6.3.2 Secondary Brokers

The Secondary Broker

The Secondary Broker is a specialized component designed to offload the virtualization process to target networks, typically isolated IT or OT networks. It extends the functionality of the Primary Broker and enables a more decentralized architecture compared to solely relying on a Primary Broker for virtualization workloads.

Secondary Brokers are typically situated on the application host or within the target network where the final connections are established. They serve as a connection agent or bridge to local resources, managing access to specific application servers or resource pools. A key function of Secondary Brokers is to enable secure access across different networks and locations without requiring any inbound ports on the target network, which significantly enhances security and reduces the attack surface.

Secondary Brokers can also be used for efficient load distribution and resource availability, especially in high-demand environments, and can be deployed in multiple locations or domains. Secondary Brokers can also function as a secure alternative to a jump server for accessing IT or OT networks. When used in pools with the same pool name, they create a load-balancing scenario for applications across multiple similar servers.

Key Roles and Responsibilities of the Secondary Broker

Offloading Virtualization and Connection Facilitation

The Secondary Broker takes the Virtualization Server process to the networks where the final connections are established. It acts as a connection agent or bridge to local resources on the target network, such as application servers, terminal servers, VDI servers, remote desktops, virtual machines, physical desktops, Windows applications, and web applications.

Enabling Secure Access Without Inbound Ports

A crucial function of the Secondary Broker is to enable seamless connections to various resources across different networks and locations without requiring any inbound ports to be opened on the target network. This design minimizes network exposure and significantly enhances security. The Secondary Broker facilitates secure, outbound-only connections for remote desktop access, reducing potential security risks associated with open ports.

Supporting Scalability and Remote Load Balancing

Secondary Brokers extend the functionality of the Primary Broker, allowing the architecture to scale access across multiple environments and locations. They are instrumental in optimizing resource distribution and load balancing across networks. When multiple Secondary Brokers are configured with the same pool name, they create a load-balancing scenario, pooling applications across multiple servers to enhance efficiency and redundancy. The Primary Broker monitors the activity of Secondary Brokers and performs load balancing among them.
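The outbound-only registration described above and the pool-name load balancing described here can be modelled together. The following is an added illustrative model, not Thinfinity's own code: it assumes that each Secondary Broker opens its channel to the Primary Broker and sends heartbeats, that the Primary Broker never dials into the target network, and that a 30-second heartbeat timeout and least-loaded selection are the policy (all three are assumptions made for the example).

```python
from dataclasses import dataclass

@dataclass
class SecondaryBroker:
    name: str
    pool: str            # brokers sharing a pool name form one load-balanced pool
    sessions: int = 0    # sessions currently routed through this broker
    last_heartbeat: float = 0.0

class PrimaryBroker:
    """Simplified model of the Primary Broker's view of its secondaries.
    It only records channels that secondaries initiated outbound; it never
    needs an inbound port on the target network (assumed timeout: 30 s)."""
    HEARTBEAT_TIMEOUT = 30.0

    def __init__(self):
        self.pools = {}  # pool name -> {broker name -> SecondaryBroker}

    def register(self, name, pool, now):
        # Called when a Secondary Broker opens its outbound channel.
        broker = SecondaryBroker(name, pool, last_heartbeat=now)
        self.pools.setdefault(pool, {})[name] = broker
        return broker

    def heartbeat(self, name, pool, sessions, now):
        # Secondary reports its load over the channel it already holds open.
        broker = self.pools[pool][name]
        broker.sessions = sessions
        broker.last_heartbeat = now

    def healthy(self, pool, now):
        # A broker whose channel went silent past the timeout is not eligible.
        return [b for b in self.pools.get(pool, {}).values()
                if now - b.last_heartbeat <= self.HEARTBEAT_TIMEOUT]

    def assign(self, pool, now):
        # Route a new session to the least-loaded healthy broker in the pool.
        candidates = self.healthy(pool, now)
        if not candidates:
            return None
        chosen = min(candidates, key=lambda b: (b.sessions, b.name))
        chosen.sessions += 1
        return chosen.name

def demo():
    # Constructed scenario: two secondaries in an OT pool, one in a cloud pool.
    pb = PrimaryBroker()
    pb.register("sb-a", "ot-plant", now=0.0)
    pb.register("sb-b", "ot-plant", now=0.0)
    pb.register("sb-c", "cloud-apps", now=0.0)
    first = [pb.assign("ot-plant", now=1.0) for _ in range(3)]
    pb.heartbeat("sb-b", "ot-plant", sessions=1, now=40.0)  # sb-a has gone silent
    later = pb.assign("ot-plant", now=40.0)
    return first, later, pb.assign("no-such-pool", now=40.0)
```

Running `demo()` shows sessions alternating between the two OT brokers, then only the broker that is still heart-beating receiving work, and no assignment for an unknown pool name.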

Acting as a Secure Jump Server Alternative

Secondary Brokers function as a secure alternative to traditional jump servers for accessing target IT or OT networks. They securely route users to network resources while maintaining strict isolation of sensitive systems, without requiring inbound ports.

Managing Resource Pools

Secondary Brokers manage specific resource pools in different locations or domains. They facilitate resource pooling, allowing applications or desktops to be dynamically assigned based on demand, which contributes to efficient resource use and supports scaling. They can replace TS collections through the creation of Application Pools.

Deployment Flexibility

Secondary Brokers can be deployed in different networks, such as a data center or public cloud, allowing resources across various networks and locations to be available within the same Thinfinity Workspace. They can be installed on-premises, in the same cloud environment, or in different cloud environments. They can be installed by choosing the "Broker and HTML5 Services" option and then selecting "Secondary Broker" during the setup process. They can also operate in Agent Mode for establishing RDP connections without opening inbound ports.
