
The article discusses different deployment architecture scenarios to scale Xton Access Manager (XTAM) utilizing multiple session manager components.


XTAM Session Manager Scalability

Component Architecture

XTAM contains several components. When XTAM is deployed on a single host, all components are installed on the same server and communicate with each other inside that server. One of these components is Session Manager. XTAM communicates with Session Manager using a proprietary XTAM protocol over port 4822. Session Manager, in turn, communicates with remote computers using RDP, SSH, Telnet or VNC, depending on the remote computer.

[Figure: XTAM component architecture]

Session Manager can be installed on a host separate from the XTAM WEB application. XTAM can then be instructed to use this Session Manager instead of (or together with) the one installed on the XTAM computer. In this setup, the RDP (or SSH) session is established from the Session Manager server to the remote server, and XTAM communicates with the Session Manager server over port 4822 (the port should be opened in the Session Manager server's firewall). This architecture is not specific to RDP; any protocol works the same way.

Use Cases for Session Manager Deployment

There are two applications of this deployment:

Performance optimization.

XTAM can automatically load balance sessions between multiple Session Managers (there can be more than two), each time selecting the one with the least number of currently active sessions. This architecture also supports high availability requirements.

[Figure: XTAM session manager deployment architecture for performance scalability]

Network isolation.

XTAM can be configured to select a specific group of session managers out of several configured groups (called Proximity Groups) to serve remote computers located in a specific XTAM Vault, in a specified IP range or in a specific domain. For example, computers from the network 10.0.0.x/24 could be served by SERVER SM1 or SERVER SM2 (balanced), while computers from the network 10.1.1.x/24 could be served by balanced session managers SERVER SM3 or SERVER SM4.

[Figure: XTAM session manager deployment architecture for access to isolated networks]

For the end user there will be no visible differences – the sessions will open as usual.
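The selection behaviour described in the two use cases above, as an added illustrative model in Python (not Xton's code): the proximity group is chosen by the target's IP range, then the session manager with the fewest active sessions is picked. First-match group order, refusing to fall back to another group when none of a group's managers is reachable, and the names `lan-a`, `lan-b`, `select_manager` and `overlapping_groups` are assumptions of this sketch; Vault and domain matching are left out.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import combinations

@dataclass
class SessionManager:
    host: str
    active_sessions: int = 0
    reachable: bool = True
    port: int = 4822  # Session Manager port named in the article

@dataclass
class ProximityGroup:
    name: str
    networks: list = field(default_factory=list)  # CIDR ranges this group serves
    managers: list = field(default_factory=list)

    def serves(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.networks)

def select_manager(groups, default_group, target_ip):
    """Pick the group by IP range, then its least-loaded reachable manager."""
    group = next((g for g in groups if g.serves(target_ip)), default_group)
    candidates = [m for m in group.managers if m.reachable]
    if not candidates:
        # Assumed policy of this model: never borrow a manager from another
        # group, because that would defeat the network isolation.
        raise LookupError(f"no reachable session manager in {group.name}")
    chosen = min(candidates, key=lambda m: m.active_sessions)
    chosen.active_sessions += 1
    return group.name, chosen.host

def overlapping_groups(groups):
    """Group pairs whose ranges overlap, which makes the serving group ambiguous."""
    return [(a.name, b.name) for a, b in combinations(groups, 2)
            if any(ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))
                   for x in a.networks for y in b.networks)]

def sample_groups():
    """Constructed sample using the article's example networks and server names."""
    default = ProximityGroup("Default", [], [SessionManager("localhost")])
    groups = [
        ProximityGroup("lan-a", ["10.0.0.0/24"],
                       [SessionManager("SM1", 3), SessionManager("SM2", 1)]),
        ProximityGroup("lan-b", ["10.1.1.0/24"],
                       [SessionManager("SM3", 0, reachable=False), SessionManager("SM4", 5)]),
    ]
    return groups, default
```

Running `overlapping_groups` over a planned set of ranges before entering them in the GUI shows whether any target could match more than one group.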

How to Configure

To support this scenario, install Session Manager as a standalone application on the Session Manager host. To do that, run the regular installer on this host but select only one option: Session Manager. At some point the installer will ask about certificates. In a test environment you can ignore this prompt, which leaves the communication channel between XTAM and Session Manager over port 4822 insecure. Alternatively, bring file from $XTAM_HOME folder of XTAM WEB application host. These certificates are generated during the installation and they keep the communication channel encrypted.

After that, open the XTAM GUI, navigate to the menu Administration / Settings / Proximity Groups, edit the Default Group and add a new server there (host, port 4822). Make sure that port 4822 is accessible from the XTAM server. After the configuration is saved, XTAM checks the connection automatically and displays whether the communication channel is established (blue) or failed (crossed-out), and whether it is secured (green). Optionally, remove localhost, or keep it so that XTAM load balances between localhost and the external server. Add more proximity groups for remote servers in specific IP ranges or with specific domain masks. Each proximity group may contain multiple session managers, so XTAM load balances between them inside a group.

Proximity groups with multiple session managers are how XTAM scales for large or busy environments.


Mark Klinchin

I am Co-Founder and CEO of Xton Technologies. I am interested in computers, software development, cyber security, content management, photography, image processing and mathematics.


Copyright © 2020 Xton Technologies, LLC. All rights reserved.