JasonSamuel.com

We came across an issue getting Symantec Endpoint Protection 12 working with Provisioning Services 6.1. When you install SEP 12 on the Windows 7 VM, it causes the VM to freeze during the install. Sometimes it actually finished installing but then immediately after the VM freezes. In both cases you have to force a reboot. Once the VM is back up, you are not able to login using domain credentials. It will give you a “The trust relationship between this workstation and primary domain failed” error message. So you have to use local admin credentials. Once you are in, some of your apps might be broken. Symantec is sometimes in a half installed state. Running LiveUpdate fails. Your OS is pretty much hosed at this point and you have to start all over.

Through extensive testing, we discovered that SEP 12 was somehow impacting the network stack causing the vDisk to disconnect. SEP and the PVS Target software were vying for control.

We escalated this through Symantec and were finally told there is a compatibility issue between SEP 12 and PVS 6.1 but it is not public knowledge yet. There is an internal ETrack on the issue. SEP 12 has been used with PVS 5.x and provisioned desktops successfully. When Citrix released PVS 6.x, a driver was changed from the previous version and issues have been seen on provisioned desktops if any of the following 3 SEP modules are installed: Advanced Download Protection, SONAR Protection, and IPS. Symantec is working on a code change, but meanwhile you can leave out these modules.

After performing more tests without these 3 modules installed, SEP 12 is installing and running normally without impacting the PVS infrastructure. This is version 12.1.1101 shown below we have tested on. Hopefully a newer version of SEP will be fully compatible with PVS. After the install is done, run a full scan, run the VIE tool (Virtual Image Exception tool), reset your hardware IDs, and you’re ready to spin up VMs in standard/read only vDisk mode.

UPDATE: September 28, 2012
Symantec released an update to fix this as part of their definitions from September 4th onward. It comes to the SEPM automatically as part of the daily update process so everyone should have it at this point. No manual patch or fix is needed. It changes the timing of Symantec. Symantec and the PVS Target will no longer vie for control of the network stack as I understand it. Symantec will start delayed after the PVS Target has fully started. I don’t have any further technical details but I am hoping Symantec will have a KB up soon covering this. We have been testing and everything seems to be working well.

Windows 7, Citrix Receiver 3.0, 3.1, 3.2 etc., and Web Interface 5.4 all work hand in hand with newer XenApp farms. But you might notice if you have older farms in your Web Interface, apps from those farms will not launch when using Windows 7 and Citrix Receiver. You’ll get a message like this when you click on an app icon:

The network connection to your application was interrupted.  Try to access your application later, or contact your help desk.

Really helpful right? Well if you look at your event log on your Windows 7 box, you get something even more cryptic:

The description for Event ID 1 from source ICA Client (Vanadium) 
cannot be found. Either the component that raises this event is not 
installed on your local computer or the installation is corrupted. 
You can install or repair the component on the local computer.

If the event originated on another computer, the display 
information had to be saved with the event.

The following information was included with the event: 

Vanadium: TW Protocol error: Data rejected
Cmd = CMD_TW2_TEXTOUT
The data containing the error is below (1953 bytes)

I get this error with apps hosted on legacy MetaFrame XP and Presentation Server 4.0 farms. The work around is to go to your farm’s console, right click on your farm name, Properties > ICA Settings and uncheck the “Discard redundant graphics operations” setting.

After making this change, the apps will launch just fine. Additionally on some MetaFrame XP apps, I’ve had to go under the actual published application properties and lower the resolution of the app. I doubt Citrix will ever release a fix for this since legacy farms are not supported and reached End of Life years ago. You should get your apps moved over to newer XenApp farms as soon as possible.