Back in 1996, not long after our first release of WinFrame, Citrix received some feedback that there was a need for more security. Specifically, it was considered dangerous to let the client side specify any executable to be run on the server. It was not hard to see that if an administrator left a machine open so that anything on the server could be executed, it would be possible to start things like command prompts and special diagnostic tools without too much trouble.
Generally it would be a nightmare to lock down executables individually. What could be done instead?
Ta da! Published applications were born. With some fairly small design changes, the only applications allowed to run would be those published between the servers in a simple data store. These applications would be referred to by an admin-generated name that maps to an actual executable path on the given server. This listing acted as a gateway to the actual location of the programs. Anything outside the list was considered off limits (based on admin settings).
This solved another problem as well. If you have a client that is connecting to two different servers over time and the applications are installed in different locations on those servers, then the client needs some kind of translation layer. The common application name could map to different physical locations on the two servers.
Then you have to consider that application publishing also allowed for load balancing. If you want a specific application but do not care which server you get, then the load balancing can find the best fit for your request based on the common name.
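The lookup described in the three paragraphs above, sketched as an added example. This is not Citrix code: the server names, paths, load figures and function names are all constructed for illustration.

```python
# Illustrative sketch only: names, paths and load figures are constructed.
# Data store shared between servers: published name -> {server: local path}.
PUBLISHED = {
    "Payroll": {"SRV-A": r"C:\Apps\Payroll\payroll.exe",
                "SRV-B": r"D:\Finance\payroll.exe"},
    "Notepad": {"SRV-A": r"C:\WINNT\system32\notepad.exe"},
}
LOAD = {"SRV-A": 12, "SRV-B": 3}  # constructed: active sessions per server


class NotPublished(Exception):
    """The request named something outside the published list."""


def resolve(name, server=None, store=PUBLISHED, load=LOAD):
    """Map a published name to (server, executable path).

    The client only ever supplies a name; the path comes from the store,
    so a raw path such as cmd.exe simply fails the lookup.
    """
    targets = store.get(name) if isinstance(name, str) else None
    if not targets:
        raise NotPublished(repr(name))
    if server is not None:
        # Client asked for a specific server: translate the name there.
        if server not in targets:
            raise NotPublished(f"{name!r} is not published on {server}")
        return server, targets[server]
    # No preference: load balance across servers that publish the name.
    best = min(targets, key=lambda s: load.get(s, float("inf")))
    return best, targets[best]


def decide(requests):
    """Return a list of (request, outcome) pairs, denying by default."""
    results = []
    for name, server in requests:
        try:
            results.append(((name, server), resolve(name, server)))
        except NotPublished:
            results.append(((name, server), "DENIED"))
    return results
```

The same name resolves to a different path on each server, and a request that carries an executable path instead of a published name is denied because it never matches an entry.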
Published applications also make it possible to support seamless integration with Web Interface and PN Agent, and even with how seamless windows work.
This all started as a security requirement but quickly expanded to include many other fields. It is really a cornerstone in Citrix’s success over the last 10 years to have this support as part of Presentation Server.
Now with the concept of publishing desktops, the idea has come full circle. When Citrix Desktop Server grows to meet the market, a key aspect of how it works will have been started from the 1996 venture to secure WinFrame.
Er. Do you really believe it was 1996 in which someone first said “hey, I should write an access control list?”
I suggest you spend more time with old people before documenting history. VAX/VMS programmers are laughing at you right now; they had this in the late 1970s, when VMS was new, and even they knew they didn’t invent it (I couldn’t tell you who did; that’s the oldest case I can think of.)
Seriously, people need to learn the difference between “we invented it” and “mine was the first I knew of.” Do a little research before claiming you invented something next time; by the time you guys came up with it, any patent on the original would have expired with age.
Honestly.
StoneCypher,
I was a bit surprised that you reacted this way. If you read the post closely, you will see that I did not ever claim that Citrix was first to create such a technology.
I posted this to reveal the nature of how published applications were created within Citrix to address a security concern with WinFrame.
It is not common knowledge how this happened. I thought people might be interested.
As to earlier systems, I respect the wisdom of their creators. They did the best of their time and computer technology is riddled with history repeating itself. Often is the case that if people knew of the designs of the past they would be more respectful of them and acknowledge that they are really modeling the same idea on different systems. It is difficult to be highly innovative when so many things have been done already.
Thanks for your feedback.
Jeff
StoneCypher,
Published Applications and ACLs are different concepts.
If you noticed, Jeff’s post was about Published Apps – which, by the way, I believe that Citrix did invent.