Post to Twitter |
Comments (3) |
Views (11377) |
In Citrix Application Streaming, the "Application Hub" is the place where streaming profiles are stored. The streaming profiler writes content to the Application Hub and the streaming client pulls content from the Application Hub at runtime. Here's a picture of App Streaming high level infrastructure. Focus on the box titled "File Server" circled in red, this is the "Application Hub". It could also be a web server.
Calling the place where streaming profiles are stored the "Application Hub" is great, it describes the concept and makes it clear that this is the place where streaming content is stored, in the hub! Marketing folks LOVE IT. Programmer folks are underwealmed, its a file server.
What gets obscured by the fancy title is that there is ZERO Citrix code running on that server. This was a design goal from the beginning and we have worked hard to keep that pronciple in place - no Citrix code on the server! This done both to reduce the number of places we install stuff, but also to follow the model of "keeping it simple". Customers already have servers, don't ask them to put yet another protocol on their network.
The Application Hub stores your applications, but it is YOUR hub. Any vanilla file server will do or web server. It doesn't matter if its SMB, CIFS, Samba, Novell or HTTP, HTTPS, Apache or IIS. The streaming client will access the content either via UNC based file opens or via a HTTP/HTTPS "get". That it. No extra magic.
Now - you can use your Application Hub (server) to control access to content. Profiles are on-purpose stored in directories of their own. Notice that you have a top level directory that holds all your profiles and that you have subdirectories for applications (profiles) below that space. The streaming profiler absolutely insists that this structure be maintained when profiles are stored. Why? So you can DACL protect the entire profile with rights assigned to a single directory. Its low budget, but it works and administrators are already good at controlling things like this. Relying on the network/web infrastructure that is already in place makes it easy for the Application Hub to implement things like controlled access, again with the Citrix dev team not having to write any code. This makes my life happy and I hope this description of the Application Hub takes away the mystery. Remember though, it is the very grand and glorious "Application Hub" that provides the content for Application Streaming!
Joe Nord
Product Architect - Application Streaming and User Profile Manager
Citrix Systems, Fort Lauderdale, FL
Comments (3)
Dec 09, 2008
Anonymous says:
I'm a little confused... isn't access to streaming apps controlled by the applic...I'm a little confused... isn't access to streaming apps controlled by the applications properties within the farm? Why would an admin want to manage access at a file level on the 'app hub'?? Or maybe i'm just missing the point?
Dec 10, 2008
Joseph Nord says:
Actually, you're not missing the point at all. Here's some more details. ...Actually, you're not missing the point at all. Here's some more details.
Applications can be PUBLISHED to different users via the Access Management Console. This will control whether users get "icons" for the application that they can easily click on to get the application running. It does not control whether users can "see" the profile content. Consider that you have 5 profiles stored on your application hub, each containing 1 application. This will give you 5 icons to publish and you can assign those 5 icons to users. So far, so good. Users who do not have the application published will not "see" the icons to launch the applications.
Some administrators act on the side of paranoia. Let's assume that one of the profiles on the fileserver holds "double secret" information in a database that is packaged along with the installation image. This would be published to the double secret group, but the "hardly trusted at all group" might still be able to see the profile stored on the file server/web server and this would be bad because these hardly trusted people - being smart, could open the database using tools outside of the published space.
To secure the double secret data, the admin can control access to the directory holding the double-secret application. In this way, the not trusted folks will both not get an icon for easy access AND they will be prevented from "seeing" the double secret data via network/web. By using standard protocols for accessing the profile content on the Application Hub, the streaming system gets free utilization of the existing infrastructure and its ability to control access to profile storage. Do folks do this? Most I talk do don't bother, but they CAN and this tends to make them happy.
Dec 30, 2008
Anonymous says:
Or You can do it in a easy way. Use a Active Directory global group (or interlac...Or You can do it in a easy way. Use a Active Directory global group (or interlacing groups) for both permissions, the file system and the published application.
Add Comment