E-Pro: Sys Admin Newsletter Jan 2005
Chris's 2 Cents
The holiday season is over, for some it is simply called the gift giving
and receiving season. This Christmas took on some special meanings
for me personally, ones that will change a person forever. But to
make this light-hearted as usual, let's talk about the useless gifts I
saw that can do nothing to change a person forever.
The remote control finder was the first to poke its head out of a box.
Apparently we have become so lazy as a society, that not only do
we need remote controls to change channels on devices within 15 feet away,
but once we misplace the remote we can no longer function. So in
a moment of desperation, an inventor creates a device that lets you clap
your hands three times to have the attachment on the remote chime or chirp
to tell you where it is. The irony is that you might find it probable
to have to walk to another room to clap, clap, clap and find the remote
you set down when answering the door. Of course, by then you could
have changed the channel and sat back in the chair. My advice, learn
how to work the menu buttons on the actual TV or other electronic device.
No really, they have those same buttons and functionality on it,
I promise.
Next out of the magic gift bag was a mobile phone that played streaming
TV clips from a sports network. Of course, this was the ad on television
for a new Nokia phone that will let you watch up to 20 different channels
by 2006. With free Internet at many cafes, restaurants and people
that don't know how to turn on WEP and hide SSID, do we feel that disconnected
that TiVo is not even an option anymore? Or are we so comfortable
in our desires for media that we need to watch a slam dunk in basketball
on a 2 inch diagonal screen? I can't wait until my mobile phone comes
with a remote control for the TV function so I can attach the remote control
finder to it from above.
The Robosapien. Yes, that is the name of an actual product. A
small robot with a lot of humanoid qualities made by a scientist from NASA.
Now it does some cool things, but nothing productive at all. Productive
would include getting the coffee, letting the dog out (which barked at and chewed
on Robosapien twice when he moved in the first place), picking up the kids
from school and at least raking the leaves. But no, he gives kicks,
high-fives and even picks up a ball with his little grippers. Had
he been able to pitch for the St Louis Cardinals in the last baseball season,
we might have a useful toy here.
I feel obligated to point out that after the gift season comes Lotusphere
a short time behind. By the time this newsletter reaches your inbox,
I will be approaching scramble mode in what needs to be completed in preparation,
as well as handling the inbound calls that are starting due to our IBM
Lotus Award for the 3rd time. So join me in another, yet wonderfully
improved, Lotusphere at the end of January. The February newsletter
will have all sorts of tidbits I gather during the conference and from
the people I meet.
IdoNotes Mailbox: Domino Web Access and Reverse Proxy
Question:
Hi Chris,
Have a client that wants to make DWA available to travelling users. Been
looking at notes.net and there are mixed ideas on how to do this. May I
ask you what config you recommend? Is it reverse proxy, or is it putting
a Domino server in the DMZ which replicates with the inside server?
If reverse proxy, can you point me to configuration documents which will
help me set this up?
Many Thanks,
Frans Lombard
Answer:
Frans,
The reverse proxy makes the most sense in that no data is replicated out
or exposed to the Internet, plus another layer of security is provided,
as the reverse proxy can, in many instances, also offload the SSL traffic
from the Domino server.
But let's cover a few of the issues with reverse proxies and Domino, as
described in IBM technote 1089765:
A Web browser user's requests pass through a reverse proxy or SSL accelerator
before reaching the Domino server. For certain requests, you see
that the URL switches from HTTPS to HTTP or switches from the host name
of the reverse proxy server to the internal Domino server's host name.
In both cases, the URL is generated by the Domino server when the response
is a 302 redirection. Domino builds the Location based on the host
name and protocol used to reach the server. So, in the case of an
SSL accelerator, the browser request is HTTPS, but the accelerator's request
to Domino is HTTP. When Domino returns a Location, it returns it
as HTTP. It does not know that the browser originally requested HTTPS
and was proxied by the accelerator. In much the same way, if the
browser sends a request to a reverse proxy server's host name, the reverse
proxy server then makes the request on behalf of the browser, but with
the internal host name of the Domino server. Domino builds the Location
in this case using its own host name, the name used to reach it by the
reverse proxy server. Again the Domino server cannot know that the
original request was proxied.
For both cases, the best solution is for the SSL accelerator or reverse
proxy server to view the return header and modify the Location as desired.
This scenario is also the best if there are both internal and external
users. Internal users may not be proxied, and therefore the Domino-generated
Locations do not need to be modified, only those going to external users.
(Internal users may not be using SSL internally, and/or the internal
host name is used to reach the server).
There are also some known problems with enabling GZIP compression in Domino
and trying to access these attachments through proxies. One of the
only solutions is to disable GZIP in Domino for now.
I would highly suggest reading the Notes.Net article showing how to add
a reverse proxy and all the implications of adding each component to your
infrastructure. You may find that article here.
http://www-10.lotus.com/ldd/today.nsf/62f62847467a8f78052568a80055b380/a96b7591a013173185256c79005c1af3?OpenDocument&Highlight=0,reverse,proxy
Let me know which path you choose to take and which product if you choose
the reverse proxy.
Chris
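As an added illustration of the Location-rewriting fix the technote calls for (this is not code from the newsletter, from Domino or from any proxy product), the function below models what the reverse proxy or SSL accelerator must do to a Domino 302 response before it reaches the browser. The internal and external base URLs are constructed sample values; the same rewrite covers both the SSL-accelerator case (same host, HTTP to HTTPS) and the reverse-proxy case (internal host name to public host name).

```python
from urllib.parse import urlsplit, urlunsplit


def rewrite_location(location, internal_base, external_base):
    """Rewrite a Domino-generated Location header for a proxied client.

    Domino builds the Location from the scheme and host the proxy used to
    reach it (internal_base), so the proxy swaps in the scheme and host the
    browser actually used (external_base). Anything that does not point
    back at the internal Domino URL is passed through untouched.
    """
    loc = urlsplit(location)
    internal = urlsplit(internal_base)
    external = urlsplit(external_base)
    # Relative Locations and Locations for other hosts are not Domino's
    # internal self-reference, so leave them alone.
    if (loc.scheme.lower() != internal.scheme.lower()
            or loc.netloc.lower() != internal.netloc.lower()):
        return location
    return urlunsplit((external.scheme, external.netloc,
                       loc.path, loc.query, loc.fragment))


def rewrite_response_headers(headers, internal_base, external_base):
    """Apply rewrite_location to every Location header in a response.

    headers is a list of (name, value) pairs. Only responses that pass
    through the proxy are touched, so internal users who reach Domino
    directly keep Domino's original Locations, as the technote recommends.
    """
    return [(name, rewrite_location(value, internal_base, external_base)
             if name.lower() == "location" else value)
            for name, value in headers]


# Constructed sample: an SSL accelerator in front of Domino (same host
# name; the browser speaks HTTPS, the accelerator speaks HTTP to Domino).
ACCEL_INTERNAL = "http://dwa.example.com"
ACCEL_EXTERNAL = "https://dwa.example.com"

# Constructed sample: a reverse proxy with its own public host name in
# front of an internal Domino host name.
PROXY_INTERNAL = "http://domino01.corp.internal"
PROXY_EXTERNAL = "https://dwa.example.com"

if __name__ == "__main__":
    print(rewrite_location("http://dwa.example.com/names.nsf?Login",
                           ACCEL_INTERNAL, ACCEL_EXTERNAL))
    print(rewrite_location("http://domino01.corp.internal/mail/jdoe.nsf",
                           PROXY_INTERNAL, PROXY_EXTERNAL))
```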
Connecting Sametime and Lotus Workplace with the Lotus Instant Messaging Gateway
With companies starting the deployment of Lotus Workplace for the deskless
worker, Lotus has done some work to let you share instant messaging and
presence awareness between Sametime in your Domino environment and Workplace.
It relies totally on the Lotus Instant Messaging Gateway. To
quote from IBM Lotus directly:
"A Sametime server and a Lotus Workplace server each use a different
infrastructure to support presence and instant messaging functionality.
The Sametime server uses an infrastructure based on the proprietary IBM
Lotus Virtual Places (VP) protocol while the Lotus Workplace server uses
an infrastructure based on the open standard Session Initiation Protocol
(SIP).
The Lotus Instant Messaging Gateway serves as an intermediary, or translator,
between the Sametime and Lotus Workplace platforms and performs operations
that enable users connected to these two disparate platforms to communicate
through presence and instant messaging."
There are some network considerations that you must follow to get this
gateway working though. As many of you know, Sametime makes use of
TCP port 1516. The Lotus Instant Messaging Gateway actually uses
this port for all communications to the Sametime server. So if the
gateway resides outside of a firewall, then this port must be accessible
between the two for communication to work properly.
The port used between the Lotus Workplace server and the Lotus Instant
Messaging Gateway may be selected during configuration of the gateway,
or you may allow Lotus Workplace to use any available port. I personally
prefer specifying the port number for ease of firewall and network administration.
The communication over this port will utilize TLS (Transport Layer
Security) for transmitting instant messages. Now, you must make available
port 5061 for Lotus Workplace to talk to the gateway for certain other
communications.
The above ports are the defaults, so the administrator can configure
alternates. I would refer to the administrator guides
for all the products if you plan on modifying the default ports.
One key thing to note about using the Lotus Instant Messaging Gateway:
reverse proxies are NOT supported in either direction between the
gateway and Sametime or Workplace.
From the IdoNotes Mailbox: Users Receiving Mail for Other Domains
Chris,
We have a situation where we accept mail for numerous domains. But,
we only want certain individuals to receive mail for their company name
only. But mail can be received by them under any of the domain names.
We have set the server configuration to FullName only match for inbound
SMTP mail but it does not seem to make a difference. Any insight?
Mitch
Well Mitch, this one is not as bad as you think. I know you have
a Global Domain document that lists the primary and all the secondary domains
that your server will accept mail for. Unfortunately, the way Domino
behaves in this instance is that it searches for an exact match on the first
pass and then strips everything to the right of the @ sign for a
second pass until it finds a match in ($Users). Once it does,
it delivers the message.
But there is hope! If you simply move the secondary domains necessary
to their own Global Domain documents, it will no longer behave like this.
For an excerpt of the documentation, we turn to technote #1192804
(http://www.support.lotus.com)
When the Internet Address Lookup is "FullName Only", the Domino
Server performs a lookup in the Domino Directory ($Users) view for an exact
match of the recipient address in the "RCPT To:" Field of the
message header (e.g., JDOE@DomainB.com). If this exact string is
not found in the ($Users) view, then the Domino Server will check the domain
part of the address (everything to the right of the @ Sign). If it
is an alias of the primary local Internet domain, Domino will replace this
value with the actual primary local Internet address and then perform another
search.
In this case, the Domino search initially looks for a match to "JDOE@DomainB.com"
and finds zero matches. It then performs part 2 of its function and,
as there is an alias in the Global Domain document that matches DomainB.com,
replaces the local Internet domain with "DomainA.com" (the
primary Internet domain). Then, the second search performs a match
for "JDOE@DomainA.com", which results in the delivery of this
mail to the user, John Doe/DomainA.
To prevent this behavior and force Domino to only deliver mail that is
addressed to the exact string in the Person document, remove any aliases
mentioned in the Global Domain document of the primary domain. If
the SMTP server accepts messages addressed to more than one Internet domain,
then the solution in this situation is to create a separate Global Domain
document for each Internet domain.
In the above scenario (with two Global Domain documents), this would cause
a message addressed to "JDOE@DomainB.com" to be rejected and
not delivered to John Doe/DomainA.
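To make the two-pass lookup concrete, here is an added simulation of the "FullName Only" behaviour the technote describes, written for this newsletter and not taken from Domino or IBM. The directory contents and Global Domain documents are constructed samples, and addresses are compared case-insensitively (an assumption of the simulation); running it shows JDOE@DomainB.com landing in John Doe's mail file with one Global Domain document and being rejected once each domain has its own.

```python
def fullname_only_lookup(rcpt_to, users_view, global_domain_docs):
    """Simulate Domino's inbound SMTP lookup with Internet Address Lookup
    set to "FullName Only", as technote 1192804 describes it.

    users_view: dict mapping lowercase Internet address -> Notes name,
                standing in for the ($Users) view (constructed sample).
    global_domain_docs: list of dicts, one per Global Domain document,
                each {"primary": "DomainA.com", "aliases": [...]}.
    Returns the Notes name the message is delivered to, or None when
    Domino would reject the recipient.
    """
    address = rcpt_to.lower()   # assumption: case-insensitive compare
    # Pass 1: exact match on the full RCPT TO address.
    if address in users_view:
        return users_view[address]
    # Pass 2: if the domain part is an alias in a Global Domain document,
    # swap in that document's primary domain and search once more.
    local_part, _, domain = address.rpartition("@")
    for doc in global_domain_docs:
        if domain in (alias.lower() for alias in doc["aliases"]):
            retry = f"{local_part}@{doc['primary'].lower()}"
            return users_view.get(retry)
    return None


# Constructed sample directory: John Doe only has a DomainA address.
USERS_VIEW = {
    "jdoe@domaina.com": "John Doe/DomainA",
    "msmith@domainb.com": "Mary Smith/DomainB",
}

# Mitch's starting point: one Global Domain document listing DomainB
# as an alias of the primary domain.
ONE_GLOBAL_DOMAIN = [{"primary": "DomainA.com", "aliases": ["DomainB.com"]}]

# The fix: a separate Global Domain document per domain, with no aliases.
SPLIT_GLOBAL_DOMAINS = [
    {"primary": "DomainA.com", "aliases": []},
    {"primary": "DomainB.com", "aliases": []},
]

if __name__ == "__main__":
    for docs in (ONE_GLOBAL_DOMAIN, SPLIT_GLOBAL_DOMAINS):
        print(fullname_only_lookup("JDOE@DomainB.com", USERS_VIEW, docs))
```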
What is missing in the Domino Web Administrator client?
If you have not played with webadmin.nsf in Domino 6.x, you are missing an
incredible treat for remote administration work when you have no Notes
client around or http/https is the only access available to that server.
I recommend only using this tool over https when on the public Internet.
Since you are passing your administrator username and password and
then working with live control of a Domino server, take the extra time
to purchase an SSL certificate or at least create your own self-signed one.
Most of the functionality you would receive from the Notes client may now
be found in the web interface. Even the GUI is coming along to be
an exact duplicate. That makes for easy navigation and efficiency
when you do not have to learn another UI. I know that was just one
of the thoughts when they developed the tool.
What I wanted to provide in the tip was a list of things you could NOT
do with the Web Administrator in Domino 6. For one thing, it is a
much shorter list than the things you can do. :-) I then follow
each bullet with a quick thought from me.
Things you cannot do using the Domino Web Administrator:
- Use the Web Administrator to create Setup or Desktop policy settings documents. (this one confused me since I thought a limited desktop or setup policy could be specified. Maybe not everything, but a good portion could be done)
- Add database links used to set up bookmarks or custom Welcome pages. (of course since there is no doclink creation ability from the web)
- The Assign Policy tool is not available in the Web Administrator. (once again assigning the policy can be done manually, so I see this tool coming late)
- Enable statistic report generation. (This would be great for remote administrators that need statistics)
- Configure a server for SSL during the server registration process. (I actually like that this is forced through the Notes client for numerous reasons)
Clustering
- Upgrade existing users for roaming. (As this feature is still growing in usage, I can wait)
- Remove a server from a cluster. (Another thing I think could be done with AdminP requests)
- Create a cluster. (Same as above, let us kick off AdminP on creating the cluster)
Registering Users
- Can only register users with the CA process. (If you have not investigated the CA Process, definitely explore this option! No more worries about carrying the certifier or who has access. You control it all from who can register and using what certifier through roles)
- Set registration preferences in the Web Administrator. (Makes sense since the preferences are stored locally in the Notes client)
- Can only use the registration settings in the CA and in the Registration policy settings document. (Makes sense since you are using the CA to register the users and not the actual certifier id from the Notes client)
As you can see that is not a huge list of items anymore. It continually shrinks and the addition of the CA process was a huge leap. Keep in mind if someone will be using the CA process through a web interface, you want to check your security settings for remote console access to the servers also.
On Saturday, January 8th, 2005 by Chris Miller