Mobile Security: How to Secure, Privatize, and Recover Your Devices

Overview of this book

The threat of hacking may be the most damaging on the internet. Mobile technology is changing the way we live, work, and play, but it can leave your personal information dangerously exposed. Your online safety is at risk and the threat of information being stolen from your device is at an all-time high. Your identity is yours, yet it can be compromised if you don't manage your phone or mobile device correctly. Gain the power to manage all your mobile devices safely. With the help of this guide you can ensure that your data and that of your family is safe. The threat to your mobile security is growing on a daily basis and this guide may just be the help you need. Mobile Security: How to Secure, Privatize, and Recover Your Devices will teach you how to recognize, protect against, and recover from hacking attempts, and outlines the clear and present threats to your online identity posed by the use of a mobile device. In this guide you will discover just how vulnerable unsecured devices can be, and explore effective methods of mobile device management and identity protection to ensure your data's security. Special sections detail extra precautions to ensure the safety of family members and how to secure your device for use at work.

Overview of different clients

The IBM Notes Traveler configuration differs according to the mobile device the end user is carrying. On Apple iOS, Windows Mobile, and Nokia devices (legacy Nokia technology, in addition to the newer Nokia devices based on the Windows Mobile platform), Traveler uses the native mail, calendar, scheduling, and contact clients. Android devices use a proprietary client developed by IBM to provide consistency throughout the environment: because implementations differ across the providers of Android-based devices, the IBM Notes Traveler development team built a client that is deployed on the end user's device. The goal is to give the end user community the consistency needed to simplify management and support across the environment.

Access to the IBM Notes Traveler Servers

There are a number of configurations for the IBM Notes Traveler Server environment. This section will review the communication from devices to the infrastructure, along with the different topologies that can be deployed within the environment to provide support for the IBM Notes Traveler Server(s). It is important to note that the size of the organization, the demand on resources, security, and the requirements for redundancy/high availability will all significantly impact the final deployment configuration.

Communication to the devices

The standard configuration for the IBM Notes Traveler Server is for devices to connect to the infrastructure over HTTP or HTTPS. Alternatively, for Nokia, Windows, and Android devices (not Apple iOS), a Short Message Service (SMS) message can be sent to a device to alert it that new information is waiting on the server, which prompts the device to initiate a pull.

The IBM Notes Traveler Server connects to the IBM Domino servers through standard Notes Remote Procedure Call (NRPC) on port 1352, so when planning the Traveler topology it is important to understand where the servers are placed within the environment and how end users will reach them. The largest concern is typically the security of the environment and adherence to internal security policies on what may be placed in the DMZ and how access from the external network, through the DMZ, to the internal network is accomplished. The environment may already have variances for the opening of ports or the placement of specific servers.

Location of the IBM Notes Traveler Servers

The IBM Notes Traveler Server can be located on the IBM Domino mail servers or on a secondary server running the IBM Notes Traveler services. If the Traveler service runs on the mail servers, it references names.nsf on that server directly. If it runs on a secondary server, the Traveler service looks up the user's mail server and mail file in the local names.nsf and redirects the request to the appropriate server. To add a further level of security, the IBM Notes Traveler Server can also be established in its own Domino domain, which isolates names.nsf for Traveler-specific configuration and updates. Because a separate domain will not contain the required mail server and mail file information, the Traveler server will then require Domino Directory Assistance to perform the lookups. It is important that the administrator use the default Traveler policies so that consistency is maintained across the environments; this also enforces the policies for any user that connects to the IBM Notes Traveler Server.

Location of the mail servers

The demand on the overall environment, both mail and Traveler servers, depends on the network distance between the servers. It is not necessary to have a Traveler server on each mail server or in each location where mail servers are supported, but the distance between the two will add delay in delivering information to the devices, and that delay can create a perception among users that the servers are not performing at optimal levels. Placing multiple Traveler servers within the infrastructure to reduce the distance between Traveler and mail servers should be given serious consideration, particularly where regional geographical conditions exist.

Connection methodologies to the Traveler servers

While a number of different configurations can be deployed with Traveler, the main ones are VPN technology, reverse proxy, and direct connection. Each topology has cost and security implications for the environment; it is important to understand the placement of your Domino servers and your reverse proxy/VPN architecture, along with the corporate security policies in place, to ensure that the correct method is instituted. The following is a short overview of the architectures commonly put in place within the environment.

Direct connection

The simplest Traveler configuration is a direct connection to a Traveler server in the DMZ. Mobile devices access the Traveler server over HTTPS or HTTP, and the Traveler server accesses the Domino servers through the firewall over NRPC port 1352. This configuration can be viewed as the least secure, as the Traveler server sits in the DMZ and is directly accessible from the Internet. The following is a simplified example of this architecture:

Reverse proxy

Deploying IBM Notes Traveler behind a reverse proxy provides more security within the environment, although it adds another layer of complexity. Mobile devices access the reverse proxy over HTTPS, the reverse proxy maintains the connection through to the Traveler server over HTTPS, and the Traveler server then accesses the Domino servers over NRPC 1352. In this configuration the Domino servers sit behind the firewall and the transaction is secured through the environment. Although the IBM Notes Traveler environment has only been tested against IBM Lotus Mobile Connect 6.1, IBM WebSphere Edge Server 6.1, and IBM Tivoli Access Manager 6.0, it is flexible and should work with the reverse proxy configuration already deployed in your environment; you are encouraged to test the configuration to confirm that it works correctly in full.

IBM Mobile Connect

IBM Mobile Connect (formerly IBM Lotus Mobile Connect), known as IMC, provides a full-featured wireless VPN. The software lets mobile data travel securely end to end through an enterprise. One of the features that IMC brings to the table is the ability to securely access enterprise applications via a single frontend. Specific features include:

  • Mobile device management into the enterprise, in particular access to Traveler

  • Any device access into iNotes (IBM iNotes, also known as DWA)

  • iNotes is sometimes accessed through a device known as IBM Mobile Connect (IMC)

IBM Sametime client for mobile device access is provided by the IBM WebSphere Proxy Server and not directly via IBM Mobile Connect.

The next diagram shows a reverse proxy environment that your company can implement. IBM Mobile Connect can be an optional part of this configuration.

Note

We have shown that you can use both HTTP (traffic that is not encrypted) and HTTPS (traffic that is encrypted). There is no simple answer as to when each of these protocols can or should be used. In some cases a company will use HTTPS for frontend access into a corporate network, while the internal network uses HTTP (not encrypted). This "may" be done if the internal network is considered trusted. This is an advanced topic between you, the owner of your network, and your network experts. The authors do recommend that if in doubt, you use HTTPS.
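To make the placement rules of the direct-connection and reverse-proxy sections and the HTTP/HTTPS note checkable, here is an added example that is not from the book or from IBM: it reviews a constructed firewall rule list for the Traveler zones. The zone and role names, the Rule format and the sample rule sets are assumptions made for illustration.

```python
"""Review a proposed Traveler firewall rule set against the zone model in this
section (Internet -> DMZ -> internal). Zone names, role labels, the Rule
format and the sample rule sets are constructed for illustration."""
from dataclasses import dataclass

HTTP, HTTPS, NRPC = 80, 443, 1352  # NRPC 1352 is Domino's native protocol port

@dataclass(frozen=True)
class Rule:
    src_zone: str  # "internet", "dmz" or "internal"
    dst_zone: str
    dst_port: int
    dst_role: str  # "proxy", "traveler" or "domino"

def review_rules(rules, internal_trusted=False):
    """Return findings; an empty list means the rules follow this section's
    guidance. internal_trusted mirrors the note above: cleartext HTTP on
    internal segments is tolerated only when that network is deemed trusted."""
    findings = []
    for r in rules:
        # NRPC should flow only from the Traveler server to Domino mail servers,
        # never from the Internet and never to a non-Domino role.
        if r.dst_port == NRPC and r.src_zone == "internet":
            findings.append(f"NRPC 1352 reachable from the Internet to {r.dst_role}")
        if r.dst_port == NRPC and r.dst_role != "domino":
            findings.append(f"NRPC 1352 opened to a non-Domino role ({r.dst_role})")
        # Cleartext HTTP from the Internet exposes credentials and mail content.
        if r.dst_port == HTTP and r.src_zone == "internet":
            findings.append(f"cleartext HTTP from the Internet to {r.dst_role}")
        if r.dst_port == HTTP and r.src_zone != "internet" and not internal_trusted:
            findings.append(f"cleartext HTTP inside the network to {r.dst_role}; use HTTPS")
        # Domino mail servers sit behind the firewall in every topology shown.
        if r.dst_role == "domino" and r.src_zone == "internet":
            findings.append("Domino mail server exposed directly to the Internet")
    return findings

# Constructed sample: the reverse-proxy topology, with Traveler on the inside.
REVERSE_PROXY = [
    Rule("internet", "dmz", HTTPS, "proxy"),
    Rule("dmz", "internal", HTTPS, "traveler"),
    Rule("internal", "internal", NRPC, "domino"),
]
# Constructed sample: a direct connection with cleartext HTTP from the Internet
# and NRPC opened from the Internet rather than from the Traveler server only.
WEAK_DIRECT = [
    Rule("internet", "dmz", HTTP, "traveler"),
    Rule("internet", "internal", NRPC, "domino"),
]
```

Run review_rules over your own exported rule list to see which of this section's placement rules a proposed topology breaks before it is deployed.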

VPN connection

Deploying IBM Notes Traveler with a Virtual Private Network (VPN) allows the device to access all elements of the network through a single communication channel. VPN connectivity should work for all devices, but note that on iOS devices the VPN service must be started and managed manually by the end user, which can cause connection delays while the device has no connection to the IBM Notes Traveler Server. The IBM Notes Traveler Server treats a VPN connection as if it were native on the network; therefore it is recommended to deploy the VPN configuration using HTTP, to avoid duplicating security through both the VPN connection and an HTTPS connection. The Traveler server then accesses the Domino servers over NRPC 1352. In this configuration the Domino servers sit behind the firewall and the transaction is secured by the VPN technology, or by HTTPS if that is required or configured. Because the IBM Notes Traveler Server is separate from the VPN connection technology, no specific product is required or tested (note that the IBM Lotus Mobile Connect client is entitled within the IBM Domino environment on a per-user basis; refer to the IBM Lotus Mobile Connect product information for details), although you are encouraged to test the environment to confirm that it works correctly in full.

VPN Connection to the IBM Notes Traveler Server

Establishing appropriate security settings

Deploying the IBM Notes Traveler Server can create security considerations that did not exist with Mobile Device Management in the past: the BlackBerry Enterprise Server was a very hardened and secure environment that required lock-down of both the server and the device. As the shift towards flexibility in devices occurs, the establishment of strong security policies allows flexibility in the ownership of the device while continuing to meet corporate security requirements. The IBM Notes Traveler Server environment is configured to deploy security settings consistently across the environment through the default device settings document located in the Traveler administration database. This policy document is designed to meet the standard security and device control settings that are required within an environment. If greater flexibility is required for specific users or groups of users, for example to deploy differing security policies to differing groups, the administrator can use Traveler security policy settings. Both sets of security documents allow for general policies in addition to device-specific settings.

The IBM Notes Traveler service meets the requirements for delivering messaging information from an IBM Domino environment to mobile devices without additional software or services, unless those are required to meet specific security policies. Appendix B, Mobile Device Management, reviews the requirements for mobile device management when delivering technology to mobile devices. The IBM Notes Traveler service provides a robust set of MDM features and can provide a secure environment that meets today's requirements.