We help IT Professionals succeed at work.

domino web access(iNotes).

jobby1
jobby1 asked
on
I need to provide web mail access to my users through internet. I have two domino serves configured as cluster in my LAN network. How can I provide web access to my users. I have CISCO ASA  firewall. I am using web redirection data base locally to access the web mail. How can I provide redundancy for the web mail access if one server fails. I am using domino 8.5.3.
Comment
Watch Question

Commented:
Hi there,,,

Actually, In my  Environment I've done it and I got the other part done by the Networking and Security Department  ....

- A New Lotus Domino server has been added and Located at the DMZ
- Port 1352 has been opened between this new server and the HUB Administration Server .
- A web redirection database has been created and configured to redirect users to their databases .
- Some new Connection Documents have been created between the HUB administration server & the other servers from one side and this new Server on the other side . Moreover, the replication schdule and the other replication related issues have been confiured in these connections documents .
-  For the users we desired to provide them with an access to their emails from the Internet a new replica have been created from their Mail Servers to this new DMZ server  and a new Internet password have been created on "Person Documents" of these users ...

******************** And over Here the Roll of Lotus Notes Admins Ends**********

Now In order, to have the users access this server from the Internet a VPN have been configured by the Networking and Security Adminstrator and each user has been provided with a VPN token so they just have to access the site then put the code provided by the VPN Token  ( The corresponding ports have been opened on the firewall )

- A new DNS  record has been created by the DNS Admin on  (Http://www.sitename.com) on our external DNS and a public IP has been provided to this site .....

Note: I really dont have much experince about the Networking and Security and what can be done in this case

I really hope this helps

Author

Commented:
I do not want to keep their mail files in the DMZ servers. Is there a solution for this.
Sjef BosmanGroupware Consultant
CERTIFIED EXPERT

Commented:
Set up a VPN to the internal network.

Commented:
In refrence to my previous comment # 37704738 this server has been located at the DMZ becuase it is required by the Security Department and the Aduitors . However, in this case as @sjef_bosman mentioned you have to set a VPN connection to the internal network , but you have in this case to review the security measure of your company .

Author

Commented:
we can not set up VPN for public access.
Sjef BosmanGroupware Consultant
CERTIFIED EXPERT

Commented:
VPN is meant to block public access: only people with the right credentials can safely access (part of) your internal network.

How else do you intend to let your users access your internal server from the Internet using ports 80 or 443 ?

Commented:
Ok ,,, if you have a  CISCO ASA  firewall Admin check if he can suggest any thing for this particular case or refer for some documentations on the Internet ....

Or

The only alternative solution which comes to my mind is to have a domino traveler ( it is free of charge the only thing is you have to have a dedicated server ) server for the users to be able to access their emails through mobile phones
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Getting_started_Lotus_Notes_Traveler_8.5.3

I hope this really helps

Commented:
As another alternative for clustering and fail over I have used, you could use an IIS server as a front end web server and install the Websphere IIS plugin.

The IIS can be placed in the DMZ and Websphere config setup to try server1 and failover to server2 if http access is not available and fail back if available after a set time.

following link describes some of the config settings for clustering or failover
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21219567

The WASIISplugin is included as part of domino and is easy to install in IIS.
The iis connects to the domino servers so external clients have no need to go through firewall at all, the firewall just needs to allow IIS to contact domino servers.

Author

Commented:
Is there any solution avaialble with Domino alone? Microsoft exchange has got clinet accesss role which allow this function. Something similar available in Domino.

Commented:
AFAIK, there is no such an identical solution , the solutions provided by IBM Lotus Notes are mentioned above by the experts
Sjef BosmanGroupware Consultant
CERTIFIED EXPERT

Commented:
What exactly does the MS solution do that iNotes can't do?

Author

Commented:
sjef_bosman:

In MS exchange we can keep our mailbox in LAN only client access we need to publish in DMZ. Client access will take care of connectivity to mail boxes whether is a cluster or no cluster.

Can we have a similar setup using domino without using any third party software/hw
Sjef BosmanGroupware Consultant
CERTIFIED EXPERT

Commented:
Maybe this:
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/3.14_Setting_up_a_Redirection_Application_for_Lotus_iNotes_users
with a redirection type of Mail Server. There should be an additional Domino server installed in the DMZ, but the mail databases stay on their current server.

I must say I never tried this.

Here's some more info: http://slemfisk.blogspot.fr/2009/09/reverse-proxy-4-mail-servers-anyone.html

Commented:
sjef_bosman & jobby1 the mentioned idea in comment# 37734330 Is the one I tried to explain in my first comment #37704738 and I've implemented this in the real life the databases are on the mail servers and there must be a replication to the Internet mail access server at the DMZ .

Author

Commented:
sjef_bosman:

Even IBM says to keep the mail file replica in DMZ. This is not accepable.

Also if we use reverse proxy we need some load balancer in LAN to maintain single URL using the redirect.nsf. Pls connect me if I am wrong.


"Multiple Servers running iNotes, but all mail files have been replicated on one server located in a DMZ. All users should be redirected to the copy of the mail file on the DMZ server located in a folder called iNotes."

Commented:
The IBM suggestion you listed is just one of the possible scenarios suggested and not the one you should be using, agree no replicas in the DMZ.

The redirection app should work for you if you have a suitable domino compatible proxy accessible via the DMZ.
Do you want users to access mail on their home mail servers or a central point as this would only change the url users would be given from the redirection app.

For mailserver access only then.
You can have a single URL that everyone goes to such as inotes.yourdomain.com this just redirects to the redirection app which is set to use mailserver with fixed domain.
This would result in a redirection to example server1.yourdomain.com

Your reverseproxy can be set to push requests for this URL to the lan server via  secure port on your firewall. Clients would not be accessing the lan server directly it is all via reverse proxy, firewall only allows revers proxy ip access etc.
For a reverse proxy you could use Apache or IIS as both have reverse proxy capability that will work with Domino.

For IIS look at using the IISWAS plugin and in the config file you can have list of server connections and redirect by incoming url.

If you have clustered servers with all mail files available on all servers then the IISWAS plugin can load balance and provide fail over between servers. Or you can have redirretion app contact an internal ICM server which will redirect clients to the servers host name, but not tried this in reverse proxy config if internal server hostname is different to public hostname.

The exchange system is effectively using IIS as a reverse proxy similar to using IISWAS setup.

Author

Commented:
Can Domino http server provide the reverse proxy feature!!!
Groupware Consultant
CERTIFIED EXPERT
Commented:
NO!

Commented:
Can use IIS or Apache for reverse proxy, some others possibly but these have information on how to setup etc.