By Kevin Cook, Principal Solutions Architect, Automotive & Manufacturing – AWS
By Anubhav Sharma, Principal Solutions Architect – AWS SaaS Factory
By Areti Gourzis, Associate Director, Enterprise Portfolio – LenelS2 Product Management
By Bill Tarr, Principal Solutions Architect – AWS SaaS Factory


A software-as-a-service (SaaS) delivery model offers value to both SaaS providers and their end customers (tenants). Tenants enjoy the advantages of the SaaS model by paying only for actual usage in the cloud instead of perpetual licenses. In addition, by using the SaaS model, tenants don’t have to worry about installing, upgrading, or managing on-premises-based installations.

Realizing these mutual benefits, LenelS2, a Carrier company, began offering OnGuard, its on-premises-based physical access control software, as a service in the cloud. OnGuard Cloud is a cloud-based solution using the SaaS delivery model with consumption-based pricing.

LenelS2’s OnGuard software is a leader in comprehensive physical access control systems for the enterprise. It integrates access control, video surveillance, intrusion detection, and identity management into a unified platform, managing card access, biometrics, intercoms, elevators, and other building systems.

Originally launched in the late 1990s, OnGuard uses a Windows-based client-server architecture. It offers a thick client for physical security administrators to manage access control systems using their standard desktops.

To modernize OnGuard, LenelS2 began with the goal of re-architecting its desktop-based application into a cloud-native and web-based SaaS application. The team modernized several modules to no longer require the use of a thick client, but LenelS2 soon realized that refactoring a well-established production code base would take considerable time and could significantly affect SaaS rollout timelines.

LenelS2 needed an immediate, cost-effective solution that helped them to go-to-market with their SaaS strategy quickly.

“As an established company with a complex Windows application, we faced high barriers to transitioning to a cloud-based SaaS model. To launch OnGuard Cloud, we would have needed to dedicate years to refactoring our legacy architecture. Amazon AppStream 2.0 gave us an innovative fast track, delivering our application as a scalable cloud service without risky and time-consuming code changes. This will quickly expand access for new customers globally. By collaborating with AWS, we rapidly evolved our business to meet market demands, greatly accelerating our SaaS capabilities and revenue potential.” ~ Kumar Sokka, Global President/GM at LenelS2, a Carrier company

In this post, we discuss how LenelS2 converted its existing OnGuard thick client-based application into a SaaS solution by using Amazon AppStream 2.0 multi-session functionality. LenelS2 was able to stream the OnGuard desktop application to users over the internet, without re-architecting the underlying application. LenelS2 moved to a SaaS model using AppStream 2.0 in weeks.

Ultimately, AppStream 2.0 will be a stepping stone in LenelS2’s journey towards full modernization and refactoring of the OnGuard thick client.

AppStream 2.0 with Multi-Session Capabilities

Amazon AppStream 2.0 is a fully managed service that offers software providers an option for migrating existing desktop applications into a cloud-based SaaS deployment model without refactoring. OnGuard Cloud customers consume the OnGuard thick client via AppStream 2.0 on any device via web browser. Customers immediately benefit from no longer having to maintain the thick client application on their hardware.

With AppStream 2.0, SaaS providers benefit from the use of modern identity providers with SAML 2.0; this includes federation with customer identity stores such as Active Directory. Improved insights into usage patterns can also be derived with added application telemetry and analysis of the AppStream 2.0 logs.

In 2023, AppStream 2.0 introduced multi-session fleets that allows providers to run multiple user sessions on the same underlying AppStream 2.0 instance. This provides a cost-effective approach for the scale required by a SaaS provider.

Multi-session capability improves resource utilization by having multiple users of a tenant share underlying resources for each AppStream 2.0 instance. It also helps reduce operational costs per user compared with a one-to-one user-to-instance arrangement. Multi-session fleets provide strong tenant isolation and security, as each tenant is provisioned with a dedicated AppStream 2.0 fleet.

Solution Architecture

LenelS2 needed a solution where it could create separate resources per tenant, opting for an AWS account per tenant siloed SaaS isolation model. This also matches OnGuard’s on-premises deployment model, which does not natively support a pool isolation model.

Figure 1 shows the high-level OnGuard Cloud deployment model. Each tenant gets an AWS account, with their own AppStream 2.0, application, and database server instances, along with a dedicated Amazon Simple Storage Service (Amazon S3) bucket.

