33, 5201 AA 's-Hertogenbosch, The
Netherlands. RES and the RES Software Logo are either registered
trademarks or service marks of Real Enterprise Solutions Nederland
B.V. in Europe, the United States and other countries. RES Automation
Manager, RES Workspace Manager, Dynamic Desktop Studio, Virtual
Desktop Extender and RES VDX are trade names of Real Enterprise
Solutions Nederland B.V. in Europe, the United States and other
countries. All other product and company names mentioned may be
trademarks and/or service marks of their respective owners. Real
Enterprise Solutions Development BV, The Netherlands has the
following patents: U.S. Pat. "US 7,433,962", "US 7,565,652",
"US 7,725,527", other patents pending or granted.