SETTING UP A HYBRID DOMINO ENVIRONMENT TO EASE YOUR …FILE/T1S1-DominoHybridCloud.pdf · IBM SmartCloud servers must share a root certificate with the on premises servers No cross

Gabriella Davis - [email protected]

IBM Lifetime Champion for Social Business

The Turtle Partnership

1

SETTING UP A HYBRID DOMINO ENVIRONMENT TO EASE YOUR

WAY TO THE CLOUD

mailto:[email protected]

WHO AM I?

AdminofallthingsandespeciallyquitecomplicatedthingswherethefunisWorkingwithsecurity,healthchecks,singlesignon,designanddeploymentofIBMtechnologiesandthingsthattheytalktoStubbornandrelentlessproblemsolverLivesinLondonabouthalfoftheAmegabriella@turtlepartnership.comtwiDer:gabturtleAwardedthefirstIBMLifeAmeAchievementAwardforCollaboraAonSoluAons

2

THE GOAL

All users continue working together regardless of whether they are assigned to on premises or cloud servers

Applications hosted on on premises servers can be accessed by any user

Administration continues to be handled by corporate Domino administrators

All users have access to Notes, Verse, Traveler, Connections, Sametime

3

HYBRID RULES

You continue to create, manage and secure your own users and servers

IBM has no rights or access to change that

IBM creates, manages and secures its own servers

You have no rights to the IBM servers

You create your own SmartCloud users

IBM provisions your users into Smartcloud on request

You and I jointly manage your provisioned users with IBM managing the server and mail file aspects and you managing everything else

4

ARCHITECTURE

5

HYBRID SERVER ROLES

Hybrid Servers are the “bridges” between the IBM owned and hosted Smartcloud servers and your own hosted and managed on premise servers

The IBM servers need to route mail from your SmartCloud users to your on premise users

Your on premise users need to lookup free/busytime information for your SmartCloud users

Everyone needs to use the same directory

6

DIRECTORY SERVER

Directory Server - synchronises directories into the SmartCloud

Multiple directories from multiple Domino domains can be synchronised

Directories can be used to provision users or purely for lookups

There can be up to two Directory servers in a failover not clustered configuration

Multiple servers must use identical file names / paths for directories

7

HUB SERVER

Hub servers are used for routing mail primarily between on premises Notes users and Smartcloud Notes users

Envision setting up a configuration where you want to route mail to another company running Domino, just that other company is IBM

Configuration options allow you to set all non SmartCloud mail to route via your Mail hub servers (more on that later)

Mail hub servers should not have any mail files on them

There can be up to two Hub servers in a failover, not clustered environment8

PASSTHRU SERVER

IBM SmartCloud always initiate the connection to your on premises servers

The SmartCloud servers never directly access your on premises primary (mail) domain(s)

Passthru servers ensure that you do not need to open a port from the public side (IBM SmartCloud) to your mail servers on premises

Passthru servers hold no data themselves but they authenticate requests for server access and route traffic

Passthru servers ports can be encrypted so that all traffic routed through them is also encrypted

9

10

ON PREMISES TURTLE DOMAIN

Mail Server1

Mail Server2

Mail Hub

Directory Server

CLOUD DOMAIN

Smartcloud Server1

Smartcloud Server2

ON PREMISES PASSTHRU DOMAIN

Passthru Server

Assigned servers in IBM Cloud

These are managed for you

Mail Hub Server : All mail between on premises and SmartCloud users route through this server

Directory Server : Synchronising directories (and populating users) in the SmartCloud

Smartcloud servers connect to the Mail Hub and Directory

Servers via the Passthru

PLANNING - PASSTHRU

How many Passthru will you have

Servers are connected to from the SmartCloud, they do not connect to the SmartCloud

They are connected to in a failover, not load balanced, configuration

Only if the first server fails to respond will the second server be tried

Passthru servers are single points of failure for the entire hybrid environment

11

PLANNING - MAIL ROUTING

Internal Users route internally via on premises servers

Smartcloud to On Premises routes via Passthru server(s) to Mail Hub

Smartcloud to extended directory users routes via Passthru to Mail Hub

On premises to Internet routes out via SMTP on internal network routing

Smartcloud to Internet routes directly out via IBM’s cloud servers by default

Customer SMTP routing is an optional alternative

12

PLANNING - HUB SERVERS

How many Hub servers will you have

How much on premise to SmartCloud traffic do you expect to be routing

Servers are connected to via the Passthru servers

Hub servers are routed to in a failover, not load balanced, configuration

Only if the first server fails to respond will the second server be tried

How will outbound mail route

By default IBM routes outbound mail sent by service users out through its own servers

You can configure your IBM Cloud account to send outbound mail via your Mail Hub instead

You would do this if you want to control all organisational mail, content scanning, virus scanning and logging for instance13

DIRECTORY SYNCHRONISATION

There are two types of directories

Those that contain users to be provisioned to the SmartCloud service

Those that contain contacts that SmartCloud users might need to address mail to

What directories replicate to SmartCloud?

