Remote Browser Isolation (RBI) – Server Implementation

1. RBI Server Implementation Technologies

  • RBI (Remote Browser Isolation) is more than simply "running a browser remotely": it is an architecture that combines server infrastructure, networking, streaming, and security technologies.

  • It requires a system architecture designed for large-scale scalability and integration with cloud infrastructure, and it must provide stable service across multiple access points.

1.1. Server Technologies


1.1.1. Edge Computing

RBI minimizes network latency by running the browser on edge nodes geographically close to users. In this model, edge servers function not as simple content caches, but as the actual execution location of browser instances.

Diagram showing RBI browser execution on edge nodes close to users

Technology Elements

  • Multi-region edge node deployment and region-based traffic routing
  • Global load balancing based on Geo DNS or Anycast
  • Distribution of service touchpoints through PoP (Point of Presence) configuration

1.1.2. Screen Streaming

The browser screen running on the server is encoded as images or video and transmitted to users in real time. Because sending the full screen every frame wastes bandwidth, the Delta Encoding (Dirty Rectangle) approach is applied to extract and transmit only the changed areas. In addition, adaptive bitrate (ABR) technology dynamically adjusts image quality and transmission volume according to network conditions.

Delta Encoding streaming concept diagram that transmits only changed screen regions

Technology Elements

  • Changed-region transmission based on Delta Encoding / Dirty Rectangle
  • Video compression codecs such as H.264 and VP9, plus GPU-accelerated encoding
  • Automatic quality adjustment based on network conditions (ABR)
  • Low-latency real-time streaming based on WebRTC
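
The dirty-rectangle step described above, as an added example (not code from any RBI product): it compares two frames tile by tile, merges adjacent changed tiles, and sends only those pixels. Frames as lists of integer pixel rows and the 4-pixel tile size are assumptions made to keep the sample small.

```python
TILE = 4  # tile edge in pixels (assumption; real encoders use larger tiles)

def dirty_tiles(prev, curr, tile=TILE):
    """Return the set of (tx, ty) tile coordinates whose pixels differ."""
    if len(prev) != len(curr) or any(len(a) != len(b) for a, b in zip(prev, curr)):
        raise ValueError("frame size changed; send a full key frame instead")
    changed = set()
    for y, (row_a, row_b) in enumerate(zip(prev, curr)):
        if row_a == row_b:  # fast path: identical scanline
            continue
        for x, (a, b) in enumerate(zip(row_a, row_b)):
            if a != b:
                changed.add((x // tile, y // tile))
    return changed

def merge_rows(tiles, tile=TILE):
    """Merge horizontally adjacent dirty tiles into (x, y, w, h) pixel rectangles."""
    rects = []
    for ty in sorted({t[1] for t in tiles}):
        xs = sorted(t[0] for t in tiles if t[1] == ty)
        start = prev = xs[0]
        for tx in xs[1:] + [None]:  # None flushes the last run
            if tx is not None and tx == prev + 1:
                prev = tx
                continue
            rects.append((start * tile, ty * tile, (prev - start + 1) * tile, tile))
            start = prev = tx
    return rects

def delta_update(prev, curr, tile=TILE):
    """Server side: rectangles plus only the pixels inside them."""
    rects = merge_rows(dirty_tiles(prev, curr, tile), tile)
    return [(r, [row[r[0]:r[0] + r[2]] for row in curr[r[1]:r[1] + r[3]]]) for r in rects]

def apply_update(frame, update):
    """Client side: patch the previous frame in place with the received rectangles."""
    for (x, y, w, h), pixels in update:
        for dy, row in enumerate(pixels):
            frame[y + dy][x:x + len(row)] = row
    return frame

if __name__ == "__main__":
    # Constructed 16x16 frames in which three pixels change between frames.
    old = [[0] * 16 for _ in range(16)]
    new = [row[:] for row in old]
    new[1][1] = new[1][5] = 9
    new[14][14] = 7
    print([rect for rect, _ in delta_update(old, new)])
```
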

1.2. WebRTC Connection Technologies


In a WebRTC-based streaming environment, three core mechanisms work together to establish a real-time connection between client and server.

Flow diagram showing Signaling, STUN, and TURN operating together in a WebRTC connection

1.2.1. Signaling

Signaling is the negotiation performed in the initial stage of a WebRTC connection. The two sides exchange SDP (Session Description Protocol), which defines the communication methods (codec, resolution, encryption, etc.), and ICE (Interactive Connectivity Establishment) candidate information.

Technology Elements

  • Real-time message send/receive server based on WebSocket
  • Generation, parsing, and exchange processing of information required for connection (SDP)
  • User authentication and session state management (connection request/acceptance/termination)

1.2.2. STUN

STUN (Session Traversal Utilities for NAT) is a protocol used by clients in NAT environments to identify their public IP address and port.

Technology Elements

  • Building a STUN server or integrating with public STUN servers
  • Public IP/port collection by NAT type and ICE candidate generation processing

1.2.3. TURN

In environments where direct connection is impossible with STUN (strict firewalls, symmetric NAT, etc.), a TURN (Traversal Using Relays around NAT) server relays all data between clients.

Technology Elements

  • TURN server deployment, relay traffic processing, and bandwidth management
  • Authentication and access control based on TURN credentials
  • High availability (HA) and distributed architecture design, network cost optimization
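
One way to implement TURN credential-based access control, as an added example (not code from the original page): the signaling server issues short-lived credentials derived from a secret shared with the TURN server, so no per-user password is stored on the relay. It assumes the time-limited shared-secret scheme (the mode coturn enables with `use-auth-secret`); `TURN_URL`, the secret, and the user ID are constructed placeholders.

```python
import base64, hashlib, hmac, time

TURN_URL = "turns:turn.example.org:5349"  # hypothetical relay address

def _password(secret: bytes, username: str) -> str:
    """base64(HMAC-SHA1(shared secret, username))."""
    mac = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def issue_turn_credentials(secret, user_id, ttl=600, now=None):
    """Signaling server side: call only after the user has been authenticated.

    Returns an ICE server entry whose username embeds the expiry time.
    """
    expiry = int(time.time() if now is None else now) + ttl
    username = f"{expiry}:{user_id}"
    return {"urls": [TURN_URL], "username": username,
            "credential": _password(secret, username)}

def server_password_for(secret, username, now=None):
    """TURN server side: password that keys the message-integrity check, or None.

    The relay never receives the password; it recomputes it from the username,
    so an edited expiry yields a different key and the request fails.
    """
    expiry, sep, _user = username.partition(":")
    if not sep or not (expiry.isascii() and expiry.isdigit()):
        return None  # malformed username
    if int(expiry) < int(time.time() if now is None else now):
        return None  # credential expired
    return _password(secret, username)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    print(issue_turn_credentials(secret, "session-42"))
```
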

1.3. Cloud Infrastructure Technologies


1.3.1. Multi-Region

Because browser screen streaming is sensitive to network latency, traffic is routed to the closest server according to user location by leveraging global regions from cloud providers such as AWS, GCP, and Azure.

Multi-region architecture routing to the nearest cloud region based on user location

Technology Elements

  • Traffic routing based on Geo DNS or global load balancers
  • Regional infrastructure composition and Edge / PoP placement

1.3.2. High Availability

Since even a single browser session interruption directly affects user experience, the system is designed to eliminate single points of failure (SPOF). Servers are distributed across multiple availability zones, and when failures occur, load balancers automatically reroute (fail over) traffic to healthy servers.

High-availability failover diagram rerouting traffic when failures occur

Technology Elements

  • Load balancer-based traffic distribution and health checks
  • Multi-AZ deployment and Auto Scaling (automatic scale-out/scale-in)
  • Automatic failover and fault detection systems

1.3.3. Scalability

RBI requires as many browser instances as users. In other words, if 1,000 users connect, 1,000 browsers must run. To solve this problem, horizontal scaling and autoscaling are essential.

Technology Elements

  • Running browser instances based on Docker containers
  • Autoscaling through Kubernetes (K8s) orchestration
  • HPA (Horizontal Pod Autoscaler) policy design based on resource usage

1.4. Security Technologies


1.4.1. Security Isolation (Sandboxing)

Malicious code on web pages runs in an isolated server environment, not on user endpoints. Each session operates in an independent container or VM, and the environment is destroyed or reset when the session ends, which fundamentally blocks malware from persisting after the session.

Sandbox isolation architecture using containers or VMs separated from user endpoints

Technology Elements

  • Session-level isolated environment configuration based on Docker or VMs
  • Process and network isolation using Linux namespaces and cgroups
  • Automatic environment reset and disposal when sessions end

1.4.2. Zero Trust Security Model

Under the principle of "trust nothing by default," RBI continuously verifies not only external web content but also internal user access. This plays a critical role in preventing data leaks and insider threats in enterprise environments.

Concept diagram of a Zero Trust security model continuously validating all access requests

Technology Elements

  • MFA (Multi-Factor Authentication) and user authentication
  • Device posture checks and network condition verification
  • Access control based on policy engines such as OPA (Open Policy Agent)
  • Continuous session validity verification and application of the least-privilege principle

1.4.3. Security Inspection

Web content that users browse and files that they download are pre-analyzed on the server side. When malicious code or suspicious content is detected, downloads are blocked or warnings are provided to users.

Security inspection flow that examines web content and downloads to block threats

Technology Elements

  • Dynamic malware analysis using antivirus engines and sandboxing
  • URL/domain filtering and content policy inspection
  • File download blocking and security event logging system

1.5. Server Operations Technologies


1.5.1. Session Management

Each user is assigned a fully isolated browser instance, and login state, cookies, cache, and browsing history are managed independently.

Architecture that creates independent browser sessions per user and manages state separately

Technology Elements

  • Creation and isolation of per-user browser instances based on containers and VMs
  • Session state management (cookies/cache/login information) using distributed storage such as Redis
  • Session lifecycle management (create/maintain/expire/auto-cleanup)

1.5.2. Input Handling and Protection

Mouse and keyboard input events are delivered from the client to the server and reflected in the remote browser. Input data is encrypted in transit to prevent information theft caused by keylogging attacks.

Processing flow that encrypts client input events and delivers them to the remote browser

Technology Elements

  • TLS-based encrypted transmission of input events
  • Server-side input event processing and browser reflection logic
  • Use of WebSocket or WebRTC data channels for low-latency input handling

1.5.3. Network Optimization

Because RBI transmits browser screens in real time, bandwidth and latency control become key operational challenges as session counts increase. Continuously transmitting full frames causes network usage to surge, so transmitting only changed screen regions is essential. In addition, during degraded network conditions, codec compression ratio and bitrate must be dynamically adjusted to balance latency and image quality degradation.

Network optimization concept diagram controlling bandwidth and latency as sessions increase

Technology Elements

  • Changed-region extraction/transmission based on Delta Encoding / Dirty Rectangle
  • Encoding pipeline based on H.264 and VP9 with hardware acceleration
  • Automatic quality adjustment based on ABR (Adaptive Bitrate)
  • Transmission parameter tuning based on packet loss and latency monitoring

1.5.4. Monitoring and Operations Management

In large-scale browser session environments, CPU, memory, network, and process states must be collected and visualized in real time to detect anomalies early.

Operations dashboard monitoring CPU, memory, and network metrics

Technology Elements

  • System metric collection and dashboard composition
  • Log collection and distributed tracing based on ELK Stack (Elasticsearch, Logstash, Kibana) or OpenTelemetry
  • Threshold-based alerting and auto-healing systems

1.5.5. Browser Engine Optimization

In RBI, Chromium-based browsers are customized for lightweight server operation, removing unnecessary UI extensions and minimizing CPU and memory usage. Also, because security vulnerabilities are continuously discovered in browser engines, regular security patch application and a validated deployment strategy must be carried out together.

Diagram showing Chromium engine lightweight optimization and regular security patch deployment strategy

Technology Elements

  • Lightweight configuration based on Chromium headless mode and removal of unnecessary features
  • GPU acceleration and rendering pipeline optimization (off-screen rendering)
  • Resource usage limit configuration for CPU and memory (cgroup, ulimit, etc.)
  • Browser version management and security patch update strategy based on Blue/Green deployment