VDI Layers Connectivity

All network traffic between VDI instances and the Gateways must be transmitted exclusively over TCP 443 (HTTPS) on end-to-end encrypted (TLS) channels. Intermediate network devices such as firewalls, proxies, or monitoring tools must pass this traffic through untouched: no TLS interception, content inspection, or buffering. Any such interference introduces latency, performance degradation, or connectivity failures that degrade the user experience and the stability of the environment.

Technical Notes

  • The Thinfinity Agent deployed on each VDI instance establishes outbound HTTPS (TCP 443) sessions to communicate with the Gateways.

  • The FSLogix Agent on each VDI opens outbound SMB (TCP 445) sessions to the centralized FSLogix storage cluster for persistent user profile management; the VDI is the SMB client and initiates these sessions.

  • RDP (TCP 3389) is exposed only temporarily from the Broker’s IP during initial provisioning and must be closed immediately after deployment.

Workload Layers — Network Rules

Each row gives the Subnet and Resource, followed by the Inbound rule, the Outbound rule, and Comments.

User Group 1 / VDI Instances
  Inbound:  3389 from Broker (temporary for deployment)
  Outbound: HTTPS 443 (Thinfinity Agent → Gateway)
  Comments: VDIs are provisioned with the Thinfinity Agent, which connects outbound to the Gateway via HTTPS 443.

User Group 1 / FSLogix Agent
  Inbound:  SMB 445
  Outbound: SMB 445
  Comments: Connects to the FSLogix cluster for persistent user profile storage.

User Group 2 / VDI Instances
  Inbound:  3389 from Broker (temporary for deployment)
  Outbound: HTTPS 443 (Thinfinity Agent → Gateway)
  Comments: VDIs are provisioned with the Thinfinity Agent, which connects outbound to the Gateway via HTTPS 443.

User Group 2 / FSLogix Agent
  Inbound:  SMB 445
  Outbound: SMB 445
  Comments: Connects to the FSLogix cluster for persistent user profile storage.

User Group 3 / VDI Instances
  Inbound:  3389 from Broker (temporary for deployment)
  Outbound: HTTPS 443 (Thinfinity Agent → Gateway)
  Comments: VDIs are provisioned with the Thinfinity Agent, which connects outbound to the Gateway via HTTPS 443.

User Group 3 / FSLogix Agent
  Inbound:  SMB 445
  Outbound: SMB 445
  Comments: Connects to the FSLogix cluster for persistent user profile storage.

User Group 4 / VDI Instances
  Inbound:  3389 from Broker (temporary for deployment)
  Outbound: HTTPS 443 (Thinfinity Agent → Gateway)
  Comments: VDIs are provisioned with the Thinfinity Agent, which connects outbound to the Gateway via HTTPS 443.

User Group 4 / FSLogix Agent
  Inbound:  SMB 445
  Outbound: SMB 445
  Comments: Connects to the FSLogix cluster for persistent user profile storage.

User Group N / VDI Instances
  Inbound:  3389 from Broker (temporary for deployment)
  Outbound: HTTPS 443 (Thinfinity Agent → Gateway)
  Comments: The same rule applies to any additional user group subnet.

User Group N / FSLogix Agent
  Inbound:  SMB 445
  Outbound: SMB 445
  Comments: The same FSLogix requirement applies to all user group subnets.
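The rules above can be verified after each deployment rather than assumed. The script below is an added example, not Thinfinity, FSLogix or Broker code: run with the `vdi` role on a freshly provisioned VDI it confirms that outbound HTTPS 443 to every Gateway and SMB 445 to the FSLogix cluster actually connect; run with the `broker` role on the Broker host it confirms that the temporary inbound 3389 rule has really been closed again. The host names and addresses are constructed placeholders (assumptions) and must be replaced with the deployment's own; the probe function is injectable so the rule logic can be exercised without a network.

```python
"""
Post-deployment connectivity check for the VDI network rules.
Added example; it is not Thinfinity, FSLogix or Broker code. Host names
and addresses are constructed placeholders (assumptions).
"""
import socket
from typing import Callable, Iterable

# Constructed placeholder addresses; replace with the real Gateway,
# FSLogix cluster and VDI addresses of the deployment.
GATEWAYS = ["gw1.example.internal", "gw2.example.internal"]
FSLOGIX_CLUSTER = "fslogix.example.internal"
VDI_ADDRESSES = ["10.1.0.5", "10.1.0.6"]

# A flow is (host, port, must_be_open).
Flow = tuple[str, int, bool]
Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def vdi_flows(gateways: Iterable[str], fslogix: str) -> list[Flow]:
    """Outbound flows every VDI must have: HTTPS 443 to each Gateway
    (Thinfinity Agent) and SMB 445 to the FSLogix cluster. Run from the VDI."""
    flows: list[Flow] = [(g, 443, True) for g in gateways]
    flows.append((fslogix, 445, True))
    return flows


def broker_flows(vdis: Iterable[str]) -> list[Flow]:
    """After provisioning, RDP 3389 on each VDI must be closed again, even
    from the Broker's own address. Run from the Broker host."""
    return [(v, 3389, False) for v in vdis]


def verify(flows: Iterable[Flow], probe: Probe = tcp_probe) -> list[tuple[str, int, bool, bool]]:
    """Compare each flow with what the network actually allows; return
    (host, port, observed, expected) for every mismatch. An empty list
    means the live rules match the table."""
    mismatches = []
    for host, port, must_be_open in flows:
        observed = probe(host, port)
        if observed != must_be_open:
            mismatches.append((host, port, observed, must_be_open))
    return mismatches


if __name__ == "__main__":
    import sys
    role = sys.argv[1] if len(sys.argv) > 1 else "vdi"
    flows = vdi_flows(GATEWAYS, FSLOGIX_CLUSTER) if role == "vdi" else broker_flows(VDI_ADDRESSES)
    for host, port, observed, expected in verify(flows):
        state = "reachable" if observed else "unreachable"
        print(f"MISMATCH {host}:{port} is {state}, expected {'open' if expected else 'closed'}")
```

A TCP connect only proves the layer-4 path; it does not show whether a device in between terminates TLS, which is covered separately under the Agent ↔ Gateway traffic flow.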

Traffic Flow — Thinfinity Agent ↔ Thinfinity Gateway

Within this architecture, each Windows Server VDI instance in the Workload Layer of User Group N is provisioned with a Thinfinity Agent component. These agents initiate outbound TCP connections to the Thinfinity Gateways over HTTPS on port 443.

Nature of the Connection

The communication between the Thinfinity Agent and the Gateway is established over a secure WSS (WebSocket Secure) tunnel using HTTPS/TLS. This tunnel is persistent and supports bidirectional data flow, enabling real-time session management, mutual authentication, and data transfer. Unlike conventional HTTP transactions, which are stateless request–response exchanges, WSS keeps the TCP connection open, allowing a continuous exchange of data frames between client and server.

Security and Performance Considerations

Do not restrict or inspect WSS traffic

Once the HTTP upgrade handshake has completed (Connection: Upgrade / Upgrade: websocket, answered by the Gateway with 101 Switching Protocols), firewall and WAF policies must pass the WSS frames through unimpeded.

Any form of DPI (Deep Packet Inspection), SSL/TLS interception, or proxy buffering will disrupt the session or compromise its stability.

Packet delay or reordering introduced by inline monitoring tools, IPS (Intrusion Prevention Systems), or proxy servers adds latency and jitter, which can significantly impair performance and lead to session termination.

Firewall Configuration Guidelines

  • Permit outbound HTTPS traffic on TCP port 443 from all Thinfinity Agents to the designated Gateways, scoping the destination to the Gateway addresses rather than to any host on port 443.

  • Allow the return traffic of these established sessions through the stateful firewall without applying content inspection to it.

  • Configure idle and session timeout settings long enough to sustain persistent WebSocket connections; a short idle timeout on a firewall or proxy terminates the tunnel prematurely.
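Whether the path from a VDI to a Gateway is really free of interception and inspection can be checked from the VDI itself. The script below is an added example written for this page, not Thinfinity code, and covers both the "do not inspect" requirement above and the firewall guidelines: it opens TLS to the Gateway on 443 and compares the server certificate's SHA-256 fingerprint with a value recorded out of band (a transparent TLS interceptor has to present its own certificate), then sends an RFC 6455 WebSocket upgrade and validates the reply, since a proxy that strips the Upgrade header, buffers the exchange, or answers in place of the Gateway does not return an intact 101 response. The Gateway host name, the WebSocket path and the pinned fingerprint are placeholders (assumptions); the page does not give the Gateway's real WebSocket path.

```python
"""
Path check for the Agent -> Gateway channel. Added example, not Thinfinity
code. Gateway host, WebSocket path and pinned fingerprint are placeholders
(assumptions) to be replaced with the deployment's own values.
"""
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455, section 1.3


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept value the server must return for a client key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, path: str, key: str) -> bytes:
    """Minimal RFC 6455 client handshake."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    ).encode("ascii")


def check_upgrade_response(raw: bytes, key: str) -> list[str]:
    """Return the problems found in a handshake reply; empty means intact."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    problems = []
    if not status.startswith("HTTP/1.1 101"):
        problems.append(f"expected '101 Switching Protocols', got '{status}'")
    if headers.get("upgrade", "").lower() != "websocket":
        problems.append("Upgrade header missing or rewritten")
    if "upgrade" not in headers.get("connection", "").lower():
        problems.append("Connection header missing or rewritten")
    if headers.get("sec-websocket-accept") != expected_accept(key):
        problems.append("Sec-WebSocket-Accept does not match the client key")
    if "via" in headers:
        problems.append(f"Via header present, an intermediary is in the path: {headers['via']}")
    return problems


def check_gateway(host: str, path: str, pinned_sha256: str, timeout: float = 5.0) -> list[str]:
    """Live check from a VDI: certificate fingerprint pin plus WebSocket upgrade."""
    ctx = ssl.create_default_context()
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    with socket.create_connection((host, 443), timeout=timeout) as raw_sock:
        with ctx.wrap_socket(raw_sock, server_hostname=host) as tls:
            seen = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
            problems = []
            if seen != pinned_sha256.lower():
                problems.append(f"certificate fingerprint {seen} differs from the pinned value: TLS interception?")
            tls.sendall(build_upgrade_request(host, path, key))
            reply = tls.recv(4096)
    return problems + check_upgrade_response(reply, key)


if __name__ == "__main__":
    # Constructed reply, as a buffering proxy that answered the upgrade itself
    # might return it; no network is needed for this demonstration.
    sample = b"HTTP/1.1 200 OK\r\nVia: 1.1 corp-proxy\r\nContent-Length: 0\r\n\r\n"
    for problem in check_upgrade_response(sample, "dGhlIHNhbXBsZSBub25jZQ=="):
        print("PROBLEM:", problem)
```

The pinned fingerprint has to be refreshed whenever the Gateway certificate is renewed, so keep it alongside the certificate rotation procedure; a mismatch right after a renewal is expected, a mismatch at any other time is the signal this check exists for.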

Why This Matters

The Thinfinity Agent is the communication interface between the VDI workloads and the Thinfinity Gateway. Any interruption or degradation of this channel leads to session disruptions, authentication latency, or session termination. A continuous, low-latency WebSocket connection is what provides reliable session continuity and a good end-user experience.

Summary

Communication between the Thinfinity Agent and the Gateway (HTTPS 443, WebSocket) must be fully allowed—without interception, inspection, or latency introduced by intermediate devices such as firewalls, WAFs, or proxies. This traffic must be considered trusted, persistent control-plane communication to ensure the stability and performance of all Thinfinity Workspace VDI sessions.