Directories containing SmartCloud users must be replicated

Directories containing on premises users must be replicated if smart cloud users are going to schedule meetings / work seamlessly with them

LDAP directories cannot be referenced or used in Smartcloud environments14

DOMAINS

The Passthru server should be in its own domain

A domain is separate from an organisational certifier

Servers can be in different domains but have the same certifier

IBM SmartCloud servers must share a root certificate with the on premises servers

No cross certification is available

Having a server in its own domain minimises the risk of exposing internal configuration details and provides a layer of “opt in” security

15

CREATING AN OU CERTIFIER

The SmartCloud servers will be created by the IBM Smartcloud service and named automatically

They will use an OU certifier you create that must be separate from any other used in your organisation

That OU must be a child of your organisational certifier so it shares a trusted root with all other servers

The server certifier used for the Smartcloud server must be a downstream OU, not a different O

It can’t be changed so if your Organisational certifier needs to change at any point you need to consider that

The ID can have a password but only one

The OU name must be at least 3 characters long16

UNIQUENESS

Your Organisational certifier will be verified for uniqueness within the SmartCloud service

Your top level certifier name must be unique within Smartcloud..

If there’s another “Turtle” out there then I have to use a different certifier for my SmartCloud and passthru servers.

17

BEFORE STARTING

18

STEP 1: BUILD YOUR PASSTHRU SERVER

Build your Passthru server(s) in its own domain

This is a standard Domino server build where the setup is as “first server” in a new domain

This will allow us to create a new domain for our Passthru server

19

STEP 1: BUILD YOUR PASSTHRU SERVER

20

This is what my Passthru server will be called

STEP 1: BUILD YOUR PASSTHRU SERVER DO NOT CREATE A NEW CERTIFIER ON THIS PAGE

21

We must use an existing certifier already created that either

has the same, or shares a trusted root with our other on premises

servers

VERIFYING THE PASSTHRU SERVER

Once the Passthru is created, go to Actions - Edit Directory Profile in its names.nsf and verify the of your Passthru server Domain is entered correctly

SmartCloud setup will ask for this and verify it

22

STEP 2: BUILD YOUR HUB SERVERS

Hub servers are Domino servers that should be configured to be inside your mail routing Domino domain

There can be up to two hub servers assigned for use by IBM SmartCloud and you can add a second one later if you need to

Hub servers should contain nothing but the contents of your Domino directory for routing

No mail files should be on your hub servers

Only the tasks except Adminp , Updall, Replica and Router need to be running23

STEP 3: BUILD YOUR DIRECTORY SERVERS

Build your Passthru server(s) in its own domain\

This is a standard Domino server build

Build your mail hub and directory server(s) within your existing internal domain

Replicate the directories you want to use in the cloud to the directory server(s)

Create the OU certifier to be used by the SmartCloud servers

24

CONFIGURATION

25

SETTING UP YOUR HYBRID CONFIGURATION

Order a subscription to IBM’s SmartCloud for as many users as you need provisioned into the cloud

Login to https://apps.na.collabserv.com using whatever administrative account you registered the subscription with

26

Choose “Admin” then “Manage Organization”

https://apps.na.collabserv.com

27

Select IBM SmartCloud Notes to set up mail. If it isn’t

available you probably have the wrong subscription

checkbox for “Hybrid Environment”

Then click on “Set Up My Account”

28

This is our starting point. We have

configured nothing.

We can keep coming back to this point to check what needs to

be done next

29

Flores/Turtle

We can add multiple Domino directories to use

They don’t need to be configured as directories on the Directory

sync server Each directory can have a failover server but this doesn’t use

Domino clustering to failover

Configuring the Directory Sync Servers

30

Configuring how mail will route Domino

server name of hub server

On Premise Domino Domain

31

The SmartCloud servers that will be created for you will use this

base name + # + OU e.g.

TurtleMail1/TTL/Turtle

TurtleMail2/TTL/Cloud

32

“Cloud” is the OU I setup to be used by the

cloud serversptserver.turtlehost.net

Configuring the passthru server(s)

public FQHN for the passthru server

http://ptserver.turtlehost.net

33

Upload the dedicated OU certifier and submit its

password so Smartcloud can use it

34

Once all the steps are complete click on the pre-

configuration tool which downloads an NSF called

liveservercheck.nsf

35

Open liveservercheck.nsf in

Domino Administrator. Make sure you can connect to all servers

with Admin rightsFlores/Turtle

36

Once all the tests are successful you can Enable the Smartcloud

Notes account

Once the account is enabled the menu item for the Domino Configuration Tool will appear

37

downloads liveserverconfig.nsf which you should open through Domino

Administrator

1. 2. 3.

38

39

For each domain in your Global Domain Document a unique key will be created that you must use to create a

CNAME DNS entry

40

Once all the configuration pieces are complete the SmartCloud Notes

account can be activated

41

Once your Smartcloud account is activated these management

menu options appear

MANAGEMENT

42

PROVISIONING USERS

Register users and their IDs in your own domain as you would an on premise user

a temporary, unused, mail file is created for the user during registration on the on premises server

The SmartCloud servers connect to your Directory Servers to replicate the directory(ies) you have defined as containing service accounts

You can configure multiple directories to be populated into Smartcloud

specifying “do not provision from this directory’ prevents the Smartcloud server creating user accounts from person documents

Once the directories are in place you can provision users into the cloud

A new mail file is created on the SmartCloud servers and their person document updated 43

44

Users who are synchronised and ready to be provisioned

All users

45

Search and find a user to provision

46

Default mail template

47

48

Provisioned user

49

Management options.

