---
myst:
  html_meta:
    "description lang=en": "Deploy Kasm Workspaces sessions to specific geographic regions using deployment zones."
    "keywords": "Kasm, Deployment, Zones, Network, Configuration"
    "property=og:locale": "en_US"
---
```{title} Deployment Zones
```
## Deployment Zones
Deployment Zones are created to enable logical grouping of Kasm services. In large or distributed deployments, it may
be desirable to route users to Kasm services that are closer geographically to improve the user experience. In other
use cases, Deployment Zones might be defined for special network segments representing different tenants or security
enclaves. Administrators can then leverage standard routing, DNS, load balancing, or other networking techniques
to direct user traffic to a desired Zone.
```{figure} /images/zones/deployment_zones_diagram.png
:align: center
**Deployment Zones Diagram**
```
### Capabilities
Utilizing multiple deployment zones allows administrators to:
- Prefer that end-user sessions are provisioned in the Deployment Zone the user is connected to.
  - When a user connects to the Kasm UI, the server will attempt to provision the Kasm on Agents in the same Zone, only falling back to Agents in other Zones if all Agents in the current Zone are full or unavailable.
- Restrict certain {term}`Workspaces ` to only provision on Agents within a given Deployment Zone.
  See [Add/Edit Kasm Workspace](../workspaces.md#add-edit-workspaces)
  - This option is most useful if the Deployment Zones represent special network enclaves that only certain Workspaces and perhaps certain Users should be allowed to access.
### Configuring Deployment Zones
#### Defining Zone Configurations
Existing Deployment Zones can be updated in the UI by an administrator.
```{note}
Deployment Zones can only be created at Web App installation time. See [the instructions](../../install/multi_server_install/multi_installation_steps.md#install-web-app-role) for more information.
```
```{figure} /images/zones/deployment_zones_list.webp
:align: center
**Zones List**
```
```{figure} /images/zones/deployment_zones_config.webp
:align: center
**Update Zone**
```
```{eval-rst}
.. list-table:: Zone Configuration Options
   :header-rows: 1

   * - Field
     - Description
     - Default Value
   * - Zone Name
     - The name given to the Zone.
     -
   * - Allow Origin Domain
     - Connections to Kasm sessions are restricted to authorized Origins. This value is the authorized origin domain.
     - "$request_host$"
   * - Upstream Auth Address
     - Connections to Kasm sessions are authenticated against a Kasm API server. This value is the address of the server.
     - "proxy"
   * - Load Balance Strategy
     - When a user requests a new Kasm session, the server can use several Load Balance Strategies to determine which Agent(s) to prioritize for the request.

       * **Least Load**
         The system will prioritize the Agent(s) with the least consumed CPU/Memory resources.\*
       * **Most Load**
         The system will prioritize the Agent(s) with the most consumed CPU/Memory resources.\*
       * **Least Kasms**
         The system will prioritize the Agent(s) with the least number of existing Kasm sessions.
       * **Most Kasms**
         The system will prioritize the Agent(s) with the greatest number of existing Kasm sessions.

       *\*For Server Pools of type Server, load is estimated by comparing the number of current Kasm sessions to the configured supportable number of sessions.*
     - Least Load
   * - Search Alternate Zones
     - When a user requests a Kasm session, the system will first search for available resources on Agents within the same Zone. When enabled, the server can also search
       alternate Zones to satisfy the request if it cannot be satisfied within the same Zone. Agents in the same Zone are always preferred over alternate Zones.
     - Enabled
   * - Prioritize Static Agents
     - Utilize fixed agents before using auto-scaled `Docker Agents `_.
     - Enabled
   * - Proxy Connections
     - When disabled, the user connects to the Kasm session directly on the Kasm Agent where the Kasm session container resides. When enabled,
       the connection to the Kasm session is proxied through another server.
     - Enabled
   * - Proxy Hostname
     - The location of the proxy server when Proxy Connections is enabled.
     - "$request_host$"
   * - Proxy Path
     - The base path to append to the Kasm connection when Proxy Connections is enabled.
     - "/desktop"
   * - Proxy Port
     - The port to use for the proxy server when Proxy Connections is enabled.
       Kasm Workspaces will attempt to automatically determine the correct port from ``window.location.port``.
     - "0"
   * - Proxy RDP Local Client Connections
     - When enabled, RDP connections made from native RDP clients are proxied through one or more Kasm Web App servers, to the Kasm RDP Gateway. This allows all requests
       to come through a single domain name. When disabled, RDP clients will connect directly to the Kasm RDP Gateway component, which is part of the Guac role.
       This requires the Guac role servers to have a public IP address and resolvable hostname. This setting applies only when the zone setting
       **Enable RDP HTTPS Gateway** is enabled.
     - Enabled
   * - RDP HTTPS Proxy Hostname
     - The hostname/IP of a load balancer or proxy in front of the HTTPS based RDP Gateway component.
     - "$request_host$"
   * - RDP HTTPS Proxy Port
     - The port number of a load balancer or proxy in front of the HTTPS based RDP Gateway component.
     - "443"
   * - Restrict RDP Client IP Address
     - Require that the client's IP address be the same on the incoming RDP connection as on the API call that requested the session from the Kasm dashboard.
       In general, this restriction is not compatible with situations where the client IP address may change between requests to Kasm, such as load
       balancers, reverse proxies or Cloudflare tunnels.
     - Disabled
   * - Enable RDP HTTPS Gateway
     - Use the HTTPS RDP Gateway protocol. When disabled, standard RDP over port 3389 is used.
     - Disabled
   * - Enable RDP HTTPS Gateway DLP
     - Send HTTPS RDP connections through DLP (Data Loss Prevention). Enabling DLP has performance and scalability implications. Disabling DLP will disable many data
       loss prevention features enforced by Kasm; however, many of these features can be enforced by proper Group Policy in Windows. Disabling DLP will also break single
       sign-on. This setting applies only when the zone setting **Enable RDP HTTPS Gateway** is enabled.
     - Disabled
```
```{note}
**\$request_host\$**, referenced as the default for several settings above, can be used to automatically reference the domain/host used in the URL to access the Kasm deployment.
For example, if a user accesses Kasm via {code}`https://east.kasm.server`, **\$request_host\$** will be {code}`east.kasm.server`.
```
#### Assigning Zone Configurations
{term}`Agents ` are assigned the Zone of whichever manager they are currently checked in to.
Once defined, the Kasm services need to be configured to be members of the given Zone.
The Deployment Zone setting for API Servers (kasm_api, kasm_manager) is set in their configuration file. The default
zone is **default**.
```bash
grep zone_name /opt/kasm/current/conf/app/api/api.app.config.yaml
zone_name: east
```
- Ensure all Kasm services are stopped
```Bash
sudo /opt/kasm/bin/stop
```
- Edit the **zone_name** property in api.app.config.yaml
```Bash
vi /opt/kasm/current/conf/app/api/api.app.config.yaml
```
- Restart the Kasm Services
```Bash
sudo /opt/kasm/bin/start
```
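
The edit step above can be scripted so that a mistyped zone name or a damaged config file is caught before the services are restarted. The following is an added example, not part of Kasm's own tooling: the helper names `get_zone_name` and `set_zone_name` are hypothetical, and it assumes `zone_name` appears as a single `key: value` line in the file, as the `grep` output above shows.

```bash
#!/usr/bin/env bash
# Added example: set zone_name in the Kasm API config with input validation,
# a backup copy, and a post-edit check. Helper names are hypothetical.

CONF_DEFAULT=/opt/kasm/current/conf/app/api/api.app.config.yaml

# Print the current zone_name value from a config file (empty if absent).
get_zone_name() {
    sed -n 's/^[[:space:]]*zone_name:[[:space:]]*//p' "$1" | head -n 1
}

# set_zone_name <zone> [config-file]
# Returns 0 on success, 2 for a rejected zone name, 3 for a missing file or
# key, 4 if the edit could not be written or verified (backup is restored).
set_zone_name() {
    local zone="$1" conf="${2:-$CONF_DEFAULT}"

    # Assumption: zone names are limited here to letters, digits, '_' and '-'
    # so the value cannot break the YAML line or the sed expression.
    case $zone in
        ''|*[!A-Za-z0-9_-]*) echo "invalid zone name: '$zone'" >&2; return 2 ;;
    esac

    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 3; }
    # Refuse to edit a file without a zone_name key instead of appending one.
    grep -Eq '^[[:space:]]*zone_name:' "$conf" || {
        echo "zone_name not found in $conf" >&2; return 3; }

    # Keep the previous version next to the config for rollback.
    cp -p "$conf" "$conf.bak" || return 3

    # Rewrite only the value and keep the line's indentation. Redirecting into
    # the existing file preserves its owner and mode.
    sed -E "s/^([[:space:]]*zone_name:).*/\1 $zone/" "$conf.bak" > "$conf" || {
        cp -p "$conf.bak" "$conf"; return 4; }

    # Verify the result; restore the backup if the value did not take.
    [ "$(get_zone_name "$conf")" = "$zone" ] || {
        cp -p "$conf.bak" "$conf"; return 4; }
}

# Order of operations on an API server, following the steps above:
#   sudo /opt/kasm/bin/stop
#   set_zone_name east      (as a user allowed to write the config file)
#   sudo /opt/kasm/bin/start
```
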