Configuration Reference Table
| ID | Layer | Component | Setting | Value | Source Section | Notes |
|---|---|---|---|---|---|---|
| FW-001 | Edge | Firewall | Allowed Port | TCP 443 only (HTTPS/WSS) | Firewall Configuration / Base Transport Policy | Block all plain HTTP |
| FW-002 | Edge | Firewall | TLS Protocols | TLS 1.2, TLS 1.3 only | Firewall Configuration / Base Transport Policy | Disable legacy protocols |
| FW-003 | Edge | Firewall | Deep Inspection | Disabled for WebSocket endpoints | Firewall / WebSocket Handling | Allow the HTTP/1.1 upgrade flow |
| FW-004 | Edge | Firewall | Segmentation | Enforced between Edge and Orchestration subnets | Firewall Configuration | Micro-segmentation applied |
| FW-005 | Edge | Firewall | Outbound Rules | UDP 123 (NTP), TCP 80/443 (CRL/OCSP) only | Firewall / Egress | Least-privilege egress |
| WAF-001 | Edge | WAF | Mode | Learning → Enforcement | WAF Configuration / Deployment Approach | Start in Learning Mode, then switch to Enforcement |
| WAF-002 | Edge | WAF | TLS Enforcement | HTTPS/WSS only | WAF Configuration / Transport Security | End-to-end encryption |
| WAF-003 | Edge | WAF | WebSocket Upgrade | Allow Connection: upgrade, Upgrade: websocket | WAF Configuration / WebSocket Handling | Required for /thinfinity/* |
| WAF-004 | Edge | WAF | Identity Endpoint Handling | Exclude /saml/* and /oauth2/* from CAPTCHA | WAF Configuration / Access Control | Preserve IdP integrations |
| WAF-005 | Edge | WAF | Rate Limiting | Per-IP or per-user thresholds | WAF Configuration / Performance & Resilience | Prevent abuse |
| WAF-006 | Edge | WAF | TLS Versions | TLS 1.2 / 1.3 only | WAF Configuration / Transport Security | Disable plain HTTP connections |
| WAF-007 | Edge | WAF | Origin Validation | Validate Origin header | WAF Configuration / Access Control | Requests must come from trusted portals |
| LB-001 | Edge | Load Balancer | Listener Protocol | HTTPS | Load Balancer / Best Practices | Secure listener |
| LB-002 | Edge | Load Balancer | Listener Port | 443 | Load Balancer / Best Practices | Default HTTPS |
| LB-003 | Edge | Load Balancer | Backend Protocol | HTTPS (re-encrypted to the Gateway on 9443) | Load Balancer / Best Practices | To Thinfinity Gateway; no plaintext hop behind the LB |
| LB-004 | Edge | Load Balancer | Backend Port | 9443 | Load Balancer / Best Practices | Gateway HTTPS listener |
| LB-005 | Edge | Load Balancer | Distribution Algorithm | Weighted Round Robin | Load Balancer / Best Practices | Even session distribution |
| LB-006 | Edge | Load Balancer | Session Persistence | Disabled | Load Balancer / Best Practices | The WebSocket connection carries session state |
| LB-007 | Edge | Load Balancer | Health Check Path | /health/ | Load Balancer / Best Practices | For gateways and brokers |
| LB-008 | Edge | Load Balancer | Health Check Interval | 5 s (5000 ms) | Load Balancer / Best Practices | Retry x3 before marking the target failed |
| LB-009 | Edge | Load Balancer | TLS Versions | TLS 1.2, TLS 1.3 | Load Balancer / Best Practices | Valid certificates required |
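The FW and WAF rows above describe a decision path rather than a single setting: refuse anything that is not HTTPS/WSS on TLS 1.2/1.3, let the HTTP/1.1 upgrade handshake through only for /thinfinity/*, validate the Origin header against the trusted portals, rate-limit per client, and never put a CAPTCHA in front of /saml/* or /oauth2/*. The following Python is an added example of that policy as code, written for this page and not taken from Thinfinity or any WAF product; the host names, the trusted-origin list, the rate-limit threshold and the choice to hard-deny (rather than challenge) over-limit requests on identity endpoints are assumptions.

```python
"""Edge request policy derived from the FW/WAF rows above (added example).

Covers: transport checks (FW-001/002, WAF-002/006), WebSocket upgrade handling
for /thinfinity/* (FW-003, WAF-003), Origin validation (WAF-007), per-IP rate
limiting (WAF-005) and the CAPTCHA exemption for identity endpoints (WAF-004).
Hosts, the trusted-origin set and the threshold are assumptions, not page values.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple
from urllib.parse import urlsplit

TRUSTED_ORIGINS = {"https://portal.example.com"}   # assumed portal origin (WAF-007)
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}                # FW-002 / WAF-006 / LB-009
IDENTITY_PREFIXES = ("/saml/", "/oauth2/")         # WAF-004
WEBSOCKET_PREFIX = "/thinfinity/"                    # WAF-003


@dataclass
class Request:
    client_ip: str
    url: str
    tls_version: Optional[str]   # None when the request did not arrive over TLS
    headers: Dict[str, str]      # header names lower-cased by the front end
    ts: float                    # arrival time in seconds


def wants_websocket(headers: Dict[str, str]) -> bool:
    """True when the request carries the HTTP/1.1 upgrade handshake (RFC 6455 section 4.1).

    Connection is a comma-separated token list ("keep-alive, Upgrade"), so it is
    parsed as tokens rather than compared as a whole string.
    """
    conn_tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    return "upgrade" in conn_tokens and headers.get("upgrade", "").lower() == "websocket"


class EdgePolicy:
    def __init__(self, limit: int = 120, window_s: float = 60.0) -> None:
        self.limit = limit           # assumed threshold; WAF-005 leaves the number to the deployment
        self.window_s = window_s
        self._hits: Dict[str, Deque[float]] = {}

    def _over_limit(self, ip: str, ts: float) -> bool:
        """Sliding-window request count per client IP, including the current request."""
        q = self._hits.setdefault(ip, deque())
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.limit

    def evaluate(self, req: Request) -> Tuple[str, str]:
        """Return (action, reason); action is one of allow, deny, challenge."""
        parts = urlsplit(req.url)
        if parts.scheme not in ("https", "wss"):
            return "deny", "plain HTTP/WS blocked (FW-001, WAF-002)"
        if req.tls_version not in ALLOWED_TLS:
            return "deny", "legacy TLS version refused (FW-002, WAF-006)"

        path = parts.path
        origin = req.headers.get("origin")
        if wants_websocket(req.headers):
            # FW-003 / WAF-003: the upgrade flow is only expected under /thinfinity/*
            if not path.startswith(WEBSOCKET_PREFIX):
                return "deny", "WebSocket upgrade outside %s (WAF-003)" % WEBSOCKET_PREFIX
            # Browsers always send Origin on the handshake: require it and check it
            if origin not in TRUSTED_ORIGINS:
                return "deny", "WebSocket handshake from untrusted origin (WAF-007)"
        elif origin is not None and origin not in TRUSTED_ORIGINS:
            return "deny", "cross-origin request from untrusted origin (WAF-007)"

        if self._over_limit(req.client_ip, req.ts):
            if path.startswith(IDENTITY_PREFIXES):
                # WAF-004: an IdP callback must never see a CAPTCHA; over-limit is a hard deny instead
                return "deny", "rate limit exceeded on identity endpoint (WAF-005)"
            return "challenge", "rate limit exceeded, CAPTCHA challenge (WAF-005)"
        return "allow", "policy satisfied"
```

Two details matter in practice: the transport and origin checks run before the counter is touched, so rejected handshakes do not consume a client's budget, and the Connection header is tokenised because browsers commonly send "keep-alive, Upgrade" rather than a bare "Upgrade".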
| ID | Layer | Component | Setting | Value | Source Section | Notes |
|---|---|---|---|---|---|---|
| GTW-001 | Control | Gateway | Ports | 9443 and 443 | Thinfinity Gateways / Connectivity | Inbound bindings |
| GTW-002 | Control | Gateway | Domain Join | Must be joined to AD | Gateways / Domain Integration | Central policy enforcement |
| GTW-003 | Control | Gateway | Outbound Access | Outbound to 0.0.0.0/0 only through explicitly scoped rules | Gateways / Communication | Limit by rule scope; no blanket any/any egress |
| GTW-004 | Control | Gateway | Load Balancing | Enabled | Gateways / Resilience & Scalability | Even session distribution |
| BRK-001 | Control | Broker | License Service Port | 7443 | Brokers / Licensing Service | HTTPS |
| BRK-002 | Control | Broker | AD Integration | LDAP 389 / LDAPS 636 | Brokers / Active Directory Integration | Prefer LDAPS |
| BRK-003 | Control | Broker | Database Connection | MySQL 3306 | Database Integration | Sessions and configs |
| BRK-004 | Control | Broker | Cache Policy | Periodic refresh | AD Cache Component | Reduce AD dependency |
| BRK-005 | Control | Broker | AD Cache Contents | Users, groups, policies (hashed) | AD Cache Component | Secure cache |
| DB-001 | Control | Database | Type | Managed MySQL (HA) | Database Service | Private access only |
| DB-002 | Control | Database | Port | 3306 | Database Integration | Brokers only |
| MON-001 | Control | Monitoring | Ports | 4317–4318 | Monitoring Engine | Metrics collection |
| MON-002 | Control | Monitoring | Protocol | HTTPS | Monitoring Engine | Encrypted telemetry |
| RDS-001 | Control | RDS License Server | Ports | TCP 135 + 49152–65535 | RDS License Server | Windows RPC endpoint mapper plus dynamic port range |
| RDS-002 | Control | RDS License Server | Purpose | CAL validation | RDS License Server | Licensing compliance |
| ID | Layer | Component | Setting | Value | Source Section | Notes |
|---|---|---|---|---|---|---|
| VDI-001 | Workload | VDI Instances | Public IP | Not required | Workload Subnets / VDI | Internal-only access |
| VDI-002 | Workload | VDI Instances | Agent Connection | HTTPS (443) outbound to Gateway | Traffic Flow — Agent ↔ Gateway | Persistent WebSocket |
| VDI-003 | Workload | VDI Instances | RDP Port | 3389, temporary during provisioning | VDI Subnets Connectivity | Close after deployment |
| VDI-004 | Workload | VDI Instances | Segmentation | Subnets per user group | Workload Subnets — Network Rules | Prevent lateral movement |
| FSL-001 | Workload | FSLogix | SMB Port | 445 | FSLogix Cluster – Notes | Profile storage |
| FSL-002 | Workload | FSLogix | ProfileType | 0 (normal direct-access profile) | FSLogix Configuration (via GPO) | Default profile type; the container format is set by VolumeType |
| FSL-003 | Workload | FSLogix | IsDynamic | 1 | FSLogix Configuration (via GPO) | Dynamic disk expansion |
| FSL-004 | Workload | FSLogix | DeleteLocalProfileWhenVHDShouldApply | 1 | FSLogix Configuration (via GPO) | Clean local profiles |
| FSL-005 | Workload | FSLogix | ForceLogoffOnSessionDisconnect | 1 | FSLogix Configuration (via GPO) | Enforce logoff |
| FSL-006 | Workload | FSLogix | SizeInMBs | 10000 (Prod) / 15000 (Dev) | FSLogix Configuration (via GPO) | Adjustable per group |
| FSL-007 | Workload | FSLogix | VolumeType | vhdx | FSLogix Configuration (via GPO) | Consistent volume type |
| FSL-008 | Workload | FSLogix | VHDLocations | Defined repository path | FSLogix Configuration (via GPO) | Storage cluster path |
| FSL-009 | Workload | FSLogix | LogoffWaitTime | 768 ms | FSLogix Configuration (via GPO) | Adjustable timeout |
| ID | Layer | Component | Setting | Value | Source Section | Notes |
|---|---|---|---|---|---|---|
| SEC-001 | Cross | Certificates | TLS Validity | Trusted CA for all services | Security Resources Table | Load Balancer, Gateways, Brokers |
| SEC-002 | Cross | Logging | Endpoints | /elogs/, /health/ | Firewall / Traffic Inspection | Central monitoring |
| SEC-003 | Cross | Time Sync | NTP Port | 123 | Firewall / Egress | Trusted sources only |
| SEC-004 | Cross | Authentication | Federation | SAML (Azure or IdP) | Security Resources Table | For SSO integration |
| SEC-005 | Cross | Backup | Database and profiles | Regular backups | Governance Practices | Periodic validation |
| SEC-006 | Cross | Compliance | AD Authentication | Mandatory | Orchestration Layer | Zero Trust enforcement |
| SEC-007 | Cross | Zero Trust | Lateral Movement | None allowed between layers | Architecture Overview | Enforced segmentation |
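Read together, the port and segmentation rows (FW-001, FW-004, FW-005, LB-003, GTW-001, BRK-001/002, DB-002, VDI-002/003/004, FSL-001, SEC-007) define a default-deny flow matrix between zones. The following Python is an added example that encodes that matrix as rules and evaluates candidate flows against it, so the table can be checked against observed traffic or a planned firewall change before it ships; it is written for this page and is not Thinfinity's own tooling. The zone names (internet, edge.*, control.*, workload.vdi-*, storage.fslogix, mgmt.provisioning) are assumptions, and the policy deliberately allows only LDAPS 636 to AD, limits egress to the Edge and Control zones, and gates RDP 3389 behind a provisioning flag, all of which are design choices made here rather than values stated on the page.

```python
"""Inter-zone flow policy derived from the configuration table above (added example).

Zone names and the choices noted in the rule comments are assumptions made for this
example; the ports and the default-deny stance come from the table.
"""
from fnmatch import fnmatchcase
from typing import Iterable, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    rule_id: str
    src: str                  # zone glob, e.g. "workload.vdi-*"
    dst: str
    proto: str                # "tcp" or "udp"
    ports: Tuple[int, int]    # inclusive port range
    provisioning_only: bool = False


RULES: List[Rule] = [
    Rule("FW-001", "internet", "edge.*", "tcp", (443, 443)),
    Rule("LB-003", "edge.*", "control.gateway", "tcp", (9443, 9443)),
    Rule("GTW-001", "edge.*", "control.gateway", "tcp", (443, 443)),
    Rule("BRK-001", "control.broker", "control.license", "tcp", (7443, 7443)),
    # BRK-002 lists 389 and 636 and says "prefer LDAPS"; only 636 is opened here (assumption)
    Rule("BRK-002", "control.broker", "control.ad", "tcp", (636, 636)),
    Rule("DB-002", "control.broker", "control.db", "tcp", (3306, 3306)),
    Rule("VDI-002", "workload.vdi-*", "control.gateway", "tcp", (443, 443)),
    Rule("FSL-001", "workload.vdi-*", "storage.fslogix", "tcp", (445, 445)),
    # VDI-003: RDP only while a provisioning window is open, from a management zone (assumed)
    Rule("VDI-003", "mgmt.provisioning", "workload.vdi-*", "tcp", (3389, 3389), True),
]
# FW-005 egress: NTP and CRL/OCSP only, and only from Edge and Control (VDI-001: VDIs stay internal)
for _zone in ("edge.*", "control.*"):
    RULES += [
        Rule("FW-005", _zone, "internet", "udp", (123, 123)),
        Rule("FW-005", _zone, "internet", "tcp", (80, 80)),
        Rule("FW-005", _zone, "internet", "tcp", (443, 443)),
    ]


def check_flow(src: str, dst: str, proto: str, port: int,
               provisioning: bool = False) -> Tuple[bool, Optional[str]]:
    """Default deny (FW-004, SEC-007): return (allowed, id of the first matching rule).

    No rule matches workload.vdi-A -> workload.vdi-B or edge -> control.db, so those
    flows fall through to the deny, which is the lateral-movement control in VDI-004.
    """
    for r in RULES:
        if r.proto != proto.lower():
            continue
        if not (r.ports[0] <= port <= r.ports[1]):
            continue
        if not (fnmatchcase(src, r.src) and fnmatchcase(dst, r.dst)):
            continue
        if r.provisioning_only and not provisioning:
            continue
        return True, r.rule_id
    return False, None


def audit(flows: Iterable[Tuple[str, str, str, int]],
          provisioning: bool = False) -> List[Tuple[str, str, str, int]]:
    """Return the flows the policy would block; input is (src, dst, proto, port) tuples,
    e.g. reduced from flow logs. Anything returned is either a missing rule or a finding."""
    return [f for f in flows if not check_flow(*f, provisioning=provisioning)[0]]


if __name__ == "__main__":
    # Constructed sample of observed flows, not real traffic
    observed = [
        ("internet", "edge.lb", "tcp", 443),
        ("edge.lb", "control.gateway", "tcp", 9443),
        ("edge.lb", "control.db", "tcp", 3306),            # LB talking straight to MySQL: finding
        ("workload.vdi-finance", "workload.vdi-hr", "tcp", 445),  # cross-group SMB: finding
        ("workload.vdi-finance", "internet", "tcp", 443),         # VDI egress: finding
    ]
    for flow in audit(observed):
        print("DENY", flow)
```

The audit function is the useful half: feed it tuples reduced from cloud flow logs or firewall hit counters and every returned entry is either a rule the table forgot or a path that should not exist. Treat the provisioning flag as a time-boxed change-control state, not a permanent setting, which is what VDI-003's "close after deployment" asks for.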