Thinfinity® Workspace Reference Architecture for High Availability (HA)

The following diagram presents the Thinfinity Workspace Reference Architecture, specifically designed for HA (High Availability) and considered the standard model for production environments.

This fundamental architecture offers a well-defined framework adaptable to diverse scales and operational requirements, ensuring a strict separation of concerns among the Edge Layer, the Thinfinity Workspace Orchestration and Control Layer, and the Workload Layer.

Edge Layer

The Edge Layer encompasses all components that exist in front of the Thinfinity Workspace infrastructure, serving as the first line of access and defense for user connections.

It includes external systems such as load balancers, web application firewalls (WAFs), proxy servers, and other network security gateways that handle, secure, and route inbound HTTPS traffic before it reaches the Thinfinity environment. This layer is responsible for TLS termination, traffic inspection, and network-level protection, ensuring that only trusted, encrypted, and policy-compliant connections are passed to the Thinfinity Gateways and Brokers. Because the Edge Layer may vary depending on each organization’s network design and security policies, its correct configuration is critical to the performance, reliability, and overall functioning of the Thinfinity Workspace deployment.

Thinfinity Workspace Orchestration and Control Layer

The Orchestration and Control Layer constitutes the core architectural component of any Thinfinity Workspace deployment, responsible for managing essential system functionalities. This layer incorporates Gateways, which serve as the primary ingress and routing nodes—maintaining secure WebSocket (WSS) tunnels with clients and enabling internal communication among system components.

Complementing the Gateways, Brokers oversee authentication, authorization, and session management. The AD (Active Directory) Cache Service interfaces with Active Directory to deliver centralized identity management and group policy enforcement.

Supporting infrastructure includes a database service for storing Broker metadata and audit logs, a licensing server to ensure compliance, and monitoring modules that gather metrics related to system performance, availability, and resource utilization.

Together, these components establish the control and access plane, providing comprehensive observability and management of system operations.

Workload Layer (VDI and Applications)

Southbound traffic from the Thinfinity Workspace Control Layer is routed via stateless firewall policies into designated workload subnets. These subnets are logically segmented by user group, and they host the Windows Server or VDI instances that provision desktops and applications.

FSLogix clusters enable persistent, high-performance user profile loading across sessions, facilitating scalability and a consistent user experience. Micro-segmentation within the workload layer enforces strict lateral movement restrictions and adheres to Zero Trust security principles.
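The segmentation rules described in this section can be audited mechanically. The following Python check is an added example, not Thinfinity code or configuration: it evaluates a zone-level stateless rule set for missing return rules, over-broad return rules, edge-to-workload bypasses, and lateral paths between workload subnets. The zone names, the rule format, and session port 3389 are assumptions made for illustration.

```python
from itertools import permutations

SESSION_PORT = 3389              # assumed session port; the page names none
EPHEMERAL = range(49152, 65536)  # source ports used by the initiating side
ANY = range(0, 65536)
WORKLOADS = ("wl-finance", "wl-eng")  # constructed per-user-group subnets

def rule(src, dst, sports, dports):
    return {"src": src, "dst": dst, "sports": sports, "dports": dports}

def allowed(rules, src, dst, sport, dport):
    """Stateless match: every packet is judged alone; default is deny."""
    return any(r["src"] == src and r["dst"] == dst and sport in r["sports"]
               and dport in r["dports"] for r in rules)

def audit(rules):
    findings, cport = [], EPHEMERAL[0]
    for wl in WORKLOADS:
        if not allowed(rules, "control", wl, cport, SESSION_PORT):
            findings.append(f"missing: control -> {wl} session traffic")
        # No connection tracking, so replies need their own explicit rule.
        if not allowed(rules, wl, "control", SESSION_PORT, cport):
            findings.append(f"missing: {wl} -> control return traffic")
        # The return rule must not let a workload open connections upward.
        if allowed(rules, wl, "control", cport, SESSION_PORT):
            findings.append(f"overbroad: {wl} can initiate to control")
        if any(r["src"] == "edge" and r["dst"] == wl for r in rules):
            findings.append(f"bypass: edge reaches {wl} directly")
    for a, b in permutations(WORKLOADS, 2):
        if any(r["src"] == a and r["dst"] == b for r in rules):
            findings.append(f"lateral: {a} -> {b} permitted")
    return findings

GOOD = [r for wl in WORKLOADS for r in (
    rule("control", wl, EPHEMERAL, [SESSION_PORT]),
    rule(wl, "control", [SESSION_PORT], EPHEMERAL))]

BAD = [  # constructed misconfiguration
    rule("control", "wl-finance", EPHEMERAL, [SESSION_PORT]),  # no return rule
    rule("control", "wl-eng", EPHEMERAL, [SESSION_PORT]),
    rule("wl-eng", "control", ANY, ANY),                       # too wide
    rule("wl-finance", "wl-eng", ANY, [445]),                  # cross-group
    rule("edge", "wl-eng", EPHEMERAL, [SESSION_PORT]),         # skips control
]

if __name__ == "__main__":
    for name, rs in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(rs) or "ok")
```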

This layered architecture—comprising the Edge Layer, Thinfinity Workspace Control Layer, and Workload Layer—constitutes a standard production deployment of Thinfinity Workspace, optimizing security, performance, and manageability. It functions as the reference framework for best-practice architectural recommendations outlined in this guide.
