Understanding the System as a Flow of Responsibility
Kasm’s logical architecture is best understood as a lifecycle of intent.
- A user initiates a session via a browser
- The system authenticates and interprets that intent
- A decision is made about where to run the session
- A workload is instantiated on an available resource
- The session is streamed back via web-native protocols
Each step maps to a role. These roles represent responsibilities in a distributed system, not just deployable services.
The Five Kasm Roles
1. Web App Role (Control Plane and Orchestration Engine)
The Brain and System Boundary
The Web App role combines user interaction and orchestration into a unified control plane.
- Hosts the web UI and API endpoints
- Authenticates users and captures session requests
- Maintains awareness of system state and capacity
- Determines workload placement and execution strategy
Architectural meaning:
- Centralized control plane
- Combines broker, scheduler, and API gateway
Mental model:
This is where intent is translated into action.
2. Agent Role (Optional, Container Execution Plane)
The Distributed Runtime Fabric
Agents are responsible for executing users' container workloads.
- Launch containerized workspaces
- Provide compute resources (CPU, memory, GPU)
- Report health and capacity back to the control plane
Architectural meaning:
- Vertically and horizontally scalable execution nodes
- Fully decoupled from orchestration
Mental model:
Agents are ephemeral workload hosts, not persistent desktops.
3. Connection Proxy Role (Optional, Unified Transport and Legacy Protocol Layer)
The Engine of Web-Native Session Delivery
The Connection Proxy enables Kasm’s core capability to deliver fully interactive workspace sessions to traditional endpoints (Windows, Linux, macOS) directly through a web browser.
The Connection Proxy is a customized Guacamole-based connection handler that encodes and proxies RDP, VNC, and SSH into WebSocket streams usable by modern browsers.
Each Kasm Deployment Zone requires at least one Connection Proxy when supporting RDP, VNC, or SSH workloads. Rather than a single service, this role is composed of four tightly integrated components:
kasm_guac
Protocol Translation Core
- Built on a custom-compiled Apache guacd
- Converts RDP, VNC, and SSH into web-native streams
- Spawns one guacd process per CPU core by default
- Automatically load-balances sessions across processes
This design ensures efficient utilization of multi-core systems.
Interpretation:
This is the rendering and encoding engine that makes remote systems browser-accessible.
kasm_proxy
Session Routing and Broker Layer
- Routes client connections to the correct component
- Acts as the reverse proxy for session traffic
Interpretation:
This is the traffic director, ensuring sessions reach the correct execution endpoint.
kasm_rdp_gateway
Feature-Enforcing RDP Mediation Layer
- Enables native RDP client access to Kasm sessions
- Enforces:
  - Data Loss Prevention (clipboard, uploads, downloads)
  - Single Sign-On (SSO)
  - Credential injection
- Supports advanced device redirection:
  - Smart cards
  - USB
  - Webcam
Interpretation:
This layer adds policy enforcement and enterprise-grade control to RDP sessions.
kasm_rdp_https_gateway
Transport Compatibility Layer
- Tunnels RDP traffic over HTTPS
- Enables traversal through restrictive firewalls
- Implements Microsoft RD Gateway protocol
Important distinction:
- Does not interpret RDP traffic
- Acts purely as a secure transport wrapper
Interpretation:
This layer ensures connectivity in constrained network environments.
How these components work together
For browser-based sessions:
Client → kasm_proxy → kasm_guac → Target Session
For native RDP sessions (default path):
Client → kasm_rdp_https_gateway → kasm_rdp_gateway → Target Session
This layered design allows Kasm to:
- Support both web-native and thick-client access
- Balance security, compatibility, and performance
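The two session paths above, together with the requirement that every Deployment Zone serving RDP, VNC, or SSH workloads has at least one Connection Proxy, can be expressed as a small deployment check. This is an added example, not Kasm's own code; the `Zone` manifest shape and the role names `agent` and `connection_proxy` are constructed for illustration and are not Kasm's configuration schema.

```python
"""Added example, not Kasm's own code: a small model of the Connection
Proxy paths above and the per-zone requirement stated in this section.
The Zone shape is constructed for illustration, not Kasm's schema."""
from dataclasses import dataclass

# Workload protocols the Connection Proxy role must mediate (from the text).
LEGACY_PROTOCOLS = frozenset({"rdp", "vnc", "ssh"})

@dataclass(frozen=True)
class Zone:
    name: str
    roles: frozenset      # roles deployed in the zone, e.g. "agent"
    workloads: frozenset  # "container" or a protocol in LEGACY_PROTOCOLS

def session_path(client: str) -> list:
    """Component chain a session traverses, exactly as the text gives it:
    browser sessions via kasm_proxy and kasm_guac, native RDP clients via
    the HTTPS gateway in front of the RDP gateway (default path)."""
    if client == "browser":
        return ["kasm_proxy", "kasm_guac", "target"]
    if client == "native_rdp":
        return ["kasm_rdp_https_gateway", "kasm_rdp_gateway", "target"]
    raise ValueError(f"unknown client type: {client!r}")

def zone_findings(zone: Zone) -> list:
    """Flag role gaps that would leave a zone's workloads unreachable."""
    findings = []
    if zone.workloads & LEGACY_PROTOCOLS and "connection_proxy" not in zone.roles:
        findings.append(f"{zone.name}: RDP/VNC/SSH workloads but no Connection Proxy")
    # Agents execute container workloads (Agent role, above); a zone that
    # offers containers but deploys no Agent cannot instantiate them.
    if "container" in zone.workloads and "agent" not in zone.roles:
        findings.append(f"{zone.name}: container workloads but no Agent")
    return findings

# Constructed sample deployment: one complete zone, one misconfigured.
SAMPLE_ZONES = [
    Zone("us-east", frozenset({"agent", "connection_proxy"}), frozenset({"container", "rdp"})),
    Zone("eu-west", frozenset({"agent"}), frozenset({"container", "ssh"})),
]

def audit(zones=SAMPLE_ZONES) -> list:
    """Collect findings across all zones (an empty list means consistent)."""
    return [f for z in zones for f in zone_findings(z)]

if __name__ == "__main__":
    print(session_path("native_rdp"))
    for finding in audit():
        print("FINDING:", finding)
```

Running it against the constructed sample reports the `eu-west` zone, which offers SSH workloads without a Connection Proxy.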
Architectural meaning of the Connection Proxy role
- Protocol abstraction layer
- Session routing and delivery mechanism
- Security enforcement boundary
- Web-native translation engine
Mental model:
The Connection Proxy transforms any remote interaction into a controlled, browser-delivered experience.
4. Dedicated Proxy Role (Optional, Geo-Distributed Edge Layer)
Separating User Proximity from Control Plane Location
In standard deployments, proxy functionality resides with the Web App. At scale, this can be externalized.
- Deploys proxies across geographic regions
- Routes sessions through the nearest proxy to the user
- Reduces latency while maintaining centralized control
- Uses the Web App for authentication and orchestration
Architectural meaning:
- Edge-distributed access layer
- Enables global scale without duplicating control logic
Mental model:
The Dedicated Proxy moves the workspace experience closer to the user, not the control plane.
5. Database Role (Persistence and Coordination)
The System Memory
- Stores users, configuration, sessions, and metadata
- Enables stateless control plane operation
- Coordinates distributed roles
Architectural meaning:
- Foundation for system consistency
Mental model:
This is what allows a distributed system to behave consistently over time.
Zero Trust Through Architectural Design
Kasm enforces zero trust principles inherently:
- All access is mediated through proxy layers
- No direct connectivity to backend systems
- Sessions are isolated and ephemeral
- Control and execution planes are separated
With Dedicated Proxies:
- Access becomes geo-distributed without expanding trust boundaries
Closing
Kasm Workspaces redefines VDI by dissolving the dependency on persistent desktops and replacing it with:
- A centralized control plane (Web App Role)
- A distributed execution fabric (Agents)
- A unified protocol and transport layer (Connection Proxy)
- A globally scalable edge access model (Dedicated Proxy)
- A persistent coordination layer (Database)
Together, these roles form a system where:
User intent is transformed into a secure, isolated, browser-delivered session, instantiated dynamically, governed centrally, and delivered globally.