Everything you need to understand, deploy, and integrate WebStream for your Windows business applications.
AWS deployment patterns from PoC to enterprise multi-AZ. Interactive diagrams showing how WebStream scales.
Step-by-step instructions for deploying WebStream ACP in AWS environments.
Detailed guide for running a proof of concept with your Windows application.
Comprehensive documentation of security controls, audit capabilities, and compliance features.
Technical documentation for ISVs integrating WebStream with their applications.
Access WebStream Core source code, issues, and community contributions.
The open source engine that demonstrates browser-based Windows application delivery. Includes file handling, print redirection, and clipboard integration.
App Control Plane — the enterprise product that adds policy enforcement, audit trails, SSO integration, and session recording to Core capabilities.
Isolated environments that define which applications users can access and what policies apply. Each workspace has its own configuration.
Rules that control file access, printing, clipboard usage, and other interactions. Policies can be applied at workspace, application, or user level.
Assignments that connect users or groups to workspaces and applications. Entitlements determine who can access what.
Comprehensive logging of all user activity including login, file operations, printing, clipboard usage, and policy enforcement actions.
WebStream scales from simple PoC to enterprise multi-AZ deployments. Choose the pattern that fits your stage.
Great for initial evaluation. Single EC2 instance running all WebStream components.
architecture-beta
group internet(cloud)[Internet]
group vpc(cloud)[AWS VPC]
group pub(cloud)[Public Subnet] in vpc
group data(cloud)[Data] in vpc
service user(internet)[User Browser] in internet
service dns(server)[Route 53] in internet
service eip(server)[Elastic IP] in pub
service ec2(server)[WebStream Server] in pub
service cw(server)[CloudWatch] in pub
service s3(disk)[S3 Storage] in data
user:R --> L:dns
dns:R --> L:eip
eip:B --> T:ec2
ec2:R --> L:cw
ec2:B --> T:s3
Notes: Simple and fast to deploy. Single point of failure. TLS terminated on instance or via reverse proxy.
Recommended for serious PoC. HTTPS done properly with predictable browser behavior.
architecture-beta
group internet(cloud)[Internet]
group vpc(cloud)[AWS VPC]
group pub(cloud)[Public Subnets 2 AZ] in vpc
group app(cloud)[App Subnet] in vpc
group data(cloud)[Data] in vpc
service user(internet)[User Browser] in internet
service dns(server)[Route 53] in internet
service alb(server)[ALB HTTPS] in pub
service acm(server)[ACM Certificate] in pub
service ec2(server)[WebStream Server] in app
service cw(server)[CloudWatch] in app
service s3(disk)[S3 Storage] in data
user:R --> L:dns
dns:R --> L:alb
acm:B --> T:alb
alb:B --> T:ec2
ec2:R --> L:cw
ec2:B --> T:s3
Notes: Best "PoC that feels production". ALB handles TLS + WebSocket upgrades reliably.
Beyond PoC. Scale-out capability with operational separation of Gateway and Session hosts.
architecture-beta
group internet(cloud)[Internet]
group vpc(cloud)[AWS VPC]
group edge(cloud)[Public Subnets] in vpc
group app(cloud)[Private App Subnets] in vpc
group data(cloud)[Data Subnets] in vpc
service user(internet)[User Browser] in internet
service dns(server)[Route 53] in internet
service alb(server)[ALB HTTPS] in edge
service acm(server)[ACM] in edge
service gw(server)[Gateway] in app
service asg(server)[Auto Scaling] in app
service worker(server)[Session Hosts] in app
service cw(server)[CloudWatch] in app
service db(database)[RDS] in data
service s3(disk)[S3] in data
user:R --> L:dns
dns:R --> L:alb
acm:B --> T:alb
alb:B --> T:gw
gw:R --> L:asg
asg:B --> T:worker
worker:B --> T:db
worker:R --> L:s3
gw:B --> T:cw
worker:B --> T:cw
Notes: Gateway stateless, session hosts handle compute. RDS for multi-instance consistency.
Production-ready. Resilient, auditable, aligned with security reviews. MAP-ready reference architecture.
architecture-beta
group internet(cloud)[Internet]
group edge(cloud)[Edge Security]
group vpc(cloud)[AWS VPC]
group app(cloud)[Private App Multi AZ] in vpc
group data(cloud)[Data Multi AZ] in vpc
service user(internet)[User Browser] in internet
service dns(server)[Route 53] in internet
service waf(server)[WAF] in edge
service alb(server)[ALB HTTPS] in edge
service acm(server)[ACM] in edge
service gw(server)[Gateway Cluster] in app
service asg(server)[ASG Session Hosts] in app
service ec2(server)[Backend Streamers] in app
service cw(server)[CloudWatch] in app
service rds(database)[RDS Multi AZ] in data
service s3(disk)[S3] in data
service fsx(disk)[FSx Windows] in data
user:R --> L:dns
dns:R --> L:waf
waf:R --> L:alb
acm:B --> T:alb
alb:B --> T:gw
gw:R --> L:asg
asg:B --> T:ec2
ec2:B --> T:rds
ec2:R --> L:fsx
ec2:R --> L:s3
gw:B --> T:cw
ec2:B --> T:cw
Notes: FSx for Windows mapped drives. RDS for IAM/policies/audit. S3 for artifacts/exports/recordings.
Manage workspaces, applications, users, and policies programmatically via the ACP REST API.
Receive real-time notifications for session events, policy violations, and audit activities.
Deep integration SDK for ISVs to enable rich communication between applications and the browser.
Our team is here to help with deployment, integration, and technical questions.