I have been writing the monthly newsletter with extended commentary for over twelve years now. That means every month for 144 editions you have seen 4-5 articles (that is well over 600 that are now available right here on IdoNotes). Well I definitely am not stopping that part of IdoNotes and will continue it as part of my own site and newsletters.
So here is what you need to do to make sure you get the newsletters: subscribe via this web form or the button above.
Sponsors: I will be looking for sponsors to cover the cost of the services needed to manage such a large listing. Get in touch right away as I am thinking of early bird models versus those that want in later.
In this August 2009 issue, I cover the following topics:
* From the Editor: Chris's 0.0160760 AZN
* From the IdoNotes Mailbox: Sources for DAOS Documentation
* Sync Tool for Lotus Notes Contacts
* Quick Tip: Customizing the Lotus Notes Install Kit
* From the IdoNotes Mailbox: Reverse Proxy and iNotes 8.5 (The Conversation)
Remember you only have a few days left to buy CertFX exams at 25% off with the code "IamLUG" from the above banner
The holiday season is over, for some it is simply called the gift giving and receiving season. This Christmas took on some special meanings for me personally, ones that will change a person forever. But to make this light-hearted as usual, let's talk about the useless gifts I saw that can do nothing to change a person forever.
The remote control finder was the first to poke its head out of a box. Apparently we have become so lazy as a society that not only do we need remote controls to change channels on devices within 15 feet, but once we misplace the remote we can no longer function. So in a moment of desperation, an inventor creates a device that lets you clap your hands three times to have the attachment on the remote chime or chirp to tell you where it is. The irony is that you might find it probable to have to walk to another room to clap, clap, clap and find the remote you set down when answering the door. Of course, by then you could have changed the channel and sat back in the chair. My advice: learn how to work the menu buttons on the actual TV or other electronic device. No really, they have those same buttons and functionality on it, I promise.
Next out of the magic gift bag was a mobile phone that played streaming TV clips from a sports network. Of course this was the ad on television for a new Nokia phone with enablement to watch up to 20 different channels by 2006. With free Internet at many cafes, restaurants and people that don't know how to turn on WEP and hide SSID, do we feel that disconnected that TiVo is not even an option anymore? Or are we so comfortable in our desires for media that we need to watch a slam dunk in basketball on a 2 inch diagonal screen? I can't wait until my mobile phone comes with a remote control for the TV function so I can attach the remote control finder to it from above.
The Robosapien. Yes that is the word of an actual product. A small robot with a lot of humanoid qualities made by a scientist from NASA. Now it does some cool things, but nothing productive at all. Productive would include get the coffee, let the dog out (which barked at and chewed on Robosapien twice when he moved in the first place), pick up the kids from school and even rake the leaves at least. But no, he gives kicks, high-fives and even picks up a ball with his little grippers. Had he been able to pitch for the St Louis Cardinals in the last baseball season, we might have a useful toy here.
I feel obligated to point out that after the gift season comes Lotusphere a short time behind. By the time this newsletter reaches your inbox, I will be approaching scramble mode in what needs to be completed in preparation, as well as handling the inbound calls that are starting due to our IBM Lotus Award for the 3rd time. So join me in another, yet wonderfully improved, Lotusphere at the end of January. The February newsletter will have all sorts of tidbits I gather during the conference and from the people I meet.
IdoNotes Mailbox: Domino Web Access and Reverse Proxy
Have a client that wants to make DWA available to travelling users. Been looking at notes.net and there are mixed ideas on how to do this. May I ask you what config you recommend. Is it reverse proxy or is it putting a Domino server in the DMZ which replicates with the inside server? If reverse proxy, can you point me to configuration documents which will help me set this up?
The reverse proxy makes the most sense in that no data is replicated out or exposed to the Internet, plus another layer of security is provided as the reverse proxy can, in many instances, also offload the SSL traffic from the Domino server.
But let's cover a few of the issues with reverse proxies working in front of Domino, as described in technote 1089765:
A Web browser user's requests pass through a reverse proxy or SSL accelerator before reaching the Domino server. For certain requests, you see that the URL switches from HTTPS to HTTP or switches from the host name of the reverse proxy server to the internal Domino's server's host name.
In both cases, the URL is generated by the Domino server when the response is a 302 redirection. Domino builds the Location based on the host name and protocol used to reach the server. So, in the case of an SSL accelerator, the browser request is HTTPS, but the accelerator's request to Domino is HTTP. When Domino returns a Location, it returns it as HTTP. It does not know that the browser originally requested HTTPS and was proxied by the accelerator. In much the same way, if the browser sends a request to a reverse proxy server's host name, the reverse proxy server then makes the request on behalf of the browser, but with the internal host name of the Domino server. Domino builds the Location in this case using its own host name, the name used to reach it by the reverse proxy server. Again the Domino server cannot know that the original request was proxied.
For both cases, the best solution is for the SSL accelerator or reverse proxy server to view the return header and modify the Location as desired. This scenario is also the best if there are both internal and external users. Internal users may not be proxied, and therefore the Domino-generated Locations do not need to be modified, only those going to external users. (Internal users may not be using SSL internally, and/or the internal host name is used to reach the server).
There are also some known problems with enabling GZIP compression in Domino and trying to access these attachments through proxies. One of the only solutions is to disable GZIP in Domino for now.
I would highly suggest reading the Notes.Net article showing how to add a reverse proxy and all the implications of adding each component to your infrastructure. You may find that article here.
Let me know which path you choose to take and which product if you choose the reverse proxy.
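The Location fix from the technote above, as an added example that is not part of the newsletter or of any proxy product: the proxy knows the scheme and host name the browser actually used, so it rewrites only the Location header of a redirect whose host is Domino's internal name (or the public name reached over plain HTTP behind an SSL accelerator), and leaves relative or third-party redirects and unproxied internal users alone. The host names are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example values (hypothetical, not from the page): the name external
# users reach the proxy under, and the internal name Domino puts into Location headers.
PUBLIC_HOST = "mail.example.com"
INTERNAL_HOSTS = {"domino1.internal.example.com"}


def _canonical_host(netloc, scheme):
    """Lower-case the host and drop an explicit default port (":80" / ":443")."""
    host, sep, port = netloc.lower().rpartition(":")
    if sep and port.isdigit() and (
        (scheme == "http" and port == "80") or (scheme == "https" and port == "443")
    ):
        return host
    return netloc.lower()


def rewrite_location(location, client_scheme, client_host,
                     internal_hosts=INTERNAL_HOSTS, public_host=PUBLIC_HOST):
    """Rewrite a Domino-generated Location so the browser comes back through the proxy
    with the scheme and host it originally used (SSL accelerator and reverse proxy cases)."""
    parts = urlsplit(location)
    if not parts.scheme or not parts.netloc:
        # Relative redirect: the browser resolves it against the proxied URL, nothing to fix.
        return location
    host = _canonical_host(parts.netloc, parts.scheme)
    if host not in internal_hosts and host != public_host:
        # Redirect to an unrelated site: leave it untouched.
        return location
    return urlunsplit((client_scheme, client_host, parts.path, parts.query, parts.fragment))


def rewrite_response_headers(status, headers, client_scheme, client_host, proxied=True):
    """Apply rewrite_location to the Location header of a 3xx response.

    headers is a list of (name, value) pairs as the proxy holds them. proxied=False
    models an internal user who reached Domino directly: their headers are not changed."""
    if not proxied or not 300 <= status < 400:
        return list(headers)
    return [
        (name, rewrite_location(value, client_scheme, client_host)
         if name.lower() == "location" else value)
        for name, value in headers
    ]


if __name__ == "__main__":
    # Constructed 302 as Domino would return it to the proxy over plain HTTP.
    domino_headers = [("Location", "http://domino1.internal.example.com/names.nsf?Login"),
                      ("Content-Type", "text/html")]
    print(rewrite_response_headers(302, domino_headers, "https", PUBLIC_HOST))
```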
Connecting Sametime and Lotus Workplace with the Lotus Instant Messaging Gateway
With companies starting the deployment of Lotus Workplace for the deskless worker, Lotus has done some work to let you share instant messaging and presence awareness between Sametime in your Domino environment and Workplace. It relies totally on the Lotus Instant Messaging Gateway. To quote from IBM Lotus directly
"A Sametime server and a Lotus Workplace server each use a different infrastructure to support presence and instant messaging functionality. The Sametime server uses an infrastructure based on the proprietary IBM Lotus Virtual Places (VP) protocol while the Lotus Workplace server uses an infrastructure based on the open standard Session Initiation Protocol (SIP).
The Lotus Instant Messaging Gateway serves as an intermediary, or translator, between the Sametime and Lotus Workplace platforms and performs operations that enable users connected to these two disparate platforms to communicate through presence and instant messaging."
There are some network considerations that you must follow to get this gateway working though. As many of you know, Sametime makes use of TCP port 1516. The Lotus Instant Messaging Gateway actually uses this port for all communications to the Sametime server. So if the gateway resides outside of a firewall, then this port must be accessible between the two for communication to work properly.
The port used between the Lotus Workplace server and the Lotus Instant Messaging Gateway may be selected during configuration of the gateway, or you may allow Lotus Workplace to use any available port. I personally prefer specifying the port number for ease of firewall and network administration. The communication over this port will utilize TLS (Transport Layer Security) for transmitting instant messages. Now, you must make available port 5061 for Lotus Workplace to talk to the gateway for certain other communications.
The above ports are the default ports, so the administrator can configure alternates. I would refer to the administrator guides for all the products if you plan on modifying the default ports.
One key thing to note about using the Lotus Instant Messaging Gateway. Reverse proxies are NOT supported in either direction between the gateway and Sametime or Workplace.
From the IdoNotes mailbox: Users Receiving Mail For Other Domains
We have a situation where we accept mail for numerous domains. But, we only want certain individuals to receive mail for their company name only. But mail can be received by them under any of the domain names. We have set the server configuration to FullName only match for inbound SMTP mail but it does not seem to make a difference. Any insight?
Well Mitch, this one is not as bad as you think. I know you have a Global Domain document that lists the primary and all the secondary domains that your server will accept mail for. Unfortunately, the way Domino behaves in this instance is that it searches for an exact match the first time through, then strips everything to the right of the @ sign for a second pass until it finds a match in ($Users). Once it does that, it delivers the message.
But there is hope! If you simply move the secondary domains necessary to their own Global Domain documents, it will no longer behave like this. For an excerpt of the documentation, we turn to technote #1192804 (http://www.support.lotus.com)
When the Internet Address Lookup is "FullName Only", the Domino Server performs a lookup in the Domino Directory ($Users) view for an exact match of the recipient address in the "RCPT To:" Field of the message header (e.g., JDOE@DomainB.com). If this exact string is not found in the ($Users) view, then the Domino Server will check the domain part of the address (everything to the right of the @ Sign). If it is an alias of the primary local Internet domain, Domino will replace this value with the actual primary local Internet address and then perform another search.
In this case, the Domino search initially looks for a match to "JDOE@DomainB.com" and found zero matches. It then performs part 2 of its function and as there is an alias in the Global Domain document that matches DomainB.com and replaces the local Internet domain with "DomainA.com" (the primary Internet domain). Then, the second search performs a match for "JDOE@DomainA.com" which results in the delivery of this mail to the user, John Doe/DomainA.
To prevent this behavior and force Domino to only deliver mail that is addressed to the exact string in the Person document, remove any aliases mentioned in the Global Domain document of the primary domain. If the SMTP server accepts messages addressed to more than one Internet domain, then the solution in this situation is to create a separate Global Domain document for each Internet domain.
In the above scenario (with two Global Domain documents), this would cause a message addressed to "JDOE@DomainB.com" to be rejected and not delivered to John Doe/DomainA.
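The two-pass lookup from technote 1192804, modelled in code as an added example (not Domino's implementation and not from the newsletter): a dictionary stands in for the ($Users) view, and the same RCPT TO addresses are resolved under one Global Domain document with an alias versus separate Global Domain documents. The directory entries and domain names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class GlobalDomain:
    """One Global Domain document: a primary Internet domain plus its alias domains."""
    primary: str
    aliases: set = field(default_factory=set)


def resolve_recipient(rcpt_to, users_view, global_domains):
    """Model of Domino's 'FullName Only' Internet address lookup (technote 1192804).

    users_view maps lower-cased Internet addresses from Person documents to the
    hierarchical Notes name (a stand-in for the ($Users) view). Returns the Notes
    name to deliver to, or None when the message would be rejected."""
    address = rcpt_to.lower()
    if address in users_view:            # pass 1: exact match on the RCPT TO address
        return users_view[address]
    local, _, domain = address.rpartition("@")
    for doc in global_domains:           # pass 2: alias domain -> primary domain, search again
        if domain in {alias.lower() for alias in doc.aliases}:
            return users_view.get(f"{local}@{doc.primary.lower()}")
    return None


# Constructed directory: John has only a DomainA address, Jane only a DomainB one.
USERS = {
    "jdoe@domaina.com": "John Doe/DomainA",
    "jane@domainb.com": "Jane Roe/DomainB",
}

# Configuration from the question: one Global Domain document with DomainB as an alias.
ONE_GLOBAL_DOMAIN = [GlobalDomain("DomainA.com", {"DomainB.com"})]
# Configuration from the fix: a separate Global Domain document per Internet domain.
SEPARATE_GLOBAL_DOMAINS = [GlobalDomain("DomainA.com"), GlobalDomain("DomainB.com")]

PROBE_ADDRESSES = ("JDOE@DomainA.com", "JDOE@DomainB.com", "JANE@DomainB.com", "JANE@DomainA.com")


def lookup_matrix(global_domains):
    """Resolve the probe addresses under a given Global Domain configuration."""
    return {addr: resolve_recipient(addr, USERS, global_domains) for addr in PROBE_ADDRESSES}


if __name__ == "__main__":
    for label, docs in (("one document", ONE_GLOBAL_DOMAIN), ("separate documents", SEPARATE_GLOBAL_DOMAINS)):
        print(label)
        for addr, who in lookup_matrix(docs).items():
            print(f"  {addr:18} -> {who or 'rejected'}")
```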
What is missing in the Domino Web Administrator client?
If you have not played with webadmin.nsf in Domino 6.x you are missing an incredible treat for remote administration work when you have no Notes client around or http/https is the only access available to that server. I recommend only using this tool over https when on the public Internet. Since you are passing your administrator username and password and then working with live control of a Domino server, take the extra time to purchase an SSL certificate or at least create your own self-signed one.
Most of the functionality you would receive from the Notes client may now be found in the web interface. Even the GUI is coming along to be an exact duplicate. That makes for easy navigation and efficiency when you do not have to learn another UI. I know that was just one of the thoughts when they developed the tool.
What I wanted to provide in this tip was a list of things you could NOT do with the Web Administrator in Domino 6. For one thing it is a much shorter list than the things you can do. :-) I then follow each bullet with a quick thought from me.
Things you cannot do using the Domino Web Administrator:
- Use the Web Administrator to create Setup or Desktop policy settings documents. (this one confused me since I thought a limited desktop or setup policy could be specified. Maybe not everything, but a good portion could be done)
- Add database links used to set up bookmarks or custom Welcome pages. (of course since there is no doclink creation ability from the web)
- The Assign Policy tool is not available in the Web Administrator. (once again assigning the policy can be done manually, so I see this tool coming late)
- Enable statistic report generation. (This would be great for remote administrators that need statistics)
- Configure a server for SSL during the server registration process. (I actually like that this is forced through the Notes client for numerous reasons)
- Upgrade existing users for roaming. (As this feature is still growing in usage, I can wait)
- Remove a server from a cluster. (Another thing I think could be done with AdminP requests)
- Create a cluster. (Same as above, let us kick off AdminP on creating the cluster)
- Can only register users with the CA process. (If you have not investigated the CA Process, definitely explore this option! No more worries about carrying the certifier or who has access. You control it all from who can register and using what certifier through roles)
- Set registration preferences in the Web Administrator. (Makes sense since the preferences are stored locally in the Notes client)
- Can only use the registration settings in the CA and in the Registration policy settings document. (Makes sense since you are using the CA to register the users and not the actual certifier id from the Notes client)
As you can see that is not a huge list of items anymore. It continually shrinks and the addition of the CA process was a huge leap. Keep in mind if someone will be using the CA process through a web interface, you want to check your security settings for remote console access to the servers also.
The main part was the actual installation. For those of you who've done IBM Lotus Workplace at all, you know there are numerous pieces just for the basic functionality. ILWWCM holds its own there also. While the required software is much simpler, the time spent changing local configuration files is where you need to have patience and attention to detail. One wrong character and you can find yourself going back through every step. I would definitely use the Websphere error logs and some of the built-in scripts to test as you go along.
Having said that and finished the installation, I'll add that the user interface was nice and consistent across each area of the content management. You have to get used to refreshing the screen each time you add something new, as it does not do it for you automatically when saving. (That would be a big benefit). I bring this up because if you do not refresh and you try to use what you just created while in another component, it will not even show there.
You can head over to my blog for a fuller account of what transpired. Until then we will keep on guest blogging and await Libby's
I returned from Copenhagen (Admin2004 Europe) with more than just a new country that I have never visited before. I met some wonderful people everywhere we went around the city. From those people and the others at the conference, from other numerous countries, I gained an understanding of how they view Domino technology and certification. I asked the same basic questions in each session and was surprised by the consistent feedback and input from the attendees.
In terms of Domino technology, there were few people who had aggressively upgraded their environment, especially when it was working successfully in the current state. I compared that to many of the companies here that move ahead quickly in the versions, or at least test the new versions as soon as they can download the code. Much of the feedback I received when we were discussing new features was that they understood what was available, but how could they do it with the version they were running? Some had no choice but to implement a Domino 6.5.1 server: to use Domino's built-in spam protection options, for example. So, they upgraded some elements while the rest of the internal infrastructure remained at 4.6.3b due to how stable it was for them and the fear of upgrading hardware. One site even went so far as to say that the servers will stay R5 well past the time Lotus stops support since they have heavily customized the mail template and do not have the resources to test it on Domino 6 or 7. Plus they are stable and happy with the infrastructure.
Now certification has another twist. I went to the Lotus Certification pages to gather some statistics before writing this part. Before stating what I found from visiting with everyone in Copenhagen, here is some basic statistical information as of November 1, 2004:
- Lotus Workplace currently has 10 total certified individuals (I am one of the US administrators) with all the developers being in EMEA.
- Notes/Domino 6 certified individuals shows almost 2,000 more people in EMEA than the US/Canada
- Collaborative Solutions Certified are almost identical across the US/Canada and EMEA
- The number of people certified in Domino Release 5 has EMEA far exceeding the US/Canada by almost 9,000 people
Just my 0.116969 DKK for this trip.
Today's Underexposed Cool Tool: Domino Web Access Skin Editor
At Lotusphere 2004, Lotus debuted a new utility that is not part of the installation of the Notes client or Domino server. It allows you to greatly modify the Domino Web Access (DWA or iNotes) skins.
The types of changes you can make are:
- Placement of objects on the view pages
- Placement of objects on the form pages ("new" and "edit" pages)
- Add/remove objects from either the view or form pages
- Modify color and style of all objects on the page (via CSS rules in the StyleSheet.css file)
Lotus strongly recommends, as you see in the notes on the download page, that you back up forms5.nsf or forms6.nsf so if you do make any changes that do not function, you can always roll back to the standard templates without reinstalling to get the databases back.
The program is designed to run locally, according to the documentation, and here are some of the functionality highlights, taken directly from the download page:
After you open a Forms6.nsf (or Forms5.nsf) database, this tool displays a list of the skin groups. There is a skin group for Internet Explorer, for Mozilla, and for all other browsers. Choosing a skin group populates the skins selection control. Select one of these skins to view the HTML or CSS content.
Administration Tip: A Recent Sametime and LDAP Issue
A customer of ours has successfully been using Lotus Instant Messaging (Sametime) with authentication provided through LDAP. Everything seemed to work great for some time and then the issues began. At some points no one could log in to the system, there was no awareness, and no ability to authenticate for meetings. Restarting the Sametime server always seemed to fix the issue for some time. But when it came back we could not figure out why or how.
Little did we know that the LDAP server was actually becoming unavailable for short amounts of time, as we did not control nor monitor the LDAP server. But by the time we would check into the authentication failures, tests to the LDAP server would be successful. So we never caught this right away. Once we actually caught the LDAP server as down, through some freeware tests to verify the bind was correct, we caught on.
By restarting the Sametime server, it was re-authenticating with the LDAP server with the bind account. Apparently if there is a delay in time where the Sametime server cannot reach the LDAP server, the bind stops functioning. We could have gotten around a total restart of the Sametime server by simply restarting the STDirectory service and speeding up the time of availability. Restarting a Sametime server can result in it being unavailable for over 5 minutes. It may take a minute or two to shut down and then up to 5 minutes to get all the services running again. Just restarting STDirectory service would have had the system available in under one minute. Another lesson learned.
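A standalone bind probe for the situation above, added here as an example rather than anything from the newsletter or from Sametime: it performs an LDAP v3 simple bind over a plain socket with the standard library (no ldap3 dependency), and records when the bind starts and stops succeeding so short outages are visible later even if the directory is back up by the time someone checks. The probe account DN, host and port are assumptions; the password is read from the LDAP_PROBE_PASSWORD environment variable, which is also assumed.

```python
import os
import socket
import sys
import time


def _ber_len(n):
    """Encode a BER definite-form length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def _small_int(value, tag=0x02):
    """INTEGER/ENUMERATED for values 0..127, which covers message IDs and the version here."""
    return _tlv(tag, bytes([value]))


def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    op = _small_int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _small_int(msg_id) + _tlv(0x60, op))


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return the resultCode of a BindResponse (0 = success, 49 = invalidCredentials)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, code, _ = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def probe_bind(host, port, dn, password, timeout=5.0):
    """One simple bind from the caller's network position. Connection errors,
    timeouts and non-zero result codes all count as a failed probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(bind_request(1, dn, password))
            data = b""
            while len(data) < 2 or _read_tlv(data, 0)[2] > len(data):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        code = parse_bind_response(data)
        return code == 0, f"resultCode={code}"
    except (OSError, ValueError) as exc:
        return False, f"error: {exc}"


def outages(samples):
    """Turn (timestamp, ok) samples into (down_since, recovered_at) windows;
    recovered_at is None while the directory is still unreachable."""
    windows, down_since = [], None
    for ts, ok in samples:
        if not ok and down_since is None:
            down_since = ts
        elif ok and down_since is not None:
            windows.append((down_since, ts))
            down_since = None
    if down_since is not None:
        windows.append((down_since, None))
    return windows


if __name__ == "__main__":
    # Assumed usage: ldap_probe.py <host> <port> <bind dn>; password via LDAP_PROBE_PASSWORD.
    host, port, dn = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    password = os.environ["LDAP_PROBE_PASSWORD"]
    samples = []
    while True:
        ok, detail = probe_bind(host, port, dn, password)
        samples.append((time.time(), ok))
        print(time.strftime("%Y-%m-%d %H:%M:%S"), "OK" if ok else "FAIL", detail,
              "outages so far:", outages(samples), flush=True)
        time.sleep(30)
```

Run it from the Sametime server itself so the probe sees the same path the STDirectory service uses.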
Lotus Domino Access for Microsoft Outlook (DAMO) .PST Size Issue and New Features
Lotus has released some information for those of you deploying Lotus Domino Access for Microsoft Outlook (DAMO) with Outlook 2003 in your environment. Previously, there were size limits on the local .pst file of 2GB in older versions of Outlook. Well, Microsoft went ahead and let you go up to 20GB in the new Outlook 2003 version. Unfortunately Domino does not see the difference in the ability for the different Outlook versions to have different local sizes. So instead, Lotus has stuck with the 2GB maximum size limit across all supported Outlook versions with DAMO.
But Lotus did think ahead with the new calendaring features they released with Domino 6.5.3.
Starting in DAMO 6.5.3 the Calendar Management feature lets you set access restrictions on your mail file to allow another person to manage your mail file. You can specify a group or person as your delegate to read mail, schedule meetings, accept invitations, and check your schedule. Using this feature your designated mail manager can perform all of these functions using a single Microsoft Outlook client.
You can allow delegates to open your mail file and read your messages, Calendar entries, and to do items. Additionally, you can allow people to create, edit and delete messages, calendar entries, and to do items for you. You determine how much access, if any, other people have to your mail file.
In today's market, the Information Technology groups are starting to slide back under the control of the CIO in some enterprises. Cost control is back for IT spending and getting approval for new projects remains scarce. So, as consultants, technical partners (all shops that offer technical services or products fit into this one no matter what size they are), and even employees being hired, when you start discussions about capabilities, it is becoming more important to express your capabilities up front.
Three months into a long-term project is not the right time to tell the company that you left out the lack of a certification, information about a previous employer, or inability to perform a job function. This puts both sides in a peculiar position. While you may have shown outstanding abilities to serve their needs, not disclosing that information may have hurt the project. Can they overlook that fact and let the project continue, knowing you understand the discomfort in learning about it so far along? Do they forgive that fact and let the project continue if you show some concessions and desire to get it completed no matter what? If you are lucky enough to get that chance, embrace it and make every effort to make the project successful.
To avoid this situation (if you aren't in it already), let the company judge all the information before you sign the line on the contract. If you are in this situation now, open up and tell the enterprise exactly what was left out. You might be pleasantly surprised that even though you have never done work on a certain software, your skills in all your other areas are wanted. They might even be willing to work with you and get you the training you need.
Last time we investigated an outline of the reasons an enterprise would want to invest the time and effort into creating a policy specific to instant messaging (IM). We covered the why, who, and how often of IM policies. This month, we explore implementation. Based on some of the reader feedback so far from the first one (big thanks to everyone demanding to know when this second part was coming out), I might even take all the extra loose thoughts and wrap them into a third part. I would like to point out that Christopher Byrne did write some nice blog pieces (including a follow up) on this topic.
One thing I plan to stay away from in this article is citing specific products or companies that provide these services. I know some of the products personally, some from reading about how they operate, and others from the marketing materials only. The key of this article series is the actual implementation itself and not necessarily what you choose (or if you choose) to use in terms of a third-party product. One other thing I am not touching in this issue (although maybe the next), is the legal aspect of logging and auditing. There are reasons that some enterprises are required to log all the chat traffic, while others simply want to monitor what types of information are being shared.
What Should I Tell My Users?
Well, isn't this a conundrum right off the starting blocks? Spying on the employee makes the employee feel untrusted in their work environment. When it finally comes out that you are logging, watching, or auditing chats without telling them, sit back as they stop using IM or turn to public encryption (like the new AOL can offer). If this was a controlled 'work only' system, such as Sametime, how much productivity would be lost if the users ceased sending IM messages? How much would phone expenses go back up? I know these might seem like silly things to think about. The company controls the network and resources right? The employee can't control if you want to audit and archive chats. But they can stop using it if they feel it is untrustworthy or that you don't trust them.
What is it you should offer in terms of information to the employee then? I believe this can be as simple as a one-paragraph explanation. Let everyone know what is being logged. Is it based on keyword, who starts the chat, or is it every line typed? Do you show what files got transferred in or out of the company? The more you clarify, the less surprise later. If certain behavior is not tolerated, specifically state what actions are not, such as installing unapproved IM clients (even though this falls under desktop and network policies) and what the consequences are. I had a conversation with one company following part 1 of this article that had put the beginnings of a policy in place. It stated what was acceptable plain and clear. Yet there was no mention of what actions would be taken against the employee if these guidelines were not adhered to. Without the consequence, you do not have much ground to stand on when reprimanding the employee.
How Do I Control Deployment?
The worst nightmare for your technically savvy users is controlled desktops. The best fantasy for the IT group is controlled desktops. So looking for that common ground, how about Web versions of the IM client? This way there are no downloading or installation issues. Patches are instant the next time a user logs in and controls can be set centrally for many aspects of functionality. Browser version and security controls are what you would have to deal with. But I already know everyone is doing that for the security of the users already. Right? In Part 1, I mentioned that everyone is going to be affected by this policy, so everyone should be affected by the implementation as well. Letting certain groups or people not fall under the guidelines set by policy leaves the enterprise itself open for legal and internal troubles.
Suppose the product you select does not have a Web version? Packaging is a great way to control what is installed on the desktop. If you are using Sametime and have not played with the Sametime Client Packager, then you are missing out on a neat tool. It will walk through the install package letting you pick and choose the parts. You can then build a few different packages, for example, if you want one group to have file transfer ability and not the other. Notice that everyone here still falls under the same policy, you are just expanding functionality to different users, creating a totally acceptable and fairly applied IM policy.
What Choices Do I Have For Implementation?
This is where you get to have some fun as an administrator: trying out the different options. Many vendors today are pushing towards software that gets installed on the instant messaging server to log, audit, and restrict chat sessions. Others take the approach of a network device that all traffic is funneled through like a gateway.
Taking the theory of the software approach that gets installed on the IM server, you have a few considerations. One is revisions and updates. How fast will the vendor supply new versions when the IM software vendor has you upgrading and applying fixes? If the vendor cannot be as aggressive in upgrade cycles and support of newer versions, you could be left behind. How many times has this happened in your environment already where you cannot upgrade due to a software package installed? Also, unless you are funneling all types of traffic somehow through this IM server, you really aren't preventing or restricting access for the other chat products. Getting an integrated product that supports logging of multiple IM products doesn't make much sense as you are then loading your primary IM server(s) with additional load from other chat services. That will lead us into the topic of the gateway products.
The good side of an integrated product is that it all runs (mostly) on a single piece of hardware; the administration interfaces are complementary or similar to the IM software you are running, and it has good interoperability with the IM software. Also logs and audits are easily performed as the data resides on the same server.
We also have gateway products, which are separate devices that sit on the network and can be as passive or aggressive as your enterprise desires. I have mixed feelings on this type of implementation (then again, I have mixed feelings on both types). The ability to funnel all the traffic gives you a central point for logging of all types of IM, and many vendors have multiple chat product support in one device. This also gives you granular control in turning off one or more chat products and a single interface into all the logging and auditing.
One other key feature immediately comes to mind: if the gateway device supports it, you can utilize LDAP or name space mapping to your internal infrastructure to log certain users and know what internal name maps to what external name across all the product lines.
With all those positives (and there are more), I get asked what could be negative? The primary example to give is that if this device fails then all chat logging, auditing, and outside access can be lost in a single gateway implementation. Essentially this could shut down IM until a fix or repair is put into place. How detrimental would that be to your productivity? This needs to be weighed heavily. The maintenance on this additional piece of hardware may outweigh the demand for having it, for some smaller shops. But for larger implementations, it is a viable solution with many options.
While writing this second part, I received another e-mail asking if I had a template or standard document they could work from. Interesting, as I don't think I would want to base my unique enterprise on someone else's standards. I do understand the desire to have a place to start in thinking and writing your own policies. I will take that debate back and see what I come up with. Who knows, by the time this article series is done, we might have explored everything from why to write one, what gets included, legal aspects, user experience, and an actual template. Then again, maybe this is enough for you to start your own already. IM me at IdoNotes and let me know... that is if your policy allows unrestricted outside communications. :-)
Our e-ProMag.com editor and Lotus Informer author, Libby, suggested a great topic. She suggested some tips or direction on creating an Instant Messaging policy. It seems that you, the ravenous reader, have requested this type of information as your companies start to deploy and grow these installations. So let me begin with the first of two parts. The first one will deal with the why, who, and how often. Then, part two will cover the actual implementation. I will make it as direct and short as possible, intended only to guide you in the initial planning. Each company must make some hard choices on allowable clients and usage that fits everyone's needs. Your companies might have to make an investment to get the right hardware or software in place when the policy is done, but it is one step in better protecting the network and entire company.
We can cover statistical information for days, with all the current research that is being done on productivity, who is sending messages to whom, and how many users are accessing the technology at work. The end result of the research will tell you one thing: No matter what number of users your enterprise has, as soon as there is an enterprise, it is time to establish the IM Usage policy.
The Why's are quite simple. In one sentence: you put a policy in place to protect the enterprise and the employee. Nothing more and nothing less. Every article and tip you read addresses one of those two parts of the puzzle. Many of you understand the issues with viruses via e-mail, but the real attacks on IM have not occurred yet. Imagine not only all those desktops running AOL Instant Messenger (AIM) and Yahoo!, but also all the connected home machines and laptops with VPN access that dump those clients right onto your network. Mentioning the possibility of data leaving the network is not even necessary anymore (but I still did anyway, for those who have been sleeping on IM deployments).
Who gets the policy assigned to them? Everyone. This includes the technical staff and CEO. For some reason, when we perform audits (with IM becoming an ever increasing request in audits), we see that the technology bandits excuse themselves, and the CEO or other officers of the company have special requests. This should lead you down the path that any policy has to address all the employees, from the needs of the heavy constant user, to the needs of those who don't understand exactly what IM does.
Identity control is a large portion of the Who. If you run an internal IM system from a corporate directory, then you know who each person you correspond with is. But the name mapping for external systems is the trick. Letting employees use personal accounts with names you cannot control to have communication with customers is asking for trouble. A username on the Internet could be offensive or even derogatory and this may reflect on the enterprise if used in day-to-day business interactions.
How often the policy gets applied and updated should be planned for simplicity. Having to revisit the policy on a consistent basis means the original draft was not well constructed. The policy gets applied to every user, on an instantaneous basis. As soon as they need access to the approved IM systems, then they must sign a copy (preferably digitally through Lotus Notes, of course) that shows they have read and understand the regulations surrounding usage. You can do follow-ups by adding addendums to the document as you introduce new technology or expand the deployment. Adding to the policy via Notes mail and a mail-in database can reduce the time needed to add to the policy and notify all the users. With a simple database, you can track usage agreements and add addendums that notify users with a link that a new document must be read and approved.
So you are off and running that fast. Start the document ideas simple before you even get to what technology will make it all happen. The biggest fight seems to be in the Who area. Who will get what rights and who is restricted. The next difficulty is in determining how to do standards enforcement if you choose to use an outside or public system as the prime communication vehicle (I shudder thinking of this one). The next installment looks at the actual deployment and opportunities for controlling the IM traffic.
I presented a Webcast for e-ProMag.com last week on spam control in Domino 7. I focused a bit of the presentation on the current initiatives that are being proposed by groups such as Microsoft and Yahoo!. All these proposals share one common thread: to defeat spoofing of the mail domain or server sending the message. None of them addresses the actual message content; but they all hope to curb spam by reducing the amount of mail you receive. Has e-mail moved to the point where so much control has been given to the spammers we now need to know who is calling our mail server before accepting mail? You actually do not screen your phone: people call, and you see who the "header" is using caller ID before opening (answering) the phone right? You don't deny their call up front unless they are known spammers (this would fall under a Do Not Call List in my opinion). Everyone else is dealt with when you get the message.
With Caller-ID, the Microsoft offered product, you have to modify DNS with some new XML to register your sending servers so that when a message is sent, the receiving server knows that the message truly came from a legitimate server, theoretically preventing spoofing. Changes on both ends of the mail system are required for this to work. With Yahoo! you have Domain Keys that are available with DNS to verify that the server signing the message header was the actual sender. This method takes changes on both ends also. Basically, you have to have both ends agree to enable, configure, and use one or all of these selections.
Imagine if a quarter of your customers/partners/suppliers chooses Caller ID, another quarter chooses Domain Keys, another selects Sender Policy Framework (SPF), and then the rest do nothing? How many servers will messaging require? Can one server do all four? Can two even exist on one box? What about outbound versus inbound? How is that configured? I think you see where this is heading.
But the most important part here is even a known domain can spam. Sure the odds are much less, but spammers are getting trickier and taking over a server, or sometimes finding an open one in a trusted domain. I understand the goal is to lighten the load on what the server actually receives, and then scan for content on those messages. It just seems as we create more elaborate means to reduce the mail, the spammer is two steps ahead in planning alternate ways.
Rearrange the Columns Viewable in the Domino Administrator
A customer sent me an IM today asking a question that threw me off for a moment. The administrator needed to provide a printout of the mailfile templates for all the users with the user name. Well, the Person document viewable in the Domino Administrator does not contain this information. You can get version information from the Person document in Domino 6.x, but not what actual template they are using.
That led us to look further into the Domino Administrator, to see that you can find the template on the Files tab when looking locally or on the server.
However, the column to view the template is way to the right on the screen, far away from the username itself. You are also not able to drag and drop columns in the Domino Administrator. It took me a moment to recall if this was even possible and I just wanted to share where I found it.
From your Notes client, go to File, Preferences, Administration Preferences, and then select Files on the left. You will see all the columns that are available to view. Of course, just to the right are the columns you are actually using. You can move them in and out of your Domino Administrator with a simple arrow selection. Amazingly, I never realized the little arrows below that allow you to reorder the columns any way you desire. I never minded the default setup myself, but I can see the need to reorganize them in certain circumstances. So a few clicks and there was the order they needed.
But (there is always a but here isn't there?) you can neither print nor export from the Files tab on the Domino Administrator. You may be able to take screenshots, or create a custom view in the Domino Directory, but exporting the necessary information is not possible from the Domino Administrator.
One other tip, if you have the Domino Administrator open when you make the column changes, you will not see them right away. The Domino Administrator must be restarted to see the new column selections and order.
Domino 6 Out of Office Agent
The Out of Office (OOO) agent in Domino 6 seems to be a hot topic recently. There was a design change made that will not allow anyone but the calendar profile owner to enable the OOO as shown in Figure 1. This has caused concern for many enterprises that if a user goes out of town, or on extended sick leave, they won't be able to go in and enable the agent for that user. Since e-mail, as we know, is now a huge part of business processes, missing that important e-mail could cost the company money. Enabling the OOO for someone else was previously possible through Domino 5 though.
In fact, the actual menu item under Tools, Out of Office is now missing unless you are the database owner.
Of course, as always, there is a way around this. The administrator can go to the mail file and sign the agent to run on behalf of another user (the database owner). Unfortunately this is not 'user friendly' or common knowledge. It would be great if Lotus offered, as an option in the delegation selections, the ability for someone else to enable/disable the OOO for users, such as an assistant, help desk, or department manager.
Deep breath here as the first newsletter is over and you have not complained to me about content. So we are off and running together on what will be, as I mentioned in the inaugural newsletter, a wide topic array.
I spent about four days this month at a new customer site working on a project. What I discovered while there was a lesson we should all learn from. It deals with company mergers and integrating two Domino systems. I watched this from a distance (as my project was not part of the merger) as they had meetings, conference calls and invested incredible amounts of time in talks over management of the systems. Now you might be saying to yourself this is common and has to be done. You are absolutely correct. Except for the fact that the two organizations had entirely different models for security and administration in Domino. This left one group dissatisfied no matter which direction got chosen. It seemed that no one wanted to give in and cooperation would not be easy to make the changes.
So the lesson I took away was that your security, architecture and deployment plans should have been well documented and presented to each other already. Each team should have reviewed the others in advance to see where they could come together and make changes or concede. Harmony would take some time, but at least singing the same song would be a great start.
Choosing the Right Directory for Sametime
If you are just getting into installing Sametime (Lotus Instant Messaging and Web Conferencing) due to business demand or simply because they offer the chat services free, making the directory choice on installation is a more important decision than you may think. The easy solution is to simply choose the Domino Directory as the source for your user information, add a home Sametime server to the person document and be on your way to endless hours of chatting with co-workers on what is for lunch today.
But your other option, LDAP, is far more powerful and has greater reach later. One key portion to choosing LDAP is if you plan to integrate Sametime with Quickplace or any of the other extended products. LDAP is now a requirement for awareness in the recent releases. In older versions, you had some manual work to do replicating databases (stauths.nsf for example) and manually copying some system level files to get it to work. Now LDAP allows you to bring all types of systems together for authentication and presence awareness. If your organization has Active Directory users not in Domino or simply a customer and partner directory that can serve LDAP (even their own at their site), you can now offer and integrate that service into numerous applications and website pages. Imagine your partners that log into a special part of your website being able to see you on-line and have secure messaging not over public networks as many of you do now? Sounds like a dream right? Not anymore.
A few things to mention though. Your LDAP directories should contain a home Sametime server field for authenticating users. This can be done simply by extending the schema of any directory. (This link gives an example on how to extend Active Directory schemas http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/adschemaext.asp ). Second is that you should select a standard field that will be used for authentication across all the directories. Whether it is the shortname (uid in many systems) or email address itself, a common schema across all the directories will make your management easier.
FROM A READER: If we have multiple Sametime servers and do a calendar invitation, can each user attend on their own home server?
This is a two-sided question. Yes, each user could attend the meeting on their home Sametime server. But it is how the meeting is set up that is important here. Using the standard calendar invitation that now includes the ability to establish a live Sametime session, it would only create that meeting on the home Sametime server of the chairperson of the meeting. This would not then propagate out to all the other servers as you desire. However, creating a meeting in advance on your home Sametime server, inviting all the necessary other servers that people can attend from, and then including that meeting link in your calendar invitation would get the result you desire.
Vpuserinfo.nsf and multiple servers
While at the client site I mention in my two cents column, I was working on the theory (and live production in place) of multiple Sametime servers. One interesting thing to note is the vpuserinfo.nsf database that stores all the user buddy lists. I was asked about clustering the database and had to go look up the Lotus answer for this on whether they suggest or support this approach. Here is what I found, and I thought I would share it since so many companies are finding Sametime a business necessity tool.
It is not recommended that the vpuserinfo.nsf database be replicated unless in a clustered environment where Domino clustering is setup so that the vpuserinfo.nsf can be replicated in real-time. Replicating vpuserinfo.nsf outside of a cluster is not supported. Additionally, even in clustered environments, the vpuserinfo.nsf should be replicated within a cluster only.
In a multiple Sametime server environment, it is recommended that the user's Sametime Server field in their Person document is populated. Once that field is populated, users will always be re-directed to their home server so there is no need to replicate the vpuserinfo.nsf, as the user will always connect to the same server every
- Enforce anti-relay policies and test your settings. Domino 6 now sets a default in the configuration documents to stop some basic relaying on your server, but if you migrated from a previous version of Domino, your previous settings are maintained.
- To learn how to quickly test your settings, see my previous e-Pro Magazine article on Troubleshooting Internet Messaging in Domino at e-ProMag.com, article ID 1999.
- Authenticate all users for relay privileges. You can choose not to authenticate local domain users, but if someone is forging an address then you're defeating the purpose of this ability introduced in Domino 6 (you could do this previously, but only if you locked the whole SMTP server down). These settings can be found in the Configuration document under Router/SMTP – Restrictions and Controls – SMTP Inbound Controls – Inbound Relay Enforcement.
- Use blacklists to reduce that spam. Now that Domino 6 natively supports blacklists by adding them into the Server Configuration document’s DNS Blacklists Filter section, take advantage of the numerous free blacklist services that can be found!
- Understand whitelists and their purpose for mail management. Whitelists allow the administrator (or user, on local spam products) to let certain messages through your spam filters based on sender or domain. If an address is on both a whitelist and a blacklist, the whitelist will win, causing the message to be delivered. Whitelisting is not available natively in Domino, but there are third-party tools available.
- Investigate purchasing a third-party spam filtering tool when Domino SMTP/Router and blacklists rules are not enough to reduce spam in your environment.
- Create SMTP/Router rules in the Server Configuration document for better enterprise mail management. You can deny, sort, and route mail based on server-side rules of subject, sender, importance, and even recipient count! There are many others; investigate these options! Remember that server-based rules affect everyone, unlike the mailfile rules users maintain on their own.
- Change the setting in the Server Configuration document to not allow mail for local domain recipients not found in the Domino Directory (Domino 6 only). Enabling this setting reduces the amount of dictionary-attack spam clogging your mail.box on the server by not accepting mail that is destined for unknown names.
- Try to use named groups or wildcard Server Configuration documents to control multiple servers at one time. This gives you consistent control over numerous servers to ease administration and to make sure each server responds the same for troubleshooting. Keep in mind there may be instances when a server will need specific configurations based on user needs, such as a server that needs specific domains or users to be blocked while still allowing other servers to receive the same mail.
- Increase the number of mail.box databases on your system if you currently have only the default one (1). This allows faster processing of mail and increases performance (up to a certain point). Busy SMTP servers benefit greatly from an additional mail.box. It can consume resources if you allow the server to have too many. Best practices for the number of mail.box databases relies on server usage and mail load. Remember, too many mail.box databases can have adverse effects!
- Enable a maximum message size for mail messages. A mistake many enterprises make is not establishing a balance between business need and convenience. Is it convenient to accept 100MB messages via email? Of course it is! But does your business need large graphic packages or CAD drawings? If not, you need to evaluate a business need for a size limit. A majority of enterprises we deal with are very comfortable in the 15-20MB limit. This also saves disk space and prevents someone from sending a large attachment to multiple users, possibly bringing your system to a halt.
- Leave the default Configuration document settings that are created for each server. By default a new Configuration document does have an anti-relay setting, as I mention above, but everything else is left to the administrator to configure. There are great performance enhancements that can be found by understanding all the variables I am not able to fit here. I would suggest following the administration guide for a full description of each field and section.
- Simply enable the setting to check for connecting host names in DNS. Not all companies have correctly configured DNS, or their ISP does not allow reverse DNS entries for them. This will have your system denying their mail to you. While this is a very powerful feature at reducing spam, it immediately becomes noticeable that you will reject legitimate email.
- You can also verify the sender's domain in DNS instead of the connecting host. By not checking the host in DNS (to avoid false positives for those that don't allow reverse DNS), but instead checking the actual sender's domain name, you can trim down unwanted emails that way also. A legitimate sender should have a DNS entry, correct?
- Try to micro-manage who can and cannot receive Internet email. Maintaining that listing is a manual process that most administrators do not have time for. I have only seen a couple companies that had reasons to only allow mail to certain people or addresses.
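To make the ordering and interaction of the inbound controls above concrete (relay enforcement, rejecting unknown local recipients, whitelist beating blacklist, the reverse-DNS check on the connecting host versus the sender-domain DNS check, and the sender-verification theme of the spam discussion earlier on this page), here is an added example that models those decisions in Python. It is my illustration, not Domino code and not the author's; the DNS tables, blacklist entries, directory contents and the `Policy`/`Session` classes are all constructed stand-ins, and the check order is an assumption for the model rather than a description of how the Domino router orders its own checks.

```python
"""Toy model of inbound SMTP acceptance checks (added example, not Domino code)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

LOCAL_DOMAIN = "example.com"
# Constructed stand-in for the Domino Directory: the only valid local recipients.
LOCAL_USERS = {"alice@example.com", "bob@example.com"}
# Constructed DNS data. 198.51.100.7 deliberately has no PTR (reverse) record,
# and nowhere.invalid deliberately has no forward record at all.
PTR_RECORDS = {"203.0.113.10": "mail.partner.example"}
DOMAINS_IN_DNS = {"partner.example", "example.com"}
# Constructed DNS blacklist (DNSBL) answer set: IPs a blacklist service reports as listed.
DNSBL_LISTED = {"203.0.113.10"}


@dataclass
class Policy:
    """Knobs mirroring the tips: unknown-recipient rejection, DNSBL, DNS checks, whitelist."""
    reject_unknown_local_recipients: bool = True
    use_dnsbl: bool = True
    verify_connecting_host_dns: bool = False   # the check the text warns can reject real mail
    verify_sender_domain_dns: bool = True      # the gentler alternative
    whitelist_domains: FrozenSet[str] = field(default_factory=lambda: frozenset({"partner.example"}))


@dataclass
class Session:
    """One inbound SMTP transaction (constructed values)."""
    client_ip: str
    mail_from: str
    rcpt_to: str
    authenticated: bool = False


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def evaluate(s: Session, p: Policy) -> Tuple[str, List[str]]:
    """Return ("accept" | "reject", reasons) for a session under a policy."""
    sender_domain = domain_of(s.mail_from)

    # 1. Relay enforcement: mail for a non-local domain only from authenticated sessions.
    if domain_of(s.rcpt_to) != LOCAL_DOMAIN:
        if not s.authenticated:
            return "reject", ["relay denied: non-local recipient from unauthenticated session"]
        return "accept", ["relay allowed: authenticated session (inbound spam checks not applied)"]

    # 2. Drop mail for local names that are not in the directory (dictionary-attack spam).
    if p.reject_unknown_local_recipients and s.rcpt_to.lower() not in LOCAL_USERS:
        return "reject", [f"recipient {s.rcpt_to} not in directory"]

    # 3. Whitelist wins over blacklist: skip the reputation checks for listed sender domains.
    if sender_domain in p.whitelist_domains:
        return "accept", [f"sender domain {sender_domain} whitelisted; reputation checks skipped"]

    # 4. DNS blacklist on the connecting host.
    if p.use_dnsbl and s.client_ip in DNSBL_LISTED:
        return "reject", [f"connecting host {s.client_ip} is on a DNS blacklist"]

    # 5. Reverse DNS on the connecting host (rejects hosts whose ISP publishes no PTR).
    if p.verify_connecting_host_dns and s.client_ip not in PTR_RECORDS:
        return "reject", [f"no reverse DNS entry for connecting host {s.client_ip}"]

    # 6. Sender-domain check: a legitimate sender's domain should exist in DNS.
    if p.verify_sender_domain_dns and sender_domain not in DOMAINS_IN_DNS:
        return "reject", [f"sender domain {sender_domain} has no DNS record"]

    return "accept", ["all inbound checks passed"]


if __name__ == "__main__":
    cases = [
        (Session("203.0.113.10", "joe@partner.example", "alice@example.com"), Policy()),
        (Session("203.0.113.10", "joe@partner.example", "alice@example.com"),
         Policy(whitelist_domains=frozenset())),
        (Session("198.51.100.7", "spam@nowhere.invalid", "alice@example.com"), Policy()),
        (Session("198.51.100.7", "joe@partner.example", "carol@example.com"), Policy()),
        (Session("198.51.100.7", "joe@partner.example", "bob@example.com"),
         Policy(verify_connecting_host_dns=True, whitelist_domains=frozenset())),
    ]
    for sess, pol in cases:
        decision, why = evaluate(sess, pol)
        print(f"{sess.client_ip:14} {sess.mail_from:24} -> {sess.rcpt_to:20} {decision}: {why[0]}")
```

The last case in the demo is the false-positive trap from the tips: a partner whose ISP publishes no reverse DNS entry is rejected as soon as `verify_connecting_host_dns` is turned on, while the same session passes when only the sender's domain is verified.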
1. Upgrade to the latest versions. Sounds simple, right? LIM runs on top of Domino, and with each release, Domino performs better with HTTP and other protocols. And CPU usage has been documented to decrease through each version of LIM for chat and meeting services, so it only makes sense to upgrade to the most recent Domino and LIM versions possible. Note: The Domino 6.5.1 release is now out, but to run previous LIM versions, such as 3.1, you need Domino 6.0.2CF1. If you are running LIM 3.0, you have to run Domino 5.0.12. Be aware of the server requirements for the LIM version you are installing.
2. Apply the LIM patches as they become available. For example, the STCore.jar file was modified in the most recent patch (Incremental Fix 1 for LIM 3.1) to address the issue of meetings not starting correctly in multi-CPU systems. You can find recent patches under the Support Files section at www-10.lotus.com/ldd/down.nsf.
3. Consider the additional load from repackaging all LIM communications as HTTP when scaling your hardware. Tunneling all LIM traffic across port 80 is a great usability feature because it eases communications by reducing the number of ports. But it's a heavier load on the server, so weigh the need carefully. For example, with an installation used only behind the firewall, you might not need tunneling for any reason.
4. Experiment with adjusting Connection Speed settings for better performance. While in the LIM Web Administrator, if you navigate to the Configuration, Audio/Video, Connection Speed Settings tab, you can modify the following for better performance (but keep in mind all are global settings):
- Adjust the Jitter Buffer (not over 500ms is recommended) to correlate how much latency or delay the end user experiences in audio/video when tunneling. Smaller values have less latency but can miss speaker movements or portions of words.
- Tweak connection speed settings in LIM. You can administer and control the bit rate settings for audio/video and even screen sharing. Modifications to these areas can improve network performance.
- Adjust the setting for audio frames per packet to minimize network packet loss. This setting also controls network bandwidth consumption.
6. Specify the number of days to keep meeting history in notes.ini. In the variable STPurgeMeetingPastDays=X, the value X should represent any number but zero (which would mean no purge and defeat the purpose of the setting). The best practice on this setting is to meet any requirements of your organization for retention of meeting information. Otherwise, make it as minimal as possible to remove unnecessary documents.
7. Make sure that the server on which you install LIM has a video card and supports a color setting of 256 colors or higher. Failure to ensure this can result in some of the following:
- Users cannot save the whiteboard.
- Images on the whiteboard do not render correctly.
- The meeting room client opens with a gray whiteboard.
1. Take advantage of the many flavors of clients that LIM now offers across platforms. Your choices include:
- LIM Connect client: a downloadable and installed client for Windows machines. Use this client for users with dedicated machines that need the most functionality.
- LIM Java client: a client launched in a Web browser window. It has most of the functionality that you find in the LIM Connect client. Use this client for roaming users or when the user does not have the ability to install software on the local machine.
- LIM/Notes client integration: the client with the most limited functionality. It eases embedding awareness into mail and applications. Chat is the only piece available with the native client integration at this point. Use this client for ease of integration and communication. It is missing such features as file transfer, but for immediate chats, it is easy to manage and requires no extra software installation outside of Domino 6.5.x.
- Lotus Team Workplace (formerly Quickplace) and LIM function well together if you carefully follow the technotes for implementation. (www-1.ibm.com/support/docview.wss?rs=297&uid=swg27002835). The trick is to utilize LDAP from the beginning for the integration. If you do not, moving either package to LDAP for authentication can be a painful experience.
- LIM and the Notes client are growing closer together beginning in Notes 6.5. Be aware that you cannot hide this integration piece inside the Notes client until 6.5.1.
4. Discover LIM links and what they offer to your Web applications. LIM links let you start a simple chat session with a user without running LIM. This feature is great for help desk and customer-accessed applications via the Web. With advanced features through pop-up links, you can even send an e-mail, share an application, and add people to a contact list (if they are also using LIM).
5. Utilize Broadcast Meeting types when you have more than 20 attendees who do not need the ability to control the presentation. This broadcast type gives the presenter all the features -- whiteboard, screen sharing, chat, and the ability to send Web pages or polls. The attendees receive only the broadcast, including audio, but cannot interact. This capability is great for company announcements.
This brief list of performance and usability tips will get you on your way to a better-performing environment with happier users on the system. For more information, read some of the technical articles at developerWorks:Lotus at www-136.ibm.com/developerworks/lotus and in e-ProMag.com's article archive under the topic
Most of the fearless readers of this article have either chosen Lotus Instant Messaging (previously Lotus Sametime) or are heading down the treacherous path of choosing and evaluating an enterprise instant messaging (IM) system. (Note that I am not including the option of Lotus Web Conferencing, as it is not necessarily the focus of this article. It is a complementary piece that contains another list of competitors for that market.) Choosing the right IM package for the business has become choosing your favorite form of business torture. It can either make or break the size office you will be getting very soon and/or determine how far away from the office your parking space is.
With numerous smaller players existing in the enterprise IM market, it was only a matter of time before the large public instant messaging providers entered into the race to gain a foothold and momentum (I prefer calling it catching up since Lotus Instant Messaging holds such a strong lead) into the enterprise instant messaging market. The three major public providers, Yahoo!, AIM (AOL Instant Messaging), and Microsoft have all announced attempts into the corporate market.
Take into account that the end user is familiar with the consumer product interfaces and the volume of IM that travels across the networks using these public providers; they launch a strong case in utilizing their new solutions. But IBM Lotus is the only one of these providers that does not have a public IM branding, giving them the edge and years of head start in enterprise integration. (see Quenching Your IM Thirst with Sametime-Ade in the May 2003 issue of E-Pro Magazine)
According to the September 2003 Osterman Research Semi-Annual IM Tracking Survey, the three providers I list above now show a 9.1% market ownership. Taking this a step further to include: recent announcements by Yahoo! and AIM for agreements with Reuters; the existing Microsoft Exchange IM (which will see some enterprises moving to the new Microsoft Live Communication Server); and the multi-carrier abilities of Jabber; the market penetration moves to an incredible 32.7%. There are other providers listed in the survey that are not included in this percentage. For example, Novell offers an enterprise IM solution that hasn't quite taken hold in the market.
Michael Osterman, president of Osterman Research, Inc. had the following to say when asked his overview from all the information he gathers in his IM surveys.
“The leading consumer IM providers -- AOL, Microsoft and Yahoo! -- are well positioned to gain substantial market share in the enterprise IM space. Each of these providers' IM systems is already used widely in the enterprise -- our tracking surveys show that each of these products has a presence in at least 50% of enterprises that currently use IM. Microsoft, in particular, may have an advantage in the enterprise space by integrating its new enterprise-grade IM offering with Microsoft Office, thereby expanding IM use beyond simple text chat and into true collaboration. Although Lotus still holds a substantial lead among those enterprises that have already established a corporate IM standard, that market share has been under assault over the past 18 months.”
I compiled a comparison of the capabilities with some general information on each provider, as well as some of the drawbacks. You can go to http://www.e-ProMag.com for a graphical comparison chart that makes the differences easier to see. These vendors were chosen based on their current share of the public IM market and the competitive capabilities they offer. A brief overview of the product, followed by important features and drawbacks, is listed for each one. Microsoft's offering is the newest and had the most limited information available at the time this article was written.
YAHOO! Business Messenger
Yahoo! calls their enterprise release “business-class instant messaging bringing the best features of free public IM, with business-class security and administrative control.” This is exactly the type of marketing effort I discussed above. They claim that with over 30 million public IM users on their network, they needed to build a business-class product.
Encryption of traffic through SSL
Centralized management by an administrator
Logging & archiving
Integration to leading portal software and directory providers
Macintosh support, web messenger and mobile devices (version 2.0)
Reliance on a hosted model
Lack of full integration with Notes client and presence awareness
No developer API for application integration available
Yahoo! took a strong position by changing the actual product name soon after it was released. To show their desire to capture the small to medium business market, the name changed from Enterprise Messenger to Business Messenger.
The approach taken is that Business Messenger is a hosted environment with two options: the service is either entirely outsourced to Yahoo!, or portions may be installed onsite. Having a server onsite allows encrypted file transfers and messages, since that server sits behind the company firewall. The architecture relies on J2EE servlets that act as connectors from the enterprise IM client to your IT services group. Presence and message routing are handled by Yahoo! in its data centers.
Yahoo! also allows authentication from corporate directories for auditing or regulatory compliance. With the ability of Domino to serve LDAP-compliant directory services, username integration could be fairly simple. While Domino wasn’t listed as an optional directory on their website, other LDAP servers were.
Policies can grant certain features per user or group. The administrator may restrict all or individual features for security, bandwidth or usage reasons. Lotus Instant Messaging, by contrast, only offers global settings for things like the ability to perform file transfers; no granular policies are available. Auditing and reporting are also done through J2EE servlets. A less obvious logging feature: if the logging server goes offline for any reason, the local client buffers the logs until it can move them to permanent storage on the server, which also means those buffered logs are only as protected as the desktop they sit on until the upload completes.
Recently, in late Oct 2003, Yahoo! moved the Business Messenger group to the free consumer sales and marketing division and laid off people from the previous enterprise solutions division. (see http://www.news.com/2102-1032_3-5100685.html for more on this story) This had no reported impact on services or new sales offered. It was stated by Yahoo! to be an organization move only.
Microsoft Office Live Communications Server (LCS) 2003
Microsoft finally brought LCS to production in Oct 2003 after much talk, press and anticipation. The new LCS brings many features along that were nowhere to be found in the Exchange IM product that was offered previously. But overall it turned out to be a letdown in manageability, deployment and features in this first release.
The requirement to run Windows Server 2003 to support LCS gives other vendors an immediate edge. Most enterprises are not nearly that aggressive in upgrading to or deploying so new a server version from Microsoft. You must also deploy the Messenger 5.0 client to perform the basics of IM with LCS.
Utilizes the Microsoft Management Console (MMC) for administration
Permissions are managed in Active Directory through a new LCS tab placed on the user property pages
Archiving for all IM traffic (requires SQL Server)
Kerberos and NTLM authentication – except there is a new documented issue with current passwords having to be at least 14 characters long
TLS encryption of IM traffic
Integration into Microsoft Outlook 2003
Rich text support
Windows Server 2003 is the only supported server platform, and clients require Windows 2000 or later
Servers must be members of the Windows domain
Third party management tools must be purchased to fill gaps in the core product
Even with SIP and SIMPLE support, only the Messenger 5.0 client worked in tests performed by eWeek Magazine.
As enterprises consider upgrading to Windows Server 2003 and more features are added to the core product, the integration with Microsoft Office and Outlook could make it more attractive. However, other drawbacks are immediately recognizable.
The reliance on Active Directory, or LDAP, could be an immediate show stopper for companies that have not progressed from older Windows domains, or that have not consolidated all users into an LDAP container with the proper naming, groups and structure needed to manage and assign policies correctly. Companies that are years away from a Windows 2003 migration will also find that they cannot run the product.
Jabber Extensible Communications Platform (XCP) 2.7
In September 2003, Jabber released version 2.7 of the XCP messaging platform with some new features and benefits. Jabber and Lotus Instant Messaging are currently the only ones with a web interface, which allows for more flexibility and less need for client deployment. Jabber currently claims over 4 million seats deployed.
You might ask why I chose to include them in this comparison. I wanted a baseline: a growing company that works with numerous public providers through a custom interface. That criterion still left quite a few ‘consolidation clients’ that offer this. But Jabber has built its own server architecture, based upon XMPP (Extensible Messaging and Presence Protocol), an open standard for interoperable messaging systems, and linked it into the public providers as well. I feel they are a good definition of where the market needs to head to gain even more momentum in turning IM from a commodity into a business-critical function. XMPP is expected to be ratified soon by the Internet Engineering Task Force (IETF) as an Internet standard for IM.
In an October 2003 press release from the company, Don Bergal, VP of Business Development for Antepo, talks about how the open standard of XMPP is leveraged, stating, “The XMPP-to-SIMPLE gateway extends XMPP networks to other relevant and leading players in the marketplace. For example, it interoperates with IBM’s Lotus Sametime, the largest enterprise IM installed base.”
Sending IM transcripts to other users
Alternate user name display for LDAP fields
Client-Server version locking: Administrators can lock the server to enforce the use of a specific client or clients, ensuring that all users have a specific client and/or version
Integration of weather, news and sports into the client available
The client is plainer than those of the other three providers, but does offer custom views
No easy administration interface
Message logs are stored in a flat text file, so analysis requires an external tool
On November 11, 2003, Jabber announced that it too has partnered with Akonix (Akonix also partners with AOL, as noted in the AOL section) to provide unified reporting and compliance capabilities, tracking communications internally on Jabber and across the gateway to the public networks. This move lets enterprises secure, manage and archive all IM traffic, not only to internal employees but also to external partners and customers.
AOL Enterprise Gateway
Launched in 2002, AOL entered the market with an interesting beast of a product. Imagine taking all the familiar features of their public IM and wrapping security, auditing/reporting and directory integration around it. It makes for a strong competitor and attacker of the Lotus IM market. The gateway itself was developed by FaceTime (which offers its own product, IM Auditor, with similar capabilities). It secures and monitors communications between users, can intelligently route traffic and can even restrict who may access the public network. An API allows developers to integrate the IM network into their applications.
AOL also prides itself on being able to claim that the public network processes 2 billion messages per day from over 2 million unique users daily. AOL further backs both statistics by stating it has not had a full service outage in the company’s six-year history of offering the service, unlike Microsoft.
One feature that stands out for this gateway service is the intelligent routing capability. If you choose to let your employees utilize the public IM network through policies, the gateway is smart enough to realize that traffic destined for another internal user should remain behind the gateway and it is not sent to the Internet. This allows for internal communications to continue if access to the public Internet is lost.
Ability to block signing on
User/group policy management
Use audio features
Send and receive buddy lists
Send and receive files
Access the public IM network
Map external IM names with directory names
Encryption through S/MIME
Support for federated authentication
Rich text client
A portion is still hosted
AOL has recently been signing agreements with third parties to provide more functionality and features. In Oct 2003 it partnered with Akonix to bring advanced corporate messaging capabilities and compliance features, including the ability to track IM traffic in real time based on keywords, phrases or even time of day. It is a solution deployed behind the enterprise firewall and managed through the Microsoft Management Console (MMC).
A news report from CNET News on Oct 31, 2003 states that AOL is pulling back from selling directly to enterprises and instead is focusing on partnering with established vendors like Reuters.
Lotus Instant Messaging
With beginnings years ago, Lotus entered the IM arena with Sametime, before changing the name to Lotus Instant Messaging in 2002. Lotus had the foresight to build it before the push for IM in the enterprise existed. It was offered as both an integrated and a stand-alone version in the first releases, until Lotus realized the powerful product it had and continued to evolve collaboration by making it easy to develop solutions that utilized Sametime. That is where Lotus made the strong inroads in market penetration mentioned in surveys and articles that call it the current champion.
Carl Tyler, Chief Technology Officer of Instant Technologies, winner of a 2003 Lotus Beacon Award and an Apex Readers’ Choice Award for its instant messaging solution, offered an excellent overview of where he sees Lotus IM in the marketplace.
“IBM Lotus Instant Messaging is facing a number of new challengers in the Corporate Instant Messaging market right now, with major challenges coming from the traditional consumer-based IM players such as Yahoo and AOL. Yahoo and AOL obviously have experience in building systems that can scale to huge numbers, but do they have the experience working with traditional corporations? AOL and Yahoo are still building a sales force, and skills to sell to this type of customer, and it’s not something that can be built overnight. Where IBM Lotus has the biggest lead over the new competitors is in their toolkits; toolkits for 3rd parties to develop applications for the enterprise versions of Yahoo and AOL are slim if not non-existent. As people use Instant Messaging in their day to day business they realize that integration of presence and awareness are the components that make Instant Messaging much more powerful and useful than just chat. IBM Lotus should not sit idly by, however; where AOL and Yahoo do have a huge advantage is the ability to integrate with their existing consumer base, allowing for easy corporate to consumer communications. IBM Lotus can make an effort to educate the customer, though: these corporate to consumer conversations are often not encrypted, and there is no guarantee the person you’re chatting with, “BillBobLogger37”, is actually who you believe it is. So IBM Lotus must be sure to let corporations know that there are other solutions that can be used to provide conversations with consumers via websites etc. using the toolkits that are available for IBM Lotus Instant Messaging. If IBM Lotus plays this right, AOL and Yahoo entering the market can help validate their offerings, and show that much of what is promised for the future is available today.”
Pulling of public groups from the directory source
Notes client and database integration
Lack of the rich text client support found in the other packages
Connection to AOL does not include namespace mapping
No ‘out of the box’ auditing and archiving
No ability for user and group policies, settings are global
The ability to use audio and video relies on a separate browser window launching and is not available on the integrated Notes client version
I asked Ed Brill, Manager, Lotus Competitive Project Office for Lotus Software, for his final thoughts on where Lotus Instant Messaging will continue to offer the best advantage to enterprises as the battle rages on. He responded by saying, “Today, instant messaging is viewed mainly as a stand-alone tool. In the next few years, though, as web services becomes a more prevalent model, and the need for instant communication increases, IM will morph into a component of the overall collaboration infrastructure. Think back to when e-mail first was widely adopted by businesses -- it was used primarily for interpersonal communication. As APIs and standards emerged, e-mail became the core business communications engine. IM is in for a similar evolution -- from stand-alone, person-to-person chats -- to becoming an adjunct to the traditional asynchronous messaging, embedded within business processes and systems.”
One feature introduced in Domino 6.5 to slow the intrusion was the tighter integration of Lotus Instant Messaging and the Notes client (see Notes/Domino 6.5 Preview in the Sep 2003 issue of E-Pro Magazine). Awareness indicators come standard in the mail template for Notes and iNotes and can easily be placed into other databases through simple design changes.
The current drawback of the Lotus Instant Messaging integration in the Notes client is that it provides less functionality than the fully installed Lotus Instant Messaging client. While new features may be introduced in later versions, currently such items as file transfer, multi-user chat and presence alerts are not possible from the integrated client.
However, Domino also has the ability to serve its directory via LDAP, so the other providers can take advantage of it. Lotus also introduced Lotus Workplace features into the Notes 6.5 client. This allows applet- or HTML-based chat from some of the providers to be integrated easily into the welcome page of the Notes client, and into web applications.
All the major public vendors are working with everyone, everyone but each other on a regular basis, to stitch together the tens of millions of IM users.
AIM signed an agreement with Reuters to share users and add names to buddy lists
IBM Lotus signs a similar arrangement with Reuters
MSN then follows with the same arrangement with Reuters
Akonix as a vendor has its own agreements with the public IM providers, and now with AIM and Jabber.
This is increasing the need and demand for corporate IM standards. The difficulty arises when certain departments in your company are finding that their partners, suppliers and customers are using numerous IM packages. Therefore, no standard will work for everyone. IM is fast becoming a line item in 2004 budgets and providers are scrambling to be the ones to capture those funds.
As Lotus builds the barricades to thwart the attack of IM providers, they continue to deliver an integrated, behind the firewall solution. Adding to that the vision of automated IM bots that interact with applications and data stores, componentizing of IM into the Lotus Workplace strategy and ease of awareness integration that came in the Domino 6 products, Sametime continues to prove why it is the leader and “king of the castle” in enterprise IM.
By Chris Miller
IBM and Lotus attacked the market more than a year ago with Notes/Domino 6 and its offerings of better mail management and spam control at the server level. They’ve also committed to a faster stream of product enhancement release cycles in addition to the normal fixes and updates.
Sure enough, the new Notes/Domino 6.5 release (planned for release in the fourth quarter of 2003) will soon give even more control to end users. Shops that already have Domino 6, or those just looking to upgrade from previous releases, should be testing the available public betas of this version.
Here I preview some of the improvements that Notes/Domino 6.5 brings to the Notes client, Domino Web Access (iNotes), and the Domino server. One confusing change in 6.5 is that the official names have changed for both iNotes and Sametime. The new names are IBM Lotus Domino Web Access and IBM Lotus Instant Messaging, respectively. To keep it simple here, I use both names together.
As vendors race to integrate their product offerings, IBM/Lotus starts 6.5 with a leap into awareness with stronger Instant Messaging (Sametime) integration. Presence awareness is lighter, faster, and streamlined into both the client and iNotes. It was previously possible to see the online status of team members in e-mail, but actual chat still relied on running the Sametime Connect client on the desktop. Instant Messaging (Sametime) now shows in your status bar as a seamless part of your client experience (Figure 1).
For example, when you wish to send an instant message, you can click the new toolbar icon (and here comes the cool part). A pop-up box appears that lets you type the name of the person to whom you want to send an instant message. I love that feature! I can quickly type a first, last, or partial name of someone, and Notes displays either a list of people who match or opens an IM automatically when there is only one match. For example, type Dave here at our office and it seems you get five billion possible names. But Notes 6.5 will also read the other aliases in the FullName field (as of this writing).
Some of you are familiar with the OpenNTF initiative and the OpenNTF mail template (http://www.openntf.org), with the new indicators found in the mailfile that show when documents have been replied to or forwarded (Figure 2). You can expect to see these features, which are very popular with users, in the new supported mail template. Lotus has stated in a public discussion forum that these changes are generated from customer requests for features and not from the OpenNTF design.
Taking the customer feature requests even further, you can also find the following abilities built into the standard template (note that these were current when I wrote this; they may be modified or removed when the product is fully released):
Follow-up: Lets the user set a flag that the message needs more attention at a later date. No more forgetting to act on those items at later times!
Unread view: Simply put, the ability to see unread mail only. If you don’t read all your e-mail at once, this is the view for you to keep up.
New time/date column: Now you can see the thread and response times of e-mails without opening them or checking properties.
Drag and drop: Lets the user drag a mail message to the calendar or to-do bookmark to make a “copy into”-style document.
Domino Web Access (iNotes)
The list of enhancements to Domino Web Access (iNotes) is quite large and should entice many organizations to look hard at upgrading - if not for the features, then definitely for the performance enhancements. It appears a large effort went into bringing more people to the iNotes client with the addition of Mozilla 7 as a supported browser. This gives Lotus the edge in reaching the growing number of Linux desktops.
The Instant Messaging (Sametime) links technology has been leveraged and integrated, replacing the previous heavy Java applet. This, coupled with the new zlib compression, has reduced network utilization by up to 70 percent, according to statements from Lotus on the performance of Domino 6.5 Domino Web Access (iNotes).
Not to be overshadowed by all the performance enhancements is a feature that many enterprises have asked for since the initial release of Domino Web Access (iNotes): The ability to easily customize the Domino Web Access (iNotes) template. You may now easily modify or customize the template to a company look and feel.
I found myself particularly eager to test these new abilities in Domino 6.5 Domino Web Access (iNotes) (note that these were current when I wrote this; they may be modified or removed when the product is fully released):
Send and file: I enjoy being able to file the message as I send it — a feature previously available only in the Notes client.
A personal dictionary: For all those odd words I use all the time (e.g., new Lotus product names) that are not found in the Lotus dictionary.
Database size and quota information: No more excuses from the Domino Web Access (iNotes) users that they had no warning of how much space they were using.
Multi-window support: Users may now open calendar, mail, welcome, ToDos, and notebook in separate windows.
Reply with Internet-style formatting: For the user who just must have the “>” symbol in front of the mail being replied to.
Support for name change requests: Nothing was more frustrating than having an all-Domino Web Access (iNotes) infrastructure and not being able to properly use AdminP for name change requests.
Mail rule for block sender: For those pesky co-workers you don’t want mail from anymore.
Mail Encryption: Send encrypted mail, and sign and verify Notes encrypted messages.
IBM/Lotus didn’t forget to offer a few quick tidbits for the Domino server itself. Notes/Domino 6.5 adds support for Windows 2003 and Linux on the zSeries as server platforms. As a side note for those of you who wish to test loads, they have also exposed new server tasks to the Server.Load tool for IMAP and Domino Web Access.
Just a Peek
This is just a brief review of what’s to come in Notes/Domino 6.5. The product continues to develop, and IBM/Lotus is conducting usability tests and gathering beta testing feedback. It’s enough to create a plan to test now, and then implement this release when it becomes available later this year. Read the Release Notes (http://www-12.lotus.com/ldd/doc/domino_notes/6.5m2/readme.nsf) for a full listing of enhancements, and make your own informed decision from there. This move won’t be as large as a migration from 4.6x or 5.x to ND6, but there are some changes on the client (specifically, the new Instant Messaging (Sametime) integration into the client and how it functions) that will require some explanation for users.
by Chris Miller
As the manager or owner of your enterprise, you feel that business is doing well. You can hear the sounds of doors opening and closing, a doorbell ringing, and the click of your employees’ keyboards. Unfortunately, what you don’t realize is that much of that keyboard activity may actually be employees using chat clients.
In today’s computing environment it’s becoming common to see unmonitored and unrestricted chat, file transfers, and audio and video connection bandwidth utilization. This largely personal use of enterprise resources is growing and will soon become an issue that all companies have to face.
It was back in the days of talk on Unix systems that simple real-time messaging in its most basic form was introduced to computing environments. Real-time messaging today has evolved into a language that combines fonts and emoticons (see Figure 1) with text, and has seemingly become the way some teenagers spend all their waking moments. And some of your employees are following the trail blazed by youth.
Current estimates are that 70 percent of enterprise employees are utilizing instant messaging, according to Gartner. (You can find more statistics on its findings at http://www3.gartner.com/3_consulting_services/marketplace/instMessaging.jsp.) Unfortunately, this figure represents both authorized and unauthorized instant messaging. Osterman Research released a study (see http://www.ostermanresearch.com/results/surveyresults_im0902.htm) that shows the current mindset of enterprises in curbing or embracing the rise in instant messaging. The survey found that 30 percent of enterprises support instant messaging, 35 percent were neutral in their support stance, and 14 percent just say “OK” to its existence in the enterprise but have no security safeguards in place as of yet. Osterman’s final estimate is that 225 million people will have instant messaging as part of their daily work lives by 2005.
Many administrators underestimate the number of chat clients and services that are available to the public. Outside of the biggest four (AOL, MSN, Yahoo, ICQ), there are numerous others. A current explosion of what I call “consolidation clients” is now being embraced by the user community. The most popular client is provided by Trillian (see figure 2). It lets users log into all of the above-mentioned services, plus IRC, from a single interface. All buddy lists, as well as the features of each individual chat service, are available and integrated. Some other vendors now offer the same consolidation, but Trillian appears to be the leader in that space.
In my view, this proliferation encourages users to join more than one chat community. By simplifying the user interface and the ability to maintain presence in numerous systems, it lets users amass large groups of chat buddies.
If an Internet standard to connect these services together is ever agreed upon, usage can only grow. Currently SIP does connect messaging services together through gateway servers so communities may interact (more on that in a minute). Users who can reach family only on AOL IM, because that is what the enterprise supports, will soon be able to reach all their friends on MSN and Yahoo through the same connectivity.
Chat Security Concerns
Aside from the concerns about company time and bandwidth being eaten alive by excessive chat, this situation raises legitimate security concerns. For example, how many of your users would you expect to use the same password for the public chat services that they use to access internal systems? Would you wager over 60 percent of your users do that? If so, according to a recently published survey, you’d lose that bet because your estimate is low. This means most chat users are sending the same password they use to access your internal e-mail and file systems in plain text across the Internet to public and shared chat services.
Another feature that the public instant messaging clients now offer is file transfers. Some even offer upload to a temporary Web server if your firewall won’t allow the clients to connect directly. This means, for example, that you must configure your virus scanning software to cover each chat service independently, or you have a gap. InstantMessagingPlanet (http://www.instantmessagingplanet.com/security/print.php/1470691) completed a survey in the fall of 2002 that included statistics on file transfers. The most surprising result I read was not the fact that 48 percent of those surveyed had accepted a file transfer within the six months previous to the survey. The surprise to me was that 15 percent of those accepted files came from unknown parties. Imagine an employee receiving a file transfer with a virus such as Klez or Nimda hitching a ride. Then imagine the subsequent effect on your internal network, maybe several times a month.
For example, imagine a new fast-spreading virus brought into your infrastructure. The Sapphire/Slammer worm shows the speed at which such code can take over an infrastructure, much as it propagated throughout the Internet (http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html): it doubled the infected population every 8.5 seconds and infected most vulnerable hosts within 10 minutes. Apply that growth rate to a virus loose in your enterprise, spreading through IM file transfers, and you can see the possible results.
Even worse, one of the biggest existing security holes is the passing of corporate data out of your network unmonitored and uncensored. After all, such file transfers can be set to automatically accept and send files upon connection. Imagine an employee placing confidential product or sales information in that essentially public folder, after which pretty much anyone can grab and download those files. The next most dangerous security hole is the users’ ability to simply cut and paste information into instant messages. Without any logging and filtering, data might be passing out of your enterprise by this means even as you read this article.
Plugging the Holes
Some corporations have set stringent firewall policies that allow only port 80 requests out to the Internet, in the hope that this will eliminate use of public messaging clients. Unfortunately, the majority of the public clients get around this finger in the dike by offering the capability of pushing requests over port 80 to the provider’s servers. Some go so far as to offer SOCKS and proxy server configuration options with detailed help files.
The next preventive step some administrators take is to set the firewall to allow only requests generated by a browser to go through the proxy servers. But once again, the chat community has already overcome that restriction with a product designed to make the chat traffic look like a browser request. Users can even choose which type of browser the chat request should imitate, to better trick the firewall into allowing the traffic (see figure 3). This product also lets the user install and run a proxy host that masks the Internet traffic and bypasses your filtering at the firewall level.
With so many dangers to allowing public IM products to operate in most environments, why don’t enterprises just lock them entirely out of the desktop environment and prevent anyone from loading them? Well, because such messaging services can be useful and productive when used responsibly in a business setting.
The Osterman Research study also examined some IM benefits and found that most companies using IM do it to maintain communication with remote employees. Improving overall corporate communications and reducing telephone use and expense were close behind in the reasons that enterprises employ IM. Other reasons for using IM are to provide quick answers to questions and the ability to share documents.
Due to the demand for IM for legitimate purposes, some enterprises’ efforts to manage it consist of simply creating Quality of Service (QoS) contracts for their users that include restrictions and requirements for presence and availability. Limiting the hours the user is available online, or restricting knowledge of a user’s IM presence to limited parties, is fast becoming a standard part of such contracts.
Corporations have numerous options for putting controls on use of public messaging clients. As mentioned earlier, many administrators think the most direct approach is to simply put port restrictions in the network that disallow access to the common messaging services. Although this can deter novice users, the chat companies themselves offer help files on how to reconfigure a client to bypass this restriction.
My first comment to the companies I visit is to suggest they put controls in place and possibly streamline the available client options. Basically, I'm advising the administrators of the network and systems to become even savvier about IM than their users. While a lot of administrators use IM in their daily activities, many don't yet know all the tricks for controlling client usage and for thwarting client-control workarounds. This means administrators need to take the time to learn details such as which ports the different clients use, when they use them, and which host names the clients connect to on the Internet.
Most commonly, the next question I hear is whether I can provide a list of these ports and hosts. As I mentioned before, there are so many clients available that you could spend quite a bit of time accumulating those options. But you can still affect the majority of users by learning about the top few services (see figure 4). A recent poll (available at http://www.InstantMessagingPlanet.com) shows that of those surveyed, 37 percent are AOL users, 27 percent use ICQ (also owned by AOL; the two networks can now talk to each other), 16 percent use MSN Messenger and 12 percent use Yahoo Messenger. The remainder used numerous other clients, such as Jabber, Bantu, EyeballChat and even NetMeeting for host-to-host calls. The only answer is to keep an eye on which chat clients your users access and educate yourself accordingly.
Something overlooked that I find important is the monitoring of employee chat when regulations mandate it. Because users are allowed to use online names, matching any name with a particular employee can be a time-consuming process. Some users employ more than three aliases that they use regularly depending on the chat service or time of day. Some are used for business reasons and some for personal. But such anonymity won’t protect your enterprise if some content that passes into your organization becomes the source of sexual-harassment or other inappropriate-content complaints.
Some third party vendors, such as Facetime Communications (http://www.facetimecommunications.com), are offering chat filtering software that operates via a corporate gateway. In this scenario, users can access public IM systems, but all traffic is routed out through the gateways, which provide monitoring for usage, content, and auditing, a necessity in today’s world of lawsuits and document retention.
Another Solution: Lotus Sametime
IBM/Lotus has stepped in to take the lead in business IM. More than 66 percent of corporations that have adopted any official corporate standard have made Lotus Sametime that standard. Among large organizations, more than 80 percent of the market share belongs to Sametime. IBM Lotus Software is currently rebranding Sametime. The attempt is to make the name more recognizable in function. The new names are Lotus Web Conferencing and Lotus Instant Messaging. (New to the enterprise market is AOL and Microsoft offering an enterprise controlled messaging environment based on their chat systems.) There have been other vendors in this space for some time, but these two are flexing their names in the public IM space as the largest providers to enter into the enterprise market. Of course, both also offer custom integration of the enterprise and public IM systems.
As I discussed earlier, you can control the security risks inherent in public IM systems by using a corporate-standard IM product. Lotus Sametime fits such situations well because it was designed with the following in mind:
Secure chat sessions and meetings
Scaling with clustering
Web services integration
Integration with other chat systems
Web meeting services
Lotus Sametime enables directory integration instead of relying strictly on self-registration. Administrators can use an existing Domino Directory or provide authentication through any LDAP server. This flexibility alone lets you integrate Sametime easily into environments that have Active Directory or any other LDAP service running but no secure chat services, without worrying about custom integration work. When you first install and configure Sametime it prompts you to choose which directory type to use. (You can always modify this later either direction.) This removes the anonymous naming capabilities of the public messaging systems.
Sametime also supports intranet and extranet deployment. Sametime behind the corporate firewall is a simple installation as long as the network infrastructure is in place. Placing a Sametime server in the DMZ is just as simple. While installing, you have the option to have Sametime tunnel requests over port 80 to reduce the effort of reconfiguring firewalls. (Note that some firewall work may be necessary to exploit all of the capabilities.) Sametime, installed with the default settings, uses numerous ports for all its capabilities. You can find a list of supported ports in Technote #192384 at http://www.support.lotus.com.
You can even take this architecture one step further by connecting your extranet and intranet environments. Employees connect to the internal server while customers and partners use the external server in the DMZ. Sametime then has the ability to host a simultaneous meeting on both servers without having the users pass inside or outside of the network firewalls to share in that meeting. Presence may also be extended through both servers to enable secure IM.
Sametime 3.0 offers numerous enhancements in clustering and scalability. For example, 3.0 lets you provide a redundant infrastructure by creating Community Clusters of Domino servers. This lets chat clients connect to an alternate server if connection is lost due to server failure.
Also, for scaling purposes, 3.0 lets you create Community Server multiplexers (MUX servers) that receive only Sametime client connections and then connect to the actual Community Services on a Sametime server. This reduces the client connection load on the Sametime server, and lets you add MUX servers as demand increases. Each Sametime server then maintains only a single IP connection to each MUX, reducing the load considerably.
Sametime also enables geographic dispersion of chat services. For example, let’s suppose a national company with offices on each coast wants to deploy a corporate-standard IM service. Due to existing WAN traffic, having all users access a single point isn’t feasible. Creating Community Clusters on each coast and assigning users to the clusters by geographic region provides the necessary redundancy. Then by connecting the two communities you provide the scaling in one overall solution.
In addition, Lotus has introduced the Sametime Enterprise Messaging Server (EMS), which sits in front of Sametime clustered servers. This new server provides failover and load balancing while providing no Sametime services itself. It’s strictly used to manage large IM loads across numerous servers.
Through an API or a third-party utility, you can also log Sametime chat activity. This logging may be archived and indexed for searches if necessary. For those companies under federal requirements to maintain chat as well as e-mail records, this service is invaluable.
There are products for the public IM services available, but the user names chosen may not be easily matched to the users in your organization. (Please see "Lotus Business Partner Products with Name-Matching Capabilities" for a list of products with these capabilities.) You can write your own chat logging application by using some C++ programming and the API. Information on how to do this is available in Technotes at http://www.support.lotus.com. I suggest starting with Technote #187707, which gives a very brief overview of writing your own chat logging support.
Sametime also brings secure, encrypted chat and e-meeting capabilities to further increase security of your messages between employees, or even between employees and customers through Web services on your corporate Web site.
As corporations merge and collaborate, you’ll likely begin to encounter different messaging systems from company to company. Sametime 3.0 now has the ability for Session Initiation Protocol (SIP). The SIP Gateway functionality and SIP Connector enable users in one SIP-enabled IM community to share online presence and IM services with another SIP-enabled community.
Taking that SIP connection a step further, you can then also add Transport Layer Security (TLS) to encrypt traffic between the two SIP communities. Although during a meeting you would see the open padlock in the corner of the browser (reflecting that a session was not encrypted), because the Sametime server cannot tell whether the other SIP-enabled community supports encryption, the session can still be encrypted if both administrators configure TLS. This configuration does require an additional server to handle the SIP Gateway. Sessions between the SIP Gateway and the Sametime server are also encrypted with TLS, and then a proprietary encryption is used between the Sametime server and the Sametime Connect client (see figure 5). The SIP Gateway isn't open to just any other community that wants to connect to yours; you decide which other gateways are allowed to connect.
Sametime offers additional features many other consumer products don’t that may be useful to you. For example, Sametime provides Meeting Services with whiteboards, screen sharing, and audio/video capabilities, all integrated into the same server and with security wrapped around it.
It’s OK to Use IM If It’s Secure
It’s not my intent to scare you away from IM. It has many uses and its importance will continue to grow. But what is important is that you realize that unsecured IM is a danger to the confidentiality of your enterprise information, and that solutions and compromises do exist that both support users’ IM needs while providing the security and control you need.
But in my mind, the best solution is to secure, standardize and implement a corporate standard for IM. A well-defined QOS plan that provides reliability, auditing, and filtering can deliver a business benefit and productivity enhancement for your enterprise. Lotus Sametime, in particular, has proven itself to be a valuable business solution for all of these needs.
Chris Miller is the Director of Messaging and Collaboration at Connectria in St. Louis, Missouri. A CLP in ND6, PCLP in R5 and R4, Chris has been working with Domino administration since 1994 and is just finishing his Lotus Collaboration CLP also. Some say he spends all his time behind a computer, but you can also find him on the soccer field — playing or coaching.
Lotus Business Partner Products with Name-Matching Capabilities:
IM Auditor Enterprise, by DYS Analytics
Facet for Sametime, by Facetime Communications
by Chris Miller
Lightweight Directory Access Protocol (LDAP) is a TCP/IP protocol that was designed as a lightweight option to Directory Access Protocol (DAP) to access X.500 directories. LDAP defines a standard way to search for and manage entries in a directory, where an entry is one or more groups of attributes that are associated with a distinct name. LDAP provides a format that defines the communication between the server and client for X.500 directory searches. Binding occurs when a client opens a session with an LDAP server. The client then searches based on anonymous rights or is authenticated (if offered the opportunity) to gain more privileges.
People often say that they’re “implementing an LDAP directory.” What they really mean is that they’re implementing an LDAP-accessible directory. An LDAP directory can contain many types of entries for example, entries for users, groups, devices, and application data.
Before LDAP, as each network and application grew, so did the number of unique directories. Each directory became an island that was unreachable from the others. LDAP evolved to address this problem, and vendors have embraced it. LDAP is appearing frequently in many software packages as a way to offer directory integration. Even Sun recently used LDAP as a directory infrastructure in Solaris 9.
Lotus began offering LDAP capabilities in Domino version 4.6x, and R5 included many enhancements. Here, I’ll explore how to configure and use LDAP effectively and troubleshoot common errors in Domino R5.
Domino LDAP Security
Before you open your Domino Directory to LDAP searches, you should review which fields you’re making available (for security purposes) and which policies you’ll set regarding directory updates via LDAP. Although opening your directory to the public for searches of e-mail addresses or phone numbers might be beneficial, it may not be a good idea to make available certain information that’s enabled by default, such as Location. On the LDAP tab in the Server Configuration document in the Domino Directory (Figure 1), you can configure the fields that users with anonymous access are allowed to search.
Domino integrates the security policy of the Access Control List (ACL) into LDAP to authenticate users wanting more access to information or more permission for directory management. You can let users update entries via LDAP by setting at least Editor access or Author access with additional roles in the ACL of the Domino Directory. You must also enable the “Allow LDAP users write access” setting in the Server Configuration document (Figure 1). After you select Yes at this field, authenticated LDAP users can make adds, deletes, and modifications based on the roles and rights in the ACL.
If you don’t allow anonymous access and require all users to provide a name and password to authenticate, you have options for forcing users to provide their user (short) names or their more specific, fully qualified, distinguished names. By default, Domino LDAP uses the short name option. The only way to enable the more specific option, which refers to RFCs 2251 through 2254, is to add a line to the Notes.INI of the server:
Once you have this Notes.INI setting in place and restart the LDAP server task on Domino, users can authenticate using only their hierarchical names. For example, Bob Jones/Sales/Corp can authenticate, but Bob Jones or bjones can’t.
Authentication options for allowing anonymous access are set in the Domino Server document. Select Ports, Internet Ports, and the Directory tab. As long as “TCP/IP port status” is enabled, you can answer Yes or No to allowing Name & Password and Anonymous access from LDAP clients. If you do allow Anonymous access, I’ll cover how to set which fields are available to Anonymous access in a moment.
Loading LDAP on Domino the First Time
One configuration item that confused me at first is how Domino offers LDAP configuration. You can set advanced LDAP settings (e.g., timeout values, anonymously queryable fields) in the Server Configuration document. But this tab is only available if you select the option “Use these settings as the default settings for all servers” on the Basics tab.
Basically, there is one default document for your domain that controls LDAP for all servers. You specify LDAP settings for all servers in the domain in one general configuration. Don’t create a specific Configuration document for the server running LDAP or you’ll lose the LDAP tab. Lotus designed this feature to ease administration by listing information in one global document. But sometimes you need to maintain different LDAP settings for different servers; for example, some company staff settings might be inside the firewall, and those for business partners and customers may be in the DMZ.
A common misconception about the timeout setting on the Server Configuration document for LDAP is that connections are dropped after the timeout period specified. (This timeout is for LDAP searches only and not actual connections to the LDAP server.)
Loading LDAP on your Domino R5 server for the first time is as simple as typing load ldap on the server console. This starts the LDAP server task and lets LDAP clients make inquiries against your Domino directory.
One immediate error message that may appear is, “LDAP Server: Error reading configuration settings, check server and domain configuration records . . . LDAP Server: Initialization failure.” This error occurs when LDAP Port 389 is set to Disable in the Server document. The problem is easily remedied by editing the document in the Domino Directory for the server running the LDAP task. Select Ports, Internet Ports, and the Directory tab, and notice the TCP/IP port status field. Before loading LDAP, verify that this field is set to Enable (unless you’ll be using LDAP only over an SSL or Simple Authentication and Security Layer (SASL) connection).
If you choose SASL in your LDAP solution, there are a few items you should be familiar with. SASL is a generic authentication framework used by several Internet protocols, but in Domino its support is specific to the LDAP server task. Administratively, you need only enable SASL, go to the same Server document tabs as above, and enable the SSL port for LDAP. The connecting LDAP client must also support SASL, of course, and when it connects, the Domino server automatically initiates a SASL session. For more information about SASL, consult RFCs 2222 and 2444 at http://www.rfc-editor.org/rfc.html. SASL is still evolving, so expect modifications.
Performance Enhancement Opportunities
Lotus offers one main option to enhance LDAP performance: create a full-text index of the Domino Directory on the server running LDAP. The index pays off when LDAP clients search on attributes other than names. If you're only looking up names of users, Domino consults the ($Users) view first, so a full-text index isn't necessary in that case and you only spend resources maintaining it.
The Domino LDAP task also allows (by default) searches to take as long as necessary when a query is made from an LDAP client. If your server performance slows, set limits for the timeout and maximum number of entries returned on searches. These configuration options are also found in the Server Configuration document. But if an LDAP client also has the ability to control these settings, the one with the lower setting takes precedence.
One other area that can affect performance is the "Minimum characters for wildcard search" setting. It specifies how many characters an LDAP client must supply before the wildcard (*) in a search request. The default is 1. If performance is slow and you know that LDAP clients are performing wildcard searches, try increasing this value to 2. This simply requires the LDAP client to make a more specific search, so the lookup also returns fewer entries to the client.
Some caveats exist. If the LDAP client attempts to use a wildcard as the first character (e.g., *ones), then Domino drops the first wildcard (unless “Minimum characters for wildcard search” is set to 0) and proceeds with the remainder of the search without it. To take this one step further, let’s say the search was cn=*h* and the minimum number of characters required for a search was set to 2. Domino ignores the first wildcard (*) and then rejects the entire search because the user didn’t specify two characters and the other wildcard (*) was at the end.
Also, the “Minimum characters for wildcard search” won’t apply to the LDAP client search if the only character sent in the search is a wildcard. Basically, you use that type of search only to see if a specific LDAP attribute exists. You can still set the “Maximum number of entries returned” configuration setting if you’re concerned about performance hits from that search type.
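To make those two rules and the entry cap concrete, here is a small model of the behavior as an added example. It is not Domino code, and the directory entries in it are constructed: it takes the value side of an equality filter, drops a leading wildcard unless the minimum is 0, rejects the search when too few literal characters precede the remaining wildcard, exempts a bare * presence test, and truncates the result list the way "Maximum number of entries returned" does.

```python
"""Model of Domino R5's "Minimum characters for wildcard search" and
"Maximum number of entries returned" LDAP settings, as described above.
Added example; not Domino code. The directory below is constructed."""

import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample entries; attribute names are lower-cased because LDAP
# compares them case-insensitively.
SAMPLE_DIRECTORY: List[Dict[str, str]] = [
    {"cn": "Bob Jones", "mail": "bjones@corp.example"},
    {"cn": "Helen Hunt", "mail": "hhunt@corp.example"},
    {"cn": "John Ones", "mail": "jones@corp.example"},
    {"cn": "Sam Hill"},  # no mail attribute
]


@dataclass
class Decision:
    accepted: bool
    effective_value: str   # what the server actually searches for
    reason: str


def apply_wildcard_policy(value: str, min_chars: int = 1) -> Decision:
    """Apply the minimum-characters rule to the value of an equality filter.

    - a bare "*" is a presence test; the minimum never applies to it
    - a leading "*" is dropped unless min_chars is 0
    - the literal text before the first remaining "*" must be at least
      min_chars long, otherwise the whole search is rejected
    """
    if value == "*":
        return Decision(True, value, "presence test; minimum does not apply")
    effective = value
    if effective.startswith("*") and min_chars > 0:
        effective = effective[1:]          # the leading wildcard is silently dropped
    if "*" not in effective:
        return Decision(True, effective, "no wildcard left; exact match")
    prefix = effective.split("*", 1)[0]
    if len(prefix) < min_chars:
        return Decision(False, effective,
                        f"{len(prefix)} literal character(s) before '*', {min_chars} required")
    return Decision(True, effective, "wildcard search allowed")


def parse_equality_filter(flt: str) -> Tuple[str, str]:
    """Parse a simple (attr=value) filter; other filter types are out of scope here."""
    m = re.fullmatch(r"\(?\s*([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)?", flt.strip())
    if not m:
        raise ValueError(f"unsupported filter: {flt!r}")
    return m.group(1).lower(), m.group(2)


def run_search(flt: str, directory: List[Dict[str, str]] = SAMPLE_DIRECTORY,
               min_chars: int = 1, max_entries: int = 0) -> Tuple[Decision, List[Dict[str, str]]]:
    """Evaluate a filter against the directory under the two settings.
    max_entries == 0 means unlimited."""
    attr, value = parse_equality_filter(flt)
    decision = apply_wildcard_policy(value, min_chars)
    if not decision.accepted:
        return decision, []
    if decision.effective_value == "*":
        hits = [e for e in directory if attr in e]          # attribute presence only
    else:
        pattern = decision.effective_value.lower()
        hits = [e for e in directory
                if attr in e and fnmatch.fnmatchcase(e[attr].lower(), pattern)]
    if max_entries and len(hits) > max_entries:
        hits = hits[:max_entries]
    return decision, hits


if __name__ == "__main__":
    for flt, mc in [("(cn=*ones)", 1), ("(cn=*h*)", 1), ("(cn=*h*)", 2), ("(cn=*)", 2)]:
        d, hits = run_search(flt, min_chars=mc)
        print(f"{flt:12} min={mc}: {d.reason}; searched {d.effective_value!r}; {len(hits)} hit(s)")
```

Note what the first case shows: with the default of 1, a client asking for cn=*ones is not refused; it silently gets an exact-match search for "ones" and therefore no results, which is what users report as "LDAP search doesn't work" rather than as an error.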
LDAP Capabilities in Domino
Overall, the directories in Domino aren’t updated as often as they are searched or read. I’ve heard many administrators say that no one even reads their Domino Directories, and they don’t keep anything other than the items created at registration in the Person record. But the server reads the Domino Directory consistently, checking access rights and configurations. Most administrators never realize how often the Directory is read until it breaks.
LDAP searches the Domino Directory in a certain order, looking for requested information. The order of the search is as follows:
1. The ($users) view
2. The full-text index
3. If there is no full-text index, the ($PeopleGroupHier) view
If the LDAP client makes an attribute request, such as a spouse’s name, the Domino LDAP task goes directly to the full-text index. If there is no full-text index, it goes to the ($PeopleGroupHier) view.
I recently had a client ask for the ability to synchronize a Domino Directory by pulling updates from another existing LDAP-accessible directory. Domino doesn't currently let you pull updates from another directory via LDAP. The reverse is possible: make all initial changes in Domino and let a third-party LDAP directory connect and update itself from Domino. You'll need to check with the third-party vendor to verify that its product has that capability.
Domino R5 also has the ability to export the Domino Directory in LDAP Data Interchange Format (LDIF), the RFC-defined text format that LDAP servers and clients use to exchange directory entries. You can retrieve the exported file with a simple ldapsearch command from a command prompt (the filter is quoted so the shell doesn't expand the asterisk):
ldapsearch -h LDAPservername "objectclass=*" > filename.txt
You can then import the specified output file to another LDAP server. I’ll say more about LDAP schemas in a moment.
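Before you hand that output to another server, and just as much before you open the directory to anonymous searches as discussed under Domino LDAP Security above, it pays to look at which attributes actually come back. The following parser is added here as an example and is not a Domino-supplied tool: it reads LDIF in the shape ldapsearch produces (comment lines, folded continuation lines, base64 attr:: values) and reports how many entries return each attribute. The LDIF in it is constructed, and the set of attributes treated as sensitive is the caller's own policy choice.

```python
"""Parse the LDIF-style output of an anonymous ldapsearch and report which
attributes the directory hands out. Added example, not Domino tooling; the
LDIF below is constructed, not captured from a real server."""

import base64
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample in the shape of "ldapsearch -h server objectclass=*" output.
SAMPLE_LDIF = (
    "# constructed sample; not from a real Domino server\n"
    "dn: CN=Bob Jones,OU=Sales,O=Corp\n"
    "objectclass: dominoPerson\n"
    "cn: Bob Jones\n"
    "sn: Jones\n"
    "mail: bjones@corp.example\n"
    "location: Building 2, Floor 3\n"
    "telephonenumber: +1 314 555 0100\n"
    "\n"
    "dn: CN=Helen Hunt,OU=Sales,O=Corp\n"
    "objectclass: dominoPerson\n"
    "cn: Helen Hunt\n"
    "sn: Hunt\n"
    "mail: hhunt@corp.example\n"
    # base64 value ("attr:: value"), as ldapsearch emits for non-safe strings
    "description:: " + base64.b64encode("Helen's description".encode()).decode() + "\n"
    # folded value: a continuation line starts with exactly one space (RFC 2849)
    "location: Building 2, Fl\n"
    " oor 4\n"
    "\n"
)


def _unfold(text: str) -> List[str]:
    """Join continuation lines (leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Return one dict per entry; attribute names lower-cased, values as lists."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in _unfold(text):
        if line.startswith("#"):
            continue                      # comment line
        if not line.strip():
            if current:                   # blank line ends an entry
                entries.append(current)
                current = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):          # "attr:: base64"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):        # "attr:< file:///..." is out of scope here
            raise ValueError(f"URL-valued attribute not supported: {line!r}")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_exposure(entries: List[Dict[str, List[str]]], sensitive: Iterable[str]) -> dict:
    """Count how many entries return each attribute and single out the ones on
    the caller's 'sensitive' list (e.g. the Location field mentioned above)."""
    per_attr: Counter = Counter()
    for entry in entries:
        for attr in entry:
            if attr != "dn":
                per_attr[attr] += 1
    wanted = {s.lower() for s in sensitive}
    exposed = {a: n for a, n in per_attr.items() if a in wanted}
    return {"entries": len(entries), "attributes": dict(per_attr), "sensitive_exposed": exposed}


if __name__ == "__main__":
    report = audit_exposure(parse_ldif(SAMPLE_LDIF), sensitive={"location", "telephonenumber"})
    for attr, count in sorted(report["sensitive_exposed"].items()):
        print(f"{attr}: returned for {count} of {report['entries']} entries")
```

Run the real export with no -D/-w bind options so the result reflects what an anonymous client sees, then compare the attribute list against what you intended to allow on the LDAP tab of the Server Configuration document.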
Not all fields are available for LDAP searching. Resource documents, for example, aren't: resources are an object class of a database, which excludes them. When you're configuring LDAP fields in the Server Configuration document, some of these excluded fields show as choices, but they aren't valid. For a complete list of fields that are excluded from LDAP accessibility, see technote #190495 at http://www-3.ibm.com/software/lotus/support.
Groups in a Domino Directory serving LDAP requests are also handled differently if your groups contain spaces. When an LDAP client makes a request for the e-mail address of a group that’s stored with a space, the LDAP server returns underscores where the spaces were. This is because spaces in Internet addresses aren’t valid SMTP characters. Of course, mail to this address will fail because it’s not valid in the Domino Directory. You can correct this by editing the Group document and filling in the Internet Address field on the Basics tab. All LDAP client searches will then return a valid Internet address that can accept mail properly.
If you use LDAP queries for Web authentication on your Domino server, you must enter names differently within ACLs for users to authenticate correctly. LDAP retrieves names in full canonical format. A returned result looks like “CN=Bob Jones/OU=Sales/O=Corporation”. This is the exact name you’ll then list in the ACL for a user authenticating via a Domino LDAP lookup. (Of course, if the user is a member of a group, the group must exist in the primary Domino directory.)
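The name forms in the last few sections are easy to mix up: the hierarchical name a user must bind with once the strict RFC setting is on, the canonical Notes form, the LDAP DN, and the slash-separated DN that goes into the ACL. The helpers below are an added example, not Domino code, converting between those forms. The RFC 2253 escaping and unescaping they apply is this example's assumption (the article's names contain no special characters, and hex escapes such as \2C are not decoded), and country components are not handled.

```python
"""Name-format helpers: abbreviated Notes name -> canonical -> LDAP DN, and
LDAP DN -> the slash form Domino expects in an ACL. Added example, not Domino
code; escape handling follows RFC 2253 and is an assumption of this example."""

import re
from typing import List

_DN_SPECIALS = ',+"\\<>;'
_CANONICAL_PART = re.compile(r"^(CN|OU|O|C)=", re.IGNORECASE)


def is_hierarchical(name: str) -> bool:
    """Bob Jones/Sales/Corp or CN=Bob Jones/OU=Sales/O=Corp: yes. bjones or Bob Jones: no."""
    return "/" in name


def abbreviated_to_canonical(name: str) -> str:
    """Bob Jones/Sales/Corp -> CN=Bob Jones/OU=Sales/O=Corp (no country component)."""
    parts = [p.strip() for p in name.split("/")]
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a hierarchical Notes name: {name!r}")
    if all(_CANONICAL_PART.match(p) for p in parts):
        return name                                   # already canonical
    if len(parts) > 6:
        raise ValueError("Notes names allow at most four OU levels")
    labels = ["CN"] + ["OU"] * (len(parts) - 2) + ["O"]
    return "/".join(f"{label}={value}" for label, value in zip(labels, parts))


def _escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an LDAP DN (RFC 2253)."""
    out = "".join("\\" + c if c in _DN_SPECIALS else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def canonical_to_ldap_dn(canonical: str) -> str:
    """CN=Bob Jones/OU=Sales/O=Corp -> CN=Bob Jones,OU=Sales,O=Corp"""
    rdns = []
    for part in canonical.split("/"):
        typ, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a canonical Notes name: {canonical!r}")
        rdns.append(f"{typ.strip().upper()}={_escape_rdn_value(value)}")
    return ",".join(rdns)


def _split_dn(dn: str) -> List[str]:
    """Split a DN on commas that are not backslash-escaped."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])       # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def ldap_dn_to_acl_entry(dn: str) -> str:
    """CN=Bob Jones,OU=Sales,O=Corporation -> CN=Bob Jones/OU=Sales/O=Corporation,
    the form to list in the ACL for a user authenticated via an LDAP lookup."""
    parts = []
    for rdn in _split_dn(dn):
        typ, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        unescaped = re.sub(r"\\(.)", r"\1", value)   # drop single-character escapes
        parts.append(f"{typ.strip().upper()}={unescaped}")
    return "/".join(parts)


if __name__ == "__main__":
    for candidate in ("bjones", "Bob Jones", "Bob Jones/Sales/Corp"):
        print(f"{candidate!r}: strict bind {'allowed' if is_hierarchical(candidate) else 'refused'}")
    print(canonical_to_ldap_dn(abbreviated_to_canonical("Bob Jones/Sales/Corp")))
    print(ldap_dn_to_acl_entry("CN=Bob Jones,OU=Sales,O=Corporation"))
```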
On the Notes client side, I once had a client request the ability to search each LDAP-accessible directory individually from the Notes client. Currently, you create an Account document in a user's Personal Address Book (PAB) to selectively search one of multiple secondary address books via LDAP. Lotus documents this ability as an enhancement request. This situation also involves type-ahead addressing from the Notes client. In R5, you can't get type-ahead addressing to work against an LDAP directory when addressing a mail message. You must press F9, which invokes the name lookup, to get an address-choice list to appear.
The Notes client may also encounter an issue with searching for groups that Domino accesses via LDAP rules in a Directory Assistance database. Domino stores groups in a flat naming convention, and creating a rule to search for anything but the default of */*/*/*/*/* (see Figure 2) won’t return that group. For example, say you create a rule based on */*/*/*/Company/US for all searches related to that LDAP directory. If you want the group to show in a search with those restrictions, each group must be created hierarchically. Refer to technote #180188 for more information.
Working with the Domino LDAP Schema
A schema is a map of LDAP attributes to the actual record stored in the directory. Any software that provides an LDAP-accessible directory uses schemas. Domino R5 offers special forms with mapping information in the Domino Directory that link to other forms. This gives the LDAP task access to virtually all the information stored in the directory.
It’s possible to get errors related to loading the LDAP schema. One reason that such errors occur is if one of the LDAP forms is corrupted or was customized incorrectly. The LDAP task can’t reconcile the schema. This, in turn, shows the LDAP task closing immediately after loading it. For this type of error, you can add a line to the Notes.INI file to show the form (or the directory) that’s not functioning correctly:
Keep in mind that this will continue to run and create an output file as long as the Notes.INI variable is in place.
A couple of options let you retrieve information about the schema that Domino provides on your Domino LDAP server. The most user-friendly selection is the Domino LDAP Schema database (SCHEMA50.NSF). That database is created in the data directory if you use the following command on the Domino server console:
tell LDAP exportschema
Make sure you have the database closed before running the console command, or the export into it won’t function. You can run this command as often as necessary to update the database when you make schema changes.
The Designer task that normally runs on your Domino server also updates this database (or creates it for the first time) after loading the schema into memory. The Domino LDAP Schema database provides extensive information on attributes. I suggest opening and becoming familiar with this database after loading LDAP. You can even do full-text searches in the database by default after the full-text index is created, of course.
You may also use the ldapsearch utility mentioned earlier with some other options or any LDAP V3-compliant client. A sample command to retrieve the directory schema is:
ldapsearch -h hostname -b "cn=schema" -s base "(objectclass=subschema)" > filename.txt
This creates an output in text format. Although it’s not as user-friendly, other LDAP directories can import this type of output.
It’s also possible to extend the Domino schema by adding attributes and object classes to it. You do this by using Domino Designer and creating new or modifying existing subforms and forms within the Domino Directory. Any time you extend the schema, you can enter “tell ldap reloadschema” at the Domino server console to put the new schema into memory. Then, use the above export server command to put the schema into the Domino LDAP Schema database.
The LDAP service in Domino doesn’t perform schema checking by default. You must manually enable it by editing the Notes.INI file with the line
You must then restart the Domino LDAP server task for this to take effect. Once enabled, LDAP will only accept modifications that already conform to the directory schema. The Domino directory LDAP attributes and content are then kept under control. Keep in mind that schema checking is based on the primary Domino Directory. If you use Directory Assistance and have customized those designs, you must also make those changes to the primary Domino Directory for schema checking to function correctly. If any check of the schema fails while doing adds or modifications, you’ll get an “Object Class Violation” error.
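The following model, added here as an example and not Domino's implementation, shows what the check amounts to: the entry's object classes (and their superiors) define the MUST and MAY attribute sets, a missing MUST attribute or an attribute outside MUST or MAY fails with the objectClassViolation result code, and a modification is checked against the entry as it would look afterwards. The schema in it is an abbreviated subset of the standard person classes from RFC 2256 and RFC 2798, not Domino's schema, and the sample entry is constructed.

```python
"""Model of LDAP schema checking on add/modify: an entry must carry every
attribute its object classes require and no attribute they don't allow, or
the operation fails with objectClassViolation. Added example, not Domino
code; the schema is an abbreviated subset of the standard person classes."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUCCESS = 0
OBJECT_CLASS_VIOLATION = 65      # LDAP resultCode objectClassViolation


@dataclass(frozen=True)
class ObjectClass:
    name: str
    superior: Optional[str]
    must: frozenset
    may: frozenset


# Abbreviated for the example; names lower-cased because LDAP compares them
# case-insensitively.
SCHEMA: Dict[str, ObjectClass] = {oc.name.lower(): oc for oc in (
    ObjectClass("top", None, frozenset({"objectclass"}), frozenset()),
    ObjectClass("person", "top", frozenset({"cn", "sn"}),
                frozenset({"userpassword", "telephonenumber", "seealso", "description"})),
    ObjectClass("organizationalPerson", "person", frozenset(),
                frozenset({"title", "ou", "postaladdress", "l", "st"})),
    ObjectClass("inetOrgPerson", "organizationalPerson", frozenset(),
                frozenset({"mail", "uid", "displayname", "employeenumber"})),
)}

Entry = Dict[str, List[str]]


def _normalise(entry: Entry) -> Entry:
    return {k.lower(): list(v) for k, v in entry.items()}


def _class_chain(name: str, schema: Dict[str, ObjectClass]) -> List[ObjectClass]:
    """The class and all its superiors; raises KeyError for a class the schema lacks."""
    chain, current = [], name.lower()
    while current is not None:
        oc = schema[current]
        chain.append(oc)
        current = oc.superior.lower() if oc.superior else None
    return chain


def check_entry(entry: Entry, schema: Dict[str, ObjectClass] = SCHEMA) -> Tuple[int, List[str]]:
    """Return (resultCode, problems); SUCCESS with an empty list when the entry conforms."""
    e = _normalise(entry)
    classes = e.get("objectclass", [])
    if not classes:
        return OBJECT_CLASS_VIOLATION, ["entry has no objectClass"]
    problems: List[str] = []
    must, may = set(), set()
    for cls in classes:
        try:
            for oc in _class_chain(cls, schema):
                must |= oc.must
                may |= oc.may
        except KeyError:
            problems.append(f"unknown object class {cls!r}")
    present = {a for a, vals in e.items() if a != "dn" and vals}   # dn is not an attribute
    problems += [f"required attribute {a!r} missing" for a in sorted(must - present)]
    problems += [f"attribute {a!r} not allowed by {classes}" for a in sorted(present - must - may)]
    return (OBJECT_CLASS_VIOLATION, problems) if problems else (SUCCESS, [])


def check_modify(entry: Entry, mods: List[Tuple[str, str, List[str]]],
                 schema: Dict[str, ObjectClass] = SCHEMA) -> Tuple[int, List[str], Entry]:
    """Apply add/replace/delete modifications to a copy and check the result.
    Returns (resultCode, problems, resulting entry); the original is untouched."""
    e = _normalise(entry)
    for op, attr, values in mods:
        a = attr.lower()
        if op == "add":
            e.setdefault(a, []).extend(values)
        elif op == "replace":
            e[a] = list(values)
        elif op == "delete":
            if values:
                e[a] = [v for v in e.get(a, []) if v not in values]
            else:
                e.pop(a, None)            # delete the whole attribute
        else:
            raise ValueError(f"unknown modification type {op!r}")
    code, problems = check_entry(e, schema)
    return code, problems, e


if __name__ == "__main__":
    bob = {"dn": ["CN=Bob Jones,OU=Sales,O=Corp"], "objectClass": ["top", "person", "inetOrgPerson"],
           "cn": ["Bob Jones"], "sn": ["Jones"], "mail": ["bjones@corp.example"]}
    print(check_entry(bob))
    print(check_modify(bob, [("delete", "sn", [])])[:2])            # removes a MUST attribute
    print(check_modify(bob, [("add", "spouseName", ["Pat"])])[:2])  # attribute no class allows
```

In Domino the equivalent failure surfaces on the client as the "Object Class Violation" error the text mentions; with checking off, the same add or modify would succeed and the stray attribute would simply be stored.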
Comments on Notes and Domino 6 LDAP
Notes and Domino 6 takes LDAP a step further with some new enhancements. The first big thing is that LDAP is a mandatory task that starts by default on the administration server for the domain. Even if you don’t have the LDAP task in the ServerTasks line of the Notes.INI file, Domino sees that server as the Administration Server for the domain and automatically loads LDAP and writes it to the Notes.INI file. To find more information about ways to disable or make this unavailable, see the Release Notes for Notes and Domino 6 at http://www-10.lotus.com/ldd/notesua.nsf/find/rnrnext.
Regarding enhancements, Lotus plans some performance improvements, including
· the ability to edit the ACL and pull names from an LDAP directory via the normal "add" dialog rather than the way I described above
· improved migration capabilities via the LDAP Directory Upgrade Service
· Directory Assistance Failover capability to failover to third-party LDAP directories
But, of course, not all of these features may make it into Domino 6.
LDAP continues to grow as a protocol and in usage across applications. It can be quite a powerful tool for administrators to bring together disparate directories quickly, and it’s flexible enough to be modified to suit your enterprise’s needs. Domino has embraced LDAP and integrated it with the Domino server and Notes client, and you can expect more LDAP functionality in Domino as the technology continues to mature.
Chris Miller is director of messaging and collaboration at Connectria in St. Louis, Missouri. A PCLP in R5 and R4, Chris has been working with Domino administration since 1994 and is just finishing his Lotus Collaboration CLP. Some say he spends all his time behind a computer, but you can also find him on the soccer field — playing or coaching. You can reach him at email@example.com.
One of the most important aspects of your messaging and collaboration system is security, and some of the security improvements in ND 6 are related to more granularity in administrative functions. For example, can you imagine the ability to extend tiny pieces of server and database administration to users without giving them the keys to the kingdom? How about enhanced certificate management and new smart card integration for the Notes client? Well, loosen your imagination because Lotus listened to the administrators and developers to create some wonderful security enhancements.
The most exciting change in Domino security involves the user registration process. Previously, the administrator, or delegate, needed access to a copy of the certifier to be used and the certifier password. Now the administrator can authorize certain individuals or groups the rights to create new users without direct access to the certifier and password by assigning them particular rights in the Certificate Authority (CA). (Note that in R5, CA refers only to Internet certificates. Notes certificates are now part of the CA process.)
This new role is a Registration Authority (RA) administrator. Each certifier can be given its own RA to offload and delegate administration. It's all done via the CA process, which includes the CA and Certificate Requests (Certreq.NSF) databases and a new CA server task. Only one CA task runs on the server, but you can link this task to numerous certifiers in the database.
The Certificate Requests database contains active certificate and revocation requests. The administration process receives requests from this database for processing. Requests may be processed manually or automatically. If you choose automatic processing, the administrator must be allowed to run unrestricted agents, which is set in the Security section of the Server document for the server where the databases reside.
You can manage the CA server task from the Domino console with Tell commands. A key ability is locking of certifiers that carry a lock ID, so new certificates can't be issued. An administrator can also process new requests immediately and then push a nonscheduled Certificate Revocation List (CRL) to the Domino Directory. For example, a CRL push would occur for a security breach or to remove someone immediately. For a full list of the available commands, see the Lotus Domino Administrator 6 Help at http://www-10.lotus.com/ldd/notesua.nsf/find/dominornext.
CRLs consist of revoked or expired Internet certificates. You can view CRLs in the Issued Certificate List (ICL) database. An ICL database is created each time a new certifier is entered into the CA to store a list of the certificates that haven't expired. A certifier document is also created at the same time and placed in the Domino Directory. This new area entails some configuration, but it can simplify management of certificates.
ND6 also introduces extended Access Control List (xACL) entries, which apply only to the Domino Directory, Administration Requests database, and Extended Directory Catalog. You configure xACL on the Advanced tab under File, Database, Access Control. This new granular access level even allows document-level control. Some developers may suggest that this capability exists already in Reader and Author name fields. But creating those fields is unnecessary on a form you want to protect with xACL. You can apply it to all the necessary forms at one time through a single interface. The xACL has three components: Privileges, Targets, and Names. They're all defined in the Lotus Domino Administrator 6 Help. Keep in mind that xACL rights can't override the rights provided by the ACL of the database or Reader and Author name fields.
Server Document Security
The next place to see the most change in ND6 (once your Domino Directory design is updated) is in the Domino Server document itself. Lotus has changed several tabs to add fields and configuration areas for backward compatibility. Some fields have also been moved or modified. The main security tab remains in the Server document (Figure 1), but the sections and fields included on it are moved around. For example, the former section for Server Access is now titled Administrators. The previous setting providing access to administer the server from a browser still appears (for the sake of backwards compatibility), but you don't use it in ND6. Due to the new fields introduced, control is passed to the ACL of the Webadmin.NSF database.
All of the new fields in the Server document let you enter users, groups, and wildcards. I suggest using groups or wildcards for an organizational unit (OU) if your architecture is designed that way, to ease the administration of these fields.
One of my favorite new security fields is View-only Administrators. This lets you display a server console with the administration client or other console tool and perform simple commands (e.g., Show users, Show server, Show tasks, Show stats) to show the status of the server. It's certainly helpful for senior help desk staff to be able to see server status. When such employees can confirm that tasks are running and view simple server statistics, you can decrease the number of calls that escalate to the next level in your support organization.
The Restricted System Administrator field lets you issue server commands that are listed in the Restricted System Commands field. An administrator can now allow a junior administrator general maintenance-task access. For example, in a distributed server environment that has a WAN or even dial-up access to servers, you could give someone local to the site the rights to perform some simple operations (e.g., Fixup, Compact, Updall).
A wonderful new administration level is the Database Administrator. According to the documentation, users in this field can adjust ACLs, set administration servers, and delete databases as needed, but server commands and controls remain restricted to Domino administrators. In testing this field, I determined that users placed in it have rights to compact and create full-text indexes but not to manage the ACL. Either a correct listing in the ACL or higher server administrator rights is necessary for ACL maintenance.
Full Remote Console Administrators is self-explanatory. You can issue any server console command, including the ability to shut down the Domino server.
Administrators takes on a new meaning while offering the same capabilities provided in previous Domino releases. In my testing, I found no changes in rights from what existed in the R5 Administrators field.
The biggest change is the new field Full Access administrators. This level of access includes everything that an Administrator can perform, with an added benefit of manager access to all databases on the server, regardless of the ACL setting. You must give this field careful consideration before implementing it. For example, some enterprises forbid administrators from having default manager access, which provides access to mail and other databases that could contain sensitive information. Encryption of data within the database is the best precaution when utilizing this new feature.
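The layering of the administrator fields described above (any console command for Full Remote Console Administrators, only the listed commands for Restricted System Administrators, read-only status commands for View-only Administrators, and Manager access to every database for Full Access administrators regardless of the ACL) is a least-privilege model that is easy to get wrong when the fields hold a mix of users, groups and OU wildcards. The following is an added example, not Lotus or IBM code: it models the evaluation in Python so you can check who ends up with which rights before you commit the Server document. The Server document values, the group membership, the "load"/"tell" prefix handling and the choice of "show" as the only view-only verb are constructed assumptions for the illustration.

```python
"""Model of the Domino 6 Server document administrator tiers (added example).

Assumptions: field names follow the article; user names, groups, the
restricted command list and the OU wildcard syntax ('*/OU=Dallas/O=Acme')
are constructed for illustration only.
"""
from fnmatch import fnmatchcase

# Constructed Server document security fields: users, groups and OU wildcards.
SERVER_DOC = {
    "Full Access administrators": ["CN=Chris Miller/O=Acme"],
    "Full Remote Console Administrators": ["LocalDomainAdmins"],
    "Restricted System Administrator": ["*/OU=Dallas/O=Acme"],
    "Restricted System Commands": ["fixup", "compact", "updall"],
    "View-only Administrators": ["HelpDeskSeniors"],
}

# Constructed group membership; in a real deployment this comes from the
# Domino Directory.
GROUPS = {
    "LocalDomainAdmins": ["CN=Pat Jones/O=Acme"],
    "HelpDeskSeniors": ["CN=Sam Lee/OU=Support/O=Acme"],
}

# Assumption: view-only administrators may run only "show ..." status commands.
VIEW_ONLY_VERBS = {"show"}


def matches(user, entry):
    """True if a field entry (user, group, or OU wildcard) covers `user`."""
    if entry in GROUPS:
        return user in GROUPS[entry]
    return fnmatchcase(user, entry)  # '*' also matches across '/' separators


def in_field(user, field):
    return any(matches(user, e) for e in SERVER_DOC.get(field, []))


def command_name(command):
    """Name of the program or verb a console command refers to.

    Assumption: 'load compact mail' and 'tell compact quit' both name 'compact'.
    """
    words = command.split()
    if not words:
        return ""
    if words[0].lower() in ("load", "tell") and len(words) > 1:
        return words[1].lower()
    return words[0].lower()


def authorize_console(user, command):
    """Return (allowed, granting_tier) for a console command issued by `user`.

    Tiers are checked from most to least privileged so the result names the
    tier that actually grants the command.
    """
    name = command_name(command)
    if in_field(user, "Full Remote Console Administrators"):
        return True, "Full Remote Console Administrators"
    if in_field(user, "Restricted System Administrator"):
        allowed = {c.lower() for c in SERVER_DOC["Restricted System Commands"]}
        if name in allowed:
            return True, "Restricted System Administrator"
    if in_field(user, "View-only Administrators") and name in VIEW_ONLY_VERBS:
        return True, "View-only Administrators"
    return False, None


def effective_database_access(user, acl_level):
    """Full Access administrators get Manager on every database, whatever the ACL says."""
    if in_field(user, "Full Access administrators"):
        return "Manager"
    return acl_level


if __name__ == "__main__":
    for user, cmd in [("CN=Pat Jones/O=Acme", "quit"),
                      ("CN=Dana Ruiz/OU=Dallas/O=Acme", "load compact mail"),
                      ("CN=Dana Ruiz/OU=Dallas/O=Acme", "quit"),
                      ("CN=Sam Lee/OU=Support/O=Acme", "show tasks")]:
        print(user, repr(cmd), authorize_console(user, cmd))
    print(effective_database_access("CN=Chris Miller/O=Acme", "No Access"))
```

Running the model against your own field contents is a cheap way to spot the case the article warns about: a name that lands in Full Access administrators inherits Manager on mail files even where the ACL says No Access.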
Administrators should be aware that Lotus has modified certain security fields that existed in previous releases of Domino. In the past, fields such as "Access server," "Not access server," and "Only allow server access to users listed in this Directory" applied only to Notes clients. Now, these fields can apply to all types of Internet protocols. This option isn't enabled by default; you must modify the Internet Ports settings in the Server document for each protocol for which you want to use this new feature.
HTTP Security Changes
Another exciting change is in the HTTP task area of the Domino server. Lotus has hardened HTTP for security purposes in several areas in which HTTP servers come under attack. For example, to help prevent buffer-overflow attacks, Lotus has included the following changes:
- The maximum request URL length is now 4 K.
- URL path segments (e.g., http://www.abc.com/a/b/c/d/e/f/g/h) are restricted to 64 segments by default.
- The default maximum number of request headers is 48.
- The request headers are restricted to 16 K in total.
You can increase some of these settings in the Server document, but unless you have a need, I don't recommend it. As more varied types of attacks are made against Web servers, these enhancements to the management of the Domino HTTP task will become more important.
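The four limits above are the kind of request-shape checks an HTTP front end applies before any parsing touches a fixed-size buffer. As an added example that is not Domino's own code, the Python below applies the same defaults (4 K URL, 64 path segments, 48 request headers, 16 K of header bytes) to a raw request head and reports every limit it violates; the sample requests are constructed, and the reading of "header requests" as the number of request header lines is an assumption.

```python
"""Request-shape limits modelled on the Domino 6 HTTP defaults (added example).

Assumption: the article's "number of header requests" is taken to mean the
number of request header lines, and the 16 K figure the total size of those
lines including their CRLF terminators.
"""

MAX_URL_BYTES = 4 * 1024
MAX_PATH_SEGMENTS = 64
MAX_HEADER_COUNT = 48
MAX_HEADER_BYTES = 16 * 1024


def check_request(raw: bytes) -> list:
    """Return the names of the limits a raw HTTP/1.x request head violates.

    An empty list means the request is within all four limits.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")   # ignore any body
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return ["malformed_request_line"]

    problems = []
    url = parts[1]
    if len(url) > MAX_URL_BYTES:
        problems.append("url_length")

    # Count path segments only (not the query string). An absolute URL in the
    # request line is reduced to its path first.
    path = url
    if b"://" in path[:8]:
        path = b"/" + path.split(b"://", 1)[1].partition(b"/")[2]
    path = path.split(b"?", 1)[0]
    segments = [s for s in path.split(b"/") if s]
    if len(segments) > MAX_PATH_SEGMENTS:
        problems.append("path_segments")

    if len(header_lines) > MAX_HEADER_COUNT:
        problems.append("header_count")
    header_bytes = sum(len(h) + 2 for h in header_lines)  # +2 for each CRLF
    if header_bytes > MAX_HEADER_BYTES:
        problems.append("header_size")
    return problems


def build_request(path: str, headers: dict) -> bytes:
    """Construct a GET request head for testing (sample input, not captured traffic)."""
    lines = [f"GET {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


if __name__ == "__main__":
    samples = {
        "normal": build_request("/names.nsf?Open", {"Host": "domino.example"}),
        "deep path": build_request("/" + "a/" * 70, {"Host": "domino.example"}),
        "long url": build_request("/" + "x" * 5000, {"Host": "domino.example"}),
        "many headers": build_request("/", {f"X-H{i}": "v" for i in range(60)}),
        "big header": build_request("/", {"Cookie": "c" * 20000}),
    }
    for name, req in samples.items():
        print(f"{name:13} -> {check_request(req)}")
```

Note that the checks run on the request head before any work is done with it, so a request that trips a limit costs the server only the bytes it has already read; that is the point of putting these limits ahead of the parser rather than inside it.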
Notes Client Security Enhancements
A casual Notes user may find some of the new certificate and security features overwhelming. The average user will never modify or investigate most of them. But as Notes and Domino reach further into Internet integration, and as security becomes a more prevalent demand, enterprises will demand to have them available.
One new feature is the ability to either blank the Notes client screen when your user ID logs out due to inactivity or hit F5 to lock the client and prevent anyone from seeing the screen you were just visiting. (In R5 and previous Notes releases, you couldn't open documents once the client was locked, but you could see the documents in the view if a database was left open. This was a potential security risk.) You can even place your own image on the screen when it's locked. The setting to blank the screen can be found in user preferences and in the ID file properties.
In previous Domino releases, configuration items were scattered across the client. ND6 lets you manage these items in an easily navigated user interface (Figure 2). Some changes may occur after this article is published (ND6 is still at Pre-Release 2, and nothing is set in stone until the Gold version is released), but the current version is already a huge leap toward a unified place for managing encryption, certificates, and security preferences for the client.
First, you now use a different menu option to inspect a User.ID file. The user selects File, Security, User Security to display the dialog. The structure of this information has moved and changed a bit to account for the new features and functionality.
The Basics section includes name and certificate information for the user, the ability to change the user password, and the ability to set the idle timeout. The administrator can create a server-wide setting to synchronize user IDs and Internet passwords. (This ability was missing in R5 but desired by large shops that didn't want to manage this field.) The user can override this administrator setting so the two passwords don't synchronize. However, unless this synchronization was included in a policy assigned to the user or was selected during the user registration process, the user cannot enable this option. (For information about policies in ND6, see the Lotus Domino Administrator 6 Help.)
Another added option is a button for users to click when they believe that their Notes User.ID passwords have been compromised. The button initiates a four-step process for the user to follow to help secure the ID file.
The section titled Your Identity contains three subsections. Your Names simply contains your current certified name plus aliases it finds from the Domino Directory. There are no variables to change. The subsection Your Certificates (formerly Certificates when you're inspecting an ID on the R5 client) has a wonderful drop-down list to inspect all Notes, Internet, and saved key information. The previous R5 abilities of requesting new certificates, requesting name changes, and creating safe.id files are located in this section now, too. A new subsection, Your Smartcard, is also configured here.
I encourage sites to look at the option of smart cards where possible. Lotus has taken advantage of this technology within the Notes client. In ND6, you can select the necessary smart card driver and then configure Notes to utilize it. The smart card must be with the user when logging in each time. The user enters a smart card PIN (rather than the Notes ID) for authentication. I suggest following the advice of Lotus and backing up your ID file before you embed the smart card information into it.
It's not possible, however, to move your Notes certificate to the smart card (although this would be a useful feature). You can move Internet certificates (e.g., S/MIME for Internet mail encryption) to the smart card from the interface. But you can't move existing certificates on the smart card back into Notes.
The subsection People, Services under Identity of Others lets a user query a local address book and/or Domino server for certificate and trust information on users. Another drop-down menu lets you show all users that you trust already by their Notes or Internet certificates. This menu lets you manage these certificates centrally, whereas in previous releases you had to search your Personal Address Book (PAB) view for certificates.
A new enhancement that deserves a special mention is users' ability to download the trusted certificates that are stored in the Domino Directory on their home servers (that is, to merge them into their user ID files) or to simply browse other address books to find a certificate. The user clicks the radio button "Find more about people/services," and a button appears to offer the choice to retrieve the administrative defaults. This way, the Domino administrator can build a trusted list once and users can retrieve that trust when needed directly from the server. Of course, automated ways of distributing this trust are always easier, but this feature lets users be selective or take the entire trusted list for their enterprises.
You can also retrieve an Internet certificate and import it into your ID file. After you click the button "Retrieve Internet service certificate," a pop-up box appears to let the user specify an Internet site name and optional protocol/port information. All the default protocol/port choices for HTTP, Lightweight Directory Access Protocol (LDAP), and Simple Mail Transfer Protocol (SMTP) are the SSL ports for security when retrieving the certificates.
When testing options in the Authorities section, I was able to reproduce what Notes thought was an attack or corrupt certificate (Figure 3). For administrators who must cross-certify with numerous sites, this is a welcome new security feature. The user sets the trust (or, if the certificates are downloaded from the central authority, the administrator has set the trust) for each certificate.
The previous Execution Control List (ECL) has been moved into a section called What Others Do. Here, the user specifies which permissions the signer of a piece of code or agent may perform on the local workstation. The client also now receives more detailed information when an ECL alert pops up. Details about the signature and design note are included to help the user make an informed decision about whether to trust the requested action.
The Log.NSF on the Notes client shows entries for ECL events. Previously, once an event occurred, no audit trail was available for the action. The design title, NoteID, database title, and even the path are now stored in the Miscellaneous Events view. Also, changes that are pushed to the client through programmatic actions (such as an ECL refresh) that modify the ECL in any way (including adds and deletes) are logged in the same place.
Notes Data lets you configure the default encryption settings for any new local replicas created. The subsection Documents lets you view and control secret keys (single encryption keys) that are stored in the user.id file. The creation, mailing, and importing of secret keys is available through a drop-down list or button as well. These private keys let you encrypt single documents and give that single key only to those people you trust.
Encryption settings for mail, signature warnings, and Internet Mail style options are listed in the Mail section. You can import, retrieve, and examine certificates used for encrypting Internet mail. You can also edit all the locations that must use the new or existing certificate.
Security management has come to the forefront of most enterprises. CIOs are now given directives to obtain and manage certificates for encryption and SSL and to unify the multiple directories across their companies. This single-interface management ability has become crucial to Domino to allow it to move ahead and bring user ID files and Internet certificates closer together. I hope this information about ND6 helps guide you in upgrade decisions.
But you have no fear, because your enterprise runs on Domino, so you can easily let others search your directory, authenticated or anonymously, with the capabilities of LDAP. You can even search their directories if they allow LDAP.
The basics of LDAP (Lightweight Directory Access Protocol) are quite simple, yet with any protocol and software there can be areas of mishap and necessary troubleshooting when establishing a LDAP architecture.
A Very Brief LDAP Background
LDAP, a communication protocol over TCP/IP, was designed as a lightweight alternative to DAP (Directory Access Protocol) for accessing X.500 directories. LDAP defines a standard way to search for and manage entries in a directory, where an entry is one or more groups of attributes that are associated with a distinguished name. The communication between the server and client on X.500 directory searches is defined in a format by this protocol. When a client opens a session with an LDAP server, it is called binding. The client then searches based on anonymous rights, or authenticates (if offered) to gain more privileges.
Of course, people always say that they are implementing an LDAP directory. The true meaning would be an LDAP-accessible directory, but I will let that one go for the sake of terminology. A directory can contain many types of entries -- for example, entries for users, groups, devices, and application data.
Before LDAP, as each network and application grew, so did the number of unique directories. Each directory became an island that was not reachable or interoperable with the others. LDAP evolved to meet that need, and vendors have embraced it. LDAP is gaining wide acceptance across numerous software packages as a way to offer the directory integration that you were just tasked with. Even Sun has recently adopted LDAP as the directory infrastructure in the new Solaris 9.
Continue reading here: "E-Pro: Troubleshooting LDAP in Domino" »
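The background above introduces three things a troubleshooter keeps running into: the distinguished name (an entry's name, made of attribute=value components that can themselves contain escaped commas), the bind that opens a session either anonymously or as an authenticated user, and the search that returns more or less depending on that bind. As an added example, not Domino's LDAP task or any real LDAP client, the Python below implements a DN parser with escape handling and a small in-memory directory that honours anonymous versus authenticated binds on search. The entries, attribute names, password handling and the rule that anonymous searches see only public attributes are constructed assumptions; multi-valued RDNs (the "+" form) are not handled.

```python
"""DN parsing plus anonymous/authenticated bind and subtree search (added example).

Assumptions: the directory contents, the PUBLIC_ATTRS rule for anonymous
searches, and the hashed-password comparison are constructed for this
illustration and do not describe any particular LDAP server.
"""
import hashlib


def parse_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs, leaf first and root last.

    A backslash escapes the next character, so 'cn=Doe\\, Jane' keeps its comma.
    """
    rdns, current, i = [], "", 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            current += dn[i + 1]
            i += 2
            continue
        if c == ",":
            rdns.append(current)
            current = ""
        else:
            current += c
        i += 1
    rdns.append(current)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def _pw(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed directory: DN -> attributes (values are lists, as in LDAP).
DIRECTORY = {
    "cn=Chris Miller,ou=Sales,o=Acme": {
        "cn": ["Chris Miller"], "mail": ["chris@acme.example"],
        "telephoneNumber": ["555-0100"], "userPassword": [_pw("s3cret")]},
    "cn=Pat Jones,ou=Support,o=Acme": {
        "cn": ["Pat Jones"], "mail": ["pat@acme.example"],
        "telephoneNumber": ["555-0101"], "userPassword": [_pw("pa55")]},
    "cn=Doe\\, Jane,ou=Sales,o=Acme": {
        "cn": ["Doe, Jane"], "mail": ["jane@acme.example"],
        "telephoneNumber": ["555-0102"], "userPassword": [_pw("jd")]},
}

# Assumption: anonymous sessions may read only these attributes.
PUBLIC_ATTRS = {"cn", "mail"}


class Session:
    """One LDAP session: starts anonymous, may become authenticated via bind()."""

    def __init__(self):
        self.bound_as = None

    def bind(self, dn=None, password=None) -> bool:
        """Anonymous bind when no DN is given; a failed simple bind leaves the
        session anonymous, as a real LDAP server would."""
        if dn is None:
            self.bound_as = None
            return True
        entry = DIRECTORY.get(dn)
        if entry and password is not None and _pw(password) in entry.get("userPassword", []):
            self.bound_as = dn
            return True
        self.bound_as = None
        return False

    def search(self, base: str, attr: str, value: str) -> dict:
        """Subtree search under `base` for entries with attr=value (equality filter).

        Returns {dn: visible_attributes}; passwords are never returned and
        anonymous sessions see only PUBLIC_ATTRS.
        """
        want = parse_dn(base)
        results = {}
        for dn, attrs in DIRECTORY.items():
            parts = parse_dn(dn)
            if parts[-len(want):] != want:      # entry lies outside the base subtree
                continue
            haystack = [v.lower() for v in attrs.get(attr.lower(), [])]
            if value.lower() not in haystack:
                continue
            visible = {k: v for k, v in attrs.items()
                       if k != "userPassword" and (self.bound_as or k in PUBLIC_ATTRS)}
            results[dn] = visible
        return results
```

A session that fails its bind silently continues as anonymous, which is why an application that ignores the bind result can "work" in testing and then return a thin, public-only attribute set in production; checking the bind result explicitly is the first thing to verify when an LDAP search returns fewer attributes than expected.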