Deployment Zones
Deployment Zones are created to enable logical grouping of Kasm services. In large or distributed deployments, it may be desirable to route users to Kasm services that are closer geographically to improve the user experience. In other use cases, Deployment Zones might be defined for special network segments representing different tenants or security enclaves. Administrators can then leverage standard routing, DNS, load balancing, or other networking techniques to direct user traffic to a desired Zone.
Capabilities
Utilizing multiple deployment zones allows administrators to:
- Prefer that end-user sessions are provisioned in the Deployment Zone the user is connected to.
  - When a user connects to the Kasm UI, the server will attempt to provision the Kasm on Agents in the same Zone, only falling back to Agents in other Zones if all Agents in the current Zone are full or unavailable.
- Restrict certain Workspaces to only provision on Agents within a given Deployment Zone. See Add/Edit Kasm Workspace.
  - This option is most useful if the Deployment Zones represent special network enclaves that only certain Workspaces and perhaps certain Users should be allowed to access.
Configuring Deployment Zones
Defining Zone Configurations
Existing Deployment Zones can be updated in the UI by an administrator.
Deployment Zones can only be created at Web App installation time. See the instructions for more information.
Field | Description | Default Value |
---|---|---|
Zone Name | The name given to the Zone. | |
Allow Origin Domain | Connections to Kasm sessions are restricted to authorized Origins. This value is the authorized origin domain. | "$request_host$" |
Upstream Auth Address | Connections to Kasm sessions are authenticated against a Kasm API server. This value is the address of the server. | "proxy" |
Load Balance Strategy | Determines how the system prioritizes Agents when a user requests a new Kasm session: • Least Load: Prioritizes Agents with the least consumed CPU/Memory. • Most Load: Prioritizes Agents with the most consumed CPU/Memory. • Least Kasms: Prioritizes Agents with the fewest active sessions. • Most Kasms: Prioritizes Agents with the most active sessions. For Server Pools of type "Server", load is based on session count vs. configured supportable sessions. | Least Load |
Search Alternate Zones | Allows the system to search for resources in alternate Zones if the same-Zone Agents cannot satisfy the session request. Same-Zone Agents are always preferred. | Enabled |
Prioritize Static Agents | Prefers using fixed Agents before utilizing auto-scaled Docker Agents. | Enabled |
Labels | Labels assigned to all servers and agents in this zone. These labels can be used to control where Workspace sessions are launched. You can specify these labels in a Workspace's "Include Labels" or "Exclude Labels" settings to ensure sessions run only on certain servers or agents. | None |
Proxy Connections | When enabled, the user connects to the Kasm session via a proxy server. When disabled, connections go directly to the Kasm Agent hosting the session. | Enabled |
Proxy Hostname | Hostname of the proxy server used when Proxy Connections are enabled. | "$request_host$" |
Proxy Path | The base path appended to the Kasm connection URL when using Proxy Connections. | "/desktop" |
Proxy Port | The port used for the proxy server. If set to 0, Kasm Workspaces will try to detect the correct port from window.location.port. | "0" |
Proxy RDP Local Client Connections | When enabled, RDP connections from native RDP clients are proxied through Kasm Web App servers to the RDP Gateway, allowing use of a single domain. When disabled, clients connect directly to the Guac role, which requires public IP and DNS. This setting applies only if Enable RDP HTTPS Gateway is also enabled. | Enabled |
RDP HTTPS Proxy Hostname | Hostname/IP of the load balancer or proxy in front of the HTTPS-based RDP Gateway. | "$request_host$" |
RDP HTTPS Proxy Port | Port number of the load balancer or proxy for the HTTPS-based RDP Gateway. | "443" |
Restrict RDP Client IP Address | Enforces that the client's IP for the RDP connection matches the IP of the API call that initiated the session. Not compatible with changing IPs (e.g., via load balancers, proxies, or tunnels like Cloudflare). | Disabled |
Enable RDP HTTPS Gateway | When enabled, uses HTTPS RDP Gateway protocol. When disabled, standard RDP over port 3389 is used. | Disabled |
Enable RDP HTTPS Gateway DLP | Sends HTTPS RDP connections through Data Loss Prevention (DLP). This may affect performance/scalability. Disabling DLP disables some Kasm data protection features and breaks single sign-on. Applies only if Enable RDP HTTPS Gateway is enabled. | Disabled |
$request_host$, referenced as the default for several settings above, can be used to automatically reference the domain/host used in the URL to access the Kasm deployment.
For example, if users access Kasm via https://east.kasm.server, $request_host$ will be east.kasm.server.
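The placement rules described above (same-Zone preference, Search Alternate Zones, per-Workspace Zone restriction, Load Balance Strategy) are modelled here as an added example; this is not Kasm's scheduler code. The Agent and Zone classes, pick_agent, the sample inventory, and the handling of a Zone-restricted Workspace requested from a different Zone are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Agent:
    name: str
    zone: str
    load: float             # consumed CPU/memory, 0.0 to 1.0 (constructed metric)
    kasms: int              # active sessions
    available: bool = True  # False when full or unreachable

@dataclass(frozen=True)
class Zone:
    name: str
    strategy: str = "Least Load"         # default from the table
    search_alternate_zones: bool = True  # default from the table

# Sort key per Load Balance Strategy; min() then picks the preferred Agent.
STRATEGY_KEYS = {
    "Least Load": lambda a: a.load,
    "Most Load": lambda a: -a.load,
    "Least Kasms": lambda a: a.kasms,
    "Most Kasms": lambda a: -a.kasms,
}

# Constructed sample inventory: two general Zones and one restricted enclave.
SAMPLE_AGENTS = [
    Agent("east-1", "east", 0.80, 4),
    Agent("east-2", "east", 0.30, 6),
    Agent("west-1", "west", 0.10, 1),
    Agent("enclave-1", "enclave", 0.50, 2),
]

def pick_agent(user_zone, agents, restrict_to_zone=None):
    """Return the Agent for a new session, or None if no Agent qualifies."""
    usable = [a for a in agents if a.available]
    if restrict_to_zone is not None:
        # Workspace pinned to one Zone: Agents elsewhere are never candidates.
        usable = [a for a in usable if a.zone == restrict_to_zone]
    key = STRATEGY_KEYS[user_zone.strategy]
    same_zone = [a for a in usable if a.zone == user_zone.name]
    if same_zone:
        return min(same_zone, key=key)   # same-Zone Agents are always preferred
    if user_zone.search_alternate_zones and usable:
        return min(usable, key=key)      # fallback crosses Zone boundaries
    return None                          # assumption: no fallback means no session
```

In this model, a user connected to east is placed on enclave-1 once east and west have no available Agents; disabling Search Alternate Zones or restricting the Workspace to a Zone removes that path.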
Assigning Zone Configurations
Agents are assigned the Zone of whichever manager they are currently checked in to.
Once defined, the Kasm services need to be configured to be members of the given Zone. The Deployment Zone setting for API Servers (kasm_api, kasm_manager) is set in their configuration file. The default zone is default.
```
grep zone_name /opt/kasm/current/conf/app/api/api.app.config.yaml
zone_name: east
```
- Ensure all Kasm services are stopped
```
sudo systemctl stop kasm
```
- Edit the zone_name property in api.app.config.yaml
```
vi /opt/kasm/current/conf/app/api/api.app.config.yaml
```
- Restart the Kasm Services
```
sudo systemctl start kasm
```