Network and Load Balancing
Use this page to design Turbo Server network topology, secure communication paths, and configure redundancy.
What You'll Learn
- How to install redundant server roles
- Required communication paths and ports
- CDN and load balancer considerations
- How to set and use the Domain URL
Installing Redundant Roles
Install redundant roles across multiple servers by selecting the role during Turbo Server setup. You can add or remove roles after installation; see Managing the Domain. Deploy more than one Portal server for failover or high concurrency (see Portal System Requirements). Size the number of application servers based on concurrent users and application resource needs. For maximum redundancy, configure a secondary domain that uses federation to replicate workspaces and authentication settings.
Network Architecture Overview
Understanding Turbo Server network architecture helps you plan firewall rules and infrastructure design. The sections below outline components, communication flows, and requirements.
System Components
The Turbo ecosystem includes:
Client Components:
- Turbo Desktop Client: Native Windows application for running virtualized applications.
- Web Browser: Accesses the Turbo Hub portal and can launch applications via HTML5 client.
- Mobile Apps: Native clients for iOS and Android devices.
Server Components:
- Turbo Portal: Web interface and entry point for authentication, application discovery, and service coordination.
- Turbo Hub: Image repository and distribution service for application containers.
- Application Servers: Execute virtualized applications in secure containers and stream them to clients.
- SQL Server: Database storing configuration, user data, and system information.
Supporting Infrastructure:
- Load Balancer: Distributes traffic across multiple Portal servers for high availability.
- Content Delivery Network (CDN): Optional component for faster application image delivery.
Network Communication Flow
Communication Paths and Security Requirements
| Source | Destination | Protocol | Default Port | Direction | Purpose | Security Notes |
|---|---|---|---|---|---|---|
| Web Browser | Portal/Load Balancer | HTTPS | TCP/443 | Inbound | Web portal access, authentication | SSL/TLS encryption required |
| Web Browser | Portal/Load Balancer | WSS | TCP/443 | Inbound | HTML5 client streaming (/tunnelws/rxp) | WebSocket over SSL, WAF exceptions may be needed |
| Desktop Client | Portal/Load Balancer | HTTPS | TCP/443 | Inbound | Service discovery, authentication | SSL/TLS encryption required |
| Desktop Client | Hub/CDN | HTTPS | TCP/443 | Inbound | Application image download | SSL/TLS encryption required |
| Mobile App | Portal/Load Balancer | HTTPS | TCP/443 | Inbound | Mobile portal access | SSL/TLS encryption required |
| Application Server | Portal | HTTPS | TCP/443 | Bidirectional | Configuration sync, coordination | Two-way HTTPS access required |
| Application Server | Hub | HTTPS | TCP/443 | Outbound | Application image access | SSL/TLS encryption required |
| Application Server | SQL Server | SQL over TLS | TCP/1433 | Outbound | Database operations | Encrypted SQL connection recommended |
| Portal | SQL Server | SQL over TLS | TCP/1433 | Outbound | Database operations | Encrypted SQL connection recommended |
| Hub | SQL Server | SQL over TLS | TCP/1433 | Outbound | Database operations | Encrypted SQL connection recommended |
| Load Balancer | Portal | HTTPS | TCP/443 | Outbound | Traffic distribution | Internal SSL termination |
| Desktop Client | P2P Coordinator | TCP | TCP/6881-6889 | Bidirectional | Peer-to-peer image distribution | Hardcoded ports, cannot be changed |
| Desktop Client | Other P2P Clients | TCP | TCP/6881-6889 | Bidirectional | Direct peer-to-peer file sharing | Cross-subnet/VLAN support with proper firewall config |
Security Considerations
Firewall Configuration
- Allow inbound HTTPS (TCP/443) from client networks to Portal/Load Balancer.
- Allow WebSocket traffic (/tunnelws/rxp) for HTML5 client functionality.
- Ensure Application Servers can reach Portal, Hub, and SQL Server on required ports.
- Allow clients to reach Hub directly for image downloads (TCP/443).
- P2P Requirements (optional): If peer-to-peer distribution is enabled, allow bidirectional TCP traffic on ports 6881-6889 between clients and server and between clients themselves. Ports are hardcoded.
SSL/TLS Requirements
- Use HTTPS/SSL for external communication.
- Encrypt internal connections between Application Servers, Portal, Hub, and SQL Server.
- Maintain end-to-end encryption when using a CDN.
Network Isolation
- Isolate Application Servers from direct internet access.
- Restrict database access to Application Servers, Portal, and Hub.
- Consider placing Portal servers in a DMZ with appropriate controls; place Hub servers in the DMZ or internal network based on your architecture.
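The communication paths table and the isolation rules above can be checked against observed traffic. The following is an added example, not part of Turbo Server or its documentation: it audits flow records against the table. The role names, the inventory layout and all addresses are constructed for illustration.

```python
import ipaddress

P2P = set(range(6881, 6890))  # TCP/6881-6889, hardcoded per the table
# (source role, destination role) -> destination TCP ports the table permits.
# Role names are shorthand chosen for this example.
ALLOWED = {
    ("client", "lb"): {443}, ("client", "portal"): {443}, ("client", "hub"): {443},
    ("lb", "portal"): {443}, ("appserver", "hub"): {443},
    ("appserver", "portal"): {443}, ("portal", "appserver"): {443},  # bidirectional row
    ("appserver", "sql"): {1433}, ("portal", "sql"): {1433}, ("hub", "sql"): {1433},
    ("client", "p2p"): P2P, ("p2p", "client"): P2P, ("client", "client"): P2P,
}

def role_of(ip, networks):
    """Role of the most specific inventory network containing ip, else 'external'."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, role) for net, role in networks if addr in net]
    return max(hits)[1] if hits else "external"

def audit(flows, inventory):
    """Return (src, dst, port, reason) for every flow the table does not permit."""
    networks = [(ipaddress.ip_network(cidr), role) for cidr, role in inventory.items()]
    findings = []
    for src, dst, port in flows:
        s, d = role_of(src, networks), role_of(dst, networks)
        if port in ALLOWED.get((s, d), ()):
            continue
        if s == "appserver" and d == "external":
            reason = "Application Server reaches an address outside the inventory"
        elif d == "sql" and s not in ("appserver", "portal", "hub"):
            reason = "SQL Server reached by a role other than Application Server, Portal or Hub"
        else:
            reason = f"{s} -> {d} on TCP/{port} is not in the communication paths table"
        findings.append((src, dst, port, reason))
    return findings

# Constructed inventory and flow records (RFC 1918 / RFC 5737 addresses).
INVENTORY = {"10.0.10.0/24": "portal", "10.0.10.5/32": "lb", "10.0.20.0/24": "appserver",
             "10.0.30.4/32": "sql", "10.0.40.0/24": "hub", "10.0.50.0/24": "client"}
FLOWS = [("10.0.50.7", "10.0.10.5", 443), ("10.0.20.11", "10.0.30.4", 1433),
         ("10.0.50.7", "10.0.30.4", 1433), ("10.0.20.11", "203.0.113.9", 443),
         ("10.0.50.7", "10.0.50.8", 6885), ("10.0.50.7", "10.0.50.8", 445)]

if __name__ == "__main__":
    for finding in audit(FLOWS, INVENTORY):
        print(finding)
```

Feed it flow records exported from your firewall or flow collector, with an inventory that reflects your own subnets.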
High Availability
- Deploy multiple Portal servers behind a load balancer.
- Scale Application Servers to meet user load and application resource requirements.
- Use database clustering or backups for data protection.
Configuring Network
If you place internal services behind a reverse proxy, configure the URLs that services and clients use to reach each other. See Domain Addresses.
Configuring Content Delivery Network (CDN)
Deliver Turbo SVM images over a CDN by setting the Hub CDN URL. CDN support works best when clients use the Turbo synchronization protocol for objects over the configured Hub CDN Max File Size. If you do not set a max file size, automatic protocol selection does not occur. Consult your CDN provider for max file size limits.
For clients without automatic protocol selection, disable direct downloads in the Turbo Client configuration. If direct download remains enabled, some CDNs limit object size and may force origin delivery for large images. Images delivered over a CDN may be downloaded from the public internet—remove confidential data from images before delivery.
Sample CDN Configurations
Use these examples for Cloudflare, AWS CloudFront, and Azure CDNs.
Cloudflare
Create a CNAME that resolves the Turbo Server URL and enable Proxy status. Use the CNAME as the Hub CDN URL in Turbo Server. Add two Page Rules:
- Cache Level: Cache Everything
- Edge Cache TTL: a month
Set the Hub CDN URL to the CNAME and Hub CDN Max File Size to the maximum supported by your Cloudflare subscription.
AWS CloudFront
Create a CloudFront distribution:
- Origin domain: Turbo Server URL
- Path pattern: Default (*)
- Viewer protocol policy: Match the Turbo Server HTTP configuration
- Allowed HTTP methods: GET, HEAD
Set the Hub CDN URL to the Distribution domain name and Hub CDN Max File Size to the maximum supported by your subscription.
Azure CDN
Create an Azure CDN resource:
- Pricing tier: Standard Microsoft
- Check Create a new CDN endpoint
- Origin type: Custom origin
- Origin hostname: Turbo Server URL
Set the Hub CDN URL to the Endpoint hostname and Hub CDN Max File Size to the maximum supported by your subscription.
Load Balancing
To load balance Application Servers, install the Application Server role on the target servers and configure the strategy in Domain Settings. To load balance Portals, point the Domain URL to an external load balancer.
Understanding the Domain URL
The Domain URL is how end users and clients reach Turbo Server services and must be reachable from the networks where users run Turbo applications. Map it to the server with the Portal role. Users should enter the Domain URL in the Android or iOS app server settings. For example, if the Domain URL is https://mydomain.com, point DNS for mydomain.com to the Portal server. Users then navigate to https://mydomain.com to access the portal.
Configure the CLI with the Domain URL using turbo config --domain=mydomain.com. See Command Line Reference.
The Domain URL also exposes service topology endpoints such as https://mydomain.com/service/settings and https://mydomain.com/service/topology, which clients use to discover services like Hub IO, login, and Application Server Broker. If you leave the Domain URL blank, it defaults to the first server with the Portal role.
Troubleshooting
The HTML5 client fails to launch with a WebSocket tunnel reconnect error.
Ensure your load balancer is not blocking the WebSocket path /tunnelws/rxp. See how to add a WAF exception.
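To tell whether the load balancer or WAF is refusing the upgrade, send a standard RFC 6455 handshake to the tunnel path and classify the reply. This is an added example, not Turbo tooling; the function names and result labels are invented here. It assumes the endpoint answers an unauthenticated handshake with 101, so compare the result with a probe sent straight to a Portal server.

```python
import base64, hashlib, os, socket, ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455
TUNNEL_PATH = "/tunnelws/rxp"                      # WebSocket path named on this page

def upgrade_request(host, key, path=TUNNEL_PATH):
    """Build the HTTP/1.1 request that opens a WebSocket (RFC 6455, section 4.1)."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n").encode()

def classify(response, key):
    """Interpret the first response bytes received through the load balancer."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "not-http"
    status = int(parts[1])
    if status != 101:
        # e.g. 403 from a WAF rule, or 400/200 when a proxy strips the Upgrade headers
        return f"refused-{status}"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    expected = base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()
    if (headers.get("upgrade", "").lower() != "websocket"
            or headers.get("sec-websocket-accept") != expected):
        return "bad-handshake"  # 101 returned, but not by a WebSocket-aware endpoint
    return "upgraded"

def probe(host, port=443, timeout=5):
    """Send the handshake over TLS with certificate verification and classify the reply."""
    key = base64.b64encode(os.urandom(16)).decode()
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(upgrade_request(host, key))
            return classify(tls.recv(4096), key)
```

Call `probe("mydomain.com")` with your own Domain URL host; a `refused-…` result through the load balancer together with `upgraded` directly against a Portal server points at the load balancer or WAF.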