Figure 1 – Account per tenant siloed isolation model.

To reduce the cost footprint of its SaaS application, LenelS2 chose the multi-session capability of Amazon AppStream 2.0. Users within the same tenant share underlying AppStream 2.0 instances, reducing the cost footprint of LenelS2’s SaaS application by up to 80%.

“Service optimization is very important to the OnGuard Cloud offering. We want to carefully manage our cloud costs so we can extend the highest value to our end customers. AppStream 2.0’s multi-session capability helps us to meet that goal. Being able to scale the number of users permitted into OnGuard Cloud in real-time is critical to the success of our operations, and managing our customers’ needs.” ~ Areti Gourzis, Associate Director for Product Management at LenelS2, a Carrier Company

Amazon AppStream 2.0 multi-session fleets include support for Fleet Auto Scaling, performance monitoring to match available resources with user demand, and tracking of underlying resources. This enables LenelS2 to optimize and fine-tune performance and resource utilization by adjusting the number of users on each instance.

Users connect to AppStream 2.0 through a secure streaming gateway to access the OnGuard Client, which (installed on the AppStream 2.0 instance) securely connects to the application server hosted inside the tenant’s dedicated virtual private cloud (VPC).

OnGuard also supports a rich third-party partner ecosystem. A siloed SaaS model enables LenelS2 to deploy extensions and third-party add-ons as required by the customer, without worrying about impacting other customers.

LenelS2 uses the AWS Cloud Development Kit (CDK) to build infrastructure as code (IaC) that automatically deploys a new tenant environment for each new customer. LenelS2 also followed the best practices of automated tenant provisioning, automated release management, and centralized observability. This enables the team to provision and update tenant deployments centrally, reaping the full benefits of a SaaS model.

Customer Benefits

In an on-premises model, upgrading the OnGuard thick client can take hours or days to complete across hundreds or thousands of Windows desktops. Significant planning is required to synchronize the upgrade of the server software at the same time as desktop software upgrades are rolled out. Because of the burden of upgrading, downtime required, and the advanced planning and orchestration required, some OnGuard customers have been running earlier versions of OnGuard.

LenelS2 overcame these challenges for customers by configuring a single AppStream 2.0 Fleet for all users of a tenant. Using this approach, LenelS2 builds an AppStream 2.0 image specific to each release. As the image is applied to the tenant AppStream 2.0 instance, it synchronizes the update of the backend application server.

By using this approach, LenelS2 reduced the OnGuard Cloud upgrade scope from potentially thousands of Windows thick clients to one AppStream 2.0 upgrade. This cloud-based SaaS model provides LenelS2 control to minimize the impact as it rolls out releases for customers.

In addition, LenelS2 gains application insights to help tune its roadmap to address the most critical needs of customers. By taking advantage of AppStream 2.0 features like AppStream 2.0 Usage Reports, LenelS2 can identify how customers are interacting with the OnGuard client.


LenelS2 uses Amazon AppStream 2.0 to gain the immediate benefits of multi-session application streaming and version maintenance for OnGuard Cloud.

LenelS2 was also able to migrate to a SaaS model in weeks using Amazon AppStream 2.0. Getting to market quickly with its SaaS offering helps LenelS2 incrementally re-architect the OnGuard thick client with a cloud-native, web-based approach.

LenelS2’s long-term goal is to use a fully cloud-native technology pattern. Until that work is complete, however, AppStream 2.0 helped the team launch OnGuard Cloud while shielding their customers from underlying modernization changes. This provides value both to LenelS2 and end customers.

About AWS SaaS Factory

AWS SaaS Factory helps organizations at any stage of the SaaS development journey. Whether looking to build new products, migrate existing applications, or optimize SaaS solutions on AWS, we can help. Visit the AWS SaaS Factory Insights Hub to discover more technical and business content and best practices.

SaaS builders are encouraged to contact their AWS account representative to inquire about engagement models and to work directly with the AWS SaaS Factory team.

Build and scale your SaaS business. Visit the SaaS on AWS website to start leveraging resources today.

Carrier – AWS Partner Spotlight

Carrier is an AWS Partner and global leader in intelligent climate and energy solutions. LenelS2, a Carrier company, provides advanced physical security solutions, including access control, video surveillance and mobile credentialing.

Contact Carrier | Partner Overview