
E-Pro: Sys Admin Newsletter Jan 2005



The holiday season is over, for some it is simply called the gift giving and receiving season.  This Christmas took on some special meanings for me personally, ones that will change a person forever.  But to make this light-hearted as usual, let's talk about the useless gifts I saw that can do nothing to change a person forever.

The remote control finder was the first to poke its head out of a box.  Apparently we have become so lazy as a society that not only do we need remote controls to change channels on devices within 15 feet of us, but once we misplace the remote we can no longer function.  So in a moment of desperation, an inventor creates a device that lets you clap your hands three times to have the attachment on the remote chime or chirp to tell you where it is.  The irony is that you will probably have to walk to another room to clap, clap, clap and find the remote you set down when answering the door.  Of course, by then you could have changed the channel and sat back in the chair.  My advice: learn how to work the menu buttons on the actual TV or other electronic device.  No really, they have those same buttons and functionality on it, I promise.

Next out of the magic gift bag was a mobile phone that played streaming TV clips from a sports network.  Of course this was the ad on television for a new Nokia phone with enablement to watch up to 20 different channels by 2006.  With free Internet at many cafes, restaurants and people that don't know how to turn on WEP and hide SSID, do we feel that disconnected that TiVo is not even an option anymore?  Or are we so comfortable in our desires for media that we need to watch a slam dunk in basketball on a 2 inch diagonal screen?  I can't wait until my mobile phone comes with a remote control for the TV function so I can attach the remote control finder to it from above.

The Robosapien.  Yes that is the word of an actual product.  A small robot with a lot of humanoid qualities made by a scientist from NASA.  Now it does some cool things, but nothing productive at all.  Productive would include get the coffee, let the dog out (which barked at and chewed on Robosapien twice when he moved in the first place), pick up the kids from school and even rake the leaves at least.  But no, he gives kicks, high-fives and even picks up a ball with his little grippers.  Had he been able to pitch for the St Louis Cardinals in the last baseball season, we might have a useful toy here.


I feel obligated to point out that after the gift season comes Lotusphere a short time behind.  By the time this newsletter reaches your inbox, I will be approaching scramble mode in what needs to be completed in preparation, as well as handling the inbound calls that are starting due to our IBM Lotus Award for the 3rd time.  So join me in another, yet wonderfully improved, Lotusphere at the end of January.  The February newsletter will have all sorts of tidbits I gather during the conference and from the people I meet.


IdoNotes Mailbox: Domino Web Access and Reverse Proxy


Question:
Hi Chris,

Have a client that wants to make DWA available to travelling users. Been looking at notes.net and there are mixed ideas on how to do this. May I ask you what config you recommend? Is it reverse proxy or is it putting a Domino server in the DMZ which replicates with the inside server? If reverse proxy, can you point me to configuration documents which will help me set this up?

Many Thanks,
Frans Lombard

Answer:
Frans,
The reverse proxy makes the most sense in that no data is replicated out or exposed to the Internet, plus another layer of security is provided, as the reverse proxy can, in many instances, also offload the SSL traffic from the Domino server.

But let's cover a few of the issues with reverse proxies and working with Domino.  The following is taken from technote 1089765:

A Web browser user's requests pass through a reverse proxy or SSL accelerator before reaching the Domino server.  For certain requests, you see that the URL switches from HTTPS to HTTP or switches from the host name of the reverse proxy server to the internal Domino server's host name.


In both cases, the URL is generated by the Domino server when the response is a 302 redirection.  Domino builds the Location based on the host name and protocol used to reach the server.  So, in the case of an SSL accelerator, the browser request is HTTPS, but the accelerator's request to Domino is HTTP.  When Domino returns a Location, it returns it as HTTP.  It does not know that the browser originally requested HTTPS and was proxied by the accelerator.  In much the same way, if the browser sends a request to a reverse proxy server's host name, the reverse proxy server then makes the request on behalf of the browser, but with the internal host name of the Domino server.  Domino builds the Location in this case using its own host name, the name used to reach it by the reverse proxy server.  Again the Domino server cannot know that the original request was proxied.


For both cases, the best solution is for the SSL accelerator or reverse proxy server to inspect the response headers and modify the Location as desired.  This approach is also the best if there are both internal and external users: internal users may not be proxied, and therefore the Domino-generated Locations do not need to be modified, only those going to external users.  (Internal users may not be using SSL internally, and/or the internal host name is used to reach the server.)
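To make the technote's recommendation concrete, here is an added Python example (not IBM's or any proxy vendor's code) of the Location rewrite a reverse proxy or SSL accelerator has to perform for proxied clients only.  The host names, the external HTTPS scheme and the set of redirect status codes handled (the technote only mentions 302) are assumptions chosen for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example values (assumptions, not from the technote): browsers
# reach the proxy at https://mail.example.com, while the proxy reaches Domino
# over plain HTTP at its internal host name.
EXTERNAL_SCHEME = "https"
EXTERNAL_HOST = "mail.example.com"
INTERNAL_HOSTS = {"domino1.internal.example.com", "domino1.internal.example.com:80"}


def rewrite_location(location, proxied):
    """Rewrite a Domino-generated Location header for a proxied client.

    Domino builds the Location from the scheme and host the proxy used to
    reach it, so absolute redirects come back as http://<internal host>/...
    For proxied (external) clients the scheme and host the browser actually
    used are swapped in; unproxied internal clients keep the header as-is,
    which is what the technote recommends.
    """
    if not proxied:
        return location
    parts = urlsplit(location)
    if not parts.netloc:
        # Relative Location: the browser resolves it against the proxy URL,
        # so neither the internal host name nor plain HTTP leaks out.
        return location
    if parts.netloc.lower() not in INTERNAL_HOSTS:
        # Redirect to some other site; not ours to rewrite.
        return location
    return urlunsplit((EXTERNAL_SCHEME, EXTERNAL_HOST, parts.path, parts.query, parts.fragment))


def fix_redirect(status, headers, proxied):
    """Apply rewrite_location to the Location header of a redirect response.

    headers is a list of (name, value) pairs; non-redirect responses pass
    through untouched.
    """
    if status not in (301, 302, 303, 307):
        return headers
    return [
        (name, rewrite_location(value, proxied) if name.lower() == "location" else value)
        for name, value in headers
    ]
```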


There are also some known problems with enabling GZIP compression in Domino and then accessing compressed attachments through proxies.  One of the only solutions is to disable GZIP in Domino for now.

I would highly suggest reading the Notes.Net article showing how to add a reverse proxy and all the implications of adding each component to your infrastructure.  You may find that article here:
http://www-10.lotus.com/ldd/today.nsf/62f62847467a8f78052568a80055b380/a96b7591a013173185256c79005c1af3?OpenDocument&Highlight=0,reverse,proxy

Let me know which path you choose to take and which product if you choose the reverse proxy.

Chris



Connecting Sametime and Lotus Workplace with the Lotus Instant Messaging Gateway


With companies starting the deployment of Lotus Workplace for the deskless worker, Lotus has done some work to let you share instant messaging and presence awareness between Sametime in your Domino environment and Workplace.  It relies totally on the Lotus Instant Messaging Gateway.  To quote from IBM Lotus directly:

"A Sametime server and a Lotus Workplace server each use a different infrastructure to support presence and instant messaging functionality. The Sametime server uses an infrastructure based on the proprietary IBM Lotus Virtual Places (VP) protocol while the Lotus Workplace server uses an infrastructure based on the open standard Session Initiation Protocol (SIP).

The Lotus Instant Messaging Gateway serves as an intermediary, or translator, between the Sametime and Lotus Workplace platforms and performs operations that enable users connected to these two disparate platforms to communicate through presence and instant messaging."

There are some network considerations that you must follow to get this gateway working though.  As many of you know, Sametime makes use of TCP port 1516.  The Lotus Instant Messaging Gateway actually uses this port for all communications to the Sametime server.  So if the gateway resides outside of a firewall, then this port must be accessible between the two for communication to work properly.

The port used between the Lotus Workplace server and the Lotus Instant Messaging Gateway may be selected during configuration of the gateway, or you may allow Lotus Workplace to use any available port.  I personally prefer specifying the port number for ease of firewall and network administration.  The communication over this port will utilize TLS (Transport Layer Security) for transmitting instant messages.  In addition, you must make port 5061 available for Lotus Workplace to talk to the gateway for certain other communications.

The ports above are the defaults; an administrator can configure alternates.  I would refer to the administrator guides for all the products if you plan on modifying the default ports.

One key thing to note about using the Lotus Instant Messaging Gateway: reverse proxies are NOT supported in either direction between the gateway and Sametime or Workplace.


From the IdoNotes mailbox: Users Receiving Mail For Other Domains


Chris,

We have a situation where we accept mail for numerous domains.  But, we only want certain individuals to receive mail for their company name only.  But mail can be received by them under any of the domain names.  We have set the server configuration to FullName only match for inbound SMTP mail but it does not seem to make a difference.  Any insight?

Mitch


Well Mitch, this one is not as bad as you think.  I know you have a Global Domain document that lists the primary and all the secondary domains that your server will accept mail for.  Unfortunately, the way Domino behaves in this instance is that it searches for an exact match on the first pass and then strips everything to the right of the @ sign for a second pass until it finds a match in ($Users).  Once it does that, it delivers the message.

But there is hope!  If you simply move the secondary domains in question to their own Global Domain documents, it will no longer behave like this.  For an excerpt of the documentation, we turn to technote #1192804 (http://www.support.lotus.com):

When the Internet Address Lookup is "FullName Only", the Domino Server performs a lookup in the Domino Directory ($Users) view for an exact match of the recipient address in the "RCPT To:" Field of the message header (e.g., JDOE@DomainB.com).  If this exact string is not found in the ($Users) view, then the Domino Server will check the domain part of the address (everything to the right of the @ Sign).  If it is an alias of the primary local Internet domain, Domino will replace this value with the actual primary local Internet address and then perform another search.


In this case, the Domino search initially looks for a match to "JDOE@DomainB.com" and finds zero matches.  It then performs part 2 of its function: as there is an alias in the Global Domain document that matches DomainB.com, it replaces the local Internet domain with "DomainA.com" (the primary Internet domain).  The second search then matches "JDOE@DomainA.com", which results in the delivery of this mail to the user John Doe/DomainA.


To prevent this behavior and force Domino to only deliver mail that is addressed to the exact string in the Person document, remove any aliases mentioned in the Global Domain document of the primary domain.  If the SMTP server accepts messages addressed to more than one Internet domain, then the solution in this situation is to create a separate Global Domain document for each Internet domain.


In the above scenario (with two Global Domain documents), this would cause a message addressed to "JDOE@DomainB.com" to be rejected and not delivered to John Doe/DomainA.
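The two-pass lookup quoted above, modelled as an added Python example (this is not Domino code; the ($Users) view, the user John Doe/DomainA and both Global Domain layouts are constructed to match the technote's scenario).  Run with one Global Domain document carrying DomainB.com as an alias, JDOE@DomainB.com is delivered; with a separate document per domain, the same address is rejected.

```python
# Constructed ($Users) view: Internet address -> Person document name.
# (An assumption for the example, not Domino's real view structure.)
USERS_VIEW = {
    "jdoe@domaina.com": "John Doe/DomainA",
}

# Layout 1: a single Global Domain document listing DomainB.com as an alias
# of the primary local Internet domain DomainA.com (Mitch's situation).
SINGLE_DOC = [{"primary": "domaina.com", "aliases": {"domainb.com"}}]

# Layout 2: the technote's fix, one Global Domain document per domain,
# with no aliases in the primary domain's document.
SEPARATE_DOCS = [
    {"primary": "domaina.com", "aliases": set()},
    {"primary": "domainb.com", "aliases": set()},
]


def lookup_fullname_only(rcpt_to, global_domain_docs, users_view=USERS_VIEW):
    """Model of Internet Address Lookup = "FullName Only".

    Pass 1: exact match of the RCPT TO address in ($Users).
    Pass 2: if the domain part (everything right of the @) is an alias of a
    primary local Internet domain in a Global Domain document, swap in that
    primary domain and search again.
    Returns the Person document name, or None when the message is rejected.
    Internet addresses are compared case-insensitively.
    """
    address = rcpt_to.strip().lower()
    hit = users_view.get(address)
    if hit:
        return hit
    if "@" not in address:
        return None
    local_part, domain = address.rsplit("@", 1)
    for doc in global_domain_docs:
        if domain in doc["aliases"]:
            return users_view.get(f"{local_part}@{doc['primary']}")
    return None
```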



What is missing in the Domino Web Administrator client?


If you have not played with webadmin.nsf in Domino 6.x, you are missing an incredible treat for remote administration work when you have no Notes client around or http/https is the only access available to that server.  I recommend only using this tool over https when on the public Internet.  Since you are passing your administrator username and password and then working with live control of a Domino server, take the extra time to purchase an SSL certificate or at least create your own self-signed one.

Most of the functionality you would receive from the Notes client may now be found in the web interface.  Even the GUI is coming along to be an exact duplicate.  That makes for easy navigation and efficiency when you do not have to learn another UI.  I know that was just one of the thoughts when they developed the tool.

What I wanted to provide in this tip was a list of things you could NOT do with the Web Administrator in Domino 6.  For one thing, it is a much shorter list than the things you can do. :-)  I follow each bullet with a quick thought of my own.

Things you cannot do using the Domino Web Administrator:

  • Use the Web Administrator to create Setup or Desktop policy settings documents. (this one confused me since I thought a limited desktop or setup policy could be specified.  Maybe not everything, but a good portion could be done)
  • Add database links used to set up bookmarks or custom Welcome pages. (of course since there is no doclink creation ability from the web)
  • The Assign Policy tool is not available in the Web Administrator.  (once again assigning the policy can be done manually, so I see this tool coming late)
  • Enable statistic report generation. (This would be great for remote administrators that need statistics)
  • Configure a server for SSL during the server registration process.  (I actually like that this is forced through the Notes client for numerous reasons)

Clustering
  • Upgrade existing users for roaming.  (As this feature is still growing in usage, I can wait)
  • Remove a server from a cluster.  (Another thing I think could be done with AdminP requests)
  • Create a cluster.  (Same as above, let us kick off AdminP on creating the cluster)

Registering Users
  • Can only register users with the CA process. (If you have not investigated the CA Process, definitely explore this option!  No more worries about carrying the certifier or who has access.  You control it all from who can register and using what certifier through roles)
  • Set registration preferences in the Web Administrator. (Makes sense since the preferences are stored locally in the Notes client)
  • Can only use the registration settings in the CA and in the Registration policy settings document.  (Makes sense since you are using the CA to register the users and not the actual certifier id from the Notes client)

As you can see that is not a huge list of items anymore.  It continually shrinks and the addition of the CA process was a huge leap.  Keep in mind if someone will be using the CA process through a web interface, you want to check your security settings for remote console access to the servers also.