domino web access(iNotes).

I need to provide web mail access to my users through internet. I have two domino serves configured as cluster in my LAN network. How can I provide web access to my users. I have CISCO ASA  firewall. I am using web redirection data base locally to access the web mail. How can I provide redundancy for the web mail access if one server fails. I am using domino 8.5.3.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hi there,,,

Actually, In my  Environment I've done it and I got the other part done by the Networking and Security Department  ....

- A New Lotus Domino server has been added and Located at the DMZ
- Port 1352 has been opened between this new server and the HUB Administration Server .
- A web redirection database has been created and configured to redirect users to their databases .
- Some new Connection Documents have been created between the HUB administration server & the other servers from one side and this new Server on the other side . Moreover, the replication schdule and the other replication related issues have been confiured in these connections documents .
-  For the users we desired to provide them with an access to their emails from the Internet a new replica have been created from their Mail Servers to this new DMZ server  and a new Internet password have been created on "Person Documents" of these users ...

******************** And over Here the Roll of Lotus Notes Admins Ends**********

Now In order, to have the users access this server from the Internet a VPN have been configured by the Networking and Security Adminstrator and each user has been provided with a VPN token so they just have to access the site then put the code provided by the VPN Token  ( The corresponding ports have been opened on the firewall )

- A new DNS  record has been created by the DNS Admin on  (Http:// on our external DNS and a public IP has been provided to this site .....

Note: I really dont have much experince about the Networking and Security and what can be done in this case

I really hope this helps
jobby1Author Commented:
I do not want to keep their mail files in the DMZ servers. Is there a solution for this.
Sjef BosmanGroupware ConsultantCommented:
Set up a VPN to the internal network.
OWASP: Avoiding Hacker Tricks

Learn to build secure applications from the mindset of the hacker and avoid being exploited.

In refrence to my previous comment # 37704738 this server has been located at the DMZ becuase it is required by the Security Department and the Aduitors . However, in this case as @sjef_bosman mentioned you have to set a VPN connection to the internal network , but you have in this case to review the security measure of your company .
jobby1Author Commented:
we can not set up VPN for public access.
Sjef BosmanGroupware ConsultantCommented:
VPN is meant to block public access: only people with the right credentials can safely access (part of) your internal network.

How else do you intend to let your users access your internal server from the Internet using ports 80 or 443 ?
Ok ,,, if you have a  CISCO ASA  firewall Admin check if he can suggest any thing for this particular case or refer for some documentations on the Internet ....


The only alternative solution which comes to my mind is to have a domino traveler ( it is free of charge the only thing is you have to have a dedicated server ) server for the users to be able to access their emails through mobile phones

I hope this really helps
As another alternative for clustering and fail over I have used, you could use an IIS server as a front end web server and install the Websphere IIS plugin.

The IIS can be placed in the DMZ and Websphere config setup to try server1 and failover to server2 if http access is not available and fail back if available after a set time.

following link describes some of the config settings for clustering or failover

The WASIISplugin is included as part of domino and is easy to install in IIS.
The iis connects to the domino servers so external clients have no need to go through firewall at all, the firewall just needs to allow IIS to contact domino servers.
jobby1Author Commented:
Is there any solution avaialble with Domino alone? Microsoft exchange has got clinet accesss role which allow this function. Something similar available in Domino.
AFAIK, there is no such an identical solution , the solutions provided by IBM Lotus Notes are mentioned above by the experts
Sjef BosmanGroupware ConsultantCommented:
What exactly does the MS solution do that iNotes can't do?
jobby1Author Commented:

In MS exchange we can keep our mailbox in LAN only client access we need to publish in DMZ. Client access will take care of connectivity to mail boxes whether is a cluster or no cluster.

Can we have a similar setup using domino without using any third party software/hw
Sjef BosmanGroupware ConsultantCommented:
Maybe this:
with a redirection type of Mail Server. There should be an additional Domino server installed in the DMZ, but the mail databases stay on their current server.

I must say I never tried this.

Here's some more info:
sjef_bosman & jobby1 the mentioned idea in comment# 37734330 Is the one I tried to explain in my first comment #37704738 and I've implemented this in the real life the databases are on the mail servers and there must be a replication to the Internet mail access server at the DMZ .
jobby1Author Commented:

Even IBM says to keep the mail file replica in DMZ. This is not accepable.

Also if we use reverse proxy we need some load balancer in LAN to maintain single URL using the redirect.nsf. Pls connect me if I am wrong.

"Multiple Servers running iNotes, but all mail files have been replicated on one server located in a DMZ. All users should be redirected to the copy of the mail file on the DMZ server located in a folder called iNotes."
The IBM suggestion you listed is just one of the possible scenarios suggested and not the one you should be using, agree no replicas in the DMZ.

The redirection app should work for you if you have a suitable domino compatible proxy accessible via the DMZ.
Do you want users to access mail on their home mail servers or a central point as this would only change the url users would be given from the redirection app.

For mailserver access only then.
You can have a single URL that everyone goes to such as this just redirects to the redirection app which is set to use mailserver with fixed domain.
This would result in a redirection to example

Your reverseproxy can be set to push requests for this URL to the lan server via  secure port on your firewall. Clients would not be accessing the lan server directly it is all via reverse proxy, firewall only allows revers proxy ip access etc.
For a reverse proxy you could use Apache or IIS as both have reverse proxy capability that will work with Domino.

For IIS look at using the IISWAS plugin and in the config file you can have list of server connections and redirect by incoming url.

If you have clustered servers with all mail files available on all servers then the IISWAS plugin can load balance and provide fail over between servers. Or you can have redirretion app contact an internal ICM server which will redirect clients to the servers host name, but not tried this in reverse proxy config if internal server hostname is different to public hostname.

The exchange system is effectively using IIS as a reverse proxy similar to using IISWAS setup.
jobby1Author Commented:
Can Domino http server provide the reverse proxy feature!!!
Sjef BosmanGroupware ConsultantCommented:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Can use IIS or Apache for reverse proxy, some others possibly but these have information on how to setup etc.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Lotus IBM

From novice to tech pro — start learning today.