Orchestration and Control Layer: Core Components

Within the Orchestration and Control Layer reside the central services of the platform, responsible for orchestrating connections, authenticating users, managing sessions, and storing critical data. These components operate as the control and access plane, ensuring secure coordination between the Edge layer and Workload layer.

Component
Description

Thinfinity Gateway

Role: The only servers that receive external connections from the Load Balancer, exclusively through HTTPS (port 9443).

Function: Act as the entry point to the environment, encapsulating user sessions and securely relaying them to internal services.

Security: Connections remain encrypted end-to-end, supporting long-lived WebSocket tunnels.

Thinfinity Brokers

Role: Not accessed directly by users; instead, they register with the gateways via HTTPS (port 443).

Function: Handle session orchestration, license validation, and policy enforcement.

Integrations: Communicate with Active Directory for authentication and group management, and with the database for persistence of session metadata and configuration.

Database Service

Role: Central repository for session data, configuration, and authentication details.

Implementation: Typically provisioned as a managed service (e.g., OCI MySQL Database Service).

Access: Restricted to brokers only, using TCP 3306.

Monitoring Engine

Role: Collects metrics from gateways over HTTPS (TCP 443).

Function: Provides visibility into performance, availability, and user activity.

Benefit: Enables centralized monitoring, proactive fault detection, and the generation of governance and SLA reports.

Remote Desktop Services (RDS) License Server

Role: Provides CALs (Client Access Licenses) for Remote Desktop sessions when required.

Connectivity: Communicates with brokers via TCP 135 (RPC Endpoint Mapper) and dynamic RPC ports (49152–65535) on modern Windows Server versions.

Purpose: Ensures licensing compliance for large-scale deployments.

*This is only necessary for Windows session-based VDI hosts. It is not required for one-to-one (1:1) VDI hosts, such as Windows 10/11 or Linux.
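
The flows listed for each component amount to a default-deny allowlist between tiers. The following is an added example, not part of the Thinfinity documentation or tooling, that audits a firewall or security-list rule set against that matrix. Tier names, the tuple layout and the direction of the monitoring and RDS licensing flows are assumptions, and the sample rules are constructed.

```python
# Allowlist audit for the control-plane flows described above.
# Tier names, tuple layout and flow directions are assumptions of this example;
# the ports come from the component descriptions.
ALLOWED = [
    # (source tier, destination tier, first port, last port), all TCP
    ("load_balancer", "gateway", 9443, 9443),   # only external entry point
    ("broker", "gateway", 443, 443),            # brokers register with gateways
    ("broker", "database", 3306, 3306),         # database restricted to brokers
    ("monitoring", "gateway", 443, 443),        # metrics collection (direction assumed)
    ("broker", "rds_license", 135, 135),        # RPC Endpoint Mapper (direction assumed)
    ("broker", "rds_license", 49152, 65535),    # dynamic RPC range
]

def is_allowed(src, dst, lo, hi):
    """True if ports lo..hi fit entirely inside one documented flow."""
    return any(s == src and d == dst and a <= lo and hi <= b
               for s, d, a, b in ALLOWED)

def audit(rules):
    """Return (rule, reason) for every rule that exceeds the documented matrix."""
    findings = []
    for rule in rules:
        src, dst, lo, hi = rule
        if is_allowed(src, dst, lo, hi):
            continue
        if any(s == src and d == dst for s, d, _, _ in ALLOWED):
            reason = "port range wider than documented"
        else:
            reason = "no documented flow between these tiers"
        findings.append((rule, reason))
    return findings

# Constructed sample rule set, e.g. exported from security lists or NSGs.
SAMPLE_RULES = [
    ("load_balancer", "gateway", 9443, 9443),
    ("broker", "gateway", 443, 443),
    ("broker", "database", 3306, 3306),
    ("monitoring", "gateway", 443, 443),
    ("gateway", "database", 3306, 3306),     # breaks "brokers only" DB access
    ("load_balancer", "broker", 443, 443),   # brokers must not be user-facing
    ("broker", "rds_license", 135, 65535),   # collapses two ranges into one wide one
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"FINDING {rule}: {reason}")
```

The three flagged rules are the ones that widen exposure beyond the documented design: direct gateway-to-database access, a load balancer path to the brokers, and a single RPC range that opens every port from 135 to 65535.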

Summary

The Thinfinity Workspace Orchestration and Control Layer is the heart of the platform, combining Gateways, Brokers, databases, Monitoring, and licensing services into a secure, segmented control plane. This design minimizes exposure, enforces Zero Trust principles, and supports efficient load distribution for thousands of concurrent connections.
