Best Practices for Server Installation in Large-Scale Environments

When installing servers in a large-scale environment, adhering to best practices is crucial to ensure reliability, security, performance, and ease of maintenance. The tips here are based on our experience and should be used as a supplement to the standard best practices found in the relevant literature for large-scale environments.

Thinfinity® Workspace includes several internal components that can be configured to enhance availability, performance, and redundancy, ensuring your installation supports business continuity effectively.

Standard Environment Schema

Thinfinity Gateway Load Balancing and Multi-Network Balancing

To ensure high availability and reliability, it's a best practice to implement redundancy across as many components as possible. If one component fails, the redundant component can take over the workload. During normal operations, these redundant components can distribute the load through load balancing.

Multiple Thinfinity Gateway components can be deployed across different servers, providing scalable redundancy. The Gateway, which is the Thinfinity Workspace component installed in the DMZ (Demilitarized Zone), is exposed to the internet. To manage traffic and ensure balanced distribution, a traffic load balancer (NGINX, AWS Load Balancer, or Palo Alto) should be placed in front of the Gateways.

For security, only port 443/TCP (HTTPS) should be open in the firewall to allow external access to the Thinfinity Gateways.
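The following PowerShell is an added example, not part of this documentation, that audits a Gateway host's Windows Firewall against the rule above (only 443/TCP inbound) and sets that baseline on a fresh host. It assumes the Gateway runs on Windows Server with the built-in NetSecurity module and is run from an elevated session.

```powershell
# Added example (not Thinfinity's own code). Assumes Windows Server with the
# NetSecurity module (Get-NetFirewallRule and related cmdlets); run elevated.

# Report every enabled inbound allow rule that opens anything other than
# 443/TCP, so the operator can decide whether it is a leftover to remove or
# an intentional management rule that must be restricted to internal addresses.
function Get-UnexpectedInboundRules {
    param(
        [string]$AllowedProtocol = 'TCP',
        [string]$AllowedPort     = '443'
    )
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        ForEach-Object {
            $rule = $_
            $port = $rule | Get-NetFirewallPortFilter
            $addr = $rule | Get-NetFirewallAddressFilter
            # LocalPort may be a single value, a list, or 'Any'; anything
            # that is not exactly 443 counts as extra exposure.
            $extra = @($port.LocalPort) | Where-Object { $_ -ne $AllowedPort }
            if ($port.Protocol -ne $AllowedProtocol -or $extra.Count -gt 0) {
                [pscustomobject]@{
                    Rule          = $rule.DisplayName
                    Profile       = $rule.Profile
                    Protocol      = $port.Protocol
                    LocalPort     = (@($port.LocalPort) -join ',')
                    RemoteAddress = (@($addr.RemoteAddress) -join ',')
                }
            }
        }
}

# A profile whose default inbound action is Allow makes the rule audit
# meaningless, so check that as well.
function Get-ProfilesNotBlockingByDefault {
    Get-NetFirewallProfile |
        Where-Object { $_.DefaultInboundAction -ne 'Block' } |
        Select-Object Name, DefaultInboundAction
}

# Baseline for a fresh Gateway host: block inbound by default on every profile
# and allow only 443/TCP. Management access (RDP, WinRM) should be added as
# separate rules scoped with -RemoteAddress to the internal network only.
function Set-GatewayFirewallBaseline {
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
    $name = 'Thinfinity Gateway HTTPS'   # rule name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound `
            -Protocol TCP -LocalPort 443 -Action Allow -Profile Any
    }
}

Get-ProfilesNotBlockingByDefault
Get-UnexpectedInboundRules | Format-Table -AutoSize
```

Run the two audit functions before and after changing rules; an empty result from both means the host matches the page's requirement on every profile.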

Thinfinity Primary Brokers

The Primary Broker is responsible for managing Access Profiles, including applications, desktops, and other resources accessible to the user. Access Profile information is stored in a central SQL database shared among all Primary Brokers. Any configuration changes are automatically synchronized across all Primary Brokers.

To ensure redundancy, it is advisable to deploy an additional server with a replicated database. The connection between the Primary Brokers and the Gateway is initiated in reverse, enabling the placement of a second firewall with no open ports, further isolating the installation from external threats. This configuration adheres to Zero Trust Network Access (ZTNA) principles.

Thinfinity Secondary Brokers

Depending on the scale of your deployment, you can implement two or more Secondary Brokers. These brokers handle the virtualization processes, while the Primary Broker monitors their activity and performs load balancing among them.

Secondary Brokers can be installed on-premises, in the same cloud environment, or in different cloud environments, providing flexibility based on your infrastructure needs.

When the Primary Broker selects a Secondary Broker, that broker establishes a reverse connection to the Gateway.

Additional Considerations

The virtualization process has only a small memory footprint: plan for less than 100 MB per connection through the Secondary Broker. The additional consumption of CPU and other resources is negligible.

Thinfinity Software Installation and Update

Thinfinity Workspace provides a silent method for unattended installation and updates. You can use it to add Secondary Broker resources to an existing environment. For details, see Silent Installation.

Thinfinity Cloud Manager is Cybele Software's proprietary alternative for AWS, IONOS or Azure, and for on-premises deployments running on VMware and Hyper-V.

Hardening the installation

  • Standardize OS Versions: Choose a common OS across servers to simplify management.

  • Automated Installation: Use tools like PXE boot, or Windows Deployment Services (WDS) for automated OS deployment.

  • Hardening the OS: Disable unnecessary services, apply security patches, and limit access using firewall rules.

  • Hardening Thinfinity: Disable all the unnecessary features of Thinfinity that you do not use.

Storage Considerations

  • Log Files: Thinfinity and your applications create log files. Identify their location and create the scripts necessary to keep them under control.

  • Data Backup and Recovery: Implement robust backup solutions with clear recovery point and recovery time objectives. Default local databases are available for each of the following components: Access and Authentication Profiles, Enterprise Logger, Notifications, Resource Reservation, Cloud Manager, IDP Service, ACME and Screen Cast. Alternatively, custom databases can be configured.

Resource Allocation

Verify and control resource allocation: assign CPU, memory, and storage to virtual machines based on workload requirements.

Migration and Failover

Implement live migration features for zero downtime during server maintenance. Thinfinity provides tools such as Broker Monitor with drain-out features for maintaining Secondary Broker servers without business interruption.

Monitoring and Logging

  • Centralized Logging: Thinfinity provides extensive logging, and it can also be centralized if you have several installations running at the same time.

  • Capacity Monitoring: Regularly assess storage, memory, and CPU usage to plan for scaling.

Patch Management

  • Automated Updates: Avoid automated updates; each patch must be tested before it is applied.

  • Staging Environment: Test patches in a staging environment before applying them in production.

Compliance

  • Security Compliance: Ensure adherence to industry-specific regulations (e.g., GDPR, HIPAA) through proper configuration, logging, and monitoring.

  • Penetration Testing: Regularly perform security audits and penetration testing to identify vulnerabilities. Cybele Software regularly performs penetration tests, available to clients upon request.

  • Maintain an updated version of Thinfinity.

By adhering to these best practices, you can ensure a stable, secure, and scalable server infrastructure capable of handling a large environment.