Services
Every WebStream role is the same binary — webstream.exe — launched in a different service mode by a command-line flag. A deployment is a set of these services wired together over HTTP and WebSocket, from a single shared instance in a proof of concept to dedicated, independently scaled instances in production.
One binary, five services
The mode is selected at startup. Each service listens on its own port(s), owns a distinct responsibility, and communicates with its peers through well-defined HTTP/WebSocket contracts described on the pages below.
| Service | Flag | Default port | Responsibility |
|---|---|---|---|
| Gateway | -gw / -gateway | 443 (HTTPS), 9000 | Public entry point: SSL termination, load balancing, session routing, entitlement enforcement, built-in IAM. |
| Session Host / Backend | -backend / -be | 9005 (HTTP) | Private application server: RDP session pool, per-session streamer launch, gateway registration and heartbeat. |
| Streamer | (default, no flag) | 9010+ per session | Per-session process: screen capture, input relay, audio, policy enforcement inside the user's session. |
| Metrics Engine | -me / -metricsengine | 9009 (HTTP) | Central telemetry: metrics ingestion, activity/audit logging, usage metering, Operations and Reports data. |
| Access Management (IAM) | -am (or built into -gw) | 8090 (standalone) | Control plane: organizations, users, groups, applications, workspaces, policies, authentication, entitlements. |
All services read the same app.config.xml; each mode consumes the sections relevant to it. The Persistence Layer page covers the PostgreSQL databases behind the IAM and Metrics Engine services.
Shared or dedicated instances?
Because every role is one process, the topology is a deployment decision rather than an installation decision. The preference shifts from shared to dedicated EC2 instances as concurrent session count grows.
Proof of concept — one shared instance
All services run co-resident on a single EC2 instance: the Gateway (with built-in IAM), a Session Host with its Streamers, and the Metrics Engine, all against a local PostgreSQL. This is the cheapest and fastest topology to stand up, and is exactly what the AWS Marketplace image deploys. The trade-off is a single point of failure and compute contention between streaming sessions and the control services.
Early production — split the control plane from compute
The first split moves the Gateway (+ built-in IAM) to its own small instance. The gateway is stateless and light on CPU, but it is the public front door — isolating it keeps routing and authentication responsive no matter how busy the session hosts are. Session Hosts (each running its pool of Streamers) become the scalable app tier; they are the unit of compute that grows with concurrent sessions. The Metrics Engine also moves to its own small instance so telemetry writes never compete with session I/O.
Production at scale — dedicated role per instance group
Each role gets dedicated instances (or an auto-scaling group): gateways behind a load balancer, an auto-scaling group of session hosts sized by session demand, a Metrics Engine instance, and the databases moved to managed PostgreSQL (RDS/Aurora). See AWS Deployment Patterns for the full topology ladder.
| Service | Stateless? | Scales with | Shared EC2 OK? | Dedicate an instance when… |
|---|---|---|---|---|
| Gateway | Yes (affinity cache only) | Connection count | PoC / small | You have more than one session host, or need the front door isolated from session load. |
| Session Host / Backend | No (active sessions) | Concurrent sessions | PoC / small | Always the first tier to scale out; add hosts as session demand grows. |
| Streamer | Per-session process | One per session | Runs on its session host | Never separated — it always lives on the host that runs its session. |
| Metrics Engine | No (owns metrics/activity DBs) | Node and session count | PoC / small | Telemetry volume grows, or you want Operations/Reports unaffected by session load. |
| Access Management | No (owns IAM DB) | Login/entitlement rate | Usually built into the gateway | Multiple gateways need one shared control plane, or org count is large. |
Whatever the topology, the message contracts between services are identical — a backend registers with the gateway the same way whether they share an instance or sit in different Availability Zones. Moving up the ladder is a configuration change, not a re-architecture.