Multi-Zone Proxies with Kubernetes
By default, all session traffic is routed through the Kubernetes cluster where the Kasm Helm chart is deployed. When you define additional zones, those zones only receive the App role from the Helm chart — proxy and agent components must be provisioned externally.
Multi-zone deployments are commonly used to serve users across geographic regions, but zones can also be used to segment groups of users or isolate different workload types across separate pools of compute resources — for example, separating contractor traffic from internal users, or giving a specific team dedicated agent capacity.
This guide walks through deploying the external proxy components for an additional zone. The Connection Proxy is required if the zone supports RDP or VNC sessions. The Dedicated Proxy is optional for Docker sessions — it routes traffic locally within the zone rather than through the App role, which reduces latency when the zone is geographically distant from the primary zone.
See Kubernetes Deployment Options for a breakdown of which roles the Helm chart covers and which you need to provision externally based on your session types.
This guide covers two configurations:
- Docker sessions only — no additional VMs required. Optionally deploy a Dedicated Proxy to reduce latency.
- Docker and RDP/VNC sessions — requires one VM per additional zone (a Connection Proxy). Optionally add a Dedicated Proxy to reduce Docker session latency.
Before You Begin
VM Requirements
| Session Type | Required VMs | Optional VMs |
|---|---|---|
| Docker only | None | Dedicated Proxy (reduces latency) |
| Docker + RDP/VNC | Connection Proxy | Dedicated Proxy (reduces Docker session latency) |
DNS Hostnames
Each proxy VM needs its own DNS hostname, separate from the zone's proxyAddress, sharing the same parent domain. For example, given:
proxyAddress: zone-b.kasm.contoso.com
| VM | Example Hostname | Configured in Kasm UI as |
|---|---|---|
| Dedicated Proxy | proxy.zone-b.kasm.contoso.com | Proxy Hostname |
| Connection Proxy (RDP/VNC) | rdp.zone-b.kasm.contoso.com | RDP HTTPS Proxy Hostname |
Network Requirements
- Dedicated Proxy: must have network connectivity to all Kasm Agents in the zone and bidirectional connectivity to the zone
proxyAddress. - Connection Proxy: must have network connectivity to all RDP and VNC targets in the zone that users will access, and bidirectional connectivity to the zone
proxyAddress.
For best performance, Kasm Agents and their zone's Dedicated Proxy should be deployed on infrastructure that is close to each other and to the users they serve. This keeps session traffic within the zone rather than routing it back through the primary zone.
Step 1: Configure Multi-Zone Kasm Helm
In your my-values.yaml, configure the kasmZones section to define multiple zones:
publicAddr: kasm.contoso.com
kasmZones:
- name: primary
proxyAddress: kasm.contoso.com
- name: zone-b
proxyAddress: zone-b.kasm.contoso.com
Then install or upgrade your Kasm Helm chart with these values. See Install Kasm on Kubernetes or Upgrade Kasm on Kubernetes for instructions.
- The first zone in the list is treated as the primary zone and receives the full set of proxy roles from the Helm chart. External proxies are only needed for additional zones.
- Traffic to the configured
publicAddrin the ingress rule is routed to the primary zone.
Step 2: Install the Dedicated Proxy (optional)
Skip this step if latency through the primary zone is acceptable. Without a Dedicated Proxy, Docker session traffic routes through the App role's built-in proxy rather than a zone-local relay.
Follow the proxy installation steps (--role proxy) in the Multi-Server Installation guide, setting --api-hostname to the zone's proxyAddress from my-values.yaml (e.g., zone-b.kasm.contoso.com). This tells the dedicated proxy where to forward upstream authentication requests.
Step 3: Install the Connection Proxy (RDP and VNC sessions)
Skip this step if you are only proxying Docker sessions.
Follow the connection proxy installation steps (--role guac) in the Multi-Server Installation guide, using the following flag values specific to this zone:
--api-hostname: The zone'sproxyAddressfrommy-values.yaml, e.g.,zone-b.kasm.contoso.com.--public-hostname: The DNS hostname of this connection proxy VM (see Before You Begin).--registration-token: Retrieve your token with:kubectl get secret --namespace {NAMESPACE} {RELEASE_NAME}-secrets -o jsonpath="{.data.service-token}" | base64 -d; echo--server-zone: The zonenamefrommy-values.yaml, e.g.,zone-b.
Step 4: Configure the Kasm Zone
Log in to your Kasm UI. You can retrieve the admin@kasm.local password with:
kubectl get secret --namespace {NAMESPACE} {RELEASE_NAME}-secrets \
-o jsonpath="{.data.admin-password}" | base64 -d; echo
In the Kasm Admin UI, go to Infrastructure → Deployment Zones → Edit your additional zone:
- Upstream Auth Address: Set to the zone's
proxyAddressfrommy-values.yaml, e.g.,zone-b.kasm.contoso.com. - Proxy Hostname: Set to your dedicated proxy hostname, e.g.,
proxy.zone-b.kasm.contoso.com. - RDP HTTPS Proxy Hostname (RDP and VNC sessions): Set to your connection proxy hostname, e.g.,
rdp.zone-b.kasm.contoso.com.