The ID is automatically uploaded from the on premises ID Vault

50

REPLICATION OF DIRECTORY

Pull

Person documents not including mail server and mail file name

Policies (not including organisational policies)

Groups

Rooms and Resources

Push

Mail file, server and SaasIdentityID fields in person documents (the last representing the Connections cloud account

Specific server groups used by Smartcloud

ID Vault information for the Smartcloud vault51

DUPLICATE NAMES

Domino directory takes priority of Extended Catalog

First person entry is the one used

Public key checking won’t work

52

RESERVED GROUPS AND ALL ENTRIES

Directory Synchronisation servers - Manager access including delete rights

Server Group “LLNServers” - Editor rights with roles [UserModifier] [GroupCreator] [GroupModifier]

LLNMailHubs is reserved for Smartcloud

Certifiers_ or SAAS are group prefixes used by Smartcloud

Server Group “SaaSLocalDomainServers” - Manager with delete rights

Wildcard naming in group names aren’t supported e.g */Turtle53

POLICIES

On premise Domino administrators can use policies to manage both on premise and SmartCloud users

Policies in a synchronised directory are applied to SmartCloud users

Only explicit policies are recognised, organisational ones are ignored

Policy names should be unique across all directories

54

CUSTOMISATION

55

OPTIONS FOR NOTES SMARTCLOUD

56

EMAIL MANAGEMENT

57

EMAIL MANAGEMENT

58

EMAIL MANAGEMENT

59

EMAIL MANAGEMENT

60

EMAIL FILTERS

61

IMAP

62

JOURNALING

63

INTEGRATION SERVER / FTP

Used to download logs and journaling via a SmartCloud FTP account

Create a new administration user account or use an existing one

Send an email to [email protected] asking for Integration Server rights to be set up and for which accounts

https://www.ibm.com/support/knowledgecenter/en/SSPS94/hybrid/topics/llis_enablingllis_t.html#llis_enablingllis_t

this may not work in which case secure http is available64

mailto:[email protected]://www.ibm.com/support/knowledgecenter/en/SSPS94/hybrid/topics/llis_enablingllis_t.html#llis_enablingllis_thttps://www.ibm.com/support/knowledgecenter/en/SSPS94/hybrid/topics/llis_enablingllis_t.html#llis_enablingllis_t

MAIL TEMPLATES

Selecting Mail Templates

Uploading a custom templates

Field extensions forms9_x.ntf

65

INSTANT MESSAGING

66

INBOUND MAIL ROUTING

67

NAME FINDER

68

NAME FINDER

69

SECURITY

70

ON PREMISES OPEN PORTS

Inbound

NRPC 1352 for access to the Passthru servers

NRPC 1352 for service users to access on premises server applications (via VPN or public via Passthru)

SMTP (25) if you have configured Smartcloud to route all outbound mail via on premises servers

Outbound

NRPC 1352 for Notes client to access SmartCloud servers

HTTPS 443 for Traveler, Connections

Instant Messaging 153371

SUPPORTED LOGINS

Notes ID - Notes client access

SmartCloud Service Account - iNotes, Verse, Traveler, Sametime

Federated SAML Login - iNotes, Verse, Traveler for Android only

Application Passwords - Traveler, Sametime

72

USER LOGINS

ID Vault

Syncing ID passwords when service passwords are changed

Password settings can be controlled by a security policy that applies to SmartCloud assigned users

73

PASSWORD MANAGEMENT

74

FEDERATED LOGINS

SmartCloud Notes support SAML Federation

You must configure SAML in your on premises environment first then contact customer services to provide them the information for the Smartcloud servers

If SAML is enabled then service login passwords are no longer used and application passwords must be used instead

75

APPLICATION PASSWORDS

Application Passwords vs Service Passwords

Application passwords are 16 characters long and generated automatically on user request

they are shown to the user once

users can generate new ones or disable the existing one

Restricting access to the service for an ip range will most likely prevent Traveler or mobile applications from working and requires an application password

76

SUMMARY

Hybrid Cloud does not require you to make any changes to your existing on premises servers or users

You add a new layer of passthru, directory and routing servers specifically to talk to the SmartCloud servers

You can still register your users and have policies that apply to them

You can move as many or as few users onto SmartCloud servers as you want

Your on premises users should not be able to tell if someone is being managed by a SmartCloud server or an on premises server and vice versa

You can continue to manage all mail routing through your on premises servers if you wish

Hybrid gives you the ability to evaluate SmartCloud as a solution for your mail users whilst retaining your on premises servers for applications 77

QUESTIONS?

78

Gab Davis

[email protected]

http://turtleblog.info

twitter: gabturtle

skype: gabrielladavis