Accessing a Sametime environment from the Internet involves many security and technical aspects. Learn how to install the Sametime Edge Proxy components in your DMZ and connect them to your internal Sametime environment: a Sametime Community MUX Server, a SIP Edge Proxy, a Meeting HTTP Edge Proxy, a TURN server and a Sametime Gateway.
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it with your friends and learn new things together.
The IBM Sametime 8.5.2 components we will cover

In Part 1:
● IBM DB2 Database Server
● IBM Sametime System Console
● IBM Sametime Community Server
● IBM Sametime Proxy Server
● IBM Sametime Meeting Server
● IBM Sametime Media Manager
● IBM Sametime Advanced Server (optional)
● IBM Sametime Connect Client

In this Part 2:
● IBM Sametime Community MUX (optional)
● IBM Sametime SIP Edge Proxy
● IBM Sametime Meeting HTTP Proxy
● IBM Sametime TURN Server
● IBM Sametime Gateway (optional)

In Part 3:
● Moving Sametime Servers to separate boxes
● Implementing additional Servers for clustering
● Clustering of Sametime Servers
IBM Sametime 8.5.2 Prerequisites
● IBM Sametime 8.5.2 Community MUX Server requires
  ● IBM Sametime Community Server (Version >= 7.5.1)
● IBM Sametime 8.5.2 SIP Edge Proxy requires
  ● IBM WebSphere Application Server 7.0.0.15 (provided automatically via Install)
  ● IBM Sametime 8.5.2 Media Manager
● IBM Sametime 8.5.2 Meeting HTTP Proxy requires
  ● IBM WebSphere Application Server 7.0.0.15 (provided automatically via Install)
  ● IBM Sametime 8.5.2 Meeting Server
● IBM Sametime 8.5.2 TURN Server requires
  ● IBM Sametime 8.5.2 Media Manager
● IBM Sametime 8.5.2 Gateway Server requires
  ● IBM WebSphere Application Server 7.0.0.15 (provided automatically via Install)
  ● IBM DB2 9.7 or 9.5 FP1
  ● LDAP directory server (supported: IBM® Lotus® Domino® Directory LDAP, Microsoft® Active Directory, IBM Tivoli® Directory Server, SunOne® iPlanet®, Novell® eDirectory®)
  ● IBM Sametime Community Server (Version >= 8.0.1)
● IBM Sametime 8.5.2 System Console Server requires
  ● IBM WebSphere Application Server 7.0.0.15 (provided automatically via Install)
  ● IBM DB2 9.7 or 9.5 FP1
  ● LDAP directory server (supported: IBM® Lotus® Domino® Directory LDAP, Microsoft® Active Directory, IBM Tivoli® Directory Server, SunOne® iPlanet®, Novell® eDirectory®)
● IBM Sametime 8.5.2 Community Server requires
  ● IBM Lotus Domino 8.5.1 or 8.5.2 (32 bit version only)
  ● LDAP directory server
● IBM Sametime 8.5.2 Proxy Server requires
  ● IBM WebSphere Application Server 7.0.0.15 (provided automatically via Install)
  ● IBM Sametime Community Server (Version >= 7.5.1)
● IBM Sametime 8.5.2 Meeting Server requires
  ● IBM WebSphere Application Server 7.0.0.15 (provided automatically via Install)
  ● IBM DB2 9.5 FP1 (provided automatically via Install)
  ● LDAP directory server
● IBM Sametime 8.5.2 Media Manager requires
  ● IBM WebSphere Application Server 7.0.0.15 (provided automatically via Install)
  ● IBM Sametime 8.5.2 Community Server
  ● LDAP directory server
● IBM Sametime 8.5.2 Advanced Server requires
  ● IBM WebSphere Application Server 7.0.0.15 (provided automatically via Install)
  ● IBM DB2 9.7 or 9.5 FP1
  ● LDAP directory server (supported: IBM® Lotus® Domino® Directory LDAP, Microsoft® Active Directory, IBM Tivoli® Directory Server, SunOne® iPlanet®, Novell® eDirectory®)
  ● IBM Sametime Community Server (Version >= 8.0.1)
● Client
  ● Windows XP (SP2), XP Tablet, Vista and Windows 7 – 32 and 64 bit
  ● Mac OS X 10.6.2 x86-64 and future OS fix packs
  ● RHEL 5.0 Update 4 Desktop Edition x86-32 and future OS fix packs
  ● SLED 10.0 SP3 and 11.0 SP1, 32 and 64 bit, and future OS fix packs
  ● Ubuntu 10.04 LTS x86-32 and future OS fix packs
● Server
  ● Windows Server 2003/2008 – 32 and 64 bit (including R2)
  ● Linux (RHEL, SLES) – 32 and 64 bit
  ● AIX 5.3/6.1
  ● i5/OS 5.4, 6.1
  ● Solaris 10
  ● ESX and ESXi 4.0, MS Hyper-V R2
● Browsers
  ● Microsoft® Internet Explorer 6.x, 7.x, 8.0 (Windows)
  ● Firefox 3.5 and 3.6 (Windows, Mac, Linux)
  ● Safari 5.0 (Mac)
● Other
  ● Domino 8.5.1/8.5.2 for Community Server / 'Classic' meetings
  ● WebSphere Application Server 7 for new servers and gateway (included)
  ● DB2 9.7 for new servers and gateway (included)
● Browsers supported by the Audio/Video browser plug-in
  ● Microsoft® Internet Explorer 6.x (see note below), 7.x, 8.0 (Windows)
  ● Firefox 3.5 and 3.6 (Windows, Mac)

SPECIAL NOTE: Microsoft Internet Explorer 9, Apple Safari and Google Chrome are not supported with the Sametime Audio/Video browser plug-in in the current Sametime version 8.5.2.
Browser A/V is currently not supported on any Linux based OS.
Microsoft Internet Explorer 6 should work and is officially supported, but it is not recommended: it can cause issues when several parallel connections need to be established to the meeting server.
● Make sure that all servers you want to use can be resolved in DNS.
● If DNS is not available, list the fully qualified host names and IP addresses of all servers in the hosts file and distribute this file to all servers.
● The Media Manager installation does not work with a DNS alias. Use the fully qualified host name of the machine (including the domain part) for the installation. This name does not need to be configured anywhere else and clients never see it.
● If you use Windows 2008 as the operating system, start all installations and configurations elevated ("Run as administrator").
● You need an LDAP server hosting your user base. This can be Domino LDAP, Microsoft Active Directory or any other supported LDAP v3 directory.
● The Sametime Gateway requires a public, non-NATed IP address. NAT does not work with SIP traffic (especially with TLS encryption) because a SIP message carries the sender's own IP address inside the message (for example in the Via and Contact headers). The receiver refuses a SIP message that arrives from a source address other than the one written inside it, and with TLS no NAT device can rewrite those headers in transit.
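The NAT problem from the last bullet, shown on a constructed SIP request (this is an added example for illustration, not code from the original deck; the gateway address 192.168.30.40 and the documentation-range address 203.0.113.10 standing in for the NAT's public side are assumptions; PowerShell 3 or later):

```powershell
# Added example, not part of the original deck. A SIP request names its sender in
# the topmost Via header ("sent-by"). A strict receiver compares that address with
# the address the packet really arrived from; after NAT the two differ and the
# request is rejected. With TLS the NAT device cannot rewrite the header to hide this.

function Get-SipSentBy {
    param([Parameter(Mandatory=$true)][string]$Message)
    # Only the topmost Via header matters: it names the last hop that sent the request.
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^(?:Via|v):\s*SIP/2\.0/(?<transport>\w+)\s+(?<host>[^;:\s]+)(?::(?<port>\d+))?') {
            return [pscustomobject]@{
                Transport = $Matches['transport']
                Host      = $Matches['host']
                Port      = if ($Matches['port']) { [int]$Matches['port'] } else { $null }
            }
        }
    }
    return $null
}

function Test-SipSourceMatchesVia {
    param(
        [Parameter(Mandatory=$true)][string]$Message,
        [Parameter(Mandatory=$true)][string]$SourceAddress   # address the packet actually arrived from
    )
    $via = Get-SipSentBy -Message $Message
    if (-not $via) { throw 'No Via header found in SIP message' }
    [pscustomobject]@{
        ViaHost    = $via.Host
        SourceAddr = $SourceAddress
        Transport  = $via.Transport
        Consistent = ($via.Host -eq $SourceAddress)
    }
}

# Constructed INVITE as a gateway would send it from its real interface address (assumed 192.168.30.40).
$invite = @"
INVITE sip:bob@partner.example SIP/2.0
Via: SIP/2.0/TLS 192.168.30.40:5061;branch=z9hG4bK776asdhds
Contact: <sip:alice@192.168.30.40:5061;transport=tls>
From: <sip:alice@renovations.com>;tag=1928301774
To: <sip:bob@partner.example>
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Content-Length: 0

"@

# Without NAT the packet arrives from the address in the Via header: Consistent = True.
Test-SipSourceMatchesVia -Message $invite -SourceAddress '192.168.30.40'
# Behind NAT the same packet arrives from the NAT's public address while the Via
# still says 192.168.30.40: Consistent = False, and the peer refuses it.
Test-SipSourceMatchesVia -Message $invite -SourceAddress '203.0.113.10'
```

The second call is exactly the situation the bullet describes; the only remedy is to give the gateway an interface with the public address itself.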
For a Windows installation of the Edge components you need to download these files from Passport Advantage:
● CZYD7ML.zip – IBM Sametime Community Server Standard
● CZYE0ML.zip – IBM Sametime Meeting Server
● CZYF0ML.zip – IBM Sametime Media Manager Server
● CZYF9ML.exe – IBM Sametime Gateway
● CZYA0ML.zip – IBM Sametime WebSphere Application Server
● CZYH1ML.zip – IBM Sametime WebSphere Application Server iFixes
Create a directory, for example “C:\Install”, on each server where you want to install, and unpack the downloaded files into this directory. Unpack only the files required for your deployment architecture on that particular server.
Before running CZYF9ML.exe, create the subdirectory “C:\Install\SametimeGateway” and unpack the file into it.
After unpacking CZYH1ML.zip, go into the subdirectory “C:\Install\SametimeWASiFixes\WebSphereUPDI” and unzip the Update Installer for your operating system.
Compared with the last version of this document (installing IBM Lotus Sametime 8.5.1, from Lotusphere 2011), we have changed our recommendation for a pilot deployment again. The reasons are new features in the installation methods as well as our growing experience and many successful installations using this method in the last months.
Most of the Edge components described in this Part 2 can be installed on one single box in the DMZ because all of them use different ports for communication. Only the Sametime Gateway requires a separate box, because it uses the SIP protocol and requires a non-NATed public IP address. The Sametime Gateway is optional and is not required for the other Edge components to work properly.
It is important to have the full environment described in Part 1 of this documentation up and running before starting the Edge components installation. The Sametime Advanced part is not required for this installation.
Hardware required for this Pilot Example Deployment
● 1 server for the IBM Sametime 8.5.2 Community MUX, IBM Sametime 8.5.2 Meeting HTTP Proxy, IBM Sametime 8.5.2 SIP Edge Proxy and IBM Sametime 8.5.2 TURN Server: quad CPU, 8 GB RAM or more, 100 GB disk space or more, 64 bit OS, 1 Gbit network interface with 2 IP addresses (internal and external).
● 1 server for the IBM Sametime 8.5.2 Gateway Server: dual CPU, 4 GB RAM or more, 50 GB disk space or more, 64 bit OS, 1 Gbit network interface with 2 IP addresses (internal and external, but not NATed).
● Various client endpoints

With such a configuration you can host up to
● 300 concurrent meeting participants *
● 5,000 concurrent Sametime clients *
● 150 concurrent media streams *
● 1,500 concurrent Proxy web client users *
* Ask your IBM representative for more detailed sizing information for a defined environment.
Special IP configuration for the WebSphere based Server
The Edge environment requires that the same fully qualified host names used in the internal network (see Part 1 of this documentation) are configured in the public DNS and point to the public IP address of the DMZ machine hosting the Edge components. This means a split DNS configuration is required: internal resolvers return the internal addresses, and public resolvers return the DMZ address for the very same names.
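A check for the split DNS setup, added here as an example (not from the original deck): it resolves the deck's host names against an internal and a public DNS server and reports whether the inside answers are private addresses and the outside answers are the DMZ address. The server addresses 192.168.30.5 and 203.0.113.53, the public edge address 203.0.113.10 and the list of published names are assumptions; Resolve-DnsName needs Windows 8/2012 or later (PowerShell 3+).

```powershell
# Added example, not part of the original deck. Run from a workstation that can reach both resolvers.
$internalDns = '192.168.30.5'     # assumption: your internal DNS server
$publicDns   = '203.0.113.53'     # assumption: a public resolver
$edgePublic  = '203.0.113.10'     # assumption: public address of the DMZ edge box
# Assumption: the names you publish; adjust to the components you actually expose.
$names = 'chat.renovations.com', 'meeting.renovations.com', 'edge.renovations.com'

function Test-IsPrivateAddress {
    param([string]$Ip)
    # RFC 1918 ranges only; anything else counts as public.
    return ($Ip -match '^10\.' -or $Ip -match '^192\.168\.' -or $Ip -match '^172\.(1[6-9]|2\d|3[01])\.')
}

function Resolve-A {
    param([string]$Name, [string]$Server)
    # -DnsOnly skips the local hosts file and cache so we really see the server's answer.
    try {
        @(Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch { @() }
}

foreach ($n in $names) {
    $inside  = Resolve-A -Name $n -Server $internalDns
    $outside = Resolve-A -Name $n -Server $publicDns
    # Inside: at least one answer and every answer private. Outside: exactly the DMZ address.
    $insidePrivate = ($inside.Count -gt 0) -and -not ($inside | Where-Object { -not (Test-IsPrivateAddress $_) })
    $outsideEdge   = ($outside.Count -eq 1) -and ($outside[0] -eq $edgePublic)
    [pscustomobject]@{
        Name     = $n
        Internal = ($inside -join ',')
        External = ($outside -join ',')
        SplitOk  = ($insidePrivate -and $outsideEdge)
    }
}
```

A name that resolves to the internal address from the public resolver is the common mistake here: it leaks the internal addressing and the Internet client cannot reach it anyway.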
IBM Sametime requires some technical users so that components can communicate in authenticated mode. All of these users should be configured so that the password never expires and never needs to be changed.
db2admin
This user is created in the operating system during the installation of the DB2 server. Do not create this user in advance. It is the user that all IBM Sametime components using DB2 use to access their databases. Make sure the password meets the password policy requirements of the OS.
wasadmin
This is the user to access the IBM WebSphere components and to administer the system. This user must not exist in your LDAP directory. It is created during the WebSphere installation in a local file repository. You can use the same user name and password for all components (which makes it easier) or different names and passwords. But again: it does not work when this user exists in the LDAP.
Required technical users for IBM Sametime 8.5.2 (cont)
Domino Administrator
This user is created during the installation of Domino for the IBM Sametime Community Server. It is a best practice not to use an existing administrative account, because this is the account the IBM Sametime System Console uses to communicate with the Community Server.
LDAP Bind User
This is a user account in your LDAP directory. It is used to connect to the LDAP server in authenticated mode and to read all required attributes. It is possible to connect to the LDAP anonymously, but this does not work with some LDAP systems, or the LDAP server requires special configuration to allow anonymous bind.
In this pilot deployment we install and configure all WebSphere based Sametime servers in a single Cell. This makes it easy to administer all of them from one administrative interface, the Integrated Solutions Console of the Sametime System Console.
With Sametime 8.5.1 the services were created automatically for all servers because each of them used a separate “Cell Profile” deployment. With IBM Sametime 8.5.2 we use the Network Deployment method instead: every server is implemented as a Primary Node federated to the Deployment Manager of the Sametime System Console, all in one Cell.
With this method the installer does not create some required components and does not create some Windows services. We need to create these components and services manually. All required steps are described in detail later in this slide deck.
Audio/Video Plug-In for Browser access to Meeting Rooms
The Meeting Plug-In is shipped with the Media Manager in two formats.
1.) Download version
The files of this version need to be copied onto a web server that the browsers of the clients who want to join meetings with audio and video can reach. This could be the Domino based Sametime Community Server, the Sametime Proxy Server, the Sametime Meeting Server or any other web server in your organization.
In this pilot deployment recommendation we use the Sametime Proxy Server for this service.
Downloading and installing this plug-in requires administrative rights on Windows 7. On all other operating systems normal user rights are sufficient.
2.) Deployment version
This version can be deployed with your preferred software deployment tool. It contains an MSI installer file. Be aware that on some operating systems, such as Windows 7, it must be installed with administrative rights.
The 25 steps to deploy a Sametime 8.5.2 EDGE environment
1. Enable Trust for the Community Mux in the Sametime Community Server
2. Install the Sametime Community Mux
3. Configure the Community Mux in the Sametime System Console
4. Install the SIP EDGE Proxy without the Sametime System Console
5. Configure the SIP Edge Proxy
6. Post Install Tasks
7. Create a Deployment Plan for the Sametime Meeting HTTP Proxy
8. Install the Sametime Meeting HTTP Proxy
9. Run the guided activity to add the Sametime Meeting HTTP Proxy to the Meeting Cluster
10. Remove the Sametime Meeting Server on the Edge Server
11. Create the WebSphere Meeting Http Proxy on the Edge Server
12. Post Install Tasks
13. Install the TURN Server
14. Configure the TURN Server and enable NAT Traversal
15. Test all the Edge components
16. Create the Sametime Gateway DB2 Database
17. Configure the DB2 Database Prerequisite in the Sametime System Console
18. Enable Trust for the Gateway in the Sametime Community Server
19. Install the Sametime Gateway without the Sametime System Console
20. Post Install Tasks
21. Register the Gateway to the Sametime System Console
22. Connect to the local Sametime Community
23. Connect to a Partner Sametime Community
24. Enable clients to use the Sametime Gateway
25. Test the Gateway
STEP ONE: Enable Trust for the Community MUX in the Sametime Community Server
Summary
A Sametime Community Server only accepts connections from a Community Services multiplexer whose IP address is listed in the "CommunityTrustedIps" field of the "CommunityConnectivity" document. This prevents an unauthorized machine from connecting to the Community Server in the role of a multiplexer.
This can be configured directly in the “STCONFIG.NSF” database (“CommunityConnectivity” document) or, much easier now, in the Sametime System Console. This is the way we configure it here.
Enter the URL „http://sametime.renovations.com:8700/admin“.
The WebSphere Application Server administrative interface (the Integrated Solutions Console, ISC) is always secured by SSL, so you are redirected to HTTPS and port 8701 automatically. You are prompted to accept the default certificate, which is not issued by a public CA; the procedure to accept it differs between browsers. You can also use the direct URL „https://sametime.renovations.com:8701/ibm/console“.
Restart your Sametime Community Server to apply the trust settings. Use the “restart server” console command only in your test environment. On a production server it often fails, because the restart starts before all 41 Sametime server tasks have stopped. A complete restart can take up to 5 minutes; wait until all 41 ST... tasks appear in your Task Manager.
This step installs the IBM Sametime 8.5.2 Community MUX.
We like to use a CMD command line window to enter some of the commands and to start the installers; for that we have created a shortcut in our quick launch section. You can also use Windows Explorer to navigate to the destination directory and double click the installation file (setupwin32.exe).
Remove “Program Files\” and click the “Next” button to continue
We recommend to use path names without spaces (as some scripts may require this) and also shorten the path name so that the typical limits of some operating systems and applications for path + file name length are avoided.
Important to know...Consider the requirements of the community server multiplexer machine before installing it.
* community server multiplexer installation files are available for Windows®, AIX®, Linux®, and Solaris. A stand-alone community server multiplexer cannot be installed on IBM® i. However, Sametime® on IBM i supports the use of a stand-alone multiplexer installed on a Windows system.
* The minimum system requirements for the community server multiplexer machine are the same as the system requirements for the core Sametime community server.
* A machine that meets the minimum system requirements should be able to handle approximately 20,000 simultaneous client connections.
* Testing indicates that machines with dual 1133 MHz CPUs and 2 GB of RAM can handle approximately 30,000 simultaneous client connections.
* TCP/IP connectivity must be available between the community server multiplexer machine and the Sametime community server. Port 1516 is the default port for the connection from the community server multiplexer machine to the Sametime Community Server.
Install a Sametime Connect client in the public network and connect to your Sametime Community Mux server. In the public network this should be the same address as in your local network “chat.renovations.com”. The Sametime Community Mux forwards your connection to the internal Sametime Community Server. Login with a user in your directory to see that the Mux works.
Another way to test the functionality and connectivity of your Sametime Community MUX is to enter the command “netstat -an” in a CMD window. You should see the ST MUX listening on ports 1533 and 8082, an established connection to your Community Server (IP 192.168.30.20) on port 1516, and a connection from your Sametime client (IP 192.168.0.9) on port 1533.
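The netstat check above as a script (an added example, not part of the original deck), run on the MUX box. It uses the deck's values (Community Server 192.168.30.20, ports 1516, 1533 and 8082) and additionally shows which process owns the listening sockets, so you can see that it is the MUX and not something else that grabbed the port. PowerShell 3 or later.

```powershell
# Added example, not part of the original deck. Run in PowerShell on the Community MUX box.
$communityServer = '192.168.30.20'   # from the deck; adjust to your Community Server
$listenPorts = 1533, 8082            # MUX client ports from the deck

# netstat -ano adds the owning process id, which lets us tie each socket to a process.
$rows = netstat -ano | Where-Object { $_ -match '^\s*TCP' } | ForEach-Object {
    $f = ($_ -split '\s+') | Where-Object { $_ }   # drop the empty leading field
    [pscustomobject]@{ Local = $f[1]; Remote = $f[2]; State = $f[3]; ProcessId = [int]$f[4] }
}

function Get-PortFromEndpoint {
    param([string]$Endpoint)
    # Works for "0.0.0.0:1533" and for IPv6 "[::]:1533": take the digits after the last colon.
    [int]($Endpoint -replace '^.*:(\d+)$', '$1')
}

$listening = $rows | Where-Object { $_.State -eq 'LISTENING' -and ($listenPorts -contains (Get-PortFromEndpoint $_.Local)) }
$toServer  = $rows | Where-Object { $_.State -eq 'ESTABLISHED' -and $_.Remote -eq "${communityServer}:1516" }
$clients   = $rows | Where-Object { $_.State -eq 'ESTABLISHED' -and (Get-PortFromEndpoint $_.Local) -eq 1533 }

foreach ($p in $listenPorts) {
    $found = $listening | Where-Object { (Get-PortFromEndpoint $_.Local) -eq $p }
    "Listening on {0}: {1}" -f $p, (@($found).Count -gt 0)
}
"Established to Community Server {0}:1516 : {1}" -f $communityServer, (@($toServer).Count -gt 0)
"Connected clients on 1533: {0}" -f @($clients).Count

# Which process owns the listeners? It should be the Sametime MUX process.
$listening |
    Select-Object Local, ProcessId, @{ n = 'Process'; e = { (Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize
```

If the 1516 connection is missing but the listeners are there, the MUX is up but either the firewall between DMZ and intranet blocks 1516 or the MUX address is not yet in the Community Server's trusted IP list (Step One).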
STEP FOUR: Install the SIP EDGE Proxy without the Sametime System Console
Summary
The IBM® Lotus® SIP Edge Proxy is a SIP application installed on a WebSphere Application Server. Since there is no specific installer for the IBM Lotus SIP Edge Proxy server, you use the SIP Proxy/Registrar installer and then perform manual steps to adjust the environment for the Lotus SIP Edge Proxy.
Remove “Program Files\” and click the “Next” button to continue
We recommend to use path names without spaces (as some scripts may require this) and also shorten the path name so that the typical limits of some operating systems and applications for path + file name length are avoided.
If you are using Windows 2008 R2 or Windows 2003 R2, you may run into a Java heap memory overflow. To prevent this issue, change a parameter in the “IBMIM.ini” configuration file of the IBM Installation Manager (see the next two slides) and then click the „Restart Installation Manager“ button to continue.
In the file explorer navigate to your Installation Manager's eclipse directory “C:\IBM\Install Manager\eclipse”. Then open the configuration file “IBMIM.ini” in Notepad.
Add the parameter “-Xmx1024m” as a new line at the end. Then save and close the file. This parameter is case sensitive. Now click the “Restart Installation Manager” button in your Installation Manager screen to continue your installation.
With IBM Sametime 8.5.2 it is possible to install Sametime on top of an existing WebSphere 7.0.0.15 server. We do not want to do this in this pilot deployment. Just click “Next” to continue.
In this screen you need to select the WebSphere deployment method. We use “Standalone” for this installation. And you need to define the WebSphere Application Server administrative user. You need to authenticate with this user to access the Integrated Solutions Console of your Media Manager Server. It is important that this user does not exist in your LDAP. In this example we use the standard „wasadmin“. Enter the password twice and click the „Next“ button to continue.
The host names for the SIP Proxy/Registrar, Conference Manager, Packet Switcher, and Community Server must be all different. The Proxy/Registrar host name should be the local host, and the others should be different from the Proxy/Registrar host name and also from each other. We use in this example: * Conference Manager host name: “sametime.renovations.com” * Proxy/Registrar host name: “edge.renovations.com” * Packet Switcher host name: “meeting.renovations.com” For the Community Server we use our chat server “chat.renovations.com”Then click the „Validate“ button to continue.
If the connection to the different hosts was successful, then you should see that the text in the button has changed to „Validated“.Now click the „Next“ button to continue.
Important to know... It should be possible to do this installation with any other WebSphere based Sametime component, just to get the WebSphere binaries and the Cell profile structure onto the box. But we need to deploy a special application, the Edge Proxy application, which is shipped in the Media Manager install package. So it is easiest to use this installer.
If you plan to implement all Edge components on one box, as described in this document, you need to install the SIP Edge Proxy component first, before the Meeting HTTP Edge Proxy. The reason is that the configuration steps required for the Meeting HTTP Edge Proxy no longer allow the complete Cell installation of the SIP Edge Proxy afterwards.
The SIP Edge Proxy needs to be configured. Several steps are required to complete this configuration:
A) Login to the new Media Manager Integrated Solutions Console
B) Uninstall all Media Manager applications
C) Install the new SIP Edge Proxy application
D) Configure the SIP ports
E) Modify the SIP Edge Proxy settings in the edge-proxy.xml file
F) Replace the default certificate
G) Exchange certificates between the SIP Edge Proxy and the SIP Proxy/Registrar
A) Login to the new Media Manager Integrated Solutions Console
Enter the URL „http://edge.renovations.com:8800/admin“.
The WebSphere Application Server administrative interface (the Integrated Solutions Console, ISC) is always secured by SSL, so you are redirected to HTTPS and port 8801 automatically. You are prompted to accept the default certificate, which is not issued by a public CA; the procedure to accept it differs between browsers. You can also use the direct URL „https://edge.renovations.com:8801/ibm/console“.
The default certificate is not trusted by the browser. In Firefox click the “Add Exception” button, then „Get Certificate“, and accept the certificate with the “Confirm Security Exception” button (this dialog looks different in other browsers).
Select the installed applications “ConferenceFocus” and “SSCConnect.ear”. If other applications are installed like “SIP Proxy”, “SIP Registrar” or “Packet Switch”, select them as well and then click the “Uninstall” button.
If you run your browser on the Edge machine, you can use “Local File System”. If you use your Browser from your workstation, then the install files are “remote”. So use the “Remote file system” and click the “Browse” button.
Select the directory where you have unpacked the Media Manager install files. And from there the subdirectory “SIPEdgeProxy”. Then select the “EdgeProxyAppl.ear” file and click the “OK” button.
To set up ports for the IBM® Lotus® SIP Edge Proxy, an administrator needs to determine the SIP ports used for the SIP Proxy/Registrar and ensure that the Lotus SIP Edge Proxy listens on these same ports.
To perform this configuration step we open a new browser window and connect to our Sametime System Console – Integrated Solutions Console. Enter the URL “http://sametime.renovations.com:8700/admin”. If the console is already open in your browser, then switch to this browser window.
Now we need to make sure that the setting “Use available authentication data when an unprotected URI is accessed” is switched off. To check that click on “Security” - “Global Security”.
Now we need to confirm 2 more settings in the Server configuration for our SIP Edge Proxy Server. Click on “Servers” - “Server Types” and then on “WebSphere application servers”
Confirm that the setting “com.ibm.ws.sip.sent.by.host” contains the fully qualified host name of your Edge Proxy server machine. If it is wrong, click “com.ibm.ws.sip.sent.by.host” and change the host name. Then check that a property “com.ibm.ws.sip.security.trusted.iplist” does not exist; if it does, mark it and click the “Delete” button. Then click the “Save” link in the next screen.
E) Modify the SIP Edge Proxy Settings in the edge-proxy.xml file
The next step is to configure the “edge-proxy.xml” file and propagate it to the server node. Open a Windows file explorer and navigate to the directory “C:\IBM\WebSphere\AppServer\profiles\STMSDMgrProfile\config\cells\edgeMediaCell\applications\EdgeProxyAppl.ear\deployments\EdgeProxyAppl\EdgeProxyWeb.war\WEB-INF”. Then open the file “edge-proxy.xml” with Notepad or, better, with WordPad.
The authoritativeProxy section contains the hostname, port, and transport of the SIP Proxy/Registrar:
* Specify the SIP port used for TCP. * Specify the SIP port used for TLS.
The edgeProxy section contains the hostname, port, and transport of the Lotus SIP Edge Proxy:
* Specify the SIP port used for TCP. * Specify the SIP port used for TLS.
The authProxySourceAddr section specifies the address of the SIP Proxy/Registrar. When the Lotus SIP Edge Proxy receives stand-alone or initial requests, it determines the remote address from which the request was received. If the remote address does not match the SIP Proxy/Registrar address, the request is sent to the SIP Proxy/Registrar for further processing. Supported values: IP address, regular expression that matches the SIP Proxy/Registrar address (for example, "10.10.102.14 | 10.10.102.16").
We use in our example:
● authProxyHost=”sametime.renovations.com”
● authProxyPort=”5081”
● authProxyTransport=”TLS”
● authProxySourceAddr=”192.168.30.10”
● edgeProxyHost=”edge.renovations.com”
● edgeProxyPort=”5081”
● edgeProxyTransport=”TLS”
Next is to copy the edited file to the application server configuration in the Deployment Manager. Open a second File explorer and navigate to the directory:“C:\IBM\WebSphere\AppServer\profiles\STMSDMgrProfile\config\cells\edgeMediaCell\nodes\edgeMediaNode\servers\STMediaServer”.
To avoid IBM® Sametime® clients rejecting the certificate issued for the IBM Lotus® SIP Edge Proxy server, an administrator needs to replace the default certificate on the Lotus SIP Edge Proxy with one that contains the SIP Proxy/Registrar's FQDN. These instructions are for the default certificate, which is meant for internal communications (it is not a CA certificate). Sametime clients verify that the certificate was issued for the SIP Proxy/Registrar. In a Lotus SIP Edge Proxy deployment the client opens its TLS connection to the Lotus SIP Edge Proxy and therefore receives a certificate issued for the Edge Proxy server; the client rejects this certificate.
Click on “Security” and then on “SSL certificate and key management”.
In the “Replace with” selection box select the newly generated “sip-pr-cn-cert” certificate. Check mark both check boxes “Delete old certificate after replacement” and “Delete old signers”. Then click the “OK” button.
The certificate was extracted successfully. Now copy this certificate file to your Sametime Media Manager box, preferably into the “C:\temp” directory.
We have exported the root certificate of the SIP Edge Server and need to import it into the Sametime Media Manager. The file is copied; next we import it. Go to the Sametime System Console (which is the Integrated Solutions Console for our Sametime Media Manager). The browser window should still be open from a previous step, but the session may have timed out; in that case re-authenticate with your “wasadmin” account.
Enter a name for the certificate, we just use “edge_root”. In the “File name” field enter the path to where you have copied the certificate file and the filename. We use “c:\temp\edgeroot.cer”. Then click the “OK” button.
Now we need to do the same thing in the opposite direction. Copying the root certificate of our Media Manager to the SIP Edge Proxy. For that we check the check box near the root certificate (the one with “root” in the Alias) and then click the “Export” button.
Enter a name for the Media Managers root certificate. We just use “sip_root”. In the “File name” field enter the path to where you have copied the file and the file name. We just use “c:\temp\siproot.cer”. Then click the “OK” button.
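A check for steps E) to G), added here as an example (not from the original deck): it opens a TLS connection to SIP port 5081 the way a Sametime client does and reports the subject name of the certificate presented. Run it from the edge box against the internal SIP Proxy/Registrar (this also confirms the DMZ-to-intranet path for the authProxyHost/authProxyPort values in edge-proxy.xml) and from an outside workstation against the edge box, which after step F) must present a certificate for sametime.renovations.com and not for edge.renovations.com. Host names and port are the deck's values; the 5 second timeout is an assumption; PowerShell 3 or later.

```powershell
# Added example, not part of the original deck.
function Get-SipTlsCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$TargetHost,
        [int]$Port = 5081,            # SIP TLS port used in this deck
        [int]$TimeoutMs = 5000        # assumption
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
        $client.Close(); throw "TCP connect to ${TargetHost}:${Port} timed out (firewall?)"
    }
    $client.EndConnect($async)
    # Accept any chain here on purpose: we want to inspect the certificate, not trust it.
    $callback = { param($sender, $cert, $chain, $errors) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $client.Close()
    }
}

function Test-SipCertificateName {
    param(
        [Parameter(Mandatory=$true)][string]$TargetHost,
        [Parameter(Mandatory=$true)][string]$ExpectedName,   # FQDN of the SIP Proxy/Registrar
        [int]$Port = 5081
    )
    $cert = Get-SipTlsCertificate -TargetHost $TargetHost -Port $Port
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $sans = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') {   # subjectAltName, formatted as "DNS Name=a, DNS Name=b"
            $sans = ($ext.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
        }
    }
    [pscustomobject]@{
        Target     = "${TargetHost}:${Port}"
        SubjectCN  = $cn
        SANs       = ($sans -join ' ')
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        NameMatch  = ($cn -eq $ExpectedName) -or ($sans -contains $ExpectedName)
    }
}

# From the edge box: the internal Proxy/Registrar must be reachable on 5081/TLS and present its own name.
Test-SipCertificateName -TargetHost 'sametime.renovations.com' -ExpectedName 'sametime.renovations.com'
# From outside: the edge proxy must present a certificate for the Proxy/Registrar name as well,
# otherwise Sametime clients reject it (see step F above). NameMatch must be True for both.
Test-SipCertificateName -TargetHost 'edge.renovations.com' -ExpectedName 'sametime.renovations.com'
```

Compare the Issuer and Thumbprint of the two results with what you imported in step G): the root that signed the edge certificate must be the one you added to the Media Manager trust store, and vice versa, otherwise the proxies will not accept each other's TLS connections after the restart.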
Because we made security changes on both servers, the Deployment Manager and all nodes on both servers must be restarted. Let's start with the Sametime Media Manager server. In the Services window select the Deployment Manager (the service with “..._DM” at the end) and click the “Stop service” button. You are asked whether to stop all dependent services; click “Yes”.
When all services are stopped, start them again: first the Sametime System Console, then the Media Manager, then the Meeting Server and last the Proxy Server. This takes a long time, and sometimes a popup window reports that a service could not be started. You can ignore that and just wait until all services are started.
Another option is to reboot the operating system of the box. Then you also need to wait until all services are started, which can really take some time. We recommend checking this in the Task Manager: wait until you see 10 java.exe tasks running, each consuming between 170 and 450 MB of RAM. When the CPU usage goes down, the startup of all tasks has finished.
For the SIP Edge Proxy server box we will do the restart after we have completed the post install tasks.
Enter the fully qualified host name of your Sametime Meeting Server. In this example we use „edge.renovations.com“. Enter a WebSphere administrative user name and its password twice; we just use the standard „wasadmin“ name. Click the „Next“ button to continue.
In this step you install the Sametime Meeting Server secondary node for the Sametime Meeting Edge HTTP Proxy Server using the preconfigured settings in the deployment plan on the Sametime System Console.
STEP EIGHT: Install the IBM Sametime Meeting Server
On your Edge Box start a CMD line window and navigate to the Sametime Meeting Server install directory. We do this with the command: „cd \Install\SametimeMeetingServer“. Then start the Launchpad installer with the command „launchpad“.
Because we have already installed a WebSphere based Sametime server on this box (the Sametime SIP Edge Proxy server), we can reuse the installed binaries. The installer detects this and selects „Use the existing package group“; the path is therefore greyed out and cannot be changed. Click the „Next“ button to continue.
Enter the Sametime System Console Server information and credentials to authenticate.In our example we use „sametime.renovations.com“ as SSC Server name and „wasadmin“ as the WebSphere Administrative User name. The last field is the host name where we want to install the Sametime Meeting Server. Here we use „edge.renovations.com“. Then click the „Validate“ button to check the connection to the System Console Server.
The connection to the Sametime System Console was successful when the button text „Validate“ changes to „Validated“. Click the „Next“ button to continue.
Select your Sametime Meeting Server Deployment plan that you have created in the previous step. We use our „Meeting Edge“. Then click the „Next“ button to continue.
The Sametime Meeting Server is now installing. Normally this takes approximately 30 to 45 minutes, but because the binaries are already installed and reused, it takes only 15 to 20 minutes here.
Important to know... The Meeting Server can be clustered using WebSphere Network Deployment. This can be configured and deployed with the Sametime System Console. The new Sametime Meeting Server consists of two components: the Meeting Server and the Meeting HTTP Proxy. Clustering means that a meeting room runs on only one server at a time. The Meeting Proxy servers know on which Meeting Server instance a meeting room is running and forward incoming requests to the right server. Meeting data are stored only in the database. In case of a failover the meeting room is started on another Meeting Server in the cluster immediately.
For external access a separate Sametime Meeting Server in your DMZ is recommended for better security.
In this step you create a Meeting cluster, add the new node on your Edge Server to the WebSphere Cell of your Sametime System Console and add it to the cluster.
STEP NINE: Use the Guided Activity in the Sametime System Console to federate the new installed Meeting Server node to the Deployment Manager and cluster it.
Click the “Create cluster” button to create the cluster. This step can take 4 or 5 minutes. If the process takes too long and runs into a timeout, you get a failure message here. Wait 2 minutes and click the “Create cluster” button again; this usually works on the second attempt.
Check the check box next to your new Meeting Server “STMeetingServer1”, the one that is not running and is installed on your Edge box. Be sure to select the right one. Then click the “Delete” button.
In this step you create a Meeting HTTP Edge Proxy on your Edge Server to forward incoming HTTP requests from Internet clients to your Sametime Meeting and Sametime Proxy servers in your intranet. This step has to be done in your Sametime System Console's Integrated Solutions Console.
STEP ELEVEN: Create the WebSphere Meeting HTTP Edge Proxy.
Select the node on your edge server “edgeSTMNode1” and enter a name for your Edge HTTP Proxy Server. We just use “STMeetingHttpEdgeProxy”. Then click the “Next” button to continue.
The installer has created a service for a server that does not exist anymore. We first need to remove that service and then create the services we need.
To create the right services we need the profile path on the command line. In your file explorer navigate to the directory “C:\IBM\WebSphere\AppServer\profiles\edgeSTMSNProfile1” and copy the path to the clipboard with the “Ctrl-C” key combination.
Now enter the command to create the service: “wasservice -add STMeetingHttpEdgeProxy -serverName STMeetingHttpEdgeProxy -profilePath C:\IBM\WebSphere\AppServer\profiles\edgeSTMSNProfile1 -stopArgs “-username wasadmin -password passw0rd” -encodeParams”. Check that the command was processed successfully.
Now enter the command to create the node agent service: “wasservice -add STMeetingHttpEdgeProxy_NA -serverName nodeagent -profilePath C:\IBM\WebSphere\AppServer\profiles\edgeSTMSNProfile1 -stopArgs “-username wasadmin -password passw0rd” -encodeParams”. Check that the command was processed successfully.
The last step is to configure the dependency between the two services, so that the proxy server is started only after its node agent. For that enter the command: “sc config “IBMWAS70Service - STMeetingHttpEdgeProxy” depend= “IBMWAS70Service - STMeetingHttpEdgeProxy_NA””. Confirm that the command was processed successfully.
First you need to check that Java is installed and in the PATH environment variable. Open a CMD line window and enter the command “java -version”. If you get back the version info, all is OK. The Java version should be 1.6 at minimum. Because we have installed two WebSphere components before, we already have the Java version we need.
In your File Explorer copy the “TURN_Server” directory from your Media Manager Install package to the destination folder you want. We copy the directory to “C:\IBM”.
Configure the TURN Server configuration file with the IP addresses that are used in your environment. In this example we use:
turn.local.hostname.ipv4 “192.168.40.40”
turn.allocation.hostname.ipv4 “192.168.30.50”
turn.public.hostname.ipv4 “192.168.0.1”
and
udp.turn.port “3478”
Then save and close the file.
To start the TURN server open a CMD line window and navigate to the TURN Server directory with the command “cd \IBM\TURN_Server”. Then start the turn server with the command “run”.
On your Sametime Media Manager machine open a File Explorer and navigate to the directory “C:\IBM\WebSphere\AppServer\profiles\STSCDMgrProfile\config\cells\sametimeSSCCell\nodes\sametimeSTMSNode1\servers\STMediaServer”. Here open the file “stavconfig.xml” using WordPad (we need to edit the file, so a browser won't work).
To synchronize this change to the Sametime Media Manager go to your Sametime System Console – Integrated Solutions Console and click on “System Administration” and then on “Nodes”.
Go down to the “NAT Traversal” settings. In the “UDP host name” field enter the edge server host name “edge.renovations.com”. Then click the “OK” button.
For that you need a small tool called “SRVANY.EXE”. This tool is in the Microsoft Windows Resource Kit for the Windows Server 2003. Take a Windows 2003 Server, download the resource kit from Microsoft and install the kit. Then copy this file from the resource kit to your Windows OS into the directory “C:\Windows\system32”. (This can be Windows 2003 or 2008, 32 or 64bit. It works in all versions)
To create the service open a CMD window in Administrator mode and enter the command: “sc create “IBM Sametime TURN Server” binPath= “C:\Windows\System32\srvany.exe””
Don't forget the space between “binPath=” and the path.
Now you need to configure the service. This can be done only in the Registry Editor. Open your regedit and navigate to the key of your new service: “HKEY_LOCAL_MACHINE” - “SYSTEM” - “CurrentControlSet” - “Services” - “IBM Sametime TURN Server”
Enter the string: “java.exe -Djava.util.logging.config.file=c:\IBM\turn_server\logging.properties -cp c:\IBM\turn_server\TurnServer.jar;c:\IBM\turn_server\ICECommon.jar com.ibm.turn.server.TurnServer”
The service runs the Java command out of the “C:\Windows\System32” directory, and this requires that the TURN Server properties file is there as well. So copy your “turnserver.properties” file from “C:\IBM\TURN_Server” to your “C:\Windows\System32” directory.
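The service creation and registry configuration from the steps above can be scripted so that every setting is checked before the service is started. The following PowerShell script is an added example, not part of the original guide or of the Sametime product: it registers srvany.exe as the service host with “sc.exe create”, writes the Application, AppParameters and AppDirectory values that srvany reads from the service's “Parameters” key, and verifies the result. The service name, the TURN Server directory and the class path are the ones from this guide; the java.exe path (WebSphere's bundled JRE) is an assumption, and the function names are ours. Setting AppDirectory gives the Java process “C:\IBM\TURN_Server” as its working directory, so the copy of “turnserver.properties” into System32 described above is not needed when this script is used.

```powershell
# Added example (not from the original guide): register the TURN server as a
# Windows service through srvany.exe, configure its Parameters key and verify it.
# Service name and TURN directory are from the guide; $JavaExe is an assumption.

$ServiceName = "IBM Sametime TURN Server"
$TurnDir     = "C:\IBM\TURN_Server"
$JavaExe     = "C:\IBM\WebSphere\AppServer\java\bin\java.exe"   # assumed: WebSphere's bundled JRE
$SrvAny      = Join-Path $env:SystemRoot "System32\srvany.exe"   # copied from the Resource Kit (see above)
$ParamsKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"

function Install-TurnService {
    # Fail early if any file the service depends on is missing.
    $required = @($SrvAny, $JavaExe,
                  (Join-Path $TurnDir "TurnServer.jar"),
                  (Join-Path $TurnDir "ICECommon.jar"),
                  (Join-Path $TurnDir "turnserver.properties"))
    foreach ($path in $required) {
        if (-not (Test-Path $path)) { throw "Required file not found: $path" }
    }

    # srvany.exe is the service host; Windows starts it and it launches the configured program.
    # 'start= auto' starts the TURN server with the operating system.
    sc.exe create "$ServiceName" binPath= "$SrvAny" start= auto DisplayName= "$ServiceName" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe create failed with exit code $LASTEXITCODE" }

    # srvany reads Application (the executable), AppParameters (its arguments) and
    # AppDirectory (its working directory) from the service's Parameters key.
    New-Item -Path $ParamsKey -Force | Out-Null
    $appArgs = "-Djava.util.logging.config.file=$TurnDir\logging.properties " +
               "-cp $TurnDir\TurnServer.jar;$TurnDir\ICECommon.jar com.ibm.turn.server.TurnServer"
    New-ItemProperty -Path $ParamsKey -Name Application   -PropertyType String -Value $JavaExe -Force | Out-Null
    New-ItemProperty -Path $ParamsKey -Name AppParameters -PropertyType String -Value $appArgs -Force | Out-Null
    New-ItemProperty -Path $ParamsKey -Name AppDirectory  -PropertyType String -Value $TurnDir -Force | Out-Null
}

function Test-TurnService {
    # Returns $true only if the service exists and the registry values point where we expect.
    $service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($null -eq $service) { return $false }
    $params = Get-ItemProperty -Path $ParamsKey -ErrorAction SilentlyContinue
    return ($null -ne $params) -and
           ($params.Application -eq $JavaExe) -and
           ($params.AppDirectory -eq $TurnDir) -and
           ($params.AppParameters -like "*com.ibm.turn.server.TurnServer")
}

Install-TurnService
if (-not (Test-TurnService)) { throw "TURN service configuration is incomplete; check $ParamsKey" }
Start-Service -Name $ServiceName
Get-Service -Name $ServiceName        # expect Status: Running
```

Run the script from an elevated PowerShell window. Note that in PowerShell “sc” is an alias for Set-Content, which is why the script calls “sc.exe” explicitly. By default the service runs as LocalSystem; the TURN server only needs network access and read access to its own directory, so a dedicated service account (passed with the “obj=” parameter of “sc.exe create” and granted the “Log on as a service” right) is the lower-privilege choice for a host in the DMZ.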
Install a Sametime Connect client in the public network and connect it to “chat.renovations.com” for community services. This DNS host name should be routed to your Edge server in your public DNS. Log in with a user from your LDAP. You should see that you are online and that you have connectivity to your Media Manager when the audio and video icons appear.
Configure the Sametime meeting server “meeting.renovations.com” to access your meeting rooms. This host name should point to your Edge server as well in your public DNS.
You need to copy the DB2 database creation script “createDb.sql” from the install directory “C:\Install\SametimeGateway\database\db2” to your DB2 server machine. We copy it to “D:\Install” on this box.
A new CMD line window opens. This window now has the environment to run the DB2 Database installation script. Enter the command “db2 -tvf createDb.sql”.
Enter the data in the form:
Host name: “sametime.renovations.com”
Database name: “stGW”
Application user ID: “db2admin”
Application password: password of your db2admin user
Then click the “Finish” button.
Open the Sametime System Console and navigate to the Sametime Community Server by clicking on “Sametime System Console”, then “Sametime Servers” and then “Sametime Community Servers”.
Enter the IP address of the server you want to allow to connect to the Sametime Community Server. In this example we use the IP “192.168.30.60” for the Sametime Gateway Server. Then click the “Add” button.
Now restart the Sametime Community Server by entering the command “restart server” in the Domino console window. Never use this command on a production Sametime server, because it can happen that not all Sametime tasks are stopped before the Domino server restarts. This can cause massive problems for starting the Sametime services. Stop your Domino server using the “Quit” command or by stopping the “Lotus Domino Service”. Wait until all ST... tasks have disappeared from your Task Manager. Then start the Domino server again.
It takes up to 5 minutes until the Sametime Community Server is completely restarted and all 41 Sametime tasks are active again.
Complete these steps to install Sametime® Gateway as a single server on Windows®, to create an administrative user ID for WebSphere® Application Server, and to connect to an LDAP server. This installation program installs WebSphere Application Server and Sametime Gateway.
Select the directory “ifpackage” under the directory to where you have unpacked the WebSphere Application Server install package. Click the “Open” button to continue.
Enter the user name for your WebSphere Administrator. As for other WebSphere based servers before, this user must not exist in your directory. We use our standard user name “wasadmin”. Enter the password for this user twice. Then click the “Next” button to continue.
In this screen we need to configure the DB2 server and database properties. We use:
DB2 Host name: “sametime.renovations.com”
Database name: “stGW”
Application User ID: “db2admin” and its password
Schema User ID: “db2admin” and its password
Then click the “Next” button to continue.
The Host name in our example is “ldap.renovations.com”. And the Port is “3268” because it is an Active Directory Server. Then click the “Next” button to continue.
The Bind distinguished name in our example is “cn=LDAP Bind,cn=users,dc=ad,dc=renovations,dc=com”. Enter the password of this user in the Bind password field. Then click the “Next” button to continue.
These are the detected baseDN settings retrieved from our AD LDAP. If you use another LDAP such as Domino LDAP, this screen can look different. We use the default “DC=ad,DC=renovations,DC=com”. Then click the “Next” button to continue.
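Before running the Gateway installer it is worth confirming that the LDAP host, port, bind DN, password and base DN from the screens above actually work, because the installer only reports a failure after it has already started. The following PowerShell function is an added example, not part of the original guide or of the Sametime product: it performs a simple LDAP bind as the Gateway's bind user and a base-scope search on the base DN, using the .NET System.DirectoryServices.Protocols classes and the values from this guide. The function name Test-GatewayLdap is ours; the password is prompted for rather than written into the script.

```powershell
# Added example (not from the original guide): check the LDAP settings the
# Sametime Gateway installer asks for before you run it. Host, port, bind DN
# and base DN are the values from this guide.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-GatewayLdap {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string]$BindDn,
        [Parameter(Mandatory)][System.Security.SecureString]$BindPassword,
        [Parameter(Mandatory)][string]$BaseDn
    )
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    # NetworkCredential accepts a SecureString, so the password is never held in a plain variable here.
    $credential = New-Object System.Net.NetworkCredential($BindDn, $BindPassword)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier, $credential, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $connection.SessionOptions.ProtocolVersion = 3
    $connection.Timeout = [TimeSpan]::FromSeconds(15)
    try {
        # Simple bind with the Gateway's bind DN: this is exactly what the installer will do.
        $connection.Bind()

        # A base-scope search on the base DN confirms it exists and is readable by this identity.
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest
        $request.DistinguishedName = $BaseDn
        $request.Filter = "(objectClass=*)"
        $request.Scope = [System.DirectoryServices.Protocols.SearchScope]::Base
        $response = $connection.SendRequest($request)
        if ($response.Entries.Count -ne 1) {
            Write-Error "Base DN '$BaseDn' was not returned; check the base DN or the bind user's read rights."
            return $false
        }
        Write-Host "Bind OK as '$BindDn'; base DN '$BaseDn' is readable on ${Server}:$Port"
        return $true
    } catch {
        Write-Error "LDAP check against ${Server}:$Port failed: $($_.Exception.Message)"
        return $false
    } finally {
        $connection.Dispose()
    }
}

$bindPassword = Read-Host -Prompt "Password for the LDAP bind user" -AsSecureString
Test-GatewayLdap -Server "ldap.renovations.com" -Port 3268 `
    -BindDn "cn=LDAP Bind,cn=users,dc=ad,dc=renovations,dc=com" `
    -BindPassword $bindPassword -BaseDn "DC=ad,DC=renovations,DC=com"
```

Run it on the Gateway box so the check uses the same network path and firewall rules the Gateway will use. A simple bind over port 3268 sends the bind password unencrypted; the Global Catalog's TLS port is 3269, which this function would use by setting “$connection.SessionOptions.SecureSocketLayer = $true” before the bind and entering 3269 in the installer.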
In this step you install the WebSphere Update Installer and install some WebSphere iFixes that are required by the Sametime Gateway. Then you create the service to start the Sametime Gateway automatically with the operating system.
STEP TWENTY: Post Install tasks for the Sametime Gateway.
You need to unzip the installer for the WebSphere Update Installer first. Unzip the zip file for your operating system. In our example we use Windows, so we unzip the file “7.0.0.15-WS-UPDI-WinIA32.zip”.
Open a CMD line window and navigate to the directory where you have unpacked the UPDI install files. We just use the command “cd \Install\SametimeWASiFixes\WebSphereUPDI\UpdateInstaller”. Then start the installer with the “install.exe” command.
To create the service we need the profile path. Open a file explorer and navigate to the directory “C:\IBM\WebSphere\AppServer\profiles\RTCGW_Profile”. Then copy this path to the clipboard using the Ctrl-C key combination.
Now start a CMD line window and navigate to the WebSphere binaries directory with the command “cd \IBM\WebSphere\AppServer\bin”. Then enter the command to create the service: “wasservice -add RTCGWServer -serverName RTCGWServer -profilePath C:\IBM\WebSphere\AppServer\profiles\RTCGW_Profile -stopArgs “-username wasadmin -password passw0rd” -encodeParams”. Confirm that the service creation was successful.
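The wasservice commands for the Meeting HTTP Edge Proxy (step eleven, with its node agent dependency) and for the Gateway (this step) follow the same pattern, so they can be wrapped in one script that checks every exit code and verifies the dependency afterwards. The following PowerShell is an added example, not part of the original guide or of the Sametime product. It assumes the WebSphere install path, profile paths and server names from this guide, and that WebSphere 7's wasservice names its services “IBMWAS70Service - <name>” as shown in the guide; the function names are ours. The wasadmin password is prompted for instead of being typed into the command line, so it does not end up in the command history.

```powershell
# Added example (not from the original guide): create WebSphere Windows services
# with wasservice, set the server -> node agent dependency with sc.exe, verify it.
# Paths and server names are the ones used in this guide.

$WasBin = "C:\IBM\WebSphere\AppServer\bin"

function New-WasWindowsService {
    param(
        [Parameter(Mandatory)][string]$Name,          # service suffix, e.g. STMeetingHttpEdgeProxy
        [Parameter(Mandatory)][string]$ServerName,    # WebSphere server to start, e.g. nodeagent
        [Parameter(Mandatory)][string]$ProfilePath,
        [Parameter(Mandatory)][string]$AdminUser,
        [Parameter(Mandatory)][System.Security.SecureString]$AdminPassword,
        [string]$DependsOn                            # suffix of the service that must run first
    )
    # wasservice needs the password as a plain argument; -encodeParams encodes the stop
    # arguments when they are stored in the service definition.
    $plain = (New-Object System.Net.NetworkCredential("", $AdminPassword)).Password
    & "$WasBin\WASService.exe" -add $Name -serverName $ServerName -profilePath $ProfilePath `
        -stopArgs "-username $AdminUser -password $plain" -encodeParams
    if ($LASTEXITCODE -ne 0) { throw "wasservice -add $Name failed with exit code $LASTEXITCODE" }

    # WebSphere 7 names the Windows service "IBMWAS70Service - <Name>" (as seen in this guide).
    $serviceName = "IBMWAS70Service - $Name"
    if ($DependsOn) {
        # 'sc' is an alias for Set-Content in PowerShell, so call sc.exe explicitly.
        sc.exe config "$serviceName" depend= "IBMWAS70Service - $DependsOn" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc.exe config $serviceName failed with exit code $LASTEXITCODE" }
    }
    return $serviceName
}

function Test-WasServiceDependency {
    # Returns $true if 'sc qc' lists the expected service under DEPENDENCIES.
    param([string]$Name, [string]$DependsOn)
    $config = sc.exe qc "IBMWAS70Service - $Name" | Out-String
    return $config -match [regex]::Escape("IBMWAS70Service - $DependsOn")
}

$wasPassword = Read-Host -Prompt "Password for wasadmin" -AsSecureString

# Meeting HTTP Edge Proxy (step eleven): node agent first, then the proxy server depending on it.
$edgeProfile = "C:\IBM\WebSphere\AppServer\profiles\edgeSTMSNProfile1"
New-WasWindowsService -Name "STMeetingHttpEdgeProxy_NA" -ServerName "nodeagent" `
    -ProfilePath $edgeProfile -AdminUser "wasadmin" -AdminPassword $wasPassword
New-WasWindowsService -Name "STMeetingHttpEdgeProxy" -ServerName "STMeetingHttpEdgeProxy" `
    -ProfilePath $edgeProfile -AdminUser "wasadmin" -AdminPassword $wasPassword -DependsOn "STMeetingHttpEdgeProxy_NA"
if (-not (Test-WasServiceDependency -Name "STMeetingHttpEdgeProxy" -DependsOn "STMeetingHttpEdgeProxy_NA")) {
    throw "Dependency on the node agent service was not set"
}

# Sametime Gateway (step twenty): a stand-alone server, so there is no node agent dependency.
New-WasWindowsService -Name "RTCGWServer" -ServerName "RTCGWServer" `
    -ProfilePath "C:\IBM\WebSphere\AppServer\profiles\RTCGW_Profile" -AdminUser "wasadmin" -AdminPassword $wasPassword
```

Run the script in an elevated PowerShell window on the box where the respective profile lives; the Gateway call belongs on the Gateway server and the two Edge Proxy calls on the Edge server. The dependency check reads the service configuration back with “sc.exe qc” rather than trusting the exit code of the config command alone.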
After installing an IBM® Sametime® Gateway server on IBM AIX®, Linux™, Sun Solaris, or Microsoft™ Windows™, register it with the Sametime System Console, so you can manage all of the Sametime servers from a central location.
STEP TWENTYONE: Register the Sametime Gateway in the Sametime System Console.
This registration requires configuring two properties files and then running a registration batch file. Open a file explorer and navigate to the directory “C:\IBM\WebSphere\STgateway\console”. There open the file “console.properties” in Notepad.
In this file you need to enter several variables:
DepName “Sametime Gateway” (or whatever you want to name it in your SSC)
WASPassword Enter the password of your local wasadmin user in the Gateway.
Enter the fully qualified DNS host name of your Sametime Community Server. We use “chat.renovations.com”. The Port is “1516”. It is important to set the flag “IsFederated” to “true”, otherwise the registration can fail. Save and close the file.
Open a CMD line window and navigate to the console directory with the command “cd \IBM\WebSphere\STGateway\console”. Then start the registration bat with the command “registerProduct.bat”.
Connect a local Sametime® Community Server or Sametime community cluster to Sametime Gateway to enable Sametime users to have instant messaging with external users.
Important: You can only connect one gateway to a community; otherwise the awareness and chat features may not work properly. Likewise, you can connect only one local Sametime community to Sametime Gateway. You must add the local community to Sametime Gateway before you add external communities.
STEP TWENTYTWO: Connect the Sametime Gateway to the local Sametime Community.
Fill the form with your data. For the Name we just use “Renovations”. The Domains should contain your local internet e-mail domains. We use “renovations.com”. The Sametime Community Host is “chat.renovations.com” in our example. Then click the “Apply” button.
Add an external Sametime® community to IBM® Sametime Gateway. You connect to a Sametime community by specifying domains in the external community, selecting a translation protocol, and setting the host name, port, and transport protocol for the external community.
STEP TWENTYTHREE: Connect the Sametime Gateway to another Sametime Community.
We have already prepared a partner community with a working Sametime Gateway. We now need to fill in the connectivity data for this community:
Name “IBM”
Type “External”
Domains “ibm.com”
Protocol “SIP for Sametime Gateway”
Host name “gateway.ibm.com”
Port “5060”
Transport “TCP”
Then click the “OK” button.
You are done with installing and configuring all the Edge components. Now you want to know if all works. Here we test the Sametime Gateway functionality.
STEP TWENTYFIVE: Test the Sametime Gateway with the Sametime Client.
Because of the policy change you can add external users now.
Check the check box to “Add external users by E-mail address” and enter a valid E-mail address from your partner community. We try it with the name “[email protected]”.
Additional steps after the installation: Some additional tuning steps can be done after all components are installed. You should consult the Sametime product documentation on the Internet about these steps here:
http://www-10.lotus.com/ldd/stwiki.nsf/dx/Tuning_st852
If you want to implement SSL to access your Sametime Meeting or Sametime Proxy Server, additional configuration steps are required. See the Lotus Sametime InfoCenter for more details or contact the author of this document.
Automatic URL redirection to https (SSL) can be configured. To get the install instructions you can contact the author of this document.
If you want to connect your Sametime Gateway to AOL, then a trusted certificate is required. This needs to be bought from a public certificate authority.
If you want to connect your Sametime Gateway to Google, then you need some special XMPP records in the public DNS.
You can connect your Sametime Gateway to a Microsoft Office Communication Server community or other XMPP based communities (Jabber)
See the Sametime documentation for more information:
http://www-10.lotus.com/ldd/stwiki.nsf/xpViewCategories.xsp?lookupName=Product%20Documentation
The first part (Basic installation) of this documentation can be found here:
http://www-10.lotus.com/ldd/stwiki.nsf/dx/IBM_Sametime_8.5.2_Installation-From_Zero_To_Hero-Basics
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.
IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.