SmartCloud Notes. Administering SmartCloud Notes: Hybrid Environment March 2015


Note: Before using this information and the product it supports, read the information in Chapter 11, Notices, on page 305.

Copyright IBM Corp

Contents

Chapter 1. Overview of SmartCloud Notes
  What's new in SmartCloud Notes
  What's new for SmartCloud Notes administrators
  Administrators can be notified of directory synchronization errors
  Administrators can set policies for Notes client archiving
  Administrators can restore deleted user accounts
  What's new for SmartCloud Notes users
  Invitee status viewable by meeting chair on Notes Traveler devices
  More Windows devices are supported for Traveler
  Notes Traveler features are available
  Notes Traveler features are available
  Setup improvements for the Notes Traveler Android client
  Enhancements to supported encoding standards for inbound internet mail
  Accessibility
  Using SmartCloud Notes in a hybrid environment
  User experience in a hybrid environment
  Company administrator experience in a hybrid environment
  SmartCloud Notes clients
  Web client
  Traveler devices
  Notes client
  IMAP client
  BlackBerry devices with a Hosted BlackBerry Services subscription
  Feature differences between Notes and Domino and the SmartCloud Notes service
  Frequently asked questions about administering the service
  Information resources

Chapter 2. Planning to deploy the service
  Planning security
  Planning network connections
  Network capacity for the web client
  Network capacity for the Notes client
  Planning directory services
  Requirements for synchronized directories
  How directory synchronization works
  How the service resolves duplicate Person documents
  Planning mail routing and mail settings
  Planning calendars and scheduling
  Planning free-time requests in a hybrid environment
  Resource reservations in a hybrid environment
  Certifier requirements in a hybrid environment
  Version requirements for on-premises Domino servers

Chapter 3. Preparing your environment
  Creating a certifier for your mail servers
  Preparing your network
  Preparing passthru servers
  Preparing the firewall
  Configuring the firewall for inbound connections
  Configuring the firewall for outbound connections
  How NRPC connections are made in a hybrid environment
  Preparing for directory synchronization
  Setting up directory synchronization servers
  Preparing to replicate Domino directories
  Preparing to replicate an extended directory catalog
  Preparing Global Domain documents
  Preparing for mail routing
  Setting up mail hub servers in the on-premises hub domain
  Preparing to route mail from service users
  Preparing to route mail from service users to on-premises users and devices
  Preparing to use a company SMTP server to route outbound Internet mail
  Preparing to route mail to service users
  Preparing to route mail to service users registered in the on-premises hub domain
  Preparing to route mail to service users in a secondary domain
  Examples: Routing internal mail
  Example: Routing mail between users in the on-premises hub domain
  Example: Routing mail between users in a secondary domain
  Example: Routing mail between users in different Domino domains
  Examples: Routing external mail
  Example: Routing mail from an external user to a service user
  Example: Routing mail from a service user to an external user using a service SMTP host
  Example: Routing mail from a service user to an external user using a company SMTP host
  Preparing for calendars and scheduling
  Example: Free-time requests between users in the on-premises hub domain
  Example: Free-time requests between users in different domains
  Helping service users connect to application servers in secondary domains

Chapter 4. Configuring the service
  Roadmap to configuring a hybrid environment
  Logging on as the first company administrator
  Completing a checklist to prepare for configuration
  Configuring your hybrid account settings
  Configuring directory synchronization
  Specifying a mail routing server
  Creating a base name for your mail servers
  Specifying one or more passthru servers
  Providing a certifier ID file
  Using the Pre-configuration Test tool to check your environment
  Reviewing your setup and enabling your account
  Downloading and running the Domain Configuration tool
  Verifying Internet domains
  Activating your account
  Running configuration tests
  Completing the configuration
  Checking network connections from on-premises servers to the service
  Issuing a Vault Trust Certificate

Chapter 5. Customizing service settings
  Enabling the accessible experience for the web client
  Setting up administration notifications
  Restricting access to groups
  Using administrative policies
  Creating policies for service users
  Creating an archiving policy settings document
  Policy precedence
  Policy settings restrictions
  Archiving Settings restrictions
  Desktop Settings restrictions
  Registration Settings restrictions
  Mail Settings restrictions
  Security Settings restrictions
  Roaming Settings restrictions
  Notes Traveler Settings restrictions
  Using Desktop Settings to configure managed mail replicas
  Configuring logins
  Resetting service login passwords
  Setting service login password expiration
  Managing Notes IDs
  Resetting passwords for Notes IDs
  Setting password expiration for Notes IDs
  Enabling password synchronization
  Notes IDs and passwords
  Limitations when Notes IDs are not in the vault
  Setting up federated identity management
  SAML federated identity concepts
  Preparing for federated identity management
  Enabling federated identity management
  Configuring the Sametime rich client for SAML and downloading
  Restricting the IP address range
  Enabling application passwords
  Authentication methods by client
  Password rules by authentication method
  Configuring the name finder
  Standard and Advanced Name Finder options
  Adding photos to Person documents
  Basic name finder illustration
  Basic Quick Search Only name finder illustration
  Standard name finder illustration
  Advanced name finder illustration
  Browse corporate hierarchy name finder illustration
  Configuring mail settings
  Changing the size limit for incoming messages
  Prevent automatic forwarding of messages
  Specifying how Notes links display in the web client
  Configuring how long mail remains in the Trash folder
  Deleting older and meetings
  Enabling the ActiveX control for Internet Explorer users
  Specifying an SMTP server to route mail to the Internet
  Preparing to use custom mail file templates
  Handling execution security alerts caused by custom templates
  Configuring mail file templates
  Using extension forms files to customize the look of the web client
  Extension forms file requirements
  Preparing customized mail file ACLs
  Enabling busytime details in calendars
  Configuring instant messaging
  Configuring the web client to connect to an on-premises Sametime community
  Manually configuring Notes clients to connect to the service instant messaging community
  Instant messaging features
  Configuring IMAP access
  IMAP client limitations
  Logging activity in journal files
  Downloading journal files
  Format of the Notes mail journal file
  Format of the Notes client session journal file

Chapter 6. Onboarding users
  Choosing a client deployment strategy
  Deciding whether to use the Notes client
  Deciding whether to transfer mail files
  Preparing for onboarding
  Preparing for the web client
  Preparing for Notes Traveler devices
  Preparing for Notes clients
  How the Client Configuration tool configures the Notes client
  Downloading Notes client software and other entitled software
  Connecting to cloud Activities through the Notes client sidebar
  Preparing for IMAP clients
  Preparing to use BlackBerry devices
  Settings enforced for BlackBerry smartphones
  Preparing communications and training
  Adding multiple Internet addresses to Person documents
  Mail file quota
  Mail file delegation
  Transferring mail files
  Preparing for mail file transfer
  Preparing the staging server
  Preparing mail file ACLs before mail file transfer
  Preventing local database encryption in new mail file replicas
  Importing IDs into mail files
  Scanning mail files for viruses
  Transferring mail files with help from an IBM partner
  How the transfer manager creates a mail file transfer request
  Transferring mail files to the service data center
  Provisioning users
  Provisioning users without transferring mail files
  Registering a new user on-premises
  Provisioning users and mail files
  Deleting on-premises mail files
  Decommissioning on-premises mail servers
  Checking user provisioning status
  Helping users get started
  Providing account information to users
  Getting started with the web client
  Getting started with the Notes Traveler devices
  Adding a Notes Traveler subscription to a user account
  Removing user accounts from on-premises Notes Traveler servers
  Getting started with the Notes client
  Getting started with IMAP clients
  Getting started with BlackBerry devices
  Accepting the Research In Motion terms of use
  Adding a BlackBerry subscription to a user account
  Removing user accounts from an on-premises BlackBerry Enterprise Server
  Activating a user's BlackBerry smartphone
  Ensuring that mail encryption is available for BlackBerry smartphone users
  Providing documentation to your BlackBerry smartphone users

Chapter 7. Administering user accounts
  Best practices for maintaining your on-premises environment
  Changing user mail file templates
  Viewing assigned mail file templates
  Language versions of the standard mail file template
  Assigning extension forms files to users
  Setting a default extension forms file
  Explicitly assigning an extension forms file to many current users
  Explicitly assigning an extension forms file to individual current users
  Resetting service login passwords
  Resetting passwords for Notes IDs
  Changing a Notes user name
  Rules to follow when you change a Notes name
  Changing an Internet address
  Removing a SmartCloud Notes subscription from a user account
  Suspending a user account
  Deleting a user account
  Restoring a deleted user account
  Permanently deleting a user account
  Removing the SmartCloud Notes data for a deleted user account or subscription
  Moving users to different Domino directories
  Converting a service user to an on-premises user in a hybrid environment
  Uploading a Notes ID to the vault
  Viewing subscriptions
  Viewing assigned subscriptions
  Managing IBM Notes Traveler devices
  Managing BlackBerry smartphones
  Reactivating a user's BlackBerry smartphone
  Wiping a user's BlackBerry smartphone if it is lost or stolen
  Setting a device password on a user's BlackBerry smartphone
  Removing a BlackBerry subscription from a user account
  Frequently asked questions about BlackBerry smartphone administration

Chapter 8. Integrating a single domain (Example)
  Preparing the on-premises environment (Example)
  Preparing the on-premises directory synchronization and mail hub servers (Example)
  Preparing the on-premises passthru server domain (Example)
  Configuring firewalls (Example)
  Preparing the Global Domain document (Example)
  Creating the certifier and names for mail servers (Example)
  Configuring the service (Example)
  Completing an account settings worksheet (Example)
  Configuring account settings (Example)
  Downloading and running the Domain Configuration tool (Example)
  Verifying the Internet domain name (Example)
  Testing network connections (Example)
  Issuing a Vault Trust Certificate (Example)
  Example illustrations
  Directory synchronization at Renovations
  Service user sending Notes mail to an on-premises user
  On-premises user sending Notes mail to a service user
  Service user receiving Internet mail
  Service user sending Internet mail
  Service user requesting the free time of an on-premises user
  On-premises user requesting free time of a service user
  Service user requesting the free time of a resource
  Service user reserving a resource

Chapter 9. Integrating additional domains

Chapter 10. Troubleshooting the service
  Using the Configuration Test tool
  Finding troubleshooting tips in the Support Portal
  Contacting Support

Chapter 11. Notices
  Trademarks
  Privacy policy considerations

Index

Chapter 1. Overview of SmartCloud Notes

IBM SmartCloud Notes is a multi-tenant cloud mail service. When you use the service, administrators at IBM set up and maintain IBM Domino mail servers for you in the cloud on external IBM servers. The service offers you the benefits of Domino mail server security features and architecture without the mail server maintenance overhead.

Using the following clients, users connect to the SmartCloud Notes service over the Internet to access their mail:

Web client through a browser interface available at social
Notes
Mobile devices

Any combination of these clients can be used.

At least one person at a company is designated as a company administrator. A company administrator has a user account with the Administrator role and is responsible for configuring the service and administering user accounts.

The SmartCloud Notes service provides various options that are designed to help you deploy the service in a way that best satisfies your business needs.

You can deploy the service with the assistance of an IBM Software Services for Collaboration representative or a certified IBM Business Partner. Whether you choose this option depends on factors such as the type of SmartCloud Notes environment you deploy and your in-house IT expertise and priorities.

You can choose from a list of standard mail file templates that are available within the service by default, or develop a custom template for your company. You can develop a custom template in-house or contract with an IBM or a third-party representative to develop the template. Approval of a custom template requires a short service engagement with IBM Software Services for Collaboration.

A Notes Traveler subscription is available automatically. This subscription enables users to access the service through supported mobile handheld devices. Note that the ultra-light mode of the web client supports the use of some mobile devices for no additional purchase.

If you purchase a SmartCloud Notes for Hosted BlackBerry Services subscription, users can access the service through BlackBerry smartphones. To use BlackBerry 10 devices, use Notes Traveler instead.

If you purchase the Connections Archive Essentials subscription, the content of user mail can be captured and retained for later legal discovery. For more information about this service, see the Using Connections Archive Essentials documentation.

What's new in SmartCloud Notes

The following features and enhancements are new in IBM SmartCloud Notes.

What's new for SmartCloud Notes administrators

The following features are new for IBM SmartCloud Notes administrators.

Administrators can be notified of directory synchronization errors

Administrators can configure the service to send notifications if directory synchronization errors occur. Administrators specify the addresses of one or more people to receive the notifications. A notification describes the error and provides a link to information about how to resolve it.

Related tasks:
Setting up administration notifications on page 103
Set up the service to send notifications that report when specific types of errors occur in the service.

Administrators can set policies for Notes client archiving

In hybrid environments, administrators can now use Archive Settings in policies to set standard archiving behavior for Notes client users. Mail archiving is run on the Notes client. Users can archive local mail replicas or managed mail replicas and create the archives on the client or on-premises servers. Users cannot create archives on cloud servers. For more information, see the section Customizing service settings > Using administrative policies.

Administrators can restore deleted user accounts

Administrators have 30 days to restore user accounts after deleting them. The accounts are restored with complete functionality, including mail file access.

Related tasks:
Deleting a user account on page 261
When you delete a user's account, the user no longer has access to any cloud services. If you change your mind about the deletion, you have up to 30 days to restore the account to full functionality.
Restoring a deleted user account on page 263
After you delete a user account, you have up to 30 days to restore it if you change your mind. Restoring the account returns it to full functionality, including full mail file access.

What's new for SmartCloud Notes users

The following features are new for IBM SmartCloud Notes users.

Invitee status viewable by meeting chair on Notes Traveler devices

Invitee status display is now supported on Apple, BlackBerry 10, Windows Phone, Windows Tablet, and Android devices. The meeting chair can view the status of each invitee's response to the current version of the meeting. Possible statuses are accepted, tentative, declined, and no response. Additionally, the Android client can show a status of delegated.

More Windows devices are supported for Traveler

IBM SmartCloud Notes Traveler users can now use Windows Phone and Windows Tablet (Windows Pro and Windows RT) devices with the service. There is no need to install client software on these devices to use them with the service. For device requirements, see the SmartCloud Notes client requirements.

Related information:
SmartCloud Notes client requirements
Using Notes Traveler documentation

Notes Traveler features are available

The IBM Notes Traveler client provides the following new features:

Calendar improvements for Android clients

Local calendar information displays in IBM Notes Traveler calendar
You can now add the information from your local device calendars into your IBM Notes Calendar view.

Create calendar events from mail messages
You can now create a calendar event while viewing mail, using the overflow menu. Calendar events created from mail messages will form with the invitees populated with the message recipients, and the event details information pre-filled with the content of the mail.

Interface improvements for Android clients

Action bar
The action bar is a mobile feature that identifies your location within IBM Notes Traveler, as well as provides action icons and navigation modes.

Navigation drawer for mail
The navigation drawer is a panel that slides in from the left of the screen to display IBM Notes Traveler's main navigation options. For mail, the navigation drawer displays your user account and mail folders (inbox, outbox, sent, and personal). The navigation drawer is only available from the parent list view of a mail folder.

Android Contacts application
IBM Notes Traveler on Android now provides its own dedicated Contacts application, rather than utilizing the device Contacts application.

New mail item list layout with thumbnail photos
The mail item list has been redesigned to make it easier to consume the sender, subject, and message body where applicable. If the screen is wide enough, a person thumbnail image displays using the sender's mail address to search for available photos, either from local contacts, IBM Notes Traveler contacts, or from the new Sametime Integration feature.

New mail list selection mode
A new selection mode overlays a 'Contextual Action Bar' over the existing action bar, showing the number of selected items. It also provides batch operations on the selected items, such as: Move to Folder, Discard, Mark as Read, or Mark as Unread. Only the actions which are applicable to all selected items display.

Gesture actions for mail and contacts
To quickly act on mail items in a list or take action on a contact, you can now swipe the item from right to left to display a list of action buttons without having to open the mail or contact itself. Available on phones with Android 3.0 (Honeycomb) and above.

Add to Contacts from mail
When viewing a mail item, you can now add the sender to your contacts.

Mail list person actions
You can now tap a user photo from a mail message and see a list of possible actions to take with that person. The actions available depend on the information available for the person. If there is a mail address associated with the person, you can perform the following actions:
View the person's IBM Connections Profile (only if IBM Connections mobile is installed)
Chat with the person (only if IBM Sametime mobile chat is installed and connected)
Mail the person (opens the Android mail selection dialog)
If there is at least one phone number associated with the person, and your device is a phone, you can also call and text the person directly. These options are only available where a person photo displays: mail, calendar and contacts.

Notes Traveler features are available

The IBM Notes Traveler client provides the following new features.

New reply options for mail messages in Android devices
When replying to a mail message on Android devices, you can now choose to reply with or without message history and attachments.

Add Notes Traveler contact from a phone number
On Android phones that support the option, you can now choose to make a new Notes Traveler contact from a phone number.

Setup improvements for the Notes Traveler Android client

When setting up a new IBM Notes Traveler Android client, you are no longer required to type in your datacenter URL to connect to the service. You are now automatically connected to the correct data center based on your login identity.

Enhancements to supported encoding standards for inbound internet mail

IBM SmartCloud Notes web and IBM Notes Traveler clients now support the RFC 2231 standard for inbound Internet mail. This standard provides improvements, including the correct display of attachment file names that are specified in character sets other than US-ASCII. The service supports the new standard for incoming messages that are encoded to support RFC 2231. The RFC 2231 encoding is retained when a recipient replies to or forwards a message. The service does not use the new encoding in new outbound messages.

Accessibility

IBM SmartCloud Notes Administration, the interface that is used to administer SmartCloud Notes, is accessible. The version of this documentation that is in the Knowledge Center is accessible.

All OS level keystrokes for accessibility are recognized. For the best accessibility experience, use a version of Mozilla Firefox supported by the service and the latest version of the JAWS screen reader.

See the IBM Human Ability and Accessibility Center for more information about the commitment that IBM has to accessibility.

Related tasks:
Enabling the accessible experience for the web client on page 103
You can submit a request to enable the accessible experience for the web client for everyone in your organization. Mail, Calendar, Contacts, and Preferences features provided with this experience are all accessible.

Related information:
System Requirements
Knowledge Center documentation

Using SmartCloud Notes in a hybrid environment

When you deploy the IBM SmartCloud Notes service in a hybrid environment, it functions as a virtual extension of your on-premises IBM Domino domain configuration. With a hybrid environment, company administrators continue to manage users and groups using the on-premises tools with which they are familiar.

Mail routing and directory synchronization between your on-premises servers and the SmartCloud Notes service occur through an on-premises hub domain. You designate at least one server in the domain as a directory synchronization server to handle replication of Domino directories in your environment to the service. You also designate at least one mail routing server to handle mail routing between on-premises servers and the service.

Note: Routing of incoming Internet mail addressed to users in the service is configured and done on-premises. The SmartCloud Notes service performs outbound Internet mail routing only.

You can have a combination of on-premises users (users with mail servers at the company site) and service users who use SmartCloud Notes mail servers. The two groups of users can communicate by Notes mail, look up each other's free time, reserve shared rooms and resources, and schedule meetings with each other.

If you have Domino application servers on-premises, service users can access Domino applications in the same way they did before using the service. A customer provides a unique organizational unit (OU) certifier ID to be used for their SmartCloud Notes mail servers. This OU certifier is within the trust hierarchy of both the service users and the on-premises Domino application servers. Therefore a service user's Notes ID provides access to both the SmartCloud Notes mail servers and the on-premises application servers.

In the following illustration, Dan Misawa is a service user at the fictional company Renovations. His Notes ID, which is certified under /Renovations, enables him to access his SmartCloud Notes mail servers, which are certified under the OU /SMC/Renovations. He can also continue to access an on-premises Domino application server which is certified under /Renovations.

Inbound connections from the service to the customer's on-premises environment occur via a passthru server domain in the customer's demilitarized zone (DMZ). The passthru servers authenticate SmartCloud Notes servers and allow passthru connections only for those servers with IDs that are certified by the OU certifier you provide.

SmartCloud Notes provides a Domain Configuration tool that you configure and then download and run on-premises. The tool creates all the Domino Directory documents in the passthru domain and the on-premises hub domain that are required for communication between on-premises servers and the service.

User experience in a hybrid environment

In a hybrid environment, the experience of service users and on-premises users is similar.

A service user's IBM Notes ID provides access to both on-premises IBM Domino application servers and IBM SmartCloud Notes mail servers. A Location document and Connection document added to Notes clients enables the clients to connect to the mail servers. Existing Notes client bookmarks and links to Domino application servers work without modification.

A service user can look up the people, groups, and mail-in databases in any on-premises Domino directory that has been replicated to the service through directory synchronization. A service user can look up names in a Domino directory indirectly, for example, by clicking To in a mail memo. The user cannot use File > IBM Notes Application > Open to open the directory, however.

Service users who use the Notes client and who have a collaboration subscription can access both service Activities and on-premises Activities through the client sidebar.

Company administrator experience in a hybrid environment

IBM administrators maintain user mail servers in the service. Company administrators administer service users. Company administrators continue to perform many user administration tasks on-premises with familiar tools such as the Domino Administrator client. Some tasks are performed through web administration features in the service at To use the administration features, a company administrator logs on to the service using an account name that is assigned the Administrator role.

Table 1. Tasks to administer service users in a hybrid environment

Task | Where task is performed | Additional information
Adding users to the service | On-premises and through social | Provisioning users on page 218
Deleting users from the service | On-premises and through social | See the topic about deleting a user in the Domino documentation. Removing a SmartCloud Notes subscription from a user account on page 259. Deleting a user account on page 261. Removing the SmartCloud Notes data for a deleted user account or subscription on page 264.
Adding and managing groups | On-premises | See the topic about using groups in the Domino documentation.
Changing the Notes names of service users | On-premises and through social | Changing a Notes user name on page 255
Configuring policies | On-premises, with a few restrictions | Creating policies for service users on page 105
Managing Notes ID passwords | On-premises through policies and through social | Resetting passwords for Notes IDs on page 125. Creating policies for service users on page 105. Setting password expiration for Notes IDs on page 126.
Selecting mail file templates for mail files | social | Configuring mail file templates on page 164
Configuring service-specific mail settings | social | Configuring mail settings on page 154. Specifying an SMTP server to route mail to the Internet on page 160.
Configuring IMAP access | social | Configuring IMAP access on page 178
Configuring instant messaging | social | Configuring instant messaging on page 171
Managing mobile devices if a Notes Traveler for Notes subscription is purchased | social | Managing IBM Notes Traveler devices on page 272. Creating policies for service users on page 105.
Managing BlackBerry smartphones if a SmartCloud Notes for Hosted BlackBerry Services subscription is purchased | social | Managing IBM Notes Traveler devices on page 272
Configuring mail archiving to allow retrieval for legal purposes if an IBM Connections Archive Essentials Cloud subscription is purchased | social | Using Connections Archive Essentials

Related tasks:
Chapter 4, Configuring the service, on page 83
After you have prepared your on-premises environment, configure the service to work with your environment.
Completing the configuration on page 100
After you have completed the account setup for your organization, perform the tasks in this section to complete the configuration.

SmartCloud Notes clients

IBM SmartCloud Notes clients provide mail, personal information management features such as calendars, contacts, and to do lists, and with some clients, integrated collaboration features, such as embedded chat.

18 Web client
The IBM SmartCloud Notes web client provides access to mail servers through a browser. The web client is a hosted mail client; there is no client for users to install. Users simply log on to using their service login address and password. The service authenticates the client and then the client is redirected to the mail file in the service.
Users can access the web client in either of these ways:
- On a computer -- after logging on, users click Mail.
- On a mobile device -- users point the browser on the device to the service, and then log on to the ultra-light mode.
Users need a subscription for either SmartCloud Notes or SmartCloud Notes Entry to use the web client. Each subscription provides a full mail client with mail, calendar, and contacts, as well as to do and notebook applications. Each subscription provides access to the service through either full or ultra-light mode.
- Full mode -- The full mode offers the widest range of features including mail, contacts, calendar and scheduling, as well as notebook and to do tasks.
- Ultra-light mode -- The ultra-light mode is available at no extra cost on a mobile device, and on a personal computer. No additional setup or client installation is required on the mobile device. Users simply point their device browser to to access their mail. The ultra-light mode supports Android, as well as Apple iPhone, iPod Touch, and iPad devices. See the client requirements for details on the supported levels of device operating systems.
Decide which web client subscription best fits your needs. The SmartCloud Notes Entry subscription includes many of the same features that are available with the standard SmartCloud Notes subscription, but with the following limitations:
- Users are provisioned with a new mail file. There is no data migration of an existing mail file.
- Users cannot access mail using either the Notes client or an IMAP client.
- Users cannot access mail using BlackBerry smartphones.
- User mail files have a 1 GB quota.
For a list of browsers supported for use with the web client, see the client requirements.
Related tasks:
Preparing for the web client on page 193
Before you provision users who will access IBM SmartCloud Notes using the web client, prepare for the web client.
Related information:
SmartCloud Notes client requirements
Using the web client
Traveler devices
A Notes Traveler subscription supports Apple, Android, Windows Phone and Windows Tablets, Windows Mobile, and BlackBerry 10 devices. See the device requirements for details on the supported levels of device operating systems. To get started, users perform simple steps to install and configure Notes

19 Traveler on their devices using the installation and configuration information in the SmartCloud Notes product documentation for their specific device.
Related tasks:
Preparing for Notes Traveler devices on page 195
Before enabling users to use IBM Notes Traveler mobile devices with the service, prepare your environment and the devices.
Related information:
Notes Traveler device requirements
Using Notes Traveler
Notes client
Use of the IBM Notes client to connect to the service is optional. An IBM SmartCloud Notes subscription entitles you to the Notes client license. Users who access mail by using a Notes client can take advantage of the many collaboration features that are available through the client.
As with the web client, the Notes client provides mail, calendar, and contacts, as well as to do and notebook applications. You can manage your Inbox using full-text search, delegation, mail filtering and sorting, conversation views, and flags. The following features and applications are also available to you when you use the Notes client.
- Activities - Beginning with Notes 8.5.2, if your organization has a collaboration subscription, then the sidebar is automatically configured to access Activities in the service without further authentication.
- IBM Sametime - Use the embedded Sametime client to manage instant messaging contacts and initiate chats.
- RSS feeds - Subscribe to RSS feeds that display in the sidebar.
- Widgets - Add widgets to the sidebar. Widgets are available only in hybrid environments in which they are deployed through company servers.
- Create and manage IBM Notes applications - Using Notes templates, create and manage Notes applications, such as teamrooms, or discussion databases. Notes applications on servers are only available through on-premises company servers.
Keep the following in mind if your users will use the Notes client:
- SmartCloud Notes supports only the standard configuration of Notes, and not the basic configuration.
- You should decide which supported version of the client to use in your environment. See the SmartCloud Notes client requirements for information on supported versions.
Related tasks:
Preparing for Notes clients on page 196
Use of the IBM Notes client to connect to the service is optional. If you want your users to use the Notes client, understand the steps to prepare.
Related information:
SmartCloud Notes client requirements
Using Notes

20 IMAP client
If you enable IMAP access, users can configure third-party clients to access mail in the service. The following IMAP clients are supported:
- Apple
- Microsoft Outlook 2003, 2007
- Thunderbird
There is no additional charge or subscription required to use IMAP clients.
Related tasks:
Preparing for IMAP clients on page 202
If you plan to use IMAP clients, complete these tasks to prepare.
BlackBerry devices with a Hosted BlackBerry Services subscription
If your company has an IBM SmartCloud Notes for Hosted BlackBerry Services subscription, users can use BlackBerry smartphones to access mail and personal information management features. IBM administrators set up and maintain BlackBerry Enterprise Servers for you on sites that they manage.
The BlackBerry subscription provides the following features:
- Mail, Calendar, Task, To Do, and Contact applications
- Corporate directory lookup
- Smartphone management through
This subscription does not support BlackBerry 10 devices. Those devices are supported by IBM Notes Traveler.
Related tasks:
Preparing to use BlackBerry devices on page 203
If you plan to use BlackBerry devices that are supported by a Hosted BlackBerry Services subscription, complete these tasks to prepare.
Feature differences between Notes and Domino and the SmartCloud Notes service
Some features in IBM Notes, IBM iNotes, and IBM Domino are unavailable or have limitations within the IBM SmartCloud Notes service. For an explanation of the differences, see the following article in the IBM Connections Cloud wiki: Feature differences between Notes and Domino and the SmartCloud Notes service.

21 Frequently asked questions about administering the service
The following table provides answers to questions frequently asked about the tasks that company administrators perform in an IBM SmartCloud Notes environment.
Table 2. Frequently asked questions about administering SmartCloud Notes
Question: Do company administrators have access to user mail files?
Answer: By default, administrators do not have access to user mail files. However, new users can be provisioned with mail files that have customized access control lists (ACLs). In addition, the mail delegation feature can be used to delegate management of a mail file to an administrator or to a group of administrators. For more information, see Preparing customized mail file ACLs on page 168 and Mail file delegation on page 208.
Question: Do mail files have a size limit?
Answer: Currently a size limit (quota) of 25 GB is enforced on most mail files. An exception is the mail files of SmartCloud Notes Entry users, whose mail files have a 1 GB limit. For more information, see Mail file quota on page 207.
Question: What options are available for managing mail file size?
Answer: Company administrators can manage the size of mail files by setting limits on the size of incoming messages. Additionally, they can specify how long mail remains in mail files by enabling automatic mail deletion for older mail. For more information, see Configuring mail settings on page 154.
Question: Can we use a customized mail file template?
Answer: Yes, company administrators can apply a customized template to user mail files. This is done through SmartCloud Notes Administration. The template must meet specific design requirements. A representative of IBM Software Services for Collaboration must approve it as part of a short consulting services engagement. For more information, see Preparing to use custom mail file templates on page 161.

22 Table 2. Frequently asked questions about administering SmartCloud Notes (continued)
Question: Can users create local replicas of their mail files?
Answer: In a hybrid environment, administrators can provide local access by using policies to enable the managed mail replica feature. This feature automatically creates a local cached version of user mail files. For more information, see Using Desktop Settings to configure managed mail replicas on page 120. Although managed mail replicas are recommended, as an alternative, users can create local replicas of their mail files and schedule replication between the local replicas and the server replicas. For more information about creating local replicas, see Getting started with replication in the Notes documentation.
Question: Are company administrators responsible for mail database maintenance?
Answer: No, compacting and other mail database maintenance tasks are handled within the service for you.
Question: In a hybrid environment, do company administrators manage service users through an on-premises IBM Domino Administrator client and on-premises Domino servers?
Answer: Yes, the tasks to administer service users and on-premises users primarily are the same. Some differences are:
- You must use explicit policies when applying policy settings to service users.
- The ID vault tool in the Domino Administrator is not used to manage the Notes ID files of service users.
- Some administration tasks, for example, Notes ID file password resets, are done through the SmartCloud Notes Administration, which is accessed through the IBM Connections Cloud website at
For more information, see Chapter 7, Administering user accounts, on page 243.
Question: How does a company administrator change a user's Notes name?
Answer: In a hybrid environment, company administrators change the Notes name in the on-premises Domino directory using the Domino Administrator client, as they do for on-premises users. The name change replicates to the service during directory synchronization. To change a user's service web login name, company administrators edit the user account in the service. For more information, see Changing a Notes user name on page

23 Table 2. Frequently asked questions about administering SmartCloud Notes (continued)
Question: How do I reset a user's password?
Answer: There are two passwords. One is the service login password that is used to log on to the IBM Connections Cloud website at Another is the Notes ID password used to log in to mail servers through Notes. Reset the service login password through the service user account. Reset the Notes ID password through the SmartCloud Notes Administration. For more information, see Resetting service login passwords on page 124 and Resetting passwords for Notes IDs on page 125.
Information resources
The following information resources are available for IBM SmartCloud Notes. Be sure to use these resources to keep up-to-date on technical content, known issues, and product news.
Table 3. Information resources for SmartCloud Notes
Resource: IBM Connections Cloud wiki
Description: The wiki provides the following information:
- Known issues and troubleshooting information
- Getting started information
- Technical articles by IBM employees and other community members
- Links to other resources such as courseware and multi-media content
Resource: SmartCloud Notes known issues
Description: This wiki article links to a comprehensive list of SmartCloud Notes technotes on the Support site. These technotes describe known issues and workarounds. The article also links to technotes about the Notes client.
Resource: SmartCloud Notes Fix List
Description: This page shows a chronological list of fixes made to the SmartCloud Notes service.
Resource: SmartCloud Notes Support newsletter
Description: This newsletter highlights important technotes and new technical articles and courseware. To receive automatic notification when a new edition of this newsletter is available, add SmartCloud Notes to your My Notifications subscription and include the Product information and publications document type in your subscription.

24 Table 3. Information resources for SmartCloud Notes (continued)
Resource: My Notifications from SmartCloud Notes Support
Description: My Notifications enables you to receive daily or weekly announcements through , custom Web pages and RSS feeds. These customizable communications can contain important news, new or updated support content, such as publications, hints and tips, technical notes, product flashes (alerts).
Resource: Support page
Description: Click Support > Technical Support from this page for information about how to contact SmartCloud Notes Support.

25 Chapter 2. Planning to deploy the service
To plan for the IBM SmartCloud Notes service, understand the features it offers, the deployment options that are available, and the planning considerations.
Planning security
Before you prepare your environment for the service, make decisions about implementing security in the service by answering questions described in this topic.
About this task
Table 4. Security questions
Question: Will you use federated identity management?
Considerations: Federated identity management allows users who are logged on to your company system to use the service without logging on again. To enable federated identity management, you register your organization as a trusted identity provider in the IBM Connections Cloud service. Before you register, you must implement and test a federated identity management system that uses Security Assertion Markup Language (SAML). While you are implementing your system, you must make some choices and prepare several artifacts. For more information about this option and other login options, see Configuring logins on page 124.
Copyright IBM Corp

26 Table 4. Security questions (continued)
Question: Do your company top-level organization certifiers comply with service requirements?
Considerations: There are some restrictions on organization certifier names. Your organization certifiers must be different from certifiers used by other companies in the service. In addition, specific organization certifier names are prohibited for use with the service.
Question: What decisions do you need to make about the OU certifier to use for your mail servers?
Considerations: If you use more than one organization certifier, decide which one to use for the following servers. All of these servers must be certified under the same organization certifier.
- Passthru servers that the service uses to connect to your environment
- Directory synchronization servers and mail hub servers in the on-premises hub domain
- Your mail servers in the service, which are created for you in the service using the OU certifier that you provide
If there will be service users who are certified under a different organization certifier than the one used for these servers, you must create cross-certificates to establish trust between the two certifiers. The cross-certificates must be in a Domino directory that is synchronized with the service so that they replicate to the service. The cross-certificates allow the users to access their mail servers. For more information, see Certifier requirements in a hybrid environment on page 37.
Decide on a name for the OU certifier. A short name is best. Consider carefully the name you choose; after you upload the OU certifier ID file to the service during service configuration, you cannot change to a certifier of a different name.
Decide who will create the OU certifier and who will upload the certifier ID file to the service. Uploading the ID file to the service requires physical access to the ID file. Companies often allow only specific people to create certifiers and to access certifier ID files, so account for this possibility in your planning.

27 Table 4. Security questions (continued)
Question: Is public key checking enabled on on-premises servers that the service will connect to?
Considerations: If public key checking is enabled on the following servers, it must be disabled.
- Passthru servers that the service uses to connect to your environment
- Directory synchronization servers and mail hub servers in the on-premises hub domain
Question: What firewall changes are required?
Considerations: Your firewall must be opened to specific ports and host names. For more information, see Planning network connections.
Planning network connections
Before preparing your environment, answer questions described in this topic to help you make decisions related to network connectivity with the service.
About this task
Table 5. Network planning questions
Question: What process does your company use to make network changes?
Considerations: Your company might have a review and approval process for making the network changes required by the service. Ensure that you understand the process and allow time to implement the required changes.
Question: Does your network have sufficient bandwidth and Internet connectivity?
Considerations: Clients and servers that connect to the service are likely to increase the amount of network traffic to the Internet and also change the load on particular parts of your network. It is important to assess whether your current network has sufficient bandwidth and Internet connectivity to handle these changes. You may need to work with your Internet Service Provider to increase network bandwidth before you provision users for the service. For information, see the topics about network capacity for the web and IBM Notes clients.
Question: What firewall changes are required?
Considerations: Port 1352 must be opened for inbound connections. Ports 1352 and 443 must be opened for outbound connections. You might need to open additional ports, depending on which features you use with the service. For complete information, see the topics Configuring the firewall for inbound connections on page 41 and Configuring the firewall for outbound connections on page 42.

28 Table 5. Network planning questions (continued)
Question: Do you use a forward proxy to control user access to the Internet?
Considerations: If so, you must allow network traffic to pass transparently through the proxy over ports 1352 (NRPC) and 443 (HTTPS).
Question: Which servers will function as your on-premises passthru servers?
Considerations: All connections from the service to your on-premises environment occur through one or two on-premises Domino passthru servers. For security reasons, these servers must be set up in a unique Domino domain. Putting them in a network demilitarized zone (DMZ) between an inner and outer firewall is recommended. For more information, see Preparing passthru servers on page 40.
Related tasks:
Preparing your network on page 40
Prepare your network for connections between IBM SmartCloud Notes servers and on-premises servers. Configure inner and outer firewalls. Then set up a dedicated IBM Domino domain between the firewalls. The domain will function as a passthru server domain through which connections from SmartCloud Notes servers to your on-premises servers occur.
Network capacity for the web client
Before using the web client, have an understanding of the approximate network capacity that your Internet Service Provider will need to provide to support connections from the web clients to the service.
Use the following formula as a general guideline only:
number_of_clients x 2.5 Kbps
where number_of_clients is the expected number of web clients and 2.5 Kbps is the average network kilobits per second required for each client to connect to the service.
This formula assumes an average level of client activity based on IBM Domino mail benchmarks for server-based mail files. Your actual network capacity requirements will depend on the client usage patterns in your environment.
Network capacity for the Notes client
Before configuring Notes clients to connect to the service, have an understanding of the approximate network capacity that your Internet Service Provider must provide to support those connections.
Use the following formula as a general guideline only:
number_of_clients x 3.1 Kbps
where number_of_clients is the number of Notes clients used and 3.1 Kbps is the average network kilobits per second required for each client.
This formula assumes an average level of client activity based on IBM Domino mail benchmarks for server-based mail files. Your actual network capacity requirements will depend on the client usage patterns in your environment.

29 Planning directory services
Before preparing your environment, answer questions described in this topic to help you make decisions about directory services.
About this task
Table 6. Directory services questions
Question: How many directory synchronization servers will you use?
Considerations: Directory synchronization servers are on-premise hub servers that handle replication of Domino directories between your on-premises environment and the service. You can configure one or two directory synchronization servers. Using two to provide failover is recommended. For pilot deployments, one directory synchronization server might suffice.
Question: Which servers will be directory synchronization servers?
Considerations: Use existing Domino servers or install and set up new servers. If a directory synchronization server is also the administration server for the on-premises hub domain, see the next row in this table for version requirements. Otherwise, a directory synchronization server can run any Domino version. Directory synchronization servers must comply with certifier requirements for the service. For more information, see Planning security on page 17.
Question: Do you need to upgrade the administration server for the on-premises hub domain?
Considerations: The on-premises hub domain administration server must run Domino Fix Pack 2 or a later version, with the corresponding Domino Directory template. The administration server is the server that handles administration process requests for the domain Domino Directory.
Question: Do you have directory servers in your environment that access directories through the Lightweight Directory Access Protocol (LDAP)?
Considerations: These directories can be used in the service only if they are a Domino directory or an extended directory catalog that is replicated to the service.
Question: Which directories will you replicate to the service?
Considerations: If a Domino directory contains service users, you must replicate the full directory to the service. If a Domino directory contains only on-premises users but no service users, replicate the directory contents to the service if you want service users to address mail or schedule meetings with the on-premises users. In this case, you can replicate the full Domino directory to the service or you can aggregate the directory contents into an extended directory catalog and replicate the directory catalog to the service.

30 Table 6. Directory services questions (continued)
Question: Do you want service users to be able to select the names of users and devices in internal foreign domains from the corporate directory?
Considerations: To enable service users to select the names of users and devices associated with an internal foreign domain that is not a Domino domain, add Person documents for the users and devices to a directory that is replicated to the service. In the Mail system field of the Person document, select Other Internet Mail to ensure that mail addressed to the names is routed to the on-premises hub domain. If you do not create Person documents for users and devices in foreign domains, service users can still send mail to the users and devices if they know their addresses.
Question: If you replicate multiple directories to the service, are there policies with the same name in two or more directories?
Considerations: A policy name must be unique across all directories that are replicated to the service.
Question: If you replicate multiple directories to the service, are there groups with the same name in two or more directories?
Considerations: It is a good practice to make group names unique across directories that replicate to the service.
Question: Do you use the directory ACL feature Extended Access?
Considerations: The Extended Access feature is not supported for directories that are replicated to the service.
Related tasks:
Preparing for directory synchronization on page 45
Set up at least one Domino server in the on-premises hub domain to be a directory synchronization server. Then prepare to replicate directories to the service.
Requirements for synchronized directories
Understand the requirements and limitations for directories that are synchronized with the service.
General
Note the following general requirements for synchronized directories:
- Each directory synchronization server must have a replica, not a copy, of each Domino directory to be synchronized.
- You must schedule regular replication of each synchronized directory between the directory synchronization servers and other servers in your environment.
- Each synchronized directory database must inherit its design from the master template StdR4PublicAddressBook. This master template is the standard directory template used with any supported version of Domino. To determine whether a directory inherits from this template, click File > Application > Properties, click the fourth tab, and verify that StdR4PublicAddressBook is shown in the Template name field in the Inheritance section of the property page.
- If you use two directory synchronization servers, each replica of a synchronized directory must have the same file path and file name on each server.
- You must synchronize any Domino directory that contains Person documents of users to be provisioned for the service. The Access Control List (ACL) of the

31 directory must have the following entries. The Domain Configuration tool adds these entries and you must not modify them.
ACL entry: Name: Explicit name of the on-premises directory synchronization server and any backup directory synchronization server; for example, Dirhub1/Renovations, Dirhub2/Renovations. Access: Manager. User type: Server. Privileges: Delete documents.
Additional information: This entry allows directory changes to replicate to the service.
ACL entry: Name: LLNServers. Access: Editor. User type: Server group. Roles: UserModifier, GroupCreator, GroupModifier.
Additional information: This entry allows the service to make some limited changes to the on-premises directory. The UserModifier role allows the service to update the Mail file and Mail server fields in the Person documents of service users. The GroupCreator and GroupModifier roles allow the service to create and modify specific groups in the directory that are required for communication with the service. The service only modifies groups that it creates, never groups that you create.
ACL entry: Name: SaaSLocalDomainServers. Access: Manager. User type: Server group. Privileges: Delete documents.
Additional information: SaaSLocalDomainServers is a group used within the service for replication of the directory between servers in the service. It has a similar function to the LocalDomainServers group used in on-premises Domino environments. Do not create a group of this name in your directory.
- A directory that you synchronize must be a Domino directory replica on a directory synchronization server. A directory synchronization server cannot use directory assistance to access a synchronized directory on another server.
- A synchronized directory's primary Notes mail domain must be specified in the Domain defined by this Domino Directory field in the Directory Profile. The Directory Profile is found by opening the directory and clicking Actions > Edit Directory Profile.
- The Access Control List (ACL) setting Enable Extended Access is not supported for use with synchronized directories. This setting, which is found by clicking Advanced in the Access Control List box, must be disabled if it is not currently disabled.
- Do not delete any directory that is configured for synchronization from the on-premises directory synchronization servers.
Person documents
Note the following requirements and recommendations for Person documents in a synchronized directory:
- Do not change the names of service users in Person documents by manually editing the documents. Instead always initiate name changes through the

32 Domino Administrator client. When the Domino Administrator client is used, the Administration Process can then make the changes throughout your environment including replicating the change to your on-premises directory synchronization servers.
- A SmartCloud Notes user does not require a first name if provisioned through the SmartCloud Notes Administration interface. If a user is registered on-premises with a last name only, that one name will be correctly displayed in the SmartCloud Notes directory and in the mail file after user provisioning. In the Connections Cloud account settings and user accounts however, the last name is also used as the first name. For example, if you register a user with the last name HelpDesk, when you log on to the service as an administrator and click User Accounts, the user's name is HelpDesk HelpDesk.
  Note: A user requires both a first name and last name if provisioned through the Connections Cloud integration server.
- The first two values in the FullName field (labeled User name) can only be a standard Notes hierarchical or flat name. For example, Samantha Daryn and Samantha Daryn/Renovations are allowed but not sdaryn@renovations.com.
- The Internet address field in the Person documents of service users must contain a full valid Internet address for a domain that has been verified by the service. An example of an Internet address is sdaryn@renovations.com.
- The Short name/UserID field can also contain a valid Internet address for a domain that has been verified by the service. You cannot specify an Internet address in this field during user registration. You can add an Internet address to this field after user registration is complete. If you do, add it as a secondary entry in the Short name/UserID field; do not add the Internet address as the first entry in this field.
- You can add Person documents for external users at another company to a synchronized Domino directory. Then service users within your company can use type-ahead and other addressing features to address mail to the external users. You can add Person documents for these external users in any way that you want. However, service users within your company must always have Person documents created through the normal Domino Administrator client user registration.
- Set the field Format preference for incoming mail to Keep in sender's format for best performance and message fidelity.
Group documents
Note the following information about groups:
- Do not use the following names for groups that you create. These names are reserved for the service.
  - LLNServers
  - LLNMailHubs
  - Names that begin with Certifiers_ or SAAS
- Do not delete or edit the following groups. These are created and maintained by the service.
  - LLNServers
  - LLNMailHubs

33 Multiple directories
If you synchronize multiple directories, they are combined into a single directory on servers in the service. As a result, keep in mind the following requirements and recommendations:
- Each policy name must be unique across directories. If two policies have the same name, the service uses one only, which can cause unexpected, incorrect results.
- It is a good practice to make group names unique across synchronized directories.
  - Unique group names are important for security if groups are used in the ACLs of mail files being transferred to the service. If a name that matches two customer-created groups is used in a mail file ACL, the ACL determines access for members of both groups.
  - If there are mail groups that have the same name, users must choose which one to use each time they send mail to the group name. Using unique group names avoids this step.
- If you use Resource Reservations as part of calendar scheduling, it is best, but not required, to make site names unique across Domino domains. If two sites have the same name, the service lists resources from both sites under one site name. This situation can lead users to reserve resources at the wrong site. See Technote for instructions on making site names unique.
Extended Directory Catalog
Using an extended directory catalog (EDC) in the service in which multiple directories are aggregated is optional. Note the following important points about EDC use:
- The content of the following directory fields must be aggregated into the directory catalog: FirstName, MiddleInitial, LastName, Location, MailAddress, Shortname, MailDomain, InternetAddress, MessageStorage, Members, AltFullName, AltFullNameLanguage, GroupType
- To support resource reservations, Mail-in Database documents and the following fields must also be aggregated: ResourceFlag, ResourceType, ResourceCapacity
- Aggregate all the directories to be used by the service in the EDC, including the directories in which service users are registered.
- Only Person, Group, and Mail-in Database documents in an EDC replicate to the service. To replicate Policy, Policy Settings, Certifier, Cross-certificate, or Domain

34 documents to the serice, the documents must be in a full Domino directory that is synchronized with the serice and used for proisioning. The serice has read-only access to an EDC and does not change the on-premises EDC replica during directory synchronization. Any users to be proisioned for the serice must therefore hae Person documents in an indiidual Domino directory that the serice can update. The primary Domino directory of your directory synchronization serers cannot be configured as an EDC. If the primary directory is currently configured this way, you must remoe the EDC configuration from it before configuring your enironment to connect to the serice. To do so, open the directory, go to the Configuration > Directory > Extended Directory Catalog iew, and delete all the documents from the iew. Then build the EDC in a separate database. Related tasks: Downloading and running the Domain Configuration tool on page 94 The Domain Configuration tool configures your on-premises serers to connect to your hosted IBM SmartCloud Notes serers. The serer configuration information that you proide in the Account Settings of SmartCloud Notes Administration is the data that is used to configure the connections. Related information: Technote How directory synchronization works A serer in the serice connects regularly to an on-premises directory synchronization serer to replicate on-premises directories. To proide failoer, you can set up two directory synchronization serers in the on-premises hub domain. When you configure the serice, you configure one as the primary directory serer and the other as the optional secondary directory serer. After the serice replicates successfully with the primary directory serer, it continues to use that serer as long as it is aailable. If the serer becomes unaailable, the serice attempts to replicate with the optional secondary directory serer. When the primary directory serer becomes aailable, the serice switches back to it. 
The frequency of replication varies, depending on server load. The service always initiates the replication.

When you configure directory synchronization in IBM SmartCloud Notes Administration, you specify whether a directory is used for provisioning. A directory that is used for provisioning is a full Domino directory in which service users are registered on-premises. When the service replicates a directory that is designated as used for provisioning, it pulls on-premises information from a specific set of documents. The service can also push information to the on-premises directory. For example, it pushes the service users' mail server and mail file names to the on-premises Person documents.

You can select the option Do not use this Domino Directory for user provisioning when you configure a directory in SmartCloud Notes Administration. In this case, the service pulls the contents of Person, Group, and Mail-in Database documents from the on-premises directory, but never pushes changes to the directory. An Extended Directory Catalog is an example of a directory that is not used for provisioning.

The following tables provide additional information about documents replicated in directories that are used for provisioning.

Table 7. Documents pulled from on-premises directories that are used for provisioning

Document: Person
Comments: Person documents for both on-premises users and users in the service are pulled. The service does not pull the contents of the Mail server and Mail file fields in the Person documents of users in the service because the service controls the content of these fields.
Note: All users in the service must have an address specified in the Internet address field in their Person documents, for example, A user cannot be provisioned for the service without an Internet address.

Document: Group
Comments: On-premises administrators manage all groups on-premises except the server groups created by the service operations within the service. See the following table for more information about server groups created by the service.

Document: Mail-in database

Document: Policies and Policy Settings
Comments: Some settings are controlled by the service. For information, see the topic Using administrative policies and Policy settings supported in a hybrid environment.

Document: Certifier

Document: Cross Certificate

Document: ECL

Document: Domain

Document: Vault Trust Certificate

Document: Account

Table 8. Documents pushed to on-premises directories used for provisioning

Document: Person
Comments: Only the content of the Mail server and Mail file fields in the Person documents of users in the service are pushed on-premises.

Document: LLNServers group
Comments: This group contains the names of the mail and directory servers in the service.

Document: LLNMailHubs group
Comments: This group contains the names of mail hub servers in the service that route mail to user mail servers in the service and to the primary mail hub servers on-premises.

Document: CustomerMailHubs group
Comments: This group contains the names of the primary mail hub servers on-premises. If you change a mail hub server, do not edit this group. Instead, change the server through the Account Settings > Mail Routing Server administration page. Then download and run the Domain Configuration Tool to update your on-premises configuration.

Document: Vault
Comments: This is the document for the ID vault on the ID vault server in the service. The ID vault is used for ID backup and recovery.

The initial directory synchronization also creates Connection documents in the directory of your primary mail hub servers to enable the servers to route mail to mail servers in the service. The Connection documents are not replicated to the service.

How the service resolves duplicate Person documents

The service can encounter duplicate Person documents within or across synchronized directories. In this case, the service picks one to be the authoritative version.

To determine whether two Person documents are duplicates, the service first compares their unique identifier (UNID) values. If their UNID values are the same, the service treats the documents as duplicates. If their UNID values are not the same but the distinguished name values are the same, the service also treats the documents as duplicates.

When duplicate Person documents are found, the service chooses one to be the authoritative document to use in the service.

- If a duplicate Person document occurs between an extended directory catalog (EDC) and a Domino directory, the service uses the document in the Domino directory. If the EDC document replicates to the service first, it is the temporary authoritative version. The Domino directory document becomes the authoritative version when it replicates to the service.
- If a duplicate Person document occurs within or across Domino directories, the service chooses the Person document with a Domain field value that matches the domain in the Directory Profile of its directory. If the Domain field in each document matches its Directory Profile domain, the service uses the first Person document that it encounters.

Note: If you aggregate Person documents that contain identical distinguished names into an EDC, the service uses only the first one it encounters. Therefore each Person document in an EDC that represents a distinct user should have a unique distinguished name. Select Yes for the Remove duplicate users setting to prevent the aggregation of duplicate user names into an EDC. For more information, see the topic in the Domino documentation about removing duplicate user entries from a directory catalog.
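The duplicate-resolution rules in this topic can be rehearsed against a directory export before synchronization, so that you know which Person document will be authoritative. The following Python sketch is an added example, not IBM code: the record layout, the sample documents, the case-insensitive comparison, and the fallback to the first document encountered when no Domain field matches are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Directory:
    name: str
    profile_domain: str       # domain in the Directory Profile
    is_edc: bool = False      # True for an extended directory catalog


@dataclass(frozen=True)
class PersonDoc:
    unid: str                 # unique identifier (UNID)
    dn: str                   # distinguished name
    domain: str               # Domain field of the Person document
    directory: str            # key into the directories mapping
    seq: int                  # order in which the document was encountered


def group_duplicates(docs):
    """Group documents that share a UNID or a distinguished name."""
    parent = list(range(len(docs)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for i, doc in enumerate(docs):
        # Assumption: UNIDs and distinguished names compare case-insensitively.
        for key in (("unid", doc.unid.casefold()), ("dn", doc.dn.casefold())):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, doc in enumerate(docs):
        groups[find(i)].append(doc)
    return list(groups.values())


def pick_authoritative(group, directories):
    """Apply the documented preference order to one group of duplicates."""
    by_seq = sorted(group, key=lambda d: d.seq)
    domino = [d for d in by_seq if not directories[d.directory].is_edc]
    if not domino:
        return by_seq[0]      # EDC copies only: first one encountered
    matching = [
        d for d in domino
        if d.domain.casefold() == directories[d.directory].profile_domain.casefold()
    ]
    # Assumption: if no Domain field matches, fall back to first encountered.
    return (matching or domino)[0]


def resolve(docs, directories):
    """Return (authoritative document, shadowed duplicates) for each user."""
    result = []
    for group in group_duplicates(docs):
        winner = pick_authoritative(group, directories)
        result.append((winner, [d for d in group if d is not winner]))
    return result


# Constructed sample data, not taken from a real directory.
DIRS = {
    "names.nsf": Directory("names.nsf", "Renovations"),
    "acme.nsf": Directory("acme.nsf", "Acme"),
    "edc.nsf": Directory("edc.nsf", "Renovations", is_edc=True),
}
DOCS = [
    PersonDoc("A1", "CN=Ann Lee/O=Renovations", "Renovations", "edc.nsf", 1),
    PersonDoc("B2", "CN=Ann Lee/O=Renovations", "Renovations", "names.nsf", 2),
    PersonDoc("C3", "CN=Raj Rao/O=Renovations", "Renovations", "acme.nsf", 3),
    PersonDoc("C3", "CN=Raj Rao/OU=East/O=Renovations", "Renovations", "names.nsf", 4),
    PersonDoc("D4", "CN=Eve Kim/O=Renovations", "Renovations", "names.nsf", 5),
]

if __name__ == "__main__":
    for winner, shadowed in resolve(DOCS, DIRS):
        print(winner.dn, "from", winner.directory,
              "shadows", [d.directory for d in shadowed])
```

Calling resolve on only the documents seen so far shows the temporary authoritative version: with just the EDC copy of Ann Lee replicated, that copy wins until the Domino directory copy arrives.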

Related information:
Domino documentation

Planning mail routing and mail settings

Answer the questions in this topic to help you make decisions about mail routing and mail settings.

About this task

Table 9. Mail routing and mail settings questions

Question: Which servers will function as your mail hub servers in the on-premises hub domain?
Considerations:
Mail hub servers in the on-premises hub domain handle the routing of all mail that service users send to on-premises users and devices. The servers must have sufficient hardware and network resources to handle this mail routing load.
If service users send mail to on-premises users who are registered in a different domain than the on-premises hub domain, the mail hub servers in the on-premises hub domain must be able to route mail to the other domains.
You can use one or two mail hub servers. Use two for high availability. For pilot deployments, one mail hub server might suffice.
Mail hub servers in the on-premises hub domain must be certified under the same parent organization certifier as your directory synchronization servers, passthru servers, and user mail servers in the service.
Public key checking must be disabled on the mail hub servers in the on-premises hub domain.
For more information, see the topic
For more information, see Setting up mail hub servers in the on-premises hub domain on page 52.

Question: Do you need to upgrade any mail servers?
Considerations:
Mail hub servers in each Domino domain in which service users are registered handle routing mail from your on-premises environment to the service users in the domain. Each on-premises server that routes mail to the service must run Domino Fix Pack 2 or a later version.

Question: What Internet domains do you want to define in the service?
Considerations:
You use at least one Global Domain document to define the Internet domains that your company owns and that you want to use in the service. Global Domain documents replicate to the service during directory synchronization. The service uses Global Domain documents only to determine the domains that a company owns.
As part of service configuration, you will verify ownership of the domains specified in Global Domain documents. Verification involves creating a CNAME record in your domain DNS record. If you don't have access to the DNS record, you will need to allow time for your Internet Service Provider (ISP) to create the required CNAME record for you.
You can route mail between service users and on-premises users or devices in foreign domains not associated with Domino mail servers. To define a foreign domain, you must create a Global Domain document in a new Domino directory that is not the primary Domino Directory of a Domino domain.
For more information, see the topics Preparing Global Domain documents on page 49 and Verifying Internet domains on page 97.
Note: The service does not support using Foreign Domain documents to route mail to external Internet domains through the service.

Question: Do you use Internet domain aliases in Global Domain documents?
Considerations:
Domains specified in the Global Domain document field Alternate Internet domain aliases are not handled as alias domains by the service. Instead, each domain in this field is listed and verified in the service as a separate domain, similar to the domain specified in the Local primary Internet domain field. To enable a user to receive mail addressed to a domain in the Alternate Internet domain aliases field, you must specify the user's address for the domain in the Person document.
For more information, see Adding multiple Internet addresses to Person documents.

Question: When service users send mail to external users on the Internet, do you want to use an on-premises SMTP server to route the mail?
Considerations:
By default, the service routes mail that service users address to external users. You can use a company-controlled SMTP server to route the mail, instead. When you use your own server, you can perform actions such as filtering and auditing before routing the mail.
For more information, see the topic Preparing to use a company SMTP server to route outbound Internet mail on page 54.
You are responsible for routing inbound SMTP mail that is addressed to service users. The mail must be routed to a mail hub server in the Domino domain in which the service user is registered.

Question: Do you want to use any of the optional mail settings the service provides?
Considerations:
You can limit the size of incoming messages, prevent auto-forwarding of external messages, customize the display of IBM Notes document links in web client mail, configure mail retention in the trash folder, and control the deletion of older .
For more information, see Configuring mail settings on page 154.

Related concepts:
Certifier requirements in a hybrid environment on page 37
It is important to understand the following certifier requirements when planning a hybrid environment.
Version requirements for on-premises Domino servers on page 38
This topic describes the IBM Domino version requirements for on-premises Domino servers.

Related tasks:
Preparing for mail routing on page 52
To prepare for mail routing between the service and your on-premises environment, first set up at least one mail hub server in your on-premises hub domain. Then prepare to route mail from service users and to service users.

Related information:
Domino documentation

Planning calendars and scheduling

Answer the questions in this topic to help you understand and plan for the use of calendars and scheduling in the service.

About this task

Table 10. Calendars and scheduling questions

Question: Do you want on-premises users to look up the free-time of service users?
Considerations:
When an on-premises user requests the free-time of a service user, the request is sent to the service user's mail server. The following on-premises configuration is required:
- The on-premises user's mail server must run the Calendar Connector (CalConn) server task.
- An on-premises server in the service user's domain must send the request to the service. This server must be Domino Fix Pack 2 or a later version and must run the CalConn server task.
- If the on-premises user making the request is in a different Domino domain than the service user, the Calendar server in the on-premises user's domain must be able to send the request to the Calendar server in the service user's domain. The Calendar server in the service user's domain then sends the free-time request to the service user's mail server.
- If the service user is not in the on-premises hub domain, you must create a Connection document that enables servers in the domain to connect to the service to send the free-time request. This same Connection document is also required to connect to the service to route mail. This step is unnecessary for the on-premises hub domain because the Domain Configuration tool creates the required Connection document.

Question: Do you want service users to look up the free-time of on-premises users?
Considerations:
When a service user requests the free-time of an on-premises user, the service user's mail server sends the request to a mail hub server in the on-premises hub domain. The following on-premises configuration is required to process the request:
- The CustomerMailHubs group, which includes the names of the on-premises mail hub servers, must replicate to the service. This step provides the service user's mail server with the information necessary to connect to the mail hub servers. The Domain Configuration tool creates the group in the primary directory of the on-premises hub domain. If you do not synchronize this directory, you must copy the group to a directory that you do synchronize.
- If the on-premises user's domain is not the on-premises hub domain, a Calendar server in the hub domain must be able to connect to the Calendar server in the on-premises user's domain to forward the request.
- If the on-premises user information is available in the on-premises hub domain only through an extended directory catalog, the mail hub servers in the on-premises hub domain must use directory assistance to look up names in the directory catalog.

Question: Do you want service users to reserve rooms and resources when scheduling meetings?
Considerations:
A service user can schedule rooms and resources in on-premises Resource Reservations databases. The following on-premises configuration is required to process the request:
- You must synchronize the directory of the domain in which a Resource Reservations database is located. Synchronization replicates the Mail-in database documents that are required to route the reservations on-premises.
- When a service user reserves a room or resource, the reservation is mailed to a mail hub server in the on-premises hub domain. If the Resource Reservations database that contains the room or resource is in another domain, you must configure mail routing to the other domain. This requirement is similar to the requirement for routing mail to an on-premises user in another domain.
- To enable a service user to look up the free-time of a room or resource, the service user's mail server must be able to connect to a mail hub server in the on-premises hub domain. An on-premises server must be able to look up the free-time in the Resource Reservations database and return it to the service. These requirements are similar to the requirements to look up free-time of on-premises users.
- You can replicate the directory of the domain that contains a Resource Reservation database to the service through a directory catalog. In this case, specific fields required for resource reservations must be aggregated in the catalog.
- Avoid the use of duplicate site names that are used for rooms and resources. If two sites have the same name, the service lists resources from both sites under one site name. This situation can lead users to reserve resources at the wrong site.
Related concepts:
Example: Free-time requests between users in the on-premises hub domain on page 75
This example illustrates how free-time requests occur between a service user and an on-premises user who are both registered in the on-premises hub domain.
Example: Free-time requests between users in different domains on page 78
This example illustrates how free-time requests occur between an on-premises user in a secondary domain and a service user in the on-premises hub domain.

Related tasks:

Preparing for calendars and scheduling on page 73
You can prepare for on-premises users and service users to look up each other's free time when scheduling meetings. You can also prepare for service users to reserve resources in on-premises Resource Reservations databases.

Planning free-time requests in a hybrid environment

When an on-premises user requests the free time of a service user, the on-premises user's mail server makes a free-time request to the service user's mail server. When a service user requests free time for an on-premises user, the service user's mail server makes a free-time request to an on-premises primary mail hub server.

Steps that occur when a service user looks up free time for an on-premises user

The following steps occur when a service user looks up free time for an on-premises user whose mail server is in the same domain as a primary mail hub server:
1. The service user's client sends a free-time request to the service user's mail server.
2. The service user's mail server sends the free-time request to a primary mail hub server on premises.
3. The primary mail hub server sends the free-time request to the on-premises user's mail server.
4. The on-premises user's mail server looks up the on-premises user's free time in its Free Time database.
5. The on-premises user's mail server returns the free time to the service user's mail server.
6. The service user's mail server returns the free time to the service user's client.

The following steps occur when a service user looks up free time for an on-premises user whose mail server is in a different Domino domain than a primary mail hub server:
1. The service user's client sends a free-time request to the service user's mail server.
2. The service user's mail server sends the free-time request to a primary mail hub server on premises.
3. The primary mail hub server sends the free-time request to the Calendar server for the Domino domain of the on-premises user.
4. The Calendar server looks up the on-premises user's free time in its Free Time database.
5. The Calendar server returns the user's free time to the primary mail hub server.
6. The primary mail hub server returns the free time to the service user's mail server.
7. The service user's mail server returns the free time to the service user's client.

Related concepts:
Version requirements for on-premises Domino servers on page 38
This topic describes the IBM Domino version requirements for on-premises Domino servers.
Example: Free-time requests between users in the on-premises hub domain on page 75
This example illustrates how free-time requests occur between a service user and an on-premises user who are both registered in the on-premises hub domain.
Example: Free-time requests between users in different domains on page 78
This example illustrates how free-time requests occur between an on-premises user in a secondary domain and a service user in the on-premises hub domain.

Related tasks:
Preparing for calendars and scheduling on page 73
You can prepare for on-premises users and service users to look up each other's free time when scheduling meetings. You can also prepare for service users to reserve resources in on-premises Resource Reservations databases.

Resource reservations in a hybrid environment

Room and resource Mail-in Database documents replicated to the service allow service users to reserve rooms and resources in an on-premises Resource Reservations database.

Note: Each site in all the room and resource databases across all domains should have a unique name. If multiple sites have the same name, their resources are listed together under that name and users may inadvertently reserve a resource at an unintended site. For information on making site names unique, see Technote

The following steps occur when a service user reserves a room or resource:
1. To display sites, and the rooms and resources in each site, the service user's mail server looks up room and resource Mail-in Database documents in its directory. The Mail-in Database documents have replicated from the on-premises Domino directory during directory synchronization.
2. To display the free time for the rooms and resources, the client submits a free time request for the period of the meeting to the service mail server.
3. The service mail server sends the free time request to a primary mail hub server on-premises.
4. The primary mail hub server looks up the available free time for the room or resource in its Resource Reservations database, or if the database is not local, routes the lookup to another server.
5. The available times are returned to the service mail server, which returns them to the client.
6. When the user reserves a room or resource, the service mail server mails the reservation to the corresponding on-premises Mail-in Database document, which creates the reservation in the on-premises Resource Reservations database.

Related concepts:
Version requirements for on-premises Domino servers on page 38
This topic describes the IBM Domino version requirements for on-premises Domino servers.
Service user requesting the free time of a resource on page 297
This picture illustrates a service user requesting the free time of a resource at Renovations.
Service user reserving a resource on page 299
This picture illustrates a service user reserving a resource.

Related tasks:
Preparing for calendars and scheduling on page 73
You can prepare for on-premises users and service users to look up each other's free time when scheduling meetings. You can also prepare for service users to reserve resources in on-premises Resource Reservations databases.

Certifier requirements in a hybrid environment

It is important to understand the following certifier requirements when planning a hybrid environment.

- The OU certifier you provide for your service mail servers must be under the same organization certifier as the passthru servers, directory synchronization servers, and primary mail hub servers. It can be at any level below the organization certifier.
- This OU certifier must be unique and used only for the service mail servers; the OU certifier cannot be used on-premises.
- It is important that you choose and create your service mail server OU certifier carefully. After you upload the OU certifier ID to the service, you cannot change to an ID with a different certifier name.
- The certifier used for service users must trust the service mail server OU certifier, and vice versa. If any users are certified under a different organization than the OU certifier, you must create the required cross-certificates to establish trust. The cross-certificates must be replicated to the directory synchronization servers.
- The names of organization certifiers must be unique to a company; two companies in the service cannot use the same organization certifier name because of the multi-tenant messaging architecture of a cloud environment. The use of generic organization certifier names is discouraged.
- The names of the on-premises passthru servers, directory synchronization servers, and primary mail hub servers must all be under one organization certifier. Cross-certificates cannot be used to establish trust between these servers. It is acceptable to name these servers under organizational units (OUs) below the organization certifier.
- Though the passthru servers must be under the same organization certifier as the directory synchronization and primary mail hub servers, they should be in a separate Domino domain from those servers.
You may be accustomed to using the same name for a Domino domain and an organization certifier, but there is no relationship between the two names. So it is acceptable to certify the passthru servers under your main corporate certifier (often the name of your company) but name the domain of the passthru servers something else.

For example, the company Renovations initially has one, top-level organization certifier, /Renovations. They create the on-premises passthru servers, directory synchronization servers, and mail hub servers under this certifier, for example: Passthru/Renovations, Dirhub/Renovations, Mailhub/Renovations. The passthru servers are in a unique Domino domain. They also create the OU certifier /SCN/Renovations to use as their service mail server certifier. This OU certifier is under the same organization certifier as the passthru, directory synchronization, and mailhub servers, as required. The company then purchases a second company that uses a different top-level organization certifier, /Acme. They create cross-certificates to establish trust between the two certifiers.

For more information on certifiers and cross-certificates, see the Domino documentation.

Related information:

Domino documentation

Version requirements for on-premises Domino servers

This topic describes the IBM Domino version requirements for on-premises Domino servers.

Table 11. Version requirements for on-premises Domino servers

On-premises server type: Mail routing servers that connect directly to service mail servers for mail routing.
Supported versions:
- IBM Domino Fix Pack 2 or later fix pack
- IBM Domino or later
- IBM Domino 9 Social Edition

On-premises server type: Administration server (used by the Administration Process) for the Domino directory of the on-premises hub domain.
Supported versions:
- IBM Domino Fix Pack 2 or later fix pack
- IBM Domino or later
- IBM Domino 9 Social Edition
Note: The Domino directory template must be at least the version provided with IBM Domino Fix Pack 2.

On-premises server type: Directory synchronization servers (if not the administration server)
Supported versions: Any version of Domino supported by IBM.

On-premises server type: Mail servers that request the free time of service users
Supported versions:
- IBM Domino Fix Pack 2 or later fix pack
- IBM Domino or later
- IBM Domino 9 Social Edition

On-premises server type: Passthru domain servers
Supported versions: Any version of Domino supported by IBM. Use IBM Domino or later for fastest response time for connections from servers in the service to on-premises servers.

Related tasks:
Preparing passthru servers on page 40
Install and set up at least one Domino server to be used as a passthru server through which the service connects to servers in your on-premises hub domain.
Setting up directory synchronization servers on page 45
In the on-premises hub domain, set up at least one Domino server to be a hub server for directory synchronization with the service.
Preparing for mail routing on page 52
To prepare for mail routing between the service and your on-premises environment, first set up at least one mail hub server in your on-premises hub domain. Then prepare to route mail from service users and to service users.

Chapter 3. Preparing your environment

Perform the steps in this section to prepare your on-premises servers for a hybrid environment. Perform these steps after you have planned for the service and before you configure the service.

Related tasks:
Chapter 2, Planning to deploy the service, on page 17
To plan for the IBM SmartCloud Notes service, understand the features it offers, the deployment options that are available, and the planning considerations.

Creating a certifier for your mail servers

Create an IBM Domino organizational unit (OU) certifier to use for certification of your IBM SmartCloud Notes mail servers.

Create an OU certifier that is unique in your company. For example, if you use the organization certifier /Renovations, you could create the OU certifier /SCN/Renovations. Then your mail servers have names such as Mail1/SCN/Renovations and Mail2/SCN/Renovations. The certifier name is part of the mail server names that IBM Notes client users see, so keep it short for better readability.

Before you begin

To ensure that the certifier you create complies with the general certifier requirements in a hybrid environment, read the topic Certifier requirements in a hybrid environment.

Procedure

1. Create an OU certifier. For information, see the topic about creating an organizational unit certifier in the Domino documentation.
2. The certifiers of your service users must trust the Organization certifier of the OU certifier you create, and vice versa. If some service users are certified under a different Organization certifier, create each necessary cross certificate on the directory synchronization server to establish trust. The cross-certificates replicate to the service during directory synchronization. For information, see the topic about creating a cross-certificate from a Notes certifier in the Domino documentation.
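Because the OU certifier name cannot be changed after the certifier ID is uploaded, it is worth checking a naming plan against the certifier requirements in a hybrid environment before you run this procedure. The following Python sketch is an added example, not IBM code: the plan layout, role labels, finding codes and the RenoPassthru domain name are hypothetical, and names are assumed to be abbreviated hierarchical names with the organization as the last component.

```python
ON_PREM_ROLES = {"passthru", "dirsync", "mailhub"}


def components(name):
    """Split an abbreviated hierarchical name; the organization is last."""
    return [part.strip().casefold() for part in name.split("/") if part.strip()]


def organization(name):
    return components(name)[-1]


def is_under(name, certifier):
    """True if `name` is certified by `certifier` or by an OU below it."""
    n, c = components(name), components(certifier)
    return len(n) > len(c) and n[-len(c):] == c


def check_plan(plan):
    """Return (code, detail) findings for a certifier and naming plan."""
    findings = []
    ou = plan["service_ou_certifier"]
    # Each server is (hierarchical name, role, Domino domain).
    on_prem = [s for s in plan["servers"] if s[1] in ON_PREM_ROLES]

    # Passthru, directory synchronization and mail hub servers must share
    # the organization certifier that the service OU certifier sits under.
    for name, _, _ in on_prem:
        if organization(name) != organization(ou):
            findings.append(("DIFFERENT_ORG_CERTIFIER", name))

    # The service OU certifier must not be used on-premises.
    for name, _, _ in on_prem:
        if is_under(name, ou):
            findings.append(("OU_USED_ON_PREM", name))

    # Passthru servers belong in a Domino domain separate from the hub.
    hub_domains = {d.casefold() for _, role, d in on_prem if role != "passthru"}
    for name, role, domain in on_prem:
        if role == "passthru" and domain.casefold() in hub_domains:
            findings.append(("PASSTHRU_IN_HUB_DOMAIN", name))

    # Users under another organization need cross-certificates.
    trusted = {o.casefold() for o in plan["cross_certified_orgs"]}
    for cert in plan["user_certifiers"]:
        org = organization(cert)
        if org != organization(ou) and org not in trusted:
            findings.append(("MISSING_CROSS_CERT", cert))
    return findings


# The Renovations example from the certifier requirements topic; the Domino
# domain names are constructed for illustration.
GOOD_PLAN = {
    "service_ou_certifier": "/SCN/Renovations",
    "servers": [
        ("Passthru/Renovations", "passthru", "RenoPassthru"),
        ("Dirhub/Renovations", "dirsync", "Renovations"),
        ("Mailhub/Renovations", "mailhub", "Renovations"),
    ],
    "user_certifiers": ["/Renovations", "/Acme"],
    "cross_certified_orgs": {"Acme"},
}

# A constructed plan that breaks each rule once.
BAD_PLAN = {
    "service_ou_certifier": "/SCN/Renovations",
    "servers": [
        ("Passthru/Renovations", "passthru", "Renovations"),
        ("Dirhub/Renovations", "dirsync", "Renovations"),
        ("Mailhub/SCN/Renovations", "mailhub", "Renovations"),
        ("Mailhub2/Acme", "mailhub", "Renovations"),
    ],
    "user_certifiers": ["/Renovations", "/Acme"],
    "cross_certified_orgs": set(),
}

if __name__ == "__main__":
    for code, detail in check_plan(BAD_PLAN):
        print(code, detail)
```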
Related tasks:
Providing a certifier ID file on page 92
As a part of preparing your on-premises environment for a hybrid deployment, you create an IBM Domino organizational unit (OU) certifier for your IBM SmartCloud Notes servers. In this task, you provide an OU certifier ID file and password when you set up the hybrid environment.

Related information:
Domino documentation

Copyright IBM Corp

Preparing your network

Prepare your network for connections between IBM SmartCloud Notes servers and on-premises servers. Configure inner and outer firewalls. Then set up a dedicated IBM Domino domain between the firewalls. The domain will function as a passthru server domain through which connections from SmartCloud Notes servers to your on-premises servers occur.

Preparing passthru servers

Install and set up at least one Domino server to be used as a passthru server through which the service connects to servers in your on-premises hub domain.

About this task

To provide failover, install and set up two servers. If the service is unable to connect to one server, it tries the other. After the service is successful in connecting to one server, it continues to use it as long as it remains available. If a server becomes unavailable, the service attempts to connect to the other server, and if successful, then continues to use that server as long as it is available. The service does not use Domino cluster failover.

Passthru servers handle the transfer of network packets and do not perform mail routing or replication. As such, they do not require significant disk space or processing speed.

For security reasons, do not set up passthru servers in the on-premises hub domain that holds your directory synchronization servers and mail hub servers. Instead, install and set up the servers in a new unique Domino domain. The servers can be in separate unique domains. For optimum security, configure your corporate firewalls so that connections to the passthru servers occur in your corporate demilitarized zone.

A passthru server must be certified under the same parent organization certifier as the following servers:
- Directory synchronization servers in the on-premises hub domain
- Mail hub servers in the on-premises hub domain
- Your mail servers in the service

For the fastest response time for connections from the service, install Domino or later servers.
To optimize passthru server performance, Domino provides the notes.ini setting passthru_connect_wait=1. This setting is useful for improving the response time when service users request the free time of on-premises users. The Domain Configuration tool enables this setting on the Domino passthru servers for you.

Public key checking should not be enforced on the passthru servers. Public key checking, which is controlled through the Compare public keys field in the Security tab of the Server document, is disabled on Domino servers by default.

Procedure

1. Install and set up at least one IBM Domino server. Set up the server as the first server in the domain. During server setup, select the option I want to use an existing certifier ID file. Then certify the new server under the same organization certifier that is used to certify the directory synchronization servers and the mail hub servers in the on-premises hub domain. A certifier name is independent of a Domino domain name. In this case, the certifier name and the domain name are likely to be different.

For more information on installing and setting up servers, see the Domino documentation.

2. If required, create LAN Connection documents that enable the passthru server to connect to the directory synchronization servers and mail hub servers in the on-premises hub domain. For more information, see the topic on creating LAN Connection documents in the Domino documentation.

What to do next

Test that each passthru server can resolve the host name of each directory synchronization server and mail hub server in the on-premises hub domain. If a passthru server cannot resolve a host name, verify that required Connection documents are in place. Also verify that your firewall rules allow the passthru server to access the servers.

Record the Domino hierarchical name, DNS host name (recommended) or IP address, and Domino domain name of each passthru server. You provide this information later when you configure the service.

Related concepts:

Certifier requirements in a hybrid environment on page 37
It is important to understand the following certifier requirements when planning a hybrid environment.

Related tasks:

Planning network connections on page 19
Before preparing your environment, answer questions described in this topic to help you make decisions related to network connectivity with the service.

Related information:

Domino documentation

Preparing the firewall

Configure the corporate firewall to allow connections to and from the service.

About this task

When configuring the firewall, specify the host names as described to minimize the risk of network attacks from the Internet. The risk of attack increases if you relax the host name rules.

Configuring the firewall for inbound connections

Configure the firewall to allow inbound connections from the service to servers in your on-premises environment.

About this task

Table 12. Firewall settings for inbound connections

| Protocol | Port | Source | Target |
|---|---|---|---|
| NRPC | 1352 | The IBM SmartCloud Notes addresses generated by the outer firewall of the service. Contact your IBM Customer Service Representative for this information. | Passthru server host names, for example: pthru1.renovations.com, pthru2.renovations.com |
| NRPC | 1352 | Passthru server host names, for example: pthru1.renovations.com, pthru2.renovations.com | Host names of the on-premises directory synchronization servers and mail hub servers, for example: dirhub.renovations.com, mailhub.renovations.com |
| SMTP | 25 | The IBM SmartCloud Notes addresses generated by the outer firewall of the service. Contact your IBM Customer Service Representative for this information. | Optional SMTP host that routes mail to the Internet. The host is specified in SmartCloud Notes Administration at Account Settings > Management > Manage Routing to External Internet Domains. |

Related tasks:

Preparing to use a company SMTP server to route outbound Internet mail on page 54
You can configure a company SMTP host server to route mail that service users send to external users.

Configuring the firewall for outbound connections

Configure the firewall to allow outbound connections to the service.

About this task

The following table describes the firewall settings required to allow connections from on-premises servers and clients to specific hosts in the service. You can substitute *.collabserv.com for the host names to represent all hosts in the service.

If your current firewall settings reference the original service domain name, lotuslive.com, retain those settings and add the settings described in the table.

In addition to allowing connections over HTTPS port 443, you can allow connections over HTTP 80. If you do, connections over HTTP are redirected to HTTPS.

Table 13. Firewall settings for outbound connections

| Protocol | Port | Host name | Applicable server or client |
|---|---|---|---|
| NRPC | 1352 | North American data center: notes.na.collabserv.com; Asia Pacific data center: notes.ap.collabserv.com; European data center: notes.ce.collabserv.com | Domino servers; IBM Notes clients |
| HTTPS | 443 | North American data center: notes.na.collabserv.com, mail.notes.na.collabserv.com; Asia Pacific data center: notes.ap.collabserv.com, mail.notes.ap.collabserv.com; European data center: notes.ce.collabserv.com, mail.notes.ce.collabserv.com | IBM SmartCloud Notes web |
| HTTPS | 443 | North American data center: admin.notes.na.collabserv.com; Asia Pacific data center: admin.notes.ap.collabserv.com; European data center: admin.notes.ce.collabserv.com | Web browser access to SmartCloud Notes Administration |
| HTTPS | 443 | North American data center: traveler.notes.na.collabserv.com, apps.na.collabserv.com; Asia Pacific data center: traveler.notes.ap.collabserv.com, apps.ap.collabserv.com; European data center: traveler.notes.ce.collabserv.com, apps.ce.collabserv.com | IBM Notes Traveler devices accessing the service via WiFi |
| IMAP | 993 | North American data center: imap.notes.na.collabserv.com; Asia Pacific data center: imap.notes.ap.collabserv.com; European data center: imap.notes.ce.collabserv.com | IMAP clients (receiving mail) |
| IMAP | 465 | North American data center: submit.notes.na.collabserv.com; Asia Pacific data center: submit.notes.ap.collabserv.com; European data center: submit.notes.ce.collabserv.com | IMAP clients (sending mail) |
| VP (Virtual Places - used for instant messaging) | 1533 | North American data center: im.na.collabserv.com; Asia Pacific data center: im.ap.collabserv.com; European data center: im.ce.collabserv.com | IBM Notes clients that connect to the instant messaging community in the service |
| VP (Virtual Places - used for instant messaging) | 1533 | North American data center: webchat.na.collabserv.com; Asia Pacific data center: webchat.ap.collabserv.com; European data center: webchat.ce.collabserv.com | IBM SmartCloud Notes web clients that connect to the instant messaging community in the service |
| SMTP | 25 | North American data center: smtp.notes.na.collabserv.com; Asia Pacific data center: smtp.notes.ap.collabserv.com; European data center: smtp.notes.ce.collabserv.com | SMTP servers that route Internet mail to service users |
| FTP | PASV (FTP) | North American data center: ftp.notes.na.collabserv.com; Asia Pacific data center: ftp.notes.ap.collabserv.com; European data center: ftp.notes.ce.collabserv.com | Temporary requirement for clients that transfer mail files to the service over FTP |
| FTP | PASV (FTP) | North American data center: ftp.na.collabserv.com; Asia Pacific data center: ftp.ap.collabserv.com; European data center: ftp.ce.collabserv.com | Hybrid environments only. Client that downloads journal files |

How NRPC connections are made in a hybrid environment

Connections from on-premises Notes clients and Domino servers to IBM SmartCloud Notes mail servers occur via a proxy server in the service. Connections from SmartCloud Notes servers to on-premises servers occur via a passthru server in the on-premises passthru server domain.

For information on on-premises server version requirements, see Version requirements for on-premises Domino servers.

How on-premises servers and clients connect to the service

All Notes Remote Procedure Call (NRPC) connection requests that on-premises clients and servers make to servers in the service occur over TCP/IP port 1352. The requests are made via a proxy server in the service, notes.na.collabserv.com or notes.ap.collabserv.com, depending on the data center your company uses. The proxy server authenticates the requesting on-premises users and servers and then "proxies" the connection requests to the target mail servers in the service. The proxy server authenticates using the organizational unit (OU) certifier that you have provided for certification of your mail servers.

When you run the Domain Configuration tool on-premises, the tool creates a Connection document in the Domino directory of the on-premises hub domain that enables connections to the proxy server.
The Connection document contains the following values for the Source and Destination fields:
- Source server: *
- Source domain: On-premises hub domain, for example, Renovations
- Destination server: mail servers in the service, for example, */SCN/Renovations.
- Optional network address: notes.na.collabserv.com or notes.ap.collabserv.com (proxy)
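The inbound pattern in Table 12, in which service addresses reach only the passthru servers over NRPC and only the passthru servers reach the hub servers, can be checked against an exported firewall rule set. The following Python check is an added example, not IBM code: the rule format, the 198.51.100.x service addresses and the smtpout.renovations.com host name are constructed assumptions, and entries are compared as exact strings.

```python
from dataclasses import dataclass
from itertools import product

NRPC, SMTP = 1352, 25

# Constructed sample values. The real service source addresses come from IBM;
# 198.51.100.0/24 is a documentation range and smtpout is a hypothetical host.
SERVICE_SOURCES = frozenset({"198.51.100.10", "198.51.100.11"})
PASSTHRU_HOSTS = frozenset({"pthru1.renovations.com", "pthru2.renovations.com"})
HUB_HOSTS = frozenset({"dirhub.renovations.com", "mailhub.renovations.com"})
SMTP_HOSTS = frozenset({"smtpout.renovations.com"})

# (port, allowed sources, allowed targets, required) following Table 12.
FLOWS = (
    (NRPC, SERVICE_SOURCES, PASSTHRU_HOSTS, True),
    (NRPC, PASSTHRU_HOSTS, HUB_HOSTS, True),
    (SMTP, SERVICE_SOURCES, SMTP_HOSTS, False),  # the SMTP host is optional
)


@dataclass(frozen=True)
class Rule:
    name: str
    port: int
    sources: tuple
    targets: tuple


def is_relaxed(entry):
    """True for an entry that matches more than one named host or address."""
    return entry.lower() in {"any", "0.0.0.0/0", "::/0"} or "*" in entry


def in_table(port, src, dst):
    """True if the single flow src -> dst:port is one that Table 12 lists."""
    return any(port == p and src in s and dst in t for p, s, t, _ in FLOWS)


def audit(rules):
    """Return sorted (code, rule name, detail) findings for an inbound rule set."""
    findings, covered = set(), set()
    for rule in rules:
        for src, dst in product(rule.sources, rule.targets):
            detail = f"{src} -> {dst}:{rule.port}"
            if is_relaxed(src) or is_relaxed(dst):
                findings.add(("RELAXED", rule.name, detail))
            elif rule.port == NRPC and src in SERVICE_SOURCES and dst in HUB_HOSTS:
                # The service must reach hub servers only through a passthru server.
                findings.add(("BYPASSES_PASSTHRU", rule.name, detail))
            elif not in_table(rule.port, src, dst):
                findings.add(("NOT_IN_TABLE", rule.name, detail))
            else:
                covered.add((rule.port, src, dst))
    # Every required flow must be allowed by some exact, non-relaxed rule.
    for port, sources, targets, required in FLOWS:
        if required:
            for src, dst in product(sorted(sources), sorted(targets)):
                if (port, src, dst) not in covered:
                    findings.add(("MISSING", "-", f"{src} -> {dst}:{port}"))
    return sorted(findings)


# Constructed rule sets: one that follows Table 12 and one that does not.
GOOD_RULES = (
    Rule("nrpc-in", NRPC, tuple(sorted(SERVICE_SOURCES)), tuple(sorted(PASSTHRU_HOSTS))),
    Rule("nrpc-dmz", NRPC, tuple(sorted(PASSTHRU_HOSTS)), tuple(sorted(HUB_HOSTS))),
    Rule("smtp-in", SMTP, tuple(sorted(SERVICE_SOURCES)), ("smtpout.renovations.com",)),
)
BAD_RULES = (
    Rule("nrpc-in", NRPC, ("any",), ("pthru1.renovations.com",)),
    Rule("nrpc-direct", NRPC, ("198.51.100.10",), ("mailhub.renovations.com",)),
    Rule("nrpc-dmz", NRPC, ("pthru1.renovations.com",),
         ("dirhub.renovations.com", "mailhub.renovations.com")),
)

if __name__ == "__main__":
    for code, rule_name, detail in audit(BAD_RULES):
        print(f"{code:18} {rule_name:12} {detail}")
```

A relaxed source such as "any" is reported and is also not counted as covering a required flow, so the same rule set shows both the relaxed entry and the exact rules that are still missing.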

How servers in the service connect to on-premises servers

All connection requests that servers in the service make to on-premises servers are handled by servers in the on-premises passthru server domain. The passthru server domain is a dedicated domain with its own Domino directory situated inside your corporate network demilitarized zone (DMZ). The passthru servers authenticate servers in the service and allow passthru connections only for those servers with IDs that are certified by the OU certifier you provide.

To optimize the speed of connections from the service to on-premises servers, running Domino or later on the server or servers in the passthru server domain is recommended. Domino provides the notes.ini setting passthru_connect_wait=1 to optimize passthru server performance. This setting is particularly useful for improving the response time of free-time requests from users in the service to on-premises users. The Domain Configuration tool enables this setting on the passthru servers for you.

When the Domain Configuration tool is run on-premises, the tool adds the following field values to the Server document of each passthru server in the passthru server domain Domino Directory. These values enable connections from authenticated mail servers in the service to pass through to directory synchronization servers and mail hub servers on-premises.
- Security - Passthru Use - Route through: mail servers in the service, for example, */SCN/Renovations.
- Security - Passthru Use - Destinations allowed: On-premises directory synchronization servers and primary mail hub servers, for example, Directory1/Renovations; Mail1/Renovations

The Domain Configuration tool also creates a Connection document in the Domino directory to each on-premises directory synchronization server and primary mail hub server, as follows:
- Source server: Passthru servers, for example, Passthru1/Renovations; Passthru2/Renovations
- Source domain: Passthru server domain, for example, SCNPassthru
- Destination server: Directory synchronization server or primary mail hub server, for example, Directory1/Renovations or Mail1/Renovations

All tasks and schedules are disabled in each Connection document.

Preparing for directory synchronization

Set up at least one Domino server in the on-premises hub domain to be a directory synchronization server. Then prepare to replicate directories to the service.

Before you begin

Before you prepare for directory synchronization, make the directory services decisions described in the topic Planning directory services on page 21.

Setting up directory synchronization servers

In the on-premises hub domain, set up at least one Domino server to be a hub server for directory synchronization with the service.

About this task

To provide failover, you can set up two directory synchronization servers in the on-premises hub domain. When you configure the service, you configure one as the primary directory server and the other as the optional secondary directory server. After the service replicates successfully with the primary directory server, it continues to use that server as long as it is available. If the server becomes unavailable, the service attempts to replicate with the optional secondary directory server. When the primary directory server becomes available, the service switches back to it.

Perform this procedure for each directory synchronization server you plan to use.

Procedure

1. Install and set up a Domino server in the on-premises hub domain, or use an existing server. The server must comply with the following requirements:
   - If the server is the administration server for the domain, the server must be Domino Fix Pack 2 or a later version with the corresponding Domino Directory template. If the server is not the administration server, any supported version of Domino is allowed.
   - The server must be certified under the same top-level Notes certifier as the mail hub servers in the on-premises hub domain, the passthru servers, and the mail servers in the service.
2. Perform the following steps to disable public key checking on the server and to give the server access to the LLNServers group:
   a. Open the Server document in the Domino Directory in edit mode.
   b. Click the Security tab.
   c. In the Compare public keys field in the Security Settings section, select Do not enforce key checking and click OK.
   d. Perform one of the following steps to give the server access to the LLNServers group:
      - Add LLNServers to the Access server field.
      - Clear the users listed in all trusted directories check box and make sure that the Not access server field does not prevent access to LLNServers.
      When you configure the service, the LLNServers group is created in the Domino Directory of the on-premises hub domain when you run the Domain Configuration tool.
   e. Click Save & Close.

Related concepts:

Version requirements for on-premises Domino servers on page 38
This topic describes the IBM Domino version requirements for on-premises Domino servers.

Certifier requirements in a hybrid environment on page 37
It is important to understand the following certifier requirements when planning a hybrid environment.

Related tasks:

Configuring directory synchronization on page 89
A directory server in the service has a replica of one or more on-premises IBM Domino directories. To support directory synchronization, provide the name of the primary server and file path of at least one on-premises directory that you want to synchronize. The directory server performs a regular pull and push replication of the directories to keep the contents of both the service and the on-premises replicas synchronized.

Using the Pre-configuration Test tool to check your environment on page 93
After you prepare your on-premises environment but before you run the Domain Configuration tool to configure it to connect to the IBM SmartCloud Notes service, download and run the SmartCloud Notes Hybrid Pre-configuration tool. This tool runs a series of tests to determine if the servers in your environment are set up correctly. The tool provides a report that identifies any issues that might prevent communication between your environment and the service. The tool does not change your configuration.

Preparing to replicate Domino directories

Prepare to replicate Domino directories in which service users are registered. You might also want to replicate other Domino directories.

Before you begin

Read the topics Planning directory services on page 21 and Requirements for synchronized directories on page 22.

About this task

You must replicate to the service Domino directories in which users are registered whom you plan to provision for the service.

You can also replicate Domino directories that contain only Person documents of non-service users. When you replicate these directories, service users can look up the names and addresses of the non-service users in the service directory. The non-service users can be:
- On-premises users registered in a Domino domain
- On-premises users in a foreign mail domain for whom you manually create Person documents
- External users in an external Internet domain for whom you manually create Person documents

To define an internal foreign mail domain in the service, you must create a Global Domain document. The document must be in a directory that is not the primary directory of the on-premises hub domain, and you must replicate this directory to the service.

If there are multiple directories of non-service users, you might want to aggregate the directories into an extended directory catalog. Then you can replicate the directory catalog rather than each directory.
To prepare to replicate a Domino directory to the service, perform the steps in this procedure on each directory synchronization server.

Procedure

1. If the directory is not the primary directory of the on-premises hub domain, perform the following steps:
   a. Create a replica of the directory on each directory synchronization server. Each replica of the directory must use the same path and file name on both directory synchronization servers.
   b. If you created the replica from a source replica on another server, schedule regular replication of the directory between each directory synchronization server and the source server.
      - If the directory contains users to be provisioned for the service, schedule two-way replication.
      - If the directory does not contain users to be provisioned for the service, schedule one-way replication from the source server to the directory synchronization server. Scheduling replication from the directory synchronization server to the source server is optional.
2. Verify that a unique Domino domain is specified in the directory profile:
   a. Open the Domino Directory.
   b. Click Actions > Edit Directory Profile.
   c. Verify that the Domain defined by this Domino Directory field specifies a Domino domain that is unique within your company.
   Note: The Pre-configuration Test tool that you run to check your on-premises environment during service configuration also verifies the domain name.
3. If a directory contains users to be provisioned for the service, make sure that the Internet address field in their Person documents has a valid address, for example, sdaryn@renovations. A valid Internet address contains the name of an Internet domain that is owned by your company, defined in a Global Domain document, and validated by the service.
4. If a directory contains users or devices from an internal foreign domain, make sure that Other Internet Mail is selected in the Mail system field of their Person documents. This setting is required for the service to route messages addressed to these users to the on-premises mail hub servers.

Related tasks:

Preparing Global Domain documents on page 49
Prepare at least one Global Domain document to define the Internet domains that your company owns.

Preparing to replicate an extended directory catalog

An extended directory catalog (EDC) can be used to aggregate entries from multiple Domino directories and replicate the entries to the service.
An EDC is supported for read-only use in the service. This procedure is useful only for companies that have more than one Domino directory.

About this task

In an environment with multiple Domino directories, aggregating the directories into an EDC improves directory lookup performance.

Aggregating a Domino directory that contains service users into an EDC is recommended for directory lookup performance. However, you must also replicate the full Domino directory to the service, separately.

Although the use of multiple EDCs is supported, for ease of management, use one.

To prepare to replicate an EDC to the service during directory synchronization, perform the following steps.

Procedure

1. Set up the EDC to aggregate all the directories that you want to make available in the service. For more information, see the topic on setting up an extended directory catalog in the Domino documentation.
   Note: The EDC must comply with the requirements specific to the service. For example, specific fields must be aggregated into an EDC. For information, see the information about the EDC described in the topic Requirements for synchronized directories on page 22.
2. Create a replica of the EDC on each directory synchronization server and on each mail hub server in the on-premises hub domain. Also make sure that the directories aggregated in it are kept up-to-date by the Dircat task.
3. Verify that a unique Domino domain is specified in the directory profile:
   a. Open the EDC.
   b. Click Actions > Edit Directory Profile.
   c. Verify that the Domain defined by this Domino Directory field specifies a unique Domino domain for the directory. If necessary, add a domain name that is unique in your environment to this field.
   Note: The Pre-configuration Test tool that you run to check your on-premises environment during service configuration also verifies the domain name.
4. To enable the EDC to be used for free-time lookups, set up your mail hub servers in the on-premises hub domain to use directory assistance to find the EDC. Directory assistance is not required on the directory synchronization servers or passthru servers. For information on directory assistance, see the Domino documentation.
   a. Create a directory assistance database on one primary mail hub server.
   b. Create a directory assistance document in that database for the extended directory catalog. Configure the document to point to at least one replica of the EDC on a directory synchronization server or primary mail hub server. Configure the document to point to additional EDC replicas to provide failover.
   c. If you use an additional primary mail hub server, replicate the directory assistance database to that server. Schedule regular replication of the directory assistance database between the two mail hub servers.

Related information:

Domino documentation

Preparing Global Domain documents

Prepare at least one Global Domain document to define the Internet domains that your company owns.

About this task

The Global Domain documents must be in synchronized Domino directories that replicate to the service. When you configure the service, you verify ownership of the domains that are defined in the replicated Global Domain documents. Global Domain documents are used in the service only to define your Internet domains and not to route mail.

Usually you can use Global Domain documents that already exist in production Domino directories. Follow the procedure in this topic to verify that they are configured correctly for the service.

In some situations, you must create a new Domino Directory manually from the pubnames.ntf template, add a new Global Domain document to it, and replicate the new directory to the service. Otherwise, if you put the Global Domain document in the primary Domino directory for a domain, it can prevent proper on-premises mail routing in the domain.

Put a Global Domain document in a manually-created Domino directory to define a Foreign Domain that includes devices, such as printers or faxes. Typically, a Foreign Domain document is used on-premises to route requests to the devices.

Also put a Global Domain document in a manually-created Domino directory if you want to use an asterisk (*) wildcard to define multiple subdomains below one root domain. The root domain is defined in a separate Global Domain document. When you verify the root domain during service configuration, the subdomains are automatically verified, too. This approach is useful if there are many subdomains that do not include service users.

Note: If service users are in a subdomain, you must specify the complete subdomain name in a Global Domain document. The subdomain can also be defined through a wildcard entry.

Domains specified in the Global Domain document field Alternate Internet domain aliases are not handled as alias domains by the service. Instead, each domain in this field is listed and verified in the service as a separate domain, similar to the domain specified in the Local primary Internet domain field. To enable a user to receive mail addressed to a domain in the Alternate Internet domain aliases field, you must specify the user's address for the domain in the Person document.

If multiple Global Domain documents specify the same domain, the service removes the duplicate domain occurrences.
Perform the following steps to create or verify at least one Global Domain document.

Procedure

1. Open the Domino directory in which you want to add or verify a Global Domain document.
2. Click Configuration and then expand the Messaging section.
3. Click Domains and perform one of the following steps:
   - To verify an existing Global Domain document, select the document and click Edit Domain.
   - To create a new Global Domain document, click Add Domain.
4. Specify the following fields on the Basics tab.

Table 14. Basics tab of Global Domain document

| Field | Step |
|---|---|
| Domain type | Select Global Domain. |
| Global domain name | Type any descriptive name. |
| Global domain role | Select R5/R6/R7/R8. |
| Use as default Global Domain | Select if you use more than one Global Domain document and you want this domain to be the default. |

5. Ignore the Restrictions tab. The service does not use information in this tab.
6. Verify that the following fields on the Conversions tab correctly define an Internet domain. Ignore the other fields in this tab; the service does not use them.

Table 15. Conversions tab of Global Domain document

| Field | Step |
|---|---|
| Local primary Internet domain | Type a domain name, for example, renovations.com. To specify multiple subdomains at once, use an asterisk (*) as a wildcard. For example, if your company owns the subdomains west.renovations.com, east.renovations.com and north.renovations.com, type: *.renovations.com. If you use a wildcard, you must specify the root domain in a separate Global Domain document. Note: If a service user is in a subdomain, you must specify the complete subdomain name in a separate Global Domain document. |
| Alternate Internet domain aliases | Type any additional domain names, separated by a comma (,). For example, type renovations.org, renovations.net. Note: When you configure the service, each domain in this field is listed as a separate domain to be verified. |

7. Click Save & Close.
8. Restart the server. This step is not necessary if the Global Domain document is in a new directory created only for use with the service.

What to do next

Prepare to replicate the directory that contains the Global Domain document to the service.

Related tasks:

Adding multiple Internet addresses to Person documents on page 207
You can include multiple Internet addresses in a Person document.
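The Global Domain rules in this topic (a wildcard entry needs its root domain in a separate document, a service user's subdomain must be named in full, alias domains count as separate domains, and duplicates are removed) can be checked before the directories are replicated. The following Python check is an added example, not IBM code: the GlobalDomain class, the sample documents and the sample addresses are constructed, and it assumes that a wildcard covers every name below its root.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GlobalDomain:
    name: str          # "Global domain name" field
    primary: str       # "Local primary Internet domain" field
    aliases: str = ""  # "Alternate Internet domain aliases", comma-separated

    def domains(self):
        """All domains the document names, lower-cased, in field order."""
        extra = [a.strip() for a in self.aliases.split(",") if a.strip()]
        return [d.lower() for d in [self.primary.strip(), *extra]]


def explicit_domains(docs):
    """Fully named domains across all documents, with duplicates removed."""
    return sorted({d for doc in docs for d in doc.domains() if not d.startswith("*.")})


def check(docs, service_user_addresses):
    """Return (code, subject, detail) findings in document order, then address order."""
    findings, roots = [], set()
    for doc in docs:
        for domain in doc.domains():
            if not domain.startswith("*."):
                continue
            root = domain[2:]
            roots.add(root)
            # The root must be named in a document other than the wildcard's own.
            if not any(root in other.domains() for other in docs if other is not doc):
                findings.append(("WILDCARD_WITHOUT_ROOT", doc.name, domain))
    explicit = set(explicit_domains(docs))
    for address in service_user_addresses:
        local, sep, domain = address.strip().lower().rpartition("@")
        labels = domain.split(".")
        if not (sep and local and len(labels) >= 2 and all(labels)):
            findings.append(("INVALID_ADDRESS", address, ""))
        elif domain in explicit:
            continue
        elif any(domain.endswith("." + root) for root in roots):
            # Covered only by a wildcard: a service user needs the full name.
            findings.append(("SUBDOMAIN_ONLY_WILDCARD", address, domain))
        else:
            findings.append(("DOMAIN_NOT_DEFINED", address, domain))
    return findings


# Constructed sample documents and Person document Internet addresses.
DOCS = (
    GlobalDomain("Renovations root", "renovations.com", "renovations.org, renovations.net"),
    GlobalDomain("Renovations subdomains", "*.renovations.com"),
    GlobalDomain("Renovations west", "west.renovations.com", "renovations.org"),
    GlobalDomain("Orphan wildcard", "*.example.net"),
)
ADDRESSES = (
    "user1@renovations.com",
    "user2@west.renovations.com",
    "user3@east.renovations.com",
    "user4@example.org",
    "user5@renovations.",
)

if __name__ == "__main__":
    print("Domains to verify:", ", ".join(explicit_domains(DOCS)))
    for finding in check(DOCS, ADDRESSES):
        print(finding)
```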

Preparing for mail routing

To prepare for mail routing between the service and your on-premises environment, first set up at least one mail hub server in your on-premises hub domain. Then prepare to route mail from service users and to service users.

No configuration is required to route mail sent between service users at your company. This mail is routed automatically within the service.

Setting up mail hub servers in the on-premises hub domain

In the on-premises hub domain, set up at least one IBM Domino server to be a hub server for mail routing with the service.

Before you begin

Make the mail routing decisions described in the topic Planning mail routing and mail settings on page 29.

About this task

When any service user sends mail to any on-premises user or device, the service routes the mail to a mail hub server in the on-premises hub domain. The mail hub server then routes the mail to the final destination or next hop to the final destination, if required.

To provide failover, set up two mail hub servers in the on-premises hub domain. The service attempts to route to the primary mail hub server first, which is the server with the name that comes first in alpha-numeric order. For example, if the two server names are MailA/Renovations and MailB/Renovations, the primary server is MailA/Renovations. If the two servers are Mail1/Renovations and Mail2/Renovations, the primary server is Mail1/Renovations. If the service is unable to route to the primary mail hub server due to network or server unavailability, it attempts to use the secondary server. When the primary mail hub server becomes available, the service begins using it again after a period of time. The service may use both servers simultaneously for brief intervals.

If there are service users registered in the on-premises hub domain, the mail hub server handles routing their mail to the service.

For information on installing and setting up Domino servers, see the Domino documentation.

Procedure

1. Install and set up a Domino server in the on-premises hub domain, or use an existing server. The server must comply with the following requirements:
   - Domino version requirement: Fix Pack 2 or later version.
   - Notes certifier requirement: The same top-level organization certifier as the directory synchronization servers, passthru servers, and mail servers in the service.
2. Perform the following steps to disable public key checking on the server and to give the server access to the LLNServers group:
   a. Open the Server document in the Domino directory in edit mode.
   b. Click the Security tab.
   c. In the Compare public keys field in the Security Settings section, select Do not enforce key checking and click OK.
   d. Perform one of the following steps to give the server access to the LLNServers group:
      - Add LLNServers to the Access server field.
      - Clear the users listed in all trusted directories check box and make sure that the Not access server field does not prevent access to LLNServers.
      When you configure the service, the LLNServers group is created in the Domino directory of the on-premises hub domain when you run the Domain Configuration tool.
   e. Click Save & Close.

What to do next

Prepare for mail routing.

Related concepts:

Version requirements for on-premises Domino servers on page 38
This topic describes the IBM Domino version requirements for on-premises Domino servers.

Certifier requirements in a hybrid environment on page 37
It is important to understand the following certifier requirements when planning a hybrid environment.

Related information:

Domino documentation

Preparing to route mail from service users

Prepare to route mail from service users to on-premises users and devices or to external users.

Preparing to route mail from service users to on-premises users and devices

When service users send mail to on-premises users or devices, the mail is routed to a mail hub server in the on-premises hub domain. If recipients are in a different domain, you configure the routing to the final destination.

Before you begin

Make sure that you have set up at least one mail hub server in the on-premises hub domain.

About this task

When service users address mail to any on-premises user or device, the service routes the mail to a mail hub server in the on-premises hub domain. This routing is done automatically using Connection documents created when the Domain Configuration tool is run during service configuration.

If recipients are in a different domain, you are responsible for configuring routing to that domain. Recipients might be:
- On-premises users in other Domino domains.
- On-premises users in foreign domains who do not use Domino mail servers.
- On-premises devices in foreign domains, such as printers and faxes.

For more information, see the topic Setting up Notes routing in the Domino documentation.

Related concepts:
Examples: Routing internal mail on page 60
These examples illustrate mail routing between service users and on-premises users and devices.

Related tasks:
Preparing Global Domain documents on page 49
Prepare at least one Global Domain document to define the Internet domains that your company owns.

Related information:
Domino documentation

Preparing to use a company SMTP server to route outbound Internet mail

You can configure a company SMTP host server to route mail that service users send to external users.

About this task

Skip this procedure if you want the service to handle routing the mail that is sent to external users. In this case (default behavior), the service filters the messages for virus and spam before routing them to the Internet.

By using a company SMTP host server for external routing, you can act on messages before routing them, for example, filter or audit messages. When you use this feature, the service filters messages for viruses and spam and then routes them directly to your designated SMTP host server. Messages addressed to any domain that is not an internal, service-verified domain are routed to the SMTP host server.

The service uses Transport Layer Security (TLS) to route mail to the SMTP host server if the host server uses TLS. The connection is made using STARTTLS over SSL TCP/IP port 25.

Procedure

1. Configure your SMTP host server to accept mail from one of the following SMTP host servers in the service:
   - If you use the United States data center: smtp.notes.na.collabserv.com
   - If you use the Asia Pacific data center: smtp.notes.ap.collabserv.com
   - If you use the European data center: smtp.notes.ce.collabserv.com
   For more information on this step if you use a Domino SMTP server, see the topic about enabling a server to receive mail sent over SMTP routing in the Domino documentation.
2. Configure the corporate firewall to allow inbound connections over port 25 from the service SMTP host server specified in the previous step. For more information, see the topic Configuring the firewall for inbound connections.
3. If specifying a maximum message size, configure your SMTP host server to accept messages up to 100 MB in size, the maximum message size allowed by the service. For more information on this step if you use a Domino SMTP server, see the topic about restricting mail routing based on message size in the Domino documentation.

4. Configure your SMTP host server to relay mail to external Internet domains. For more information on this step if you use a Domino SMTP server, see the topic about setting inbound relay controls in the Domino documentation.
5. Configure your SMTP host server to route mail to the Internet. For more information on this step if you use a Domino SMTP server, see the topic about setting up SMTP routing to external Internet domains in the Domino documentation.

What to do next

When you complete the service configuration, perform the procedure Specifying an SMTP server to route mail to the Internet on page 160.

Related concepts:
Example: Routing mail from a service user to an external user using a service SMTP host on page 70
This example illustrates how mail is routed from a service user to an external user on the Internet when the service manages the routing.
Example: Routing mail from a service user to an external user using a company SMTP host on page 71
This example illustrates how mail is routed from a service user to an external user on the Internet when a company SMTP server routes the mail.

Related information:
Domino documentation

Preparing to route mail to service users

Prepare mail servers in the Domino domains in which service users are registered to route mail to the users.

Preparing to route mail to service users registered in the on-premises hub domain

If service users are registered in the on-premises hub domain, prepare to route mail to those users through the mail hub servers in the domain.

Before you begin

Prepare your on-premises mail hub servers.

About this task

If there are no service users in the hub domain, skip this procedure.

The mail hub servers in the hub domain route mail to service users who are registered in the domain. Connection documents that the Domain Configuration tool creates when you configure the service are used to route the mail. You specify settings for the mail hub servers to optimize mail routing performance.

Mail sent from on-premises users in the on-premises hub domain to service users in the domain is routed automatically.

To route mail from on-premises users in other domains to the service users in the on-premises hub domain, configure mail routing from the other domains to the on-premises hub domain. You can route mail from other Domino domains or foreign domains that do not include Domino mail servers. For more information, see the topic Setting up Notes routing in the Domino documentation.

To route mail from external users on the Internet to the service users in the on-premises hub domain, configure an SMTP server to accept the mail. Then route the mail to a mail hub server in the on-premises hub domain. You are responsible for configuring virus scanning and spam filtering on mail received from the Internet. For more information, see the topic Configuring Domino to send and receive mail over SMTP in the Domino documentation.

Perform the steps in this procedure to optimize mail routing for each mail hub server in the on-premises hub domain.

Procedure

1. Customize the routing retry interval by performing the following steps on each mail hub server:
   a. From the Domino Administrator client, open a server in the domain.
   b. Click Configuration > Server > Configurations.
   c. Create or edit a Configuration Settings document that applies to the mail hub server.
   d. Click Router/SMTP > Restrictions and Controls > Transfer Controls.
   e. In the Initial transfer retry interval field, specify 1 minutes.
2. To allow the use of multiple transfer threads for mail routing, perform the following steps on each mail hub server:
   a. Add the following setting to the server notes.ini file: RouterAllowConcurrentXferToAll=1
   b. Perform the following steps to limit the number of transfer threads used for routing to any single destination. This setting reduces the chance that routing to one destination over a slow connection will monopolize transfer threads and prevent routing to other destinations.
      1) From the Domino Administrator, click Configuration > Server > Configurations.
      2) Add or edit a Configuration Settings document that applies to the mail server.
      3) Click Router/SMTP > Restrictions and Controls > Transfer Controls.
      4) In the Maximum concurrent transfer threads field, specify 4.

Note: These steps allow the use of multiple transfer threads when routing mail to any destination, not only to the service. After users are provisioned for the service, monitor mail routing. Ensure that the setting does not negatively affect the performance of routing to destinations other than the service.

Related concepts:
Examples: Routing internal mail on page 60
These examples illustrate mail routing between service users and on-premises users and devices.
Examples: Routing external mail on page 68
These examples illustrate routing mail between service users and external users over the Internet.

Related information:
Domino documentation

Preparing to route mail to service users in a secondary domain

If service users are in a secondary Domino domain (a domain that is not the on-premises hub domain) prepare to route mail to the users through mail hub servers in the secondary domain.

About this task

Skip this procedure if all service users are in the on-premises hub domain.

To configure mail routing to service users in a secondary domain, create required Connection documents in the Domino directory of the domain, as described in this procedure. Also configure settings to optimize mail routing performance, as described in this procedure.

The steps in this procedure enable mail sent from on-premises users in the secondary domain to be routed to service users also in the domain.

To route mail from on-premises users in other domains to the service users in the secondary domain, configure mail routing from the other domains to the secondary domain. You can route mail from other Domino domains or foreign domains that do not include Domino mail servers. For more information, see the topic Setting up Notes routing in the Domino documentation.

To route mail from external users on the Internet to the service users in the secondary domain, configure an SMTP server to accept the mail. Then route the mail to a mail hub server in the secondary domain. For more information, see the topic Configuring Domino to send and receive mail over SMTP in the Domino documentation. You are responsible for configuring virus scanning and spam filtering on mail received from the Internet.

Procedure

1. Install and set up at least one Domino server in the domain to be a mail hub server, or use an existing server. Servers that route mail to the service must be Domino Fix Pack 2 or a later version.
2. Create the following Connection documents in the Domino directory of the service user domain. These Connection documents enable servers to connect and route mail to the service.

Table 16. Connection document used to connect to the service

| Field | Value | Additional information |
|---|---|---|
| Basics - Connection type | Local Area Network | None |
| Basics - Source server | * | None |
| Basics - Source domain | Name of the service user domain, for example, PowerRenovations | Specify the same value for the Source and Destination domains. |
| Basics - Use the ports | Appropriate TCP/IP port | None |
| Basics - Usage priority | Normal | None |
| Basics - Destination server | *mail_server_certifier | For example, if your service mail server certifier is /SCN/Renovations, specify */SCN/Renovations. |
| Basics - Destination domain | Name of the service user domain, for example, PowerRenovations | Specify the same value for the Source and Destination domains. |

Table 16. Connection document used to connect to the service (continued)

| Field | Value | Additional information |
|---|---|---|
| Basics - Optional network address | notes.na.collabserv.com or notes.ap.collabserv.com, depending on the data center that your company uses. | DNS host name of the proxy server in the service. |
| Replication/Routing - Replication task | Disabled | None |
| Replication/Routing - Routing task | None | None |
| Schedule | Disabled | None |

Table 17. Connection document used to route mail from mail servers in the on-premises domain to mail hub servers in the service.

| Field | Value | Additional information |
|---|---|---|
| Basics - Connection type | Local Area Network | None |
| Basics - Source server | Name of a local mail hub server or mail hub server group in a service user domain to route mail to the service, for example, Mailhub2/Renovations or HubMailGroup. Other servers in the domain must be able to route mail to this server or group. | If you specify a group: The group name must occur before the name LLNMailHubs alphabetically. For example, use HubMailGroup but not MailGroupHub. The group name should not be CustomerMailHubs, which is a group that already exists for use in the service. The group type must be Servers only. The members must be the names of servers to route mail to the service. |
| Basics - Source domain | Name of the service user domain, for example, PowerRenovations | Specify the same value for the Source and Destination domains. |
| Basics - Usage priority | Normal | None |
| Basics - Destination server | LLNMailHubs | None |
| Basics - Destination domain | Name of the service user domain, for example, PowerRenovations. | Specify the same value for the Source and Destination domains. |
| Basics - Optional network address | notes.na.collabserv.com or notes.ap.collabserv.com, depending on the data center that your company uses. | DNS host name of the proxy server in the service. |
| Replication/Routing - Replication task | Disabled | None |
| Replication/Routing - Routing task | Mail routing | None |
| Schedule | Enabled | None |

Table 18. Connection document used to route messages from mail hub servers in the service to service user mail servers

| Field | Value | Additional information |
|---|---|---|
| Basics - Connection type | Local Area Network | None |
| Basics - Source server | LLNMailHubs | This is the group of mail hub servers in the service. |
| Basics - Source domain | Name of the service user domain, for example, PowerRenovations | Specify the same value for the Source and Destination domains. |
| Basics - Usage priority | Normal | None |
| Basics - Destination server | LLNServers | This is the group of mail and directory servers in the service. |
| Basics - Destination domain | Name of the service user domain, for example, PowerRenovations | Specify the same value for the Source and Destination domains. |
| Basics - Optional network address | Leave blank | None |
| Replication/Routing - Replication task | Disabled | None |
| Replication/Routing - Routing task | Mail routing | None |
| Schedule | Enabled | None |

3. Perform the following steps to give each server access to the LLNServers group.
   a. Open the Server document in the Domino Directory for the domain.
   b. Click the Security tab.
   c. Perform one of the following steps:
      - Add LLNServers to the Access server field.
      - Clear the users listed in all trusted directories check box and make sure that the Not access server does not prevent access to LLNServers.
4. Customize the routing retry interval by performing the following steps on each mail hub server:
   a. From the Domino Administrator client, open a server in the domain.
   b. Click Configuration > Server > Configurations.
   c. Create or edit a Configuration Settings document that applies to the mail hub server.
   d. Click Router/SMTP > Restrictions and Controls > Transfer Controls.
   e. In the Initial transfer retry interval field, specify 1 minutes.
5. To allow the use of multiple transfer threads for mail routing, perform the following steps on each mail hub server:
   a. Add the following setting to the server notes.ini file: RouterAllowConcurrentXferToAll=1
   b. Perform the following steps to limit the number of transfer threads used for routing to any single destination. This setting reduces the chance that routing to one destination over a slow connection will monopolize transfer threads and prevent routing to other destinations.

      1) From the Domino Administrator, click Configuration > Server > Configurations.
      2) Add or edit a Configuration Settings document that applies to the mail server.
      3) Click Router/SMTP > Restrictions and Controls > Transfer Controls.
      4) In the Maximum concurrent transfer threads field, specify 4.

Note: These steps allow the use of multiple transfer threads when routing mail to any destination, not only to the service. After users are provisioned for the service, monitor mail routing. Ensure that the setting does not negatively affect the performance of routing to destinations other than the service.

Related concepts:
Examples: Routing internal mail
These examples illustrate mail routing between service users and on-premises users and devices.
Examples: Routing external mail on page 68
These examples illustrate routing mail between service users and external users over the Internet.

Related information:
Domino documentation

Examples: Routing internal mail

These examples illustrate mail routing between service users and on-premises users and devices.

Example: Routing mail between users in the on-premises hub domain

This example illustrates how mail is routed between a service user and on-premises user when both are registered in the on-premises hub domain.

Table 19. Servers used in this example

| Server | Description |
|---|---|
| Mail1/Renovations | On-premises user's mail server in the on-premises hub domain, Renovations |
| Mailhub/Renovations | Mail hub server in the Renovations domain |
| Passthru1/Renovations | On-premises passthru server in the SCNPassthru domain used for inbound connections from the service. |
| Mail1/SCN/Renovations | Service user's mail server in the Renovations domain. |

How mail is routed from the on-premises user to the service user

When the on-premises user addresses mail to the service user, the following steps occur to route the mail.
1. The on-premises user's mail server, Mail1/Renovations, routes the mail to the on-premises hub server, Mailhub/Renovations.
2. Mailhub/Renovations routes the mail to a mail hub server in the service, connecting through a proxy server in the service. Connection documents created by the Domain Configuration tool are used to route the mail.

3. The mail hub server in the service routes the mail to the service user's mail server, Mail1/SCN/Renovations. A Connection document created by the Domain Configuration tool is used to route the mail.

Figure. Routing mail from an on-premises user to a service user when both users are in the on-premises hub domain

How mail is routed from the service user to the on-premises user

When the service user sends mail to the on-premises user, the following steps occur to route the mail.
1. The service user's mail server, Mail1/SCN/Renovations, routes the mail to a mail hub server in the service.
2. The mail hub server in the service routes the mail to the on-premises mail hub server, Mailhub/Renovations. The mail hub server connects through the on-premises passthru server, Passthru1/Renovations, in the SCNPassthru domain.
3. The on-premises mail hub server, Mailhub/Renovations, routes the mail to the on-premises user's mail server, Mail1/Renovations.

Figure. Routing mail from a service user to an on-premises user when both users are in the on-premises hub domain

Example: Routing mail between users in a secondary domain

This example illustrates how mail is routed between a service user and an on-premises user when both users are registered in a Domino domain that is not the on-premises hub domain.

Table 20. Servers used in this example

| Server | Description |
|---|---|
| Mail2/Renovations | On-premises user's mail server in the PowerRenovations domain |
| Mailhub2/Renovations | Mail hub server in the PowerRenovations domain |
| Mailhub/Renovations | Mail hub server in the on-premises hub domain, Renovations |
| Passthru1/Renovations | On-premises passthru server in the SCNPassthru domain used for inbound connections from the service |

Table 20. Servers used in this example (continued)

| Server | Description |
|---|---|
| Mail2/SCN/Renovations | Service user's mail server in the PowerRenovations domain |

How mail is routed from the on-premises user to the service user

When the on-premises user sends mail to the service user, the following steps occur to route the mail.
1. The on-premises user's mail server, Mail2/Renovations, routes the mail to the mail hub server in the PowerRenovations domain, Mailhub2/Renovations.
2. Mailhub2/Renovations routes the mail to a mail hub server in the service. Mailhub2/Renovations connects through a proxy server in the service. Connection documents that a company administrator creates in the PowerRenovations directory are used to route the mail.
3. The mail hub server in the service routes the mail to the service user's mail server, Mail2/SCN/Renovations. A Connection document that a company administrator creates in the PowerRenovations directory is used to route the mail.
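Because these Connection documents are created by hand, a consistency check against the rules in Tables 16 to 18 catches routing mistakes before mail is sent. The following is an added example, not IBM or Domino code: each Connection document is modeled as a plain dictionary, and the dictionary keys, the helper names, and the rule that a source name without "/" is a group are assumptions made for illustration.

```python
# Added example: validate hand-created Connection documents for a secondary
# domain against the field values given in Tables 16-18 of this page.
# The dictionaries are constructed sample data, not a Domino export format.

PROXY_HOSTS = {"notes.na.collabserv.com", "notes.ap.collabserv.com"}
RESERVED_GROUP = "CustomerMailHubs"  # already exists for use in the service

EXPECTED = {
    "table16": {"replication_task": "Disabled", "routing_task": "None",
                "schedule": "Disabled"},
    "table17": {"replication_task": "Disabled", "routing_task": "Mail routing",
                "schedule": "Enabled"},
    "table18": {"replication_task": "Disabled", "routing_task": "Mail routing",
                "schedule": "Enabled"},
}


def classify(doc):
    """Map a document to the table it corresponds to, or None."""
    src, dst = doc["source_server"], doc["destination_server"]
    if src == "*" and dst.startswith("*/"):
        return "table16"
    if src == "LLNMailHubs" and dst == "LLNServers":
        return "table18"
    if dst == "LLNMailHubs":
        return "table17"
    return None


def check_document(doc, domain):
    """Return a list of rule violations for one Connection document."""
    kind = classify(doc)
    pair = f"{doc['source_server']} -> {doc['destination_server']}"
    if kind is None:
        return [f"{pair}: not one of the three documents in Tables 16-18"]
    label = f"{kind} ({pair})"
    problems = []
    if doc["source_domain"] != domain or doc["destination_domain"] != domain:
        problems.append(f"{label}: source and destination domain must both be {domain}")
    for field, want in EXPECTED[kind].items():
        if doc.get(field) != want:
            problems.append(f"{label}: {field} should be {want!r}")
    address = doc.get("network_address", "")
    if kind == "table18" and address:
        problems.append(f"{label}: optional network address must be blank")
    if kind != "table18" and address not in PROXY_HOSTS:
        problems.append(f"{label}: optional network address must be the service proxy host")
    source = doc["source_server"]
    # Assumption: a source name without "/" is a group, not a server name.
    if kind == "table17" and "/" not in source:
        if source.casefold() == RESERVED_GROUP.casefold():
            problems.append(f"{label}: group must not be {RESERVED_GROUP}")
        elif source.casefold() >= "llnmailhubs":
            problems.append(f"{label}: group name must sort before LLNMailHubs")
    return problems


def check_connection_set(docs, domain):
    """Check every document and report any of the three that is missing."""
    problems, seen = [], set()
    for doc in docs:
        seen.add(classify(doc))
        problems.extend(check_document(doc, domain))
    for kind in sorted(set(EXPECTED) - seen):
        problems.append(f"{kind}: required Connection document is missing")
    return problems


def _doc(src, dst, routing, schedule, address,
         src_domain="PowerRenovations", dst_domain="PowerRenovations"):
    return {"source_server": src, "destination_server": dst,
            "source_domain": src_domain, "destination_domain": dst_domain,
            "replication_task": "Disabled", "routing_task": routing,
            "schedule": schedule, "network_address": address}


# Constructed sample sets using the example names from this page.
GOOD_DOCS = [
    _doc("*", "*/SCN/Renovations", "None", "Disabled", "notes.na.collabserv.com"),
    _doc("HubMailGroup", "LLNMailHubs", "Mail routing", "Enabled", "notes.na.collabserv.com"),
    _doc("LLNMailHubs", "LLNServers", "Mail routing", "Enabled", ""),
]
BAD_DOCS = [
    _doc("*", "*/SCN/Renovations", "None", "Disabled", "notes.na.collabserv.com"),
    _doc("MailGroupHub", "LLNMailHubs", "Mail routing", "Disabled",
         "notes.na.collabserv.com", dst_domain="Renovations"),
]

if __name__ == "__main__":
    for line in check_connection_set(BAD_DOCS, "PowerRenovations"):
        print(line)
```
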

Figure. Routing mail from an on-premises user to a service user when both users are in a secondary Domino domain.

How mail is routed from the service user to the on-premises user

When the service user sends mail to the on-premises user, the following steps occur to route the mail.
1. The service user's mail server, Mail1/SCN/Renovations, routes the mail to a mail hub server in the service.
2. The mail hub server in the service routes the mail to the mail hub server in the Renovations domain, Mailhub/Renovations. The mail hub server in the service connects through the on-premises passthru server, Passthru1/Renovations, in the SCNPassthru domain.
3. Mailhub/Renovations routes the mail to the mail hub server in the PowerRenovations domain, Mailhub2/Renovations.

   A Connection document created by the company administrator is used to route the mail.
4. Mailhub2/Renovations routes the mail to the on-premises user's mail server, Mail2/Renovations.

Figure. Routing mail from a service user to an on-premises user when both users are in a secondary domain.

Example: Routing mail between users in different Domino domains

This example illustrates how mail is routed between a service user registered in the on-premises hub domain and an on-premises user registered in a secondary domain.

Table 21. Servers used in this example

| Server | Description |
|---|---|
| Mail2/Renovations | On-premises user's mail server in the PowerRenovations domain |
| Mailhub2/Renovations | Mail hub server in the PowerRenovations domain |
| Mailhub/Renovations | Mail hub server in the Renovations domain, which is the on-premise hub domain and the service user's domain. |
| Passthru1/Renovations | On-premises passthru server in the SCNPassthru domain used for inbound connections from the service |
| Mail1/SCN/Renovations | Service user's mail server in the Renovations domain |

How mail is routed from the on-premises user to the service user

When the on-premises user sends mail to the service user, the following steps occur to route the mail.
1. The on-premises user's mail server, Mail2/Renovations, routes the mail to the mail hub server in the PowerRenovations domain, Mailhub2/Renovations.
2. Mailhub2/Renovations routes the mail to the mail hub server in the service user's domain, in this case, the server Mailhub/Renovations in the Renovations domain. Connection documents created by a company administrator are used to route the mail.
3. Mailhub/Renovations routes the mail to a mail hub server in the service. Mailhub/Renovations connects to the service through a proxy server in the service. Connection documents that the Domain Configuration tool created in the Renovations domain directory are used to route the mail.
4. The mail hub server in the service routes the mail to the service user's mail server, Mail1/SCN/Renovations. A Connection document that the Domain Configuration tool creates in the Renovations domain directory is used to route the mail.

Figure. Routing mail from an on-premises user in a secondary domain to a service user in the on-premises hub domain.

How mail is routed from the service user to the on-premises user

When the service user sends mail to the on-premises user, the following steps occur to route the mail.
1. The service user's mail server, Mail1/SCN/Renovations, routes the mail to a mail hub server in the service.
2. The mail hub server in the service routes the mail to the on-premises mail hub server in the Renovations domain, Mailhub/Renovations. The mail hub server in the service connects through the on-premises passthru server, Passthru1/Renovations, in the SCNPassthru domain.

3. The on-premises mail hub server, Mailhub/Renovations, routes the mail to the mail hub server in the PowerRenovations domain, Mailhub2/Renovations. Connection documents that the company administrator creates are used to route the mail.
4. Mailhub2/Renovations routes the mail to the on-premises user's mail server, Mail2/Renovations.

Figure. Routing mail from a service user in the on-premises hub domain to an on-premises user in secondary Domino domain.

Examples: Routing external mail

These examples illustrate routing mail between service users and external users over the Internet.

Example: Routing mail from an external user to a service user

This example illustrates how mail is routed from an external user on the Internet to a service user. In this example:
- The external user is in the zetabank.com domain.
- The external SMTP server is smtp.zetabank.com.
- The on-premises SMTP server is smtp.renovations.com.
- The service user is in the renovations.com Internet domain and in the Renovations Domino domain.
- The on-premises hub domain is Renovations.
- The on-premises mail hub server is Mailhub/Renovations.
- The service user's mail server is Mail1/SCN/Renovations.

When the external user from the zetabank.com domain sends mail to the service user in the internal domain renovations.com, the following steps occur to route the mail.
1. The external SMTP server, smtp.zetabank.com, routes the mail to the on-premises SMTP server, smtp.renovations.com, over the Internet.
2. smtp.renovations.com receives the mail, scans it for viruses and spam, and then routes the mail to the on-premises mail hub server, Mailhub/Renovations, in the Renovations Domino domain. A company administrator configures the routing to Mailhub/Renovations.
3. Mailhub/Renovations routes the mail to a mail hub server in the service over NRPC. Mailhub/Renovations connects through a proxy server in the service. Connection documents created by the Domain Configuration tool are used to route the mail.
4. The mail hub server in the service routes the mail to the service user's mail server, Mail1/SCN/Renovations. A Connection document created by the Domain Configuration tool is used to route the mail.

Figure. Routing mail from an external user to a service user

Example: Routing mail from a service user to an external user using a service SMTP host

This example illustrates how mail is routed from a service user to an external user on the Internet when the service manages the routing. In this example:
- The external user is in the zetabank.com domain.
- The external SMTP server is smtp.zetabank.com.
- The service user is in the renovations.com Internet domain.
- The service user's mail server is Mail1/SCN/Renovations.

When the service user sends mail to the external user in the zetabank.com domain, the following steps occur to route the mail.
1. The service user's mail server, Mail1/SCN/Renovations, routes the mail to an SMTP server in the service.
2. The SMTP server in the service routes the mail to a mail hygiene server in the service.
3. The mail hygiene server scans the mail for viruses and spam and then routes the mail to the external SMTP server, smtp.zetabank.com, over the Internet.

Figure. Service routing mail from a service user to an external user

Example: Routing mail from a service user to an external user using a company SMTP host

This example illustrates how mail is routed from a service user to an external user on the Internet when a company SMTP server routes the mail. In this example:
- The external user is in the zetabank.com domain.

- The external SMTP server is smtp.zetabank.com.
- The on-premises SMTP server is smtp.renovations.com.
- The service user is in the renovations.com domain.
- The service user's mail server is Mail1/SCN/Renovations.

When the service user addresses mail to the external user in the zetabank.com domain, the following steps are taken to route the mail.
1. The service user's mail server, Mail1/SCN/Renovations, routes the mail to an SMTP server in the service.
2. The SMTP server in the service routes the mail to a mail hygiene server in the service.
3. The mail hygiene server in the service scans the mail for viruses and spam and then routes the mail to the on-premises SMTP server, smtp.renovations.com.
4. The on-premises SMTP server, smtp.renovations.com, filters and audits the mail, and then routes the mail to the external SMTP server, smtp.zetabank.com.
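For the company SMTP host in this example, the earlier preparation procedure sets three things that can be checked from a captured EHLO reply and the MTA's accept list: STARTTLS is offered, any advertised SIZE limit admits the service's 100 MB maximum, and relay is accepted only from the service SMTP host for your data center. The following is an added example, not IBM or Domino code; the function names and the sample replies are constructed, and reading 100 MB as 100 * 1024 * 1024 bytes is an assumption.

```python
# Added example: audit a company SMTP host against the preparation steps for
# receiving outbound mail from the service. Sample replies are constructed.
import re

# Service SMTP hosts per data center, as listed in the procedure on this page.
SERVICE_SMTP_HOSTS = {
    "us": "smtp.notes.na.collabserv.com",
    "ap": "smtp.notes.ap.collabserv.com",
    "eu": "smtp.notes.ce.collabserv.com",
}
# Assumption: the page's "100 MB" is read as 100 * 1024 * 1024 bytes.
SERVICE_MAX_BYTES = 100 * 1024 * 1024

_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply):
    """Parse a multi-line EHLO reply into {KEYWORD: [params]}."""
    lines = [ln.rstrip("\r") for ln in reply.strip().split("\n")]
    extensions = {}
    for index, line in enumerate(lines):
        match = _REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        is_last = index == len(lines) - 1
        # "250-" marks a continuation line, "250 " marks the final line.
        if (match.group(2) == " ") != is_last:
            raise ValueError("malformed continuation marker in EHLO reply")
        if index == 0:
            continue  # first line is the server greeting, not an extension
        words = match.group(3).split()
        if words:
            extensions[words[0].upper()] = words[1:]
    return extensions


def audit_smtp_host(reply):
    """Return findings for settings that conflict with the procedure."""
    extensions = parse_ehlo(reply)
    findings = []
    if "STARTTLS" not in extensions:
        findings.append("STARTTLS not advertised: the service cannot use TLS on this hop")
    if "SIZE" in extensions:
        params = extensions["SIZE"]
        # SIZE with no value or 0 means no fixed maximum is declared.
        limit = int(params[0]) if params and params[0].isdigit() else 0
        if 0 < limit < SERVICE_MAX_BYTES:
            findings.append(
                f"SIZE limit {limit} is below the service maximum {SERVICE_MAX_BYTES}")
    return findings


def accepts_from(client_host, data_center):
    """True only for the service SMTP host of the data center in use.

    client_host is assumed to be a name the MTA has already verified;
    a string match alone does not authenticate the peer.
    """
    expected = SERVICE_SMTP_HOSTS[data_center]
    return client_host.rstrip(".").lower() == expected


# Constructed EHLO replies for the example host smtp.renovations.com.
GOOD_REPLY = ("250-smtp.renovations.com Hello\r\n"
              "250-SIZE 104857600\r\n"
              "250-STARTTLS\r\n"
              "250 HELP\r\n")
WEAK_REPLY = ("250-smtp.renovations.com Hello\r\n"
              "250-SIZE 52428800\r\n"
              "250 8BITMIME\r\n")

if __name__ == "__main__":
    for name, reply in (("good", GOOD_REPLY), ("weak", WEAK_REPLY)):
        print(name, audit_smtp_host(reply) or "no findings")
```
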

Figure. Company-controlled SMTP server routing mail from a service user to an external user

Preparing for calendars and scheduling

You can prepare for on-premises users and service users to look up each other's free time when scheduling meetings. You can also prepare for service users to reserve resources in on-premises Resource Reservations databases.

Before you begin

Read Planning calendars and scheduling on page 31 to understand how calendars and scheduling works in the service and the requirements to use it. For more information on IBM Domino scheduling, see the Domino documentation.

Procedure

1. Perform the following tasks to prepare for free-time requests between service users and on-premises users:
   - Make sure that any on-premises server that will request free-time of service users runs Domino Fix Pack 2 or a later version.
   - Disable public key checking on any on-premises server that will request free-time of service users. On the Security tab of the Server document, in the Compare public keys field, select Do not enforce key checking.
   - Verify that the CalConn server task is specified in the ServerTasks line in the notes.ini file of each on-premises mail server and Calendar server that will request free time of service users. The task uses CPU or memory resources only when handling free-time requests.
   - In a multi-domain environment, perform the following additional steps to enable service users to request free-time of on-premises users:
      - If on-premises users are not in the on-premises hub domain, make sure the primary directory of the on-premises hub domain has a domain document that specifies a Calendar server for the domain of the on-premises users.
      - If a directory catalog is used in the on-premises hub domain, make sure that mail hub servers in the domain are configured to use directory assistance to look up names in it.
      - If you do not synchronize the primary Domino directory of the on-premises hub domain, copy the CustomerMailHubs group in it to a synchronized directory. Keep the group type as Servers only. This step must be done after you configure the service and run the Domain Configuration tool, because the tool creates the group initially.
   - In a multi-domain environment, perform the following additional steps to enable on-premises users to request the free-time of service users:
      - If the service users are not in the on-premises hub domain, create a Connection document in the primary directory of the service users' domain that enables mail servers in the domain to connect to the service to send the free-time request. If you configure mail routing from the service user domain to the service, this step is complete as part of that configuration.
      - If the on-premises users are in a different domain than the service users, make sure the primary directory of the on-premises user domain has a domain document that specifies the Calendar server for the domain of the service users.
2. Perform the following steps to prepare for service users to reserve rooms and resources in an on-premises Resource Reservations database:
   - Synchronize the directory of the domain in which a Resource Reservations database is located.
   - If a Resource Reservations database is not in the on-premises hub domain, configure mail routing from the on-premises hub domain to the other domain.
   - To enable a service user to look up the free-time of a room or resource, make sure a server in the on-premises hub domain can look up free-time in the Resource Reservations database or can connect to a server that can.
   - If the directory of the domain that contains the Resource Reservations database is aggregated in a directory catalog, specify the following settings in the Extended Directory Catalog configuration document:

83 Include the following field names in the Additional fields to include field: ResourceFlag, ResourceType, and ResourceCapacity In the Include Mail-In Databases field, select Yes. Remoe duplicate site names that are used for rooms and resources across directories. If two sites hae the same name, the serice lists resources from both sites under one site name. This situation can lead users to resere resources at the wrong site. See Technote for instructions on making site names unique. What to do next Related tasks: Preparing to replicate an extended directory catalog on page 48 An extended directory catalog (EDC) can be used to aggregate entries from multiple Domino directories and replicate the entries to the serice. An EDC is supported for read-only use in the serice. This procedure is useful only for companies that hae more than one Domino directory. Downloading and running the Domain Configuration tool on page 94 The Domain Configuration tool configures your on-premises serers to connect to your hosted IBM SmartCloud Notes serers. The serer configuration information that you proide in the Account Settings of SmartCloud Notes Administration is the data that is used to configure the connections. Related information: Domino documentation Technote Example of integrating a secondary domain with the serice Example: Free-time requests between users in the on-premises hub domain This example illustrates how free-time requests occur between a serice user and an on-premises user who are both registered in the on-premises hub domain. Table 22. Serers used in this example Serer Mail1/Renoations Mailhub/Renoations Passthru1/Renoations Mail1/SCN/Renoations Description On-premises user s mail serer in the on-premises hub domain, Renoations Mail hub serer in the Renoations domain On-premises passthru serer in the SCNPassthru domain used for inbound connections from the serice. Serice user s mail serer in the Renoations domain. 
On-premises user requesting free time of service user

When the on-premises user requests the free-time of the service user, the following steps occur to process the request:
1. The on-premises user's mail server, Mail1/Renovations, looks up the name of the service user's mail server, Mail1/SCN/Renovations, in the Renovations directory.
2. Mail1/Renovations sends the free-time request to Mail1/SCN/Renovations. Mail1/Renovations runs the CalConn server task. A Connection document created by the Domain Configuration tool in the Renovations domain directory enables Mail1/Renovations to send the request through the proxy server in the service.
3. Mail1/SCN/Renovations looks up the user's free time in its Free Time database and returns it to Mail1/Renovations.

Figure. On-premises user requesting free-time of service user when both are in the on-premises hub domain.

Service user requesting free time of on-premises user

When the service user requests the free-time of the on-premises user, the following steps occur to process the request:
1. The service user's mail server, Mail1/SCN/Renovations, looks up the name of the on-premises user in the service directory and determines that the user's mail server is on-premises.
2. Mail1/SCN/Renovations sends a free-time request to the mail hub server, Mailhub/Renovations, in the on-premises hub domain. Mail1/SCN/Renovations finds the names of all servers in the CustomerMailHubs and attempts to fetch free-time for each one until it succeeds when trying Mailhub/Renovations. The Domain Configuration tool creates the group in the directory of the on-premises hub domain and the group replicates to the service during directory synchronization. Connection documents created in the service at time of customer creation enable Mail1/SCN/Renovations to connect to Mailhub/Renovations through the server Passthru1/Renovations.
3. Mailhub/Renovations sends the request to the on-premises user's mail server, Mail1/Renovations.
4. Mail1/Renovations looks up the user's free time in its Free Time database and returns it to Mailhub/Renovations.
5. Mailhub/Renovations returns the free time to Mail1/SCN/Renovations.

Figure. Service user requesting free-time of on-premises user when both are in the on-premises hub domain.

Example: Free-time requests between users in different domains

This example illustrates how free-time requests occur between an on-premises user in a secondary domain and a service user in the on-premises hub domain.

Table 23. Servers used in this example
Server | Description
Mail2/Renovations | On-premises user's mail server in the PowerRenovations domain
Mailhub2/Renovations | Calendar server for the PowerRenovations domain
Mailhub/Renovations | Mail hub server and Calendar Server for the on-premises hub domain, Renovations
Passthru1/Renovations | On-premises passthru server in the SCNPassthru domain used for inbound connections from the service
Mail2/SCN/Renovations | Service user's mail server in the Renovations domain

On-premises user requesting free time of service user

When the on-premises user requests the free-time of the service user, the following steps occur to process the request:
1. The on-premises user's mail server, Mail2/Renovations, looks up the service user's mail server in a local directory catalog.
2. Mail2/Renovations sends a free-time request to Mailhub2/Renovations, the Calendar Server for the PowerRenovations domain. Both servers run the CalConn server task.
3. Mailhub2/Renovations sends the request to Mailhub/Renovations, the Calendar Server for the Renovations domain. Mailhub/Renovations runs the CalConn server task.
4. Mailhub/Renovations sends the requests to the service user's mail server, Mail1/SCN/Renovations. A Connection document created by the Domain Configuration tool in the Renovations domain directory enables Mailhub/Renovations to send the request through the proxy server in the service.
5. Mail1/SCN/Renovations looks up the user's free time in its Free Time database and returns it to Mailhub/Renovations.
6. Mailhub/Renovations returns the free time to Mailhub2/Renovations.
7. Mailhub2/Renovations returns the free time to Mail2/Renovations.

Figure. On-premises user in secondary domain requesting free-time of service user in on-premises hub domain

Service user requesting free time of on-premises user

When the service user requests the free-time of the on-premises user, the following steps occur to process the request:
1. The service user's mail server, Mail1/SCN/Renovations, looks up the name of the on-premises user in the service directory and determines that the user's mail server is on-premises.
2. The service user's mail server, Mail1/SCN/Renovations, sends a free-time request to the mail hub server, Mailhub/Renovations, in the on-premises hub domain. Mail1/SCN/Renovations finds the names of all servers in the CustomerMailHubs and attempts to fetch free-time for each one until it succeeds when trying Mailhub/Renovations. The Domain Configuration tool creates the group in the directory of the on-premises hub domain and the group replicates to the service during directory synchronization. Connection documents created in the service at time of customer creation enable Mail1/SCN/Renovations to connect to Mailhub/Renovations through the server Passthru1/Renovations.
3. Mailhub/Renovations, the Calendar Server for the Renovations domain, sends the request to Mailhub2/Renovations, the Calendar Server for the PowerRenovations domain.
4. Mailhub2/Renovations sends the request to Mail2/Renovations, the on-premises user's mail server.
5. Mail2/Renovations looks up the user's free time in its Free Time database and returns it to Mailhub2/Renovations.
6. Mailhub2/Renovations returns the free time to Mailhub/Renovations.
7. Mailhub/Renovations returns the free time to Mail1/SCN/Renovations.

Figure. Service user in on-premises hub domain requesting free-time of on-premises user in a secondary domain.

Helping service users connect to application servers in secondary domains

Service users can connect to on-premises IBM Domino servers to open applications. If the application servers are in the same Domino domain as your primary mail hub servers, service users see them listed in the Open Application window in IBM Notes. If the application servers are in a secondary domain, use an External Domain Network Information (EDNI) document. Then run the GETADRS program to enable the secondary domain servers to be listed in the Open Application window. In this case, users click Other in the window to see the servers listed.

Create an EDNI document for each secondary domain in the Domino directory of the primary mail hub server domain. Then schedule the GETADRS program to run regularly on one server in the primary mail hub server domain. GETADRS pulls the names and addresses of each server from the secondary domain into Response documents to the EDNI document. To determine how to connect to a server in the secondary domain, a server in the service uses the Response document for that server. The EDNI document and Response documents do not replicate to the mail servers in the service. Rather, the servers in the service look them up on one of your primary mail hub servers.

EDNI documents make it easier for users to connect to application servers, but they are not required. If you do not use EDNI documents, Connection documents and bookmarks used previously to connect to the servers still work after users are provisioned for the service. Users can also connect to the servers by typing the server names in the Open Application window.

For more information, see the topic on setting up external domain lookups in the Domino documentation.

Related information:
Domino documentation

Chapter 4. Configuring the service

After you have prepared your on-premises environment, configure the service to work with your environment.

Related tasks:
Chapter 3, Preparing your environment, on page 39
Perform the steps in this section to prepare your on-premises servers for a hybrid environment. Perform these steps after you have planned for the service and before you configure the service.

Roadmap to configuring a hybrid environment

When you configure a hybrid environment, you establish connections between your on-premises IBM Domino servers and IBM SmartCloud Notes servers. To help you accomplish this task, a Domain Configuration tool is provided for you that makes the necessary configuration changes to your environment, based on information you provide. During configuration you also provide a certifier ID for your SmartCloud Notes mail servers and you enable the service to verify ownership of at least one Internet domain.

Before you begin

Before you configure a hybrid environment, perform the procedures in Preparing your environment. Also make sure that IBM has created the SmartCloud Notes account for your company, and that you have completed the task Logging on as the first company administrator.

The following table describes the tasks required to configure a hybrid environment and includes links to topics that describe the corresponding procedures.

Table 24. Tasks to configure a hybrid environment
Task | Estimated time to complete | How to confirm completion
Complete a checklist to make sure all prerequisite tasks are done and to record information you will provide to configure account settings. For more information, see Completing a checklist to prepare for configuration on page 87. | Varies, depending how many required tasks are complete. | Review the worksheet for accuracy and completeness.
Configure account settings by performing the following tasks in any order. Account settings provide the information about your on-premises environment that is required by the Domain Configuration tool. Providing a certifier ID; Specifying a passthru server; Specifying a mail routing server; Creating a base name for your mail server; Specifying a Domino Directory synchronization server | minutes, total | Confirm that there is a checkmark next to each setting in the Account Setup window in SmartCloud Notes Administration
Use the Pre-configuration Test tool to check that your on-premises environment is prepared to be configured for the SmartCloud Notes service. | minutes, after you have completed the form. Time depends on how many tests run, which varies according to the amount of information provided. | A report displays, listing the tests that were performed, and identifying issues that need to be resolved.
Check that the account settings are accurate and then enable the settings. This information is used when the Domain Configuration tool runs, so it is important that it is accurate. | 10 minutes | Confirm that the Account Setup window in the SmartCloud Notes Administration interface displays the text Prepare for account activation and the text Select Domain Configuration Tool
Download and run the Domain Configuration tool. The tool uses the information provided in account settings to edit the Domino directories of the on-premises hub domain and the on-premises passthru domain. The edits allow the servers in the service and your on-premises servers to connect to each other and to perform directory synchronization and mail routing. | minutes | Confirm that the tool displays a success message. Note: If the tool does not run successfully, you must investigate and resolve any issues before continuing. Do not proceed until the tool runs successfully.
Confirm that directory synchronization has completed. Directory synchronization replicates to the service some of the documents in the Domino directories that are configured for synchronization. These include Global Domain documents, at least one of which is required by the service for Internet domain verification. The corporate firewall must allow inbound connections over port 1352 so that the service can connect to a directory synchronization server and initiate replication. | The time for the initial directory synchronization to complete varies depending on the number of directories replicated and the network bandwidth. For example, replicating one directory over a fast connection might take 2-6 hours. Replicating multiple directories or replicating over slower connections might take 3-5 days. | Confirm that the Account Setup window in the SmartCloud Notes Administration interface displays the message Directory synchronization is complete.
After directory synchronization has completed, verify at least one Internet domain name by creating a CNAME record for it to which the SmartCloud Notes service can connect. | It can take from a few minutes or a few hours to as long as 48 hours to verify domain ownership. If you do not have the authority to create a CNAME record for your domain, extra time may be required to contact your domain hosting service and have them create the record for you. After the CNAME record is created, it may take time for your hosting service to replicate it to the Internet. The CNAME record must replicate to the Internet so that the service can connect to it. | Confirm that the Internet Domain Verification window in the SmartCloud Notes Administration interface indicates that at least one domain is verified.
After you have verified at least one Internet domain, Activate your account. | 5 minutes | Confirm that the Account Setup window in the SmartCloud Notes Administration interface indicates that the account has been successfully activated.
Run configuration tests to verify that your on-premises environment is configured correctly to work with the service. | 2-5 minutes | Confirm that no errors are shown in the Configuration Test window.
Check network connections from on-premises servers to SmartCloud Notes servers | minutes | Confirm a successful authenticated connection to a mail server. The corporate firewall must allow outbound connections over TCP/IP port
Issue a Vault Trust Certificate to enable the Notes IDs of provisioned users to be uploaded to a SmartCloud Notes ID vault | minutes | After a user is provisioned for SmartCloud Notes, confirm that the Notes ID of the user is uploaded to the ID vault.

Copyright IBM Corp

Logging on as the first company administrator

An IBM Customer Service Representative creates the IBM SmartCloud Notes account for your company. This step creates a company administrator account under a name and address provided by your company. IBM sends an email to the address confirming your purchase. To activate the account for your company, follow the URL link in this email and log on to the IBM Connections Cloud website as the company administrator.

About this task

Perform the following steps to activate the account for your company and log on as the first company administrator.

Procedure
1. Open the email that was sent to the company administrator address confirming your purchase.
2. Click the URL link in the email, to open the Registration page.
3. Perform the following steps on the Registration page:
   a. Create and confirm a service logon password. Important: The address that is shown is the logon name for the company administrator account. Be sure to remember it and the new password.
   b. Select a country, language, and time zone.
   c. Read the terms of use and privacy practices information, and if you agree to them, click I accept the Terms of Use.
   d. Click Submit.
   e. Log on using the company administrator logon and new password.

Results

You are now logged on to your home page. To log on in the future, go to

What to do next

Configure the SmartCloud Notes service, if IBM is not configuring it for you.

Completing a checklist to prepare for configuration

Before you prepare account settings and configure the service, complete the checklist in this topic to verify that all prerequisite tasks are complete.

About this task

Table 25. Tasks to complete before you configure the service
Task | Corresponding information to provide in account settings | Complete?
Configure the corporate firewall to allow connections to and from the service. For information, see Preparing the firewall on page 41. | Not applicable |
Prepare a primary synchronization server, and optionally, a secondary synchronization server. For information, see Setting up directory synchronization servers on page 45. | The hierarchical server name of each server, for example, Dirhub/Renovations |
Prepare at least one Domino directory to replicate to the service. For information, see Preparing to replicate Domino directories on page 47. | The file path to the directory file name, relative to the data directory on the synchronization server, for example, dir\names.nsf |
Optionally, prepare an Extended Directory Catalog (EDC) to replicate to the service. For information, see Preparing to replicate an extended directory catalog on page 48. | The file path to the EDC file name, relative to the data directory on the synchronization server, for example, dir\edc.nsf |
Prepare a primary passthru server, and optionally, a secondary passthru server. For information, see Preparing passthru servers on page 40. | The host name or IP address of a server, for example, passthru.renovations.com. The hierarchical name of the server, for example, Passthru/Renovations. The Domino domain of the server, for example, SCNPassthru |
Prepare a primary mail hub server, and optionally, a secondary mail hub server. For information, see Setting up mail hub servers in the on-premises hub domain on page 52. | The host name or IP address of a server, for example, mailhub.renovations.com. The hierarchical name of the server, for example, Mailhub/Renovations. The Domino domain of the server, for example, Renovations |
Create an OU certifier to use to name your mail servers in the service. For information, see Creating a certifier for your mail servers on page 39. | A local file path to the certifier ID file |
Decide on a base name for users' mail servers in the service. The base name combines with the mail server OU certifier to form the server names. | The base name, for example, Mail, which is the default value |
Prepare Global Domain documents to define the Internet domains owned by your company. For information, see Preparing Global Domain documents on page 49. | Not applicable. A list of Internet domains to be verified is generated from the documents and displayed in SmartCloud Notes Administration. |
Determine who will create the CNAME records in your domain hosting service that are used to verify ownership of your company Internet domains. For information, see Verifying Internet domains on page 97 | Not applicable |
To prepare to use the Domain Configuration tool, find an IBM Notes client or IBM Domino Administrator client that can connect to each directory synchronization server, mail hub server, and passthru server. Make sure the ID file you use with the client has Administrator access to these servers. For information, see Downloading and running the Domain Configuration tool on page 94. | Not applicable |

Configuring your hybrid account settings

Perform the tasks in this section to configure a hybrid environment, one in which the IBM SmartCloud Notes service is integrated with IBM Domino servers at your company site.

About this task

Make sure that IBM has created the SmartCloud Notes account for your company and that you have activated it by logging on to the service as the first company administrator.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes and then click Account Settings.
4. In the "Welcome to SmartCloud Notes!" window, select Hybrid Environment, and then click Set Up My Account.
5. In the next window, click Continue.

Results

You are now ready to begin completing the information in the hybrid Account Settings.

Configuring directory synchronization

A directory server in the service has a replica of one or more on-premises IBM Domino directories. To support directory synchronization, provide the name of the primary server and file path of at least one on-premises directory that you want to synchronize. The directory server performs a regular pull and push replication of the directories to keep the contents of both the service and the on-premises replicas synchronized.

About this task

In addition to specifying a primary server, you can specify a secondary server that you synchronize for high availability purposes. Each directory synchronization server must have a local replica of each Domino directory that you provide.

You can also specify an extended directory catalog (EDC) to be synchronized. However, if you do, make sure to select the option Do not use this directory for user provisioning. The EDC is a read-only composite of information from your other directories; the service receives information from it but does not update it.

For additional information about how Domino directories remain synchronized in a hybrid environment, read Planning directory synchronization.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes and then click Account Settings.

4. In the navigation pane, click Directory Sync Server.
5. Click Add Domino Directory. The name of the directory is displayed in the Directory server column.
6. In the field Primary directory server name, specify the name of the server on which your Domino directory resides, such as Directory1/Renovations. If you are adding a secondary server, specify the name of the server in the field Optional: Secondary directory server name instead.
7. In the field Domino Directory database file name, specify the file path of the Domino directory or EDC.
8. If the directory is an EDC or any other directory that is not used for user provisioning, select Do not use this Domino Directory for user provisioning.
9. Repeat steps 5 through 8 for each additional Domino directory that you want to synchronize with hosted directory servers. You can return to this window to add subsequent directories after you have saved this information.
10. Click Save.
11. Optional: To edit the name of a directory server, return to this window and click the server link.

What to do next

Complete the task Specifying a mail routing server.

Specifying a mail routing server

IBM SmartCloud Notes servers and on-premises IBM Domino servers route mail to each other. Provide the name of one or more Domino servers to use as the on-premises mail routing server. You can use the same servers to perform mail routing and directory synchronization or use separate servers for each function. Although only one server is required, for high availability designate two servers. Both the primary and the secondary mail servers must be in the same domain.

About this task

To provide failover, set up two mail hub servers in the on-premises hub domain. The service attempts to route to the primary mail hub server first, which is the server with the name that comes first in alpha-numeric order. For example, if the two server names are MailA/Renovations and MailB/Renovations, the primary server is MailA/Renovations. If the two servers are Mail1/Renovations and Mail2/Renovations, the primary server is Mail1/Renovations. If the service is unable to route to the primary mail hub server due to network or server unavailability, it attempts to use the secondary server. When the primary mail hub server becomes available, the service begins using it again after a period of time. The service may use both servers simultaneously for brief intervals.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes and then click Account Settings.
4. From the navigation pane, click Mail Routing Server.
5. In the field Primary Domino mail server name, specify the name of your on-premises Domino mail server, such as Mail1/Renovations.

6. Optional: In the field Optional Secondary Domino mail server name, provide the name of a second mail server, such as Mail2/Renovations.
7. In the field Domino domain name, specify the name of the on-premises Domino domain. Remember, both the primary and the secondary mail servers must be in the same domain.
8. Click Save.

What to do next

Complete the task Creating a base name for your mail server.

Creating a base name for your mail servers

IBM SmartCloud Notes server names are created with a name that you provide as a base name, and are then numbered sequentially. For example, if your base name is Mail, and your organizational unit (OU) certifier is SCN/Renovations, then your SmartCloud Notes server names are Mail1/SCN/Renovations, Mail2/SCN/Renovations, and so on.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes and then click Account Settings.
4. From the navigation pane, click Mail Server Base Name.
5. Enter a base name for your mail servers.
6. Click Save.

What to do next

Complete the task Specifying a passthru server.

Specifying one or more passthru servers

All connections from the service to on-premises servers are directed through an IBM Domino passthru server. For high availability, set up at least two passthru servers for failover to prevent mail routing delays if a server is unavailable.

Before you begin

Make sure that you have installed and set up one or more passthru servers by following the steps in the topic Preparing the passthru server domain.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes and then click Account Settings.
4. From the navigation pane, click Passthru Server.
5. In the Primary passthru server name field, specify the passthru server, such as PassthruMain/Renovations.
6. In the Internet host name or IP address field, specify the Internet host name, such as pthru1.renovations.com. Specify a host name rather than an IP address, if possible. Then if the IP address changes, you do not need to reconfigure this setting.
7. In the Domino domain name field, specify the name of the Domino domain, such as RenovationsFirewall.
8. Optional: In the Optional secondary passthru server name field, provide the name of a server to use in the case of failover.
9. Optional: Provide the Internet host name or IP address for the secondary server.
10. Click Save.

What to do next

Complete the task Providing a certifier ID.

Providing a certifier ID file

As a part of preparing your on-premises environment for a hybrid deployment, you create an IBM Domino organizational unit (OU) certifier for your IBM SmartCloud Notes servers. In this task, you provide an OU certifier ID file and password when you set up the hybrid environment.

Before you begin

Make sure that you have created a unique first-level organization unit (OU) certifier using the steps in Creating a certifier for your mail servers. Before you upload an ID file, make sure that you have selected the correct file. After you upload the ID file, you cannot switch to an ID with a different certifier name. Make sure that you have read the topic Certifier requirements in a hybrid environment.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes and then click Account Settings.
4. From the navigation pane, click Certifier ID File.
5. Browse to the certifier ID file you created for your hybrid environment.
6. If this file has a password, type the password in the Certifier password field.
7. Click Upload.

What to do next

Complete the task Using the Pre-configuration Test tool to check your environment.
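The checklist and the account-settings topics above state several rules that are easy to get wrong when filling in the worksheet: relative directory paths, the EDC provisioning option, which mail hub the service treats as primary, host names instead of IP addresses, and failover pairs. The following Python check is an added example, not part of the IBM documentation or tooling; the worksheet key names, the issue codes, and the case-insensitive reading of "alpha-numeric order" are assumptions, and the sample values are constructed from the page's examples.

```python
import ipaddress
import re

# Constructed worksheet. Key names are hypothetical; values follow the page's
# examples, with deliberate mistakes added (marked) so the checks have work to do.
SAMPLE = {
    "directories": [
        {"server": "Dirhub/Renovations", "path": "dir\\names.nsf",
         "edc": False, "no_provisioning": False},
        # Constructed mistakes: absolute path, EDC still usable for provisioning.
        {"server": "Dirhub/Renovations", "path": "C:\\domino\\data\\dir\\edc.nsf",
         "edc": True, "no_provisioning": False},
    ],
    # Constructed mistake: the intended primary does not sort first.
    "mail_hubs": {"primary": "MailB/Renovations", "secondary": "MailA/Renovations"},
    # Constructed mistakes: IP literal (documentation address), no secondary.
    "passthru": [{"server": "Passthru/Renovations", "host": "192.0.2.10"}],
    "base_name": "Mail",
    "ou_certifier": "SCN/Renovations",
}

HIERARCHICAL = re.compile(r"^[^/]+(/[^/]+)+$")


def is_hierarchical(name):
    """True for names of the form Server/Org or Server/OU/Org."""
    return bool(HIERARCHICAL.match(name.strip()))


def is_relative_path(path):
    """Paths must be relative to the Domino data directory (dir\\names.nsf)."""
    return not (path.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", path))


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def effective_primary(names):
    """The service routes first to the name that sorts first.
    Assumption: the comparison is a case-insensitive string comparison."""
    return min(names, key=str.casefold)


def service_server_names(base, ou_certifier, count):
    """Base name + sequence number + OU certifier, e.g. Mail1/SCN/Renovations."""
    return [f"{base}{n}/{ou_certifier}" for n in range(1, count + 1)]


def check_worksheet(ws):
    """Return a list of (severity, code, detail) tuples; empty means no findings."""
    issues = []
    for d in ws["directories"]:
        if not is_hierarchical(d["server"]):
            issues.append(("error", "name-not-hierarchical", d["server"]))
        if not is_relative_path(d["path"]):
            issues.append(("error", "path-not-relative", d["path"]))
        if d["edc"] and not d["no_provisioning"]:
            issues.append(("error", "edc-provisioning", d["path"]))

    hubs = ws["mail_hubs"]
    names = [n for n in (hubs.get("primary"), hubs.get("secondary")) if n]
    for n in names:
        if not is_hierarchical(n):
            issues.append(("error", "name-not-hierarchical", n))
    if len(names) < 2:
        issues.append(("warn", "no-mailhub-failover", names[0] if names else ""))
    elif effective_primary(names) != hubs["primary"]:
        # The field labelled "primary" does not decide routing order.
        issues.append(("warn", "primary-order", effective_primary(names)))

    for p in ws["passthru"]:
        if not is_hierarchical(p["server"]):
            issues.append(("error", "name-not-hierarchical", p["server"]))
        if is_ip_literal(p["host"]):
            issues.append(("warn", "ip-not-hostname", p["host"]))
    if len(ws["passthru"]) < 2:
        issues.append(("warn", "no-passthru-failover", ""))
    return issues


if __name__ == "__main__":
    for severity, code, detail in check_worksheet(SAMPLE):
        print(f"{severity:5} {code:22} {detail}")
    print("service mail servers:",
          service_server_names(SAMPLE["base_name"], SAMPLE["ou_certifier"], 2))
```

The `primary-order` finding is the one most likely to surprise: entering MailB/Renovations in the primary field does not make it the first routing target, because the service picks the name that sorts first.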

Using the Pre-configuration Test tool to check your environment

After you prepare your on-premises environment but before you run the Domain Configuration tool to configure it to connect to the IBM SmartCloud Notes service, download and run the SmartCloud Notes Hybrid Pre-configuration tool. This tool runs a series of tests to determine if the servers in your environment are set up correctly. The tool provides a report that identifies any issues that might prevent communication between your environment and the service. The tool does not change your configuration.

Before you begin

To perform this task you must have Administrator access and Full Remote Console access to the servers you are testing. The thoroughness of this test depends on the completeness of the information you provide. However, if you do not know the answer, you can leave fields blank. Do not use a virtual private network (VPN) connection. This tool performs firewall tests, so you must run it from an IBM Notes client computer inside your firewall.

About this task

When you download this tool, it contains the information that you have entered in your Hybrid Account Setup up to this point. For instance, it might list your mail hubs, but not your passthru servers, if you have not yet entered that information. You can update the information using the IBM Notes client. However, if you update the information this way, the information is used only when you run the test; it is not passed back to the SmartCloud Notes servers. You will have to return to the Hybrid Account Setup to enter the information there as well. Alternatively, you can update the information in the Hybrid Account Setup and then download a fresh copy of the tool that includes all of the updated information.

The more information you provide, the more complete your test results are. However, you can leave a field blank if you do not know the correct information. Run the tool as many times as needed, resolving issues identified before running it again.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes and then click Account Settings.
4. From the navigation pane, click Pre-configuration Test Tool.
5. Click Download to download the file.
6. Agree to the terms and conditions for the pre-configuration test application, and then click Continue.
7. Follow the steps in the resulting screen to download the file liveservercheck.nsf and save it in your local Notes data directory.
8. From the Notes client, open the tool by clicking File > Open > IBM Notes Application, and then selecting liveservercheck.nsf.
9. Follow the on-screen instructions that the tool displays, including checking the information displayed there.
10. Click Run Test.

11. Review the report and address any on-premises issues reported by the tool.
12. Optional: If you change your environment, rerun the test.
13. Optional: Make any necessary changes to the information in the tool, and then click Run Test.

What to do next

After you are satisfied that your environment is prepared, complete the task Reviewing your setup and enabling your account.

Reviewing your setup and enabling your account

Before you can download and run the Domain Configuration tool, all of the required hybrid account setup information must be complete. When you check the status of the information you provided, any incomplete items are identified.

Before you begin

Complete these tasks in any order.
- Specifying the Domino directory server
- Specifying a mail routing server
- Creating a base name for your mail server
- Specifying a passthru server
- Providing a certifier ID

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes and then click Account Settings.
4. In the navigation pane, click Account Setup.
5. For any items that have not been configured, click the corresponding task in the navigation pane, and provide the information that is requested.
6. When the status of all items shows successful completion, click Enable my account.

What to do next

Complete the task Downloading and running the Domain Configuration tool.

Downloading and running the Domain Configuration tool

The Domain Configuration tool configures your on-premises servers to connect to your hosted IBM SmartCloud Notes servers. The server configuration information that you provide in the Account Settings of SmartCloud Notes Administration is the data that is used to configure the connections.

Before you begin

Before you can download and run the Domain Configuration tool for the first time, all of the required Account Settings information must be complete. To confirm that all of the required information is available, complete the task Checking the status of your hybrid account setup. If any information is incomplete, provide the missing information.

The IBM Notes client from which the tool is run must be able to connect to the passthru servers in the passthru domain. The client must also be able to connect to the directory synchronization and mail hub servers in the on-premises hub domain. Firewall rules at your company might prevent connections from systems inside the firewall to the passthru servers. In this case, use a Notes client running on a system connected outside the firewall. Allow a direct connection to the passthru servers, and through them, connect to the servers in the on-premises hub domain.

If you are configuring the service for the first time, to make sure your on-premises environment is prepared, complete the task Using the pre-configuration tool to check your environment.

About this task

You run the Domain Configuration tool when you first configure the service to interoperate with your on-premises environment. You also run the tool after the initial configuration. Run the tool again if you change a server configuration in Account Settings or if you correct a configuration problem in your on-premises environment.

If you are performing the initial service configuration, the Domain Configuration tool includes pre-configuration options you can use to test your on-premises environment before you actually configure it. No changes are made to your environment as a result of these tests.
- Pre-configuration Test - Runs the same series of pre-configuration tests as the SmartCloud Notes Hybrid Pre-configuration tool (liveservercheck.nsf). If you did not complete the task Using the pre-configuration tool to check the status of your hybrid account setup, you can run those tests now. The tool then provides a report that identifies configuration issues that you can address before configuration.
- Pre-configuration Report - Simulates the configuration, and provides a report of the configuration changes that would be made to your environment during the actual configuration process.

After you run the Domain Configuration tool, a detailed report lists the changes that were made to your on-premises server configuration. Typical changes include:
- Allowing SmartCloud Notes servers sufficient access to your Domino directories to perform directory synchronization
- Creating connection documents to support server passthrough and mail routing to SmartCloud Notes servers
- Modifying server configuration documents to allow passthrough access to these servers
- Setting a server environment variable

Note: Do not edit the directory content added by the tool. For example, do not edit changes to the ACL or to Connection documents. Doing so prevents proper operation of the service. Refer to the report generated by the tool to see the exact directory changes the tool makes.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes and then click Account Settings.
4. In the navigation pane, click Domain Configuration Tool.
5. Follow the steps in the window that opens to download the file liveserverconfig.nsf, and save it in your local Notes data directory. If you are trying to overwrite a previously downloaded copy, and you get the error message File is in use from your browser, it means that the IBM Notes client has the old copy of liveserverconfig.nsf open. If that does not seem to be the case, close Notes or use a different filename.
6. From the Notes client using an ID that has Manager access to your Domino directory, click File > Open > IBM Notes Application, and then select the liveserverconfig.nsf file.
7. Optional: Select Pre-configuration Test to run a series of pre-configuration tests based on information provided in the Hybrid Account Settings.
   a. Make any changes to your configuration environment, based on information in the report.
   b. To correct any account settings information, return to the SmartCloud Notes Administration windows where you first entered the hybrid account setup information, and make the corrections.
   c. Repeat steps 4 and 5 to download a new copy of liveserverconfig.nsf.
8. Optional: Select Run a Pre-configuration Report to simulate the configuration that will occur. No changes are made to your environment.
9. If all of the information is correct, select Configure Servers, and then click Begin.
10. Review the resulting detailed report so that you know the changes that the tool made to your on-premises server configuration. Optionally, print the report for reference later.
    Note: If you failed to save the original report, the file liveserverconfig.log in your Notes data directory contains the same information. This log file is in English only. Running the tool again does not produce an identical report because the report lists the changes that were made when the tool runs. During a second run no changes are made.
11. Allow time for the Domino directory changes to replicate to other servers in your environment.

What to do next

If you must run the tool again to make sure that your setup is still correct, perform steps 1-5 to get a new copy of liveserverconfig.nsf. When troubleshooting any communication issues with the service, running the tool is a good way to check whether anything has been changed, and whether you must return to the previous settings.

When you are satisfied that your environment is set up correctly after the initial service configuration, complete the task Verifying Internet domain names in a hybrid environment.

Verifying Internet domains

Internet domain name verification is a standard industry practice among domain hosting services to confirm domain name ownership and to prevent abuse of user accounts. You need to verify only the domain names that correspond to Internet addresses of users that you are provisioning.

Before you begin

Complete the tasks Downloading and running the Domain Configuration tool and Preparing Global Domain documents. Also make sure that directory synchronization has completed to replicate the Global Domain documents to the service.

About this task

There are different methods to verify domain names. The service uses a CNAME record for this purpose by requiring you to create a CNAME record to prove ownership. Your domain hosting service should provide instructions for creating a CNAME record; however, if they do not, contact them directly.

A CNAME record is an entry in the Domain Name System that is used to define a host name alias for an Internet domain. To prove ownership of a domain, you sign in to your domain hosting service and use the DNS Management settings to create a temporary CNAME record for the domain. Then the service uses the alias in the CNAME record to query your domain. A successful query proves that you were able to create the CNAME record and therefore that you own the domain.

If you do not have the authority to create a CNAME record for your domain, extra time may be required to contact your domain hosting service and have them create the record for you.

Verifying a root domain also verifies any subdomains of it that are listed. For example, verifying renovations.com verifies west.renovations.com if listed in the Internet Domain Verification window. After you verify a root domain, no other company can use it or any subdomain of it.

You can perform this procedure even if you are in the process of switching domain hosting services.

The list of Internet domain names that populate the Internet Domain Verification window is derived from your on-premises Global Domain documents. These documents replicate during directory synchronization of your on-premises server with the service servers. If the list is incomplete or includes unwanted Internet domains, edit your Global Domain documents on premises to include the correct domain name information. After directory synchronization has completed, return to this window and verify that the correct domain names are listed.

Procedure

1. Log on to using the address and password of a user with the Administrator role.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes and then click Account Settings.
4. In the navigation pane, click Internet Domain Verification.
5. In the Internet Domain Verification window, click Verify Ownership next to the domain to verify.
6. Sign in to your domain hosting service and use the DNS management settings to create a new CNAME record. Use the information that is shown in the Internet Domain Verification window to create the CNAME record.
   - Put the unique key that is shown into the first field of the CNAME record. The name of this field varies by vendor, but it is sometimes named prefix or alias.
   - Put collabserv.com into the second field of the CNAME record. This field is sometimes named destination or target host.
7. After you create the CNAME record, click Begin Verification to begin verification of the domain. The unique key continues to be shown in the Internet Domain Verification window until verification completes successfully.

Results

To verify domain ownership, the service uses the alias in the CNAME record to query your domain. For example, if the CNAME key is domino-1jkkiaojd-rules and your domain name is renovations.com, the service queries domino-1jkkiaojd-rules.renovations.com.

If verification is not successful, check that the unique key shown exactly matches the one added to the CNAME record. If the values are different, do not restart verification. Rather, update the CNAME record with the correct key and simply wait again for verification to complete.

Domain verification can take up to 48 hours, although usually it takes much less time. If after 48 hours domain verification has not completed, click Restart Verification. Restarting verification generates a new unique key and you must then replace the old key with the new key in the CNAME record. Only restart verification if 48 hours have passed since you clicked Begin Verification.

After a domain is verified, you can remove the CNAME record you created.

What to do next

Perform the task Activating your account on page 99.

Related tasks:
- Downloading and running the Domain Configuration tool on page 94: The Domain Configuration tool configures your on-premises servers to connect to your hosted IBM SmartCloud Notes servers. The server configuration information that you provide in the Account Settings of SmartCloud Notes Administration is the data that is used to configure the connections.
- Preparing Global Domain documents on page 49: Prepare at least one Global Domain document to define the Internet domains that your company owns.
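The CNAME checks described under Verifying Internet domains can be run against your own DNS answers before you click Begin Verification. The following is an added example, not part of the IBM documentation: the function names are hypothetical, the input is assumed to be text in the format printed by `dig +noall +answer`, and the sample answer line is constructed from the key and domain used in the example above.

```python
"""Pre-flight check of the ownership CNAME record (added example)."""

# Value the procedure says to put in the second field of the CNAME record.
EXPECTED_TARGET = "collabserv.com"


def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_answers(text):
    """Turn `dig +noall +answer` style lines into {owner: target} for CNAMEs."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        # Expected layout: owner TTL class type rdata
        if (len(fields) == 5 and fields[2].upper() == "IN"
                and fields[3].upper() == "CNAME"):
            records[norm(fields[0])] = norm(fields[4])
    return records


def check_ownership_record(key, domain, records):
    """Classify the published records against the key shown in the window.

    Returns (status, detail) where status is one of:
      ok             the queried name exists and points at the expected target
      wrong-target   the queried name exists but points somewhere else
      doubled-domain the DNS editor appended the domain to an already
                     fully qualified alias (key.domain.domain)
      key-mismatch   a record points at the expected target under a different
                     key; fix the record, do not restart verification
      missing        nothing relevant is published yet
    """
    key, domain = norm(key), norm(domain)
    wanted = f"{key}.{domain}"  # the name the service queries
    if wanted in records:
        if records[wanted] == EXPECTED_TARGET:
            return "ok", wanted
        return "wrong-target", records[wanted]
    doubled = f"{wanted}.{domain}"
    if doubled in records:
        return "doubled-domain", doubled
    for owner, target in records.items():
        if owner.endswith("." + domain) and target == EXPECTED_TARGET:
            return "key-mismatch", owner
    return "missing", wanted


# Constructed sample answer for the key and domain used in the text.
SAMPLE_ANSWER = (
    "domino-1jkkiaojd-rules.renovations.com. 3600 IN CNAME collabserv.com.\n"
)

if __name__ == "__main__":
    print(check_ownership_record("domino-1jkkiaojd-rules", "renovations.com",
                                 parse_answers(SAMPLE_ANSWER)))
```

A `key-mismatch` or `doubled-domain` result corresponds to the case where the record should be corrected and verification left running, rather than restarted with a new key.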

Activating your account

After you have set up and configured your on-premises environment by downloading and running the Domain Configuration tool, you must activate your account. When your account is activated, your on-premises servers can connect to the IBM SmartCloud Notes servers, and the SmartCloud Notes servers can connect to your on-premises servers.

Before you begin

Ensure that you have completed the task Verifying Internet domain names.

Procedure

1. Log on to using the address and password of a user with the Administrator role.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes and then click Account Settings.
4. Click Activate My Account.

What to do next

Make sure that the servers in the service can connect to your on-premises servers by completing the task Checking network connections from the service to on-premises servers.

Running configuration tests

After you run the Domain Configuration tool, verify that servers in the service can connect to your on-premises servers.

Before you begin

Make sure that you have completed Downloading and running the Domain Configuration tool and Activating your account.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes and then click Account Settings.
4. In the navigation pane, click Configuration Test, and then click Run Tests.
5. Correct any problems that are reported and click Run Tests again.

What to do next

If your network connections are not working:
- Make sure that the information that you provided in the Account Settings is correct, and that there are no typographical errors.
- Make sure that you completed all of the preparation tasks in the section Preparing your environment for a hybrid deployment.
- Make sure that all of your on-premises servers are running.

Completing the configuration

After you have completed the account setup for your organization, perform the tasks in this section to complete the configuration.

Checking network connections from on-premises servers to the service

After you run the Domain Configuration tool, check that your on-premises servers are reaching the IBM SmartCloud Notes servers by using the trace command.

Before you begin

Make sure that you have completed these tasks:
- Downloading and running the Domain Configuration tool
- Checking network connections from the service to on-premises servers

About this task

To determine the name of your SmartCloud Notes servers, use the format basename1/ou/o, using the base name you provided when you completed the account settings. Remember that if you used Mail (the default) as the base name, then your mail servers are named Mail1, Mail2, and so on.

When you run this trace, you get an authentication error, which is an expected error. Review the lines that follow the error to determine if the connection was successful.

Procedure

1. From an on-premises primary mail hub server, type the following command into the Domino server console, based on the mail base name, your organizational unit, and organization name:

       trace basename1/ou/o

   For example:

       trace Mail1/scn/renov

2. Review the results of the trace command to make sure that they include the confirmation Connected to server basename1/ou/o.

Results

The following sample output shows a successful trace.

    > trace Mail1/scn/renov
    Determining path to server MAIL1/SCN/RENOV
    Available Ports: TCP
    Checking normal priority connection documents only...
    Allowing wild card connection documents...
    Local network connection document found for */scn/renov
    Verifying address for LMAIL1/SCN/RENOV on TCP
    Connected to server MAIL1/SCN/RENOV
    Connecting to MAIL1/SCN/RENOV over TCP
    Using address for MAIL1/SCN/RENOV on TCP
    Error connecting to server MAIL1/SCN/RENOV: Server error: You are not authorized to use the server
    Connected to server MAIL1/SCN/RENOV
    Attempting Authenticated Connection
    Compression is Disabled
    Encryption is Enabled

In the sample output, the error received when attempting to connect to MAIL1/SCN/RENOV is the expected response because SmartCloud Notes servers do not allow unauthenticated connections. However, these lines show that the subsequent authenticated connection was successful and indicate that the on-premises servers are successfully communicating with SmartCloud Notes:

    Connected to server MAIL1/SCN/RENOV
    Attempting Authenticated Connection
    Compression is Disabled
    Encryption is Enabled

Issuing a Vault Trust Certificate

You must issue a Vault Trust Certificate from a parent certifier of service users' Notes ID files to the certifier of the service ID vault. This step is a prerequisite for user provisioning.

Before you begin

After you have configured your company account settings, wait for directory synchronization to replicate the service ID vault document to your on-premises directory. You can confirm that replication has completed in SmartCloud Notes Administration. Click Account Settings, and then click Directory Sync Server. Under Sync Status, the status should be OK.

Make sure you have a local copy of the certifier ID file of the parent certifier that you will use to create the Vault Trust Certificate. For example, to issue a Vault Trust Certificate that applies to the user Samantha Daryn/Renovations, make sure you have a local copy of the certifier ID file for the /Renovations certifier.

About this task

If users are certified under an organizational unit (OU) certifier, you can use either the OU certifier or the top-level certifier to issue the Vault Trust Certificate. For example, if users are certified under the OU /North/Renovations, issue a Vault Trust Certificate from either /North/Renovations or /Renovations.

If your service users are certified under different top-level organization certifiers, you must issue a Vault Trust Certificate for each organization. For example, if some service users are certified under the organization /Renovations and others are certified under the organization certifier /ZetaBank, issue a Vault Trust Certificate from both organizations.

The Vault Trust Certificate certifies that the parent certifier of Notes user ID files trusts the service ID vault to store the ID files. ID files must be in the vault for administrators to reset the ID passwords for Notes client users. ID files must also be in the vault for web client users and mobile client users to be able to sign, encrypt, and decrypt messages.

Although all user IDs under the parent certifier that issues the Vault Trust Certificate are authorized for storage in the service ID vault, only the IDs of service users can be uploaded to the vault.

For more information about Vault Trust Certificates, see the information about ID vault trust in the IBM Domino documentation.

Perform the following steps to issue a Vault Trust Certificate.

Procedure

1. Log on to a Domino Administrator client that you use for on-premises Domino server administration.
2. Open an on-premises hub server that you use for directory synchronization.
3. Click the Configuration tab and then click Security > ID Vaults.
   Note: If you do not see the ID Vaults view, you must upgrade the Domino directory on the server to the template version for fix pack 2 or later.
4. Select the ID Vault document for the service ID vault. The format of the document name is /IDVault_customernumber, for example /IDVault_
5. Click Tools > ID Vaults > Manage. If a window that describes the ID vault is shown, click Next.
6. Select the task Add or remove organizations that trust the vault and then click Next.
7. Click Add or Remove.
8. Under Available organizations, select a certifier of your service users.
9. Click Add to add the certifier to Organizations that trust the ID vault, and click OK. The certifier is now shown under Organizations.
10. Click Next and click Configure to confirm the change.
11. At the Choose a Certifier prompt, browse for and select the certifier ID file of the certifier, for example cert.id, and click OK.
12. Provide the certifier password and click OK.
13. In the You have successfully completed the management of the Notes ID vault window, click Done.
14. From the Configuration tab, click Security > Certificates > Certificates. Expand Vault Trust Certificates and verify that there is a Vault Trust Certificate issued by the parent certifier to the ID vault.
    Note: The Vault Trust Certificate is created on the administration server for the directory. If you issued the certificate on a server that is not the administration server, the certificate will be visible on that server after it replicates from the administration server.

Results

The Vault Trust Certificate replicates to the service during directory synchronization.

Related information:
- Domino documentation
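Returning to the trace check under Checking network connections from on-premises servers to the service: the rule given there (ignore the expected authorization error, then confirm the authenticated connection that follows it) can be applied to saved console output automatically. This is an added example, not part of the IBM documentation; the function name and verdict strings are hypothetical, the first sample is the output shown in that section, and the failing variants are constructed from it.

```python
"""Evaluate saved `trace` console output (added example)."""
import re

STATE = re.compile(r"^(Compression|Encryption) is (Enabled|Disabled)$", re.I)

# Sample output from the section on checking connections to the service.
PAGE_SAMPLE = """\
> trace Mail1/scn/renov
Determining path to server MAIL1/SCN/RENOV
Available Ports: TCP
Checking normal priority connection documents only...
Allowing wild card connection documents...
Local network connection document found for */scn/renov
Verifying address for LMAIL1/SCN/RENOV on TCP
Connected to server MAIL1/SCN/RENOV
Connecting to MAIL1/SCN/RENOV over TCP
Using address for MAIL1/SCN/RENOV on TCP
Error connecting to server MAIL1/SCN/RENOV: Server error: You are not authorized to use the server
Connected to server MAIL1/SCN/RENOV
Attempting Authenticated Connection
Compression is Disabled
Encryption is Enabled
"""

# Constructed variants: output that stops at the error, and a session
# that reports encryption as disabled.
STOPS_AT_ERROR = "\n".join(PAGE_SAMPLE.splitlines()[:11])
NO_ENCRYPTION = PAGE_SAMPLE.replace("Encryption is Enabled",
                                    "Encryption is Disabled")


def evaluate_trace(output, server):
    """Return a dict describing what the trace output shows for `server`."""
    name = server.upper()
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    result = {"expected_auth_error": False, "authenticated": False,
              "compression": None, "encryption": None,
              "verdict": "no-connection"}

    # The unauthenticated attempt is rejected by design; remember where,
    # because only the lines after it decide the outcome.
    start = 0
    for i, ln in enumerate(lines):
        up = ln.upper()
        if (up.startswith("ERROR CONNECTING TO SERVER " + name)
                and "NOT AUTHORIZED" in up):
            result["expected_auth_error"] = True
            start = i + 1

    # Success is "Connected to server <name>" directly followed by the
    # authenticated attempt, then the session's compression/encryption state.
    for i in range(start, len(lines) - 1):
        if (lines[i].upper() == "CONNECTED TO SERVER " + name
                and lines[i + 1].upper() == "ATTEMPTING AUTHENTICATED CONNECTION"):
            result["authenticated"] = True
            for ln in lines[i + 2:]:
                m = STATE.match(ln)
                if m:
                    result[m.group(1).lower()] = m.group(2).lower() == "enabled"
            break

    if result["authenticated"]:
        result["verdict"] = "ok" if result["encryption"] else "unencrypted"
    elif any(ln.upper().startswith("ERROR") for ln in lines):
        result["verdict"] = "failed"
    return result


if __name__ == "__main__":
    for label, text in (("page sample", PAGE_SAMPLE),
                        ("stops at error", STOPS_AT_ERROR),
                        ("no encryption", NO_ENCRYPTION)):
        print(label, evaluate_trace(text, "Mail1/scn/renov")["verdict"])
```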

Chapter 5. Customizing service settings

After you configure the service to integrate with your on-premises environment, optionally customize service settings to suit your needs.

About this task

You can customize settings before or after you onboard users.

Enabling the accessible experience for the web client

You can submit a request to enable the accessible experience for the web client for everyone in your organization. Mail, Calendar, Contacts, and Preferences features provided with this experience are all accessible.

About this task

Accessibility features help users who have a disability, such as restricted mobility or limited vision, to use information technology products successfully.

Another accessible experience for the web client is the desktop ultra-light mode. For more information on this mode, see the topic about web client accessibility features in the user documentation.

Both accessible experiences are supported on a computer using Mozilla Firefox 24+ ESR or higher.

See the IBM Human Ability and Accessibility Center for more information about the commitment that IBM has to accessibility.

Procedure

To enable the accessible experience for the web client for all users in your organization, contact Support.

Related information:
- Web client accessibility features
- Support

Setting up administration notifications

Set up the service to send notifications that report when specific types of errors occur in the service.

About this task

Currently, directory synchronization errors are the types of errors that are reported.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Account Settings.
5. Click Notifications.
6. In the Send administrator notifications to these addresses box, type each address to send notifications to. Specify any Internet-formatted address, either internal or external to the service. For example, type
7. Optional: To send a test notification to each new or changed address, select Send test notification to newly added addresses.
8. Select the language to use in the notifications.
9. In the Reminder interval field, specify how frequently to resend notifications that are related to the same error. Acceptable values are 1-7 days.
10. Click Save.

Results

If a directory synchronization error occurs in the service, an email that is formatted as follows is sent:

    Sender: SmartCloud
    Subject: message summary[scn-dirsyncnotify]
    Body: message details

The body of the email provides a link to a page in SmartCloud Notes Administration Account Settings that provides more information about the error.

Note: If you select the Send test notification to newly added addresses, a test email with the subject New administration address added [SCN-admintest] is sent to each new or changed address. If an expected test notification is not received, verify that the address is specified correctly. No error message is shown if the email cannot be delivered.

Restricting access to groups

Add a Readers list to a group to restrict access to it. For example, a Readers list comes in handy if you have a large mailing group that you want to allow only a few users to send mail to.

About this task

1. Right-click the group in the directory and then click Document Properties.
2. Click the Security tab (fourth tab).
3. In the Who can read this document field, clear the All readers and above box.
4. Add the names that you want to allow access to the group.
5. Add the following groups to the access list:
   - (Required) SaaSLocalDomainServers. Granting access to this group allows the group to replicate to replicas of the directory in the service.
   - (Recommended) LocalDomainServers
   - (Recommended) LocalDomainAdmins

6. Make a minor edit to the group. This step ensures that the change to the group replicates to the service.

Using administrative policies

If you use administrative policies on premises, you can apply many of those same policy settings to service users as well. Administrative policies enable all users to have the same working experience.

There are two types of policies, organizational and explicit. An organizational policy automatically assigns settings to all people within an organization or organizational unit. You cannot use this type of policy for service users because an organizational policy with a few pre-defined settings is already used within the service.

To assign policies to service users, use an explicit policy. In this type of policy, you use the Policy Assignment field to assign users to the policy. If you use an organizational policy on premises and want to apply the settings to users in the service, create an explicit policy that mirrors the on-premises organizational policy.

For example, the fictitious Renovations Corporation has an organizational policy on-premises that applies to anyone in the Renovations organization. Because it is an organizational policy, anyone whose hierarchical name includes */Renovations, such as Samantha Daryn/Renovations, is assigned this policy. The Renovations organizational policy cannot be used for users in the service. Therefore, the administrator creates an explicit policy, named Reno-Explicit, that includes policy settings identical to the settings that are in the on-premises Renovations organizational policy. Next, the administrator adds the name */Renovations as a name in the Policy Assignment field. This way, users who have /Renovations in their name are automatically assigned this policy.

Note: The service does not support assigning policies by specifying the policy name in a user's Person record in the Domino directory. If you are using this kind of policy model, you must switch to a direct assignment in the Policy document itself.

Although most settings in policies are supported in the service, there are a few restrictions. If you plan to use explicit policies for your service users, read about policy settings restrictions before you do.

If you are unfamiliar with administrative policies, see the topics on policies in the Configuring users and servers section of the IBM Domino documentation.

Related information:
- IBM Domino documentation

Creating policies for service users

To ensure that users in the service have the same experience as on-premises users, you can create explicit policies. Any organizational policies that you might be using on premises are not supported.

Before you begin

Read the following topics:
- Using administrative policies

- Policy settings restrictions on page 114

About this task

Use these general steps to create explicit policies that mirror your on-premises policies. If you include policy settings that are pre-defined for all users in the service, or that are not supported, the service ignores the settings.

Important: If you plan to support multiple domains in your organization, use a naming convention that includes the domain name when you create any of your policy documents. Supporting multiple domains essentially means that multiple names.nsf files from different company domains are synced to the service. Therefore, it is critical that all Policy Settings documents and all master Policy documents have unique names.

For more information about creating policies, see the IBM Domino 9 documentation. Refer to the topics on policies in the section on configuring users and servers.

For information about IBM Notes Traveler policy settings, see the topic on creating a Notes Traveler policy settings document in the Notes Traveler documentation.

Procedure

1. Identify the policies that you are currently using in your on-premises policies.
2. Note any settings in the current policy that have restrictions when used in the service.
3. Use the information that you identified in the previous steps to create an explicit policy.
4. To assign the policy, add the names of users or groups from the directory to the Policy Assignment field of the Policy document. Or, type a wildcard entry to represent all names in an organization, for example, */Renovations.
   Note: The service does not support assigning policies by specifying the policy name in a user's Person record in the Domino directory. If you are using this kind of policy model, you must switch to a direct assignment in the Policy document itself.

What to do next

You cannot open a service policy to view the settings. However, to view a detailed summary of the effective policy settings, use the Policy Viewer in the Domino Administrator client. You can view a policy synopsis for a selected user or group.

Related information:
- IBM Domino documentation
- Creating an IBM Notes Traveler policy settings document

Creating an archiving policy settings document

To use policies to set up mail file archiving for IBM Notes clients, you use both Archiving Policy Settings documents and Archive Criteria Settings documents.

Before you begin

Create an explicit policy to use with the service. For more information, see the topics Using administrative policies on page 105 and Creating policies for service users on page 105.

Make sure that you have at least Editor access to the Domino Directory and one of these roles:
- PolicyCreator role to create a settings document
- PolicyModifier role to modify a settings document

About this task

In the cloud, mail archiving is always run on the Notes client. The source mail file to archive must be a local mail replica or managed mail replica on the client. The destination archive database can be created on the client or on an on-premises server. Users cannot create archives on the cloud servers.

When Archive Settings are configured, Notes users can select File > Application > Archive to archive local replicas of their mail files. If you do not configure Archive Settings, users can still click Archive Settings in the application properties box to archive a mail file.

The information provided here applies only to Notes clients. Archive Settings do not apply to web client users.

Note the following additional information:
- This procedure applies to archiving mail that is in the cloud. To preserve an archive of an on-premises mail file, you must archive the contents before the user moves to cloud mail. Users in the cloud cannot create local archives of on-premises mail files. As a best practice, remove on-premises mail files after users move to the cloud.
- Archiving policy settings do not apply to non-mail databases.

Procedure

1. Open the explicit policy that you created in the Domino Directory.
2. In the Setting Type section, next to Archiving, click New.
3. On the Basics tab, complete these fields:
   - Name. Enter a name that identifies the users or the settings themselves.
   - Description. Enter a description of the settings.
4. Optional: Under Archiving Options, choose one of the following options if you want to prohibit archiving. The default is to allow both.
   - Prohibit archiving. Use this option to prohibit all archiving. The Allow Calendar Cleanup check box displays. It is selected by default but you can deselect if you choose to prevent users from performing calendar cleanup functions. Save the document.
   - Prohibit private archiving criteria. Use this option to prohibit users from creating private archive settings or modifying the archive settings that are defined in this settings document.
5. Under Archiving will be performed on, choose User's local workstation. Archiving cannot be performed on a server.
6. Under Archiving source database is on, choose Local. The mail file to be archived must be a local replica or managed mail replica on the client.
7. Under Destination database is on, choose one of the following options:

   - Local. Use this option to create the mail archive database on the user's local client.
   - Specific server. Use this option to create the mail archive database on an on-premises server. Specify the name of the on-premises server. You must give users Create access to this server.
   Do not select Mail server. The destination database cannot be on the cloud mail server.
8. On the Selection Criteria tab, do one or more of the following steps:
   - Click New Criteria to create a new Archive Criteria Settings document. Then, click Add Criteria and select your newly defined criteria document. See the topic Creating an archive criteria settings document on page 110 for instructions on specifying details of the criteria in the new document.
   - Click Add Criteria, and then choose one or more Archive Criteria Settings documents to add to your archiving settings. These settings must comply with the information in the topic Creating an archive criteria settings document.
   - Click Remove Criteria, and then choose one or more Archive Criteria Settings documents to remove from your archiving settings.
9. Click the Logging tab. Under Archive Logging, enable the field Log all archiving activity into a log database to log archiving activity to a log database (the default).
10. Optional: Change any of the following fields if you want to change the location of the log directory and log file name.

Table 26. Fields used to specify the log directory and file name

| Field | Action |
| --- | --- |
| Log Directory | The default is archive. Enter a new name if you want to change it. |
| Log Prefix | The default is the letter l, followed by an underscore (_). Enter a new prefix if you want to change it. |
| Log Suffix | The default is .nsf. Enter any other suffix that you would like to use. |
| Number of characters from original file name | The default is 50. To change the default, enter the number of characters you want to use from the user's mail file name to create the archive log name. |

11. In the field Include document links to archived documents, choose one of the following options:
   - Enable this field to include links to archived documents in the log (default). If you include links, users can open archived documents from within the log database.
   - Disable the field to exclude links to archived documents in the log. If you exclude links, users must open the archive database to view archived documents.
12. On the Schedule tab, for the field Specify a client-based scheduled archive, choose one of the following options:
   - Enable this field to set up a schedule for client-based archiving, and then specify the schedule by completing Step 13.
   - Disable this field and continue to Step 14. No archiving schedule is set for the users; however, users can still set their own archiving schedule.

13. Optional: If you enabled Specify a client-based scheduled archive, complete one or more of these fields.

Table 27. Fields used to define an archive schedule for an end user

| Field | Action |
| --- | --- |
| Allow users to modify schedule | Users modify the default schedule to set their own schedule. |
| Frequency | Choose one: Daily, and then select the days of the week on which to archive; Weekly (default), and then choose the day of the week on which to archive. |
| Run at | Specify the time. The default is 12:00 PM. Note: The Notes client must be running for scheduled archiving to occur. |
| Every week on | When Weekly is set, specify the day. The default is Tuesday. |

14. Also on the Schedule tab, under Location, specify the Locations from which to archive.
   - Any Location -- to archive from any Location.
   - Specific Location -- and then specify one or more Locations.
15. On the Advanced tab, complete these fields:

Table 28. Advanced tab fields

| Field | Action |
| --- | --- |
| Delete a document only when the criteria can delete all responses as well | Do one of these: Enable (default) to ensure that a document is deleted only when the document's response documents meet archiving criteria and can also be deleted. Use this option to prevent orphaned documents in hierarchical views. Disable the field to delete documents without prior checking of response documents. Note: This setting does not apply to Calendaring and Scheduling documents which are always enabled to prevent accidental "orphaning." |

Table 28. Advanced tab fields (continued)

| Field | Action |
| --- | --- |
| Maximum document retention selection is: | Specify, for all users to whom the policy applies, the number of days, months, or years that comprise the maximum retention period for deleting and archiving documents. If private archiving is enabled, and a maximum retention setting is in effect, users cannot define criteria with a scope that is larger than the maximum retention setting. For example, assume the maximum retention is set to two years. Users can define criteria that select documents created, modified, accessed, or expired up to 24 months. An error is generated if users try to save criteria whose scope is greater than 24 months (two years). |
| Use customer-generated expiration field: | Click to enable administrators to define their own field name for an archive document expiration date. |
| Customer generated expiration field name: | Specify a field name for the expiration date of archived documents. Any archive criteria that selects documents based on expiration date now uses the field name specified here. |

16. Save the document.

Creating an archive criteria settings document

Use an archive criteria settings document to define a set of criteria to be used by an archiving policy settings document when you archive an IBM Notes user's mail documents.

Before you begin

See the task Creating an archiving policy settings document on page 106. This procedure is part of that task.

Make sure that you have at least Editor access to the Domino directory and one of these roles:
- PolicyCreator role to create a settings document
- PolicyModifier role to modify a settings document

Procedure

1. Open the Settings view in the Domino Directory.
2. Select the Archive policy settings document for which you want to create archive criteria settings, and then click Edit Settings.
3. Click the Selection Criteria tab, and then click New Criteria.
4. Provide the following information on the Basics tab.

Table 29. Basics tab fields

| Field | Action |
| --- | --- |
| Name | Enter a name that identifies the archive criteria. When you add criteria to an archive policy settings document, this name appears in the selection box. This name also appears in the user's mail folder outline under Actions > Archive. |
| Description | Enter a description of the criteria. |
| Enable archive criteria | Choose one of the following options: Enable the check box to use this archive criteria. Disable the check box if you are creating archive criteria to use later. |

5. For How should documents be archived? choose one:
   - Copy old documents into archive database; then clean up database. Use this option to archive (copy) documents to the archive database and then clean up (delete or reduce those documents) from the user's mail database.
   - Clean up database without archiving. Use this option to delete documents from the user's mail database without copying them into an archive database. Use this setting to enforce document-retention policies that delete all documents after a specified time.
6. If you chose to copy old documents, for How should documents be cleaned up? choose one:
   - Delete older documents from the database. Use this option to delete copies of archived documents that remain in the user's mail database.
   - Reduce the size of the documents in the database. Use this option to truncate copies of the archived documents that remain in the user's mail database.
7. For Which documents should be cleaned up? specify the criteria that determine which documents are candidates for archiving. Choose one of the following options:
   - Older than. Use this option to specify the date the archive criteria settings document was created as the start date for the document retention period. Documents that are created before this date are eligible for archiving.
   - Not accessed in more than. Use this option to specify documents not opened in the specified time frame. Do not use this option unless the database property Maintain Last Accessed is set. If this property is not set, the criteria does not find any documents to archive. Specify a time period.
   - Not modified in more than. Use this option to specify documents that have not been modified in the specified time frame (default). Then specify a time period. This setting is recommended.
   - With expiration date older than. Use to specify documents that are marked as expired. A document is eligible for archiving if it has an expiration date earlier than the specified date.
8. Do not complete the fields in the Archive By View/Folder section of the document.
9. Optional: Click the Destination tab and change any of these fields.

Table 30. Destination tab fields

| Field | Action |
| --- | --- |
| Archive Directory | The default is archive. Enter a new name if you want to change it. |
| Archive Prefix | The default is the letter a, followed by an underscore (_). Enter a new prefix if you want to change it. |
| Archive suffix | The default is .nsf. Enter a different suffix for the archive database name if you want to use a suffix other than NSF. |
| Number of Characters from original file name | The default is 50. To change the default, enter the number of characters to use from the user's mail file name to create the archive database name. |

Note: Click the link Preview an example to see the result of your choices before you save the archive criteria settings.

10. Save the document.

Policy precedence

When multiple policies apply to a user and there is a setting conflict, precedence rules determine which setting value is applied.

Note: There are some policy settings that are enforced in the cloud that you cannot override with on-premises policy settings. For more information, see the topics on policy settings restrictions.

You can create multiple policies that are assigned to different groups of users. For example, you could have a separate policy for each of the following users:
- All users in an organization, for example, /Renovations.
- All users in an organizational unit, for example, /Boston/Renovations
- All users in a group in the directory, for example, Admin Group Renovations
- Individual users

Note: Use as few policies and settings documents as possible to avoid complexity. In addition, avoid assigning individual users to policies, whenever possible.

When a user is assigned to more than one policy for which a setting conflicts, often you want the setting for the policy with the narrowest assignment scope to take precedence. For example, you might create one policy for your entire organization, /Renovations, that sets the Warning Period for password expiration to 10 days. Then, you might create another policy assigned to /Boston/Renovations that sets a Warning Period of 20 days. You want the /Boston/Renovations policy to take precedence so that a user under /Boston/Renovations has the 20 day warning period.

In traditional on-premises Domino environments, you use the Organizational type policy to assign settings based on organization name hierarchy. In that case, the policy with the most specific scope in the hierarchy takes precedence automatically. For example, /Boston/Renovations automatically takes precedence over /Renovations.

In the cloud, only Explicit policies (sometimes referred to as dynamic policies) are supported. You can use them to create the equivalent of Organizational policies, however. To do so, create an Explicit policy and give it a hierarchical name, for example, /Renovations or /Boston/Renovations. Assign users to it by specifying a wildcard hierarchical name in the Policy Assignment field, for example, */Renovations or */Boston/Renovations.

In the cloud, the hierarchically named policy with the narrowest scope does not automatically have precedence. Instead, it is important to use the Policy Precedence value to specify that order of precedence. To specify precedence, use the Policies > Dynamic Policies view in the directory. The lower the precedence value, the higher the precedence.

For example, assume the policies in the following table, each with a different Warning Period for password expiration specified in Security Settings.

Table 31. Policies with a different password expiration warning period

| Policy name | Policy assignment | Policy precedence | Warning period |
| --- | --- | --- | --- |
| /Renovations Admins Group | Renovations Admin Group | 1 | 5 days |
| /Boston/Renovations | */Boston/Renovations | 2 | 20 days |
| /Renovations | */Renovations | 3 | 10 days |

Someone who is assigned to all three policies has a warning period of 5 days because the /Renovations Admins Group policy has the lowest Policy Precedence value, 1. Someone who is under /Renovations and /Boston/Renovations but is not a member of the Renovations Admins Group has a warning period of 20 days, because the Policy Precedence value 2 is lower than 3.

Inherit and Enforce settings. Each field in a policy settings document has Inherit and Enforce fields that are not selected, by default. These two settings can be used with hierarchically named policies to override policy precedence for specific settings. For example, assume the following policy configuration:

Table 32. Policies with Inherit and Enforce settings

| Policy name | Policy assignment | Policy precedence | Warning period | Required Password quality |
| --- | --- | --- | --- | --- |
| /Renovations Admins Group | Renovations Admin Group | 1 | 5 days | 7 |
| /Boston/Renovations | */Boston/Renovations | 2 | 20 days | 7 (Inherit) |
| /Renovations | */Renovations | 3 | 10 days | 8 (Enforce) |

A user who is assigned to the /Boston/Renovations and /Renovations policies but not the /Renovations Admins Group policy gets a Required Password Quality of 8. The Inherit value (from the Security Settings document for /Boston/Renovations) and the Enforce value (from the Security Settings document for /Renovations) cause the password quality to be derived from the /Renovations policy, even though /Boston/Renovations is listed with precedence. The Warning Period is still determined by the precedence of the /Boston/Renovations policy and so is 20 days.
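The precedence rules of this topic (lowest Policy Precedence value wins, Inherit and Enforce apply only between hierarchically named policies, and a setting marked Don't set value is skipped) can be checked against Tables 31 and 32 with the following added example, which is not IBM code. The class and function names and the user names are constructed for illustration, and the sketch assumes that either flag alone (Inherit on the child or Enforce on the parent) is enough to take the parent's value; the table's example sets both.

```python
from dataclasses import dataclass, field
from typing import Any, Optional


@dataclass
class Setting:
    value: Optional[Any] = None   # None models "Don't set value"
    inherit: bool = False         # take the value from a parent policy
    enforce: bool = False         # push this value down to child policies


@dataclass
class Policy:
    name: str
    assignment: str               # group name, or wildcard such as "*/Renovations"
    precedence: int               # lower value = higher precedence
    settings: dict = field(default_factory=dict)

    @property
    def hierarchical(self) -> bool:
        # Assumption: a wildcard assignment marks a hierarchically named policy.
        return self.assignment.startswith("*/")

    def applies_to(self, user: str, groups: set) -> bool:
        if self.hierarchical:
            # "*/Boston/Renovations" matches "Name/Boston/Renovations".
            return user.endswith(self.assignment[1:])
        return self.assignment in groups


def is_ancestor(parent: Policy, child: Policy) -> bool:
    """True when both policies are in one hierarchy and parent is broader."""
    return (parent.hierarchical and child.hierarchical
            and parent.name != child.name
            and child.name.endswith(parent.name))


def resolve(policies, user, groups, key):
    """Return (effective value, source policy name), or (None, None)."""
    # Only policies assigned to the user that actually set the value compete.
    candidates = sorted(
        (p for p in policies
         if p.applies_to(user, groups)
         and key in p.settings and p.settings[key].value is not None),
        key=lambda p: p.precedence)
    if not candidates:
        return None, None
    winner = candidates[0]
    if winner.hierarchical:
        # Inherit/Enforce are evaluated only within the winner's own hierarchy,
        # nearest parent first.
        parents = sorted((p for p in candidates if is_ancestor(p, winner)),
                         key=lambda p: len(p.name), reverse=True)
        for parent in parents:
            if winner.settings[key].inherit or parent.settings[key].enforce:
                return parent.settings[key].value, parent.name
    return winner.settings[key].value, winner.name


def table_32_policies(admin_quality=7):
    """Policies from Table 32; admin_quality=None models Don't set value."""
    return [
        Policy("/Renovations Admins Group", "Renovations Admin Group", 1,
               {"warning_days": Setting(5),
                "password_quality": Setting(admin_quality)}),
        Policy("/Boston/Renovations", "*/Boston/Renovations", 2,
               {"warning_days": Setting(20),
                "password_quality": Setting(7, inherit=True)}),
        Policy("/Renovations", "*/Renovations", 3,
               {"warning_days": Setting(10),
                "password_quality": Setting(8, enforce=True)}),
    ]


ADMINS = {"Renovations Admin Group"}

if __name__ == "__main__":
    policies = table_32_policies()
    # Constructed users: one admin, one Boston user, one organization-level user.
    for user, groups in [("Ann Lee/Boston/Renovations", ADMINS),
                         ("Ben Ortiz/Boston/Renovations", set()),
                         ("Raj Patel/Renovations", set())]:
        for key in ("warning_days", "password_quality"):
            print(user, key, resolve(policies, user, groups, key))
```

Running the same resolution over an export of your own policy names, assignments and precedence values is a quick way to spot a broad policy that unintentionally outranks a stricter one.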

The Inherit and Enforce values are evaluated only for multiple, hierarchically-named policies within one hierarchy. So, a user who belongs to all three policies gets the Required Password Quality 7 because the /Renovations Admins Group policy has precedence and the Enforce value on the /Renovations policy does not apply.

Don't set value field. Select Don't set value next to a setting to cause it to be ignored during precedence evaluation. This field is used to prevent an unintended default setting from taking precedence over a customized setting in a policy with less precedence. For example, in a Security Settings document, the default Required Password Quality is 8. Assume you want to enforce a higher value for your entire organization. You would set the higher value in the Security Settings document that is associated with a policy assigned to the organization. Then, for Security Settings documents that are associated with all other policies that have higher precedence, select Don't set value for Required Password Quality. Then, the default value, 8, is ignored in those documents. Use Don't set value as a general rule for all settings that you want to derive from a policy with lower precedence.

Related concepts:
Policy settings restrictions
Most policy settings are supported for service users. However, there are a few restrictions to be aware of before you assign service users to an explicit policy.

Policy settings restrictions

Most policy settings are supported for service users. However, there are a few restrictions to be aware of before you assign service users to an explicit policy.

Archiving Settings restrictions

Archive Settings policies are used to set standard archiving behavior for IBM Notes client users.

In the cloud, mail archiving is always run on the Notes client. The source mail file to archive must be a local mail replica or managed mail replica on the client. The destination archive database can be created on the client or on an on-premises server. Users cannot create archives on the cloud servers.

Related tasks:
Creating an archiving policy settings document on page 106
To use policies to set up mail file archiving for IBM Notes clients, you use both Archiving Policy Settings documents and Archive Criteria Settings documents.

Desktop Settings restrictions

Desktop Settings are supported in on-premises policies for service users, but with a few restrictions.

The service enforces the following settings, found on the Mail tab, for all users in the service. The service ignores these settings in an on-premises policy.

Note: For information on using Desktop Settings to enable managed mail replicas, see Using Desktop Settings to configure managed mail replicas.

Table 33. Desktop Settings that apply to all users in the service

| Settings in the Mail tab | Value | Description |
| --- | --- | --- |
| Use local mail.box to send messages (faster) | 1 | The client uses a local outgoing mail box for sending mail from the user interface. The client replicator transfers the sent messages from the local mail box to the mail box on the server. The value indicates how many messages need to be queued in the local mail box before triggering the replicator to transfer them to the server. |
| Enable upgrade of all local NSFs to latest ODS version | Disable (default) | Local replicas are not updated automatically |
| Enable server to poll for new mail and trigger replication on notification of new mail | Enable | Provides the fastest performance. |

Registration Settings restrictions

You can use Registration Settings in a policy for registering users on-premises. These settings are not used in the service, however.

Mail Settings restrictions

Mail Settings are supported in on-premises policies for service users, but with a few restrictions.

Table 34. Mail Settings restrictions

| Settings | Restriction |
| --- | --- |
| Delete documents in the user's Trash folder after how many hours setting on the Mail > Basics tab | The policy setting controls automatic deletion in local mail file replicas on IBM Notes clients. To control when documents are automatically deleted from the Trash in mail files on cloud servers, do not use a policy. Instead, use the following service setting: SmartCloud Notes Administration > Account Settings > Management > Configure Mail Retention in the Trash Folder > Retain deleted messages for how many days? The value must be days. If you do not specify a value, documents are automatically deleted from the Trash folder on mail files on cloud servers after 14 days. For more information, see the topic "Configuring how long mail remains in the Trash folder." In the Delete documents in the user's Trash folder after how many hours policy field, specify a value that is equivalent to the service setting. For example, if you specify 21 days as the service deletion interval, specify 504 hours in the policy. When you keep the policy setting and service setting the same, documents in Trash are automatically deleted from local mail file replicas and mail file replicas on cloud servers at the same interval. If you do not specify a service setting explicitly and accept the default service deletion interval of 14 days, set the policy setting value to the equivalent value, 336 hours. |
| List of trusted websites for images in MIME messages setting on the Mail > Basics tab | This setting is not supported in the cloud. The service ignores any values specified in this field. |
| IBM iNotes | Some of these settings, which apply to web client users, relate to features that are not supported in the service. |

Related tasks:
Configuring how long mail remains in the Trash folder on page 156
When a user deletes a message from a mail file on a cloud server or the service automatically deletes an older message, the message is moved to the Trash folder where it remains for 14 days, by default. After 14 days, the message is permanently deleted. You can change how long deleted mail remains in the Trash folder. You can also prevent users from emptying the Trash folder themselves.

Related information:
Comparison tables of features between IBM Notes, IBM iNotes and IBM SmartCloud Notes web

Security Settings restrictions

Security Settings are supported in on-premises policies for service users, but with the restrictions described in the following table.

Table 35. Security Settings restrictions

| Settings | Restrictions |
| --- | --- |
| ID Vault tab | The ID vault settings are enforced by the service and ignored in on-premises policies. The service enforces the following settings for the ID vault in the service: Assigned Vault: A name derived from customerid. Forgotten password help text: Contact your administrator for help (default). Enforce password change after password has been reset: Yes. Allow automatic ID downloads: No. Allow ID downloads for: 5 days. |
| Password Management > Password Management Basics tab, Password Expiration Settings | If you want to enable Notes ID password expiration, you must do so through SmartCloud Notes Administration. An on-premises Security Settings policy can be used only to enable password expiration warnings that notify users when password expiration approaches. For important details on how to use Security Settings to enable password expiration warnings, see the topic Setting password expiration for Notes IDs. |
| Password Management > Custom Password Policy tab | You can use SmartCloud Notes Administration to enable password synchronization. When service login passwords change, this feature allows Notes ID passwords to change to match. If you enable this feature, do not make custom password requirements in a policy more restrictive than the service login password requirements. For more information, see the topic Enabling password synchronization. |
| Keys and Certificates tab | The service does not support key rollover for Notes IDs. The service therefore ignores the values of fields in the Default Public Key Requirements and User Public Key Requirements sections of Security Settings. |

Related tasks:
Setting password expiration for Notes IDs on page 126
For users who access the service with the IBM Notes client, you can specify when Notes ID passwords expire. This password expiration does not apply to web users because they log in using their web login password rather than a Notes ID password.

Enabling password synchronization on page 128
When users change their service login passwords, password synchronization enables the users to use the new passwords when they log in to the IBM Notes client.

Roaming Settings restrictions

Roaming Settings in a policy are not supported. The service does not support roaming.

Notes Traveler Settings restrictions

IBM Notes Traveler Settings are supported in on-premises policies for service users. Be aware of the default settings and policy restrictions within the service.

For detailed information about Notes Traveler Settings in policies, see the topic on creating a Notes Traveler policy settings document in the Notes Traveler 9 documentation.

Note: Security Settings can determine which devices and device versions can connect to the service. For information on supported devices and operating systems, see the IBM SmartCloud Notes client requirements.

The following table describes the Notes Traveler policy settings that the service enforces. You cannot use an on-premises policy to change the setting values.

Table 36. Notes Traveler Settings that the service enforces

| Setting | Enforced value |
| --- | --- |
| Require device password | Enabled. Although passwords are required, you can customize some password settings. For more information, see the table that follows this one. Note: Apple 5S and higher device users choose whether to enable the fingerprint identity sensor. If they enable the sensor, they are not required to enter the device password when they unlock the device. They are still prompted for the device password when they power on the device and at least once every 48 hours. Apple does not yet provide an API function that enables administrative control over the use of the fingerprint identity sensor. Note: Windows Tablet requires a device password of at least eight characters. The password must include at least three of the following types of characters: upper case, lower case, number, special character. |
| Require device password > Prohibit ascending, descending and repeating sequences (Apple devices only) | Enabled. This setting is always enabled in the service. Therefore, ascending, descending and repeating sequences are not allowed. A sequence is three or more consecutive numbers or characters. |
| Prohibit devices incapable of security enablement | Enabled. In general, this setting applies only to older mobile devices that do not support security enablement. For supported devices, see the IBM SmartCloud Notes client requirements. |

Table 36. Notes Traveler Settings that the service enforces (continued)

| Setting | Enforced value |
| --- | --- |
| Device Access | Require approval for device access (disabled). Number of devices to allow per user before approval is required (1). Optional: Addresses to notify when approval action is pending (none). |
| Maximum Attachment Size Allowed - Administrator | Android: no limit*. Windows Mobile and Nokia Symbian^3: 4 MB limit. When the combined attachment size exceeds the limit, attachments are removed from emails that are synced to the device. Apple: no limit*. BlackBerry 10: no limit*. Windows Phone, Windows Tablet: no limit*. *The service always syncs attachments to the devices |

The following password Security Settings are used by default in the service. Passwords are required but you can use an on-premises policy to customize these settings.

Note: Apple 5S and higher device users choose whether to enable the fingerprint identity sensor. If they enable the sensor, they are not required to enter the device password when they unlock the device. They are still prompted for the device password when they power on the device and at least once every 48 hours. Apple does not yet provide an API function that enables administrative control over the use of the fingerprint identity sensor.

Table 37. Security Settings used by default in the service

| Setting | Default value in the service |
| --- | --- |
| Require device password > Minimum password length | 4 |
| Require device password > Require alphanumeric value | Disabled |
| Require device password > Auto lock period (maximum) | 30 minutes |
| Require device password > Wrong passwords before wiping device | Disabled |

There is no Security Settings tab for Android devices in Domino directory templates version or earlier. For these template versions, the service applies Apple device security settings to Android devices. Android devices do not support all of the Apple device security policy settings, just the following ones:
- Require device password
- Require alphanumeric value
- Minimum password length

- Auto lock period (maximum)
- Wrong passwords before wiping device
- Prohibit devices incapable of security enablement *

* Compliance requires Android OS 2.2 or later with the Notes Traveler Device Administrator feature enabled by the user. The Device Administrator feature was added in Android 2.2.

There is no Security Settings tab for BlackBerry, Windows Phone, and Windows Tablet devices in Domino directory templates version 9.0 or earlier. For these template versions, the service applies the following Apple device security settings to BlackBerry, Windows Phone, and Windows Tablet devices:
- Require device password
- Require alphanumeric value
- Minimum password length
- Auto lock period (maximum)
- Wrong passwords before wiping device

Related tasks:
Managing IBM Notes Traveler devices on page 272
For each user with an IBM Notes Traveler subscription, you can view information about the user's mobile device. You can also wipe the device to remove sensitive data from it, for example, if the device is lost or stolen.

Related information:
Creating an IBM Notes Traveler policy settings document
Client requirements

Using Desktop Settings to configure managed mail replicas

In a hybrid environment, use Desktop Policy settings to enable managed mail replicas. Managed mail replicas help ensure that IBM Notes users in the service have quick, local access to their mail when connected or disconnected from the network.

Before you begin

Enable managed mail replicas through a Desktop Settings document that is assigned to a policy. Read about using administrative policies to understand the requirements for assigning policies to users in the service.

Note: Best practice is to configure managed mail replicas before you provision users. If you use this approach, you can resolve any managed mail replica issues ahead of user provisioning.

About this task

Managed mail replicas are available beginning with Notes They provide the following advantages to Notes users in the service and are recommended:
- They are created automatically on the clients.
- They are used automatically when the client Location is configured to connect to the mail server.
- Replication between managed mail replicas and server-based mail replicas occurs automatically and in the background.

- When clients are connected to the server, user mail actions are done on the local managed mail replicas. Users are not interrupted by network I/O or replication operations between the client and server.
- They provide users with local access to previously synchronized mail when the client is disconnected from the network.

The following tables describe the most important settings in a Desktop Settings document to consider when you configure managed mail replicas. For settings not shown, the default settings are generally good to use.

Table 38. Managed mail replicas: Desktop Settings > Mail > Mail Settings

| Setting | Value to set | How to apply this setting | Applicability | Comments |
| --- | --- | --- | --- | --- |
| Local mail file | Created managed replica or Convert local replica to managed replica (Required) | Set value whenever modified | At managed mail replica creation or conversion. | Converting a local replica to a managed replica allows your company to standardize on managed replicas. |
| Mail file location | On server (Required) | Set value whenever modified | When the mail application is opened. | The Notes client automatically uses the local copy after it is created. At other times, the client uses the server. |
| Use local mail.box to send messages (faster) | 1 (Required) | | When mail is sent. | The service enforces this setting, regardless of the value that is specified here. A sent mail message is placed in the local mail.box and sent in the background. |

Table 39. Managed mail replicas: Desktop Settings > Mail > Managed Replica Settings

| Setting | Value to set | How to apply this setting | Applicability | Comments |
| --- | --- | --- | --- | --- |
| Amount of free space required before cache is created | value Mb | Set value whenever modified | When the managed mail replica is created. | Type a value that you choose. Setting field to a value such as 1,000 (1 Gb) ensures that a managed replica does not use the remaining free space on initial creation. If you do not specify a value, no free space check is done. |

Table 40. Managed mail replicas: Desktop Settings > Mail > Client Settings

| Setting | Value to set | How to apply this setting | Applicability | Comments |
| --- | --- | --- | --- | --- |
| Auto-retrieve document setting | Enable document without attachment | | When a truncated (partial) document is opened. | If setting is not enabled, users are prompted to retrieve truncated documents. |
| Enable server to poll for new mail and trigger replication on notification of new mail | Enable (Required) | | When the client is notified that new mail is received on the server. | |

Table 41. Managed mail replicas: Desktop Settings > Preferences > Replication > Default settings for a local replica

| Setting | Value to set | How to apply this setting | Applicability | Comments |
| --- | --- | --- | --- | --- |
| Create a full-text index for faster searching | Enable | Set value whenever modified | When the managed mail replica is created. | The setting is optional. |
| Encrypt replicas | Locally encrypt | Set value whenever modified | When the managed mail replica is created. | The setting is optional. |

Table 42. Managed mail replicas: Desktop Settings > Preferences > Replication > Default replication schedule
Setting: All settings
Value to set: Schedule as you normally do.
Applicability: When the Notes Client is open

Table 43. Managed mail replicas: Desktop Settings > Preferences > Mail
Setting: Check for new mail; Mail checking internal
Value to set: Not necessary; Any value
Comments: The Enable server to poll for new mail and trigger replication on notification of new mail setting enables this behavior. Specify any value. The Enable server to poll for new mail and trigger replication on notification of new mail controls this behavior.

Results
It is possible for users to see the following message after they are provisioned when managed mail replicas are enabled:
Access to this server has been restricted due to excessive load.
Creating many managed mail replicas simultaneously can degrade server performance. For this reason, the service controls the number of managed mail replicas that can be created simultaneously on a mail server in the cloud. If a mail server in the cloud reaches the limit, a user can see this error on the Replication and Sync page during initial replication of the managed mail replica. This error reflects a temporary condition. If the mail server cannot create the initial managed mail replica, it tries to create it again automatically at the next replication schedule interval or when the client is restarted. A user who sees this error can open and use the server-based mail file in the meantime. One way to open the mail file is to click File > Open > IBM Notes Application and browse to the server and mail file replica.

Related concepts:
Using administrative policies on page 105
If you use administrative policies on premises, you can apply many of those same policy settings to service users as well. Administrative policies enable all users to have the same working experience.

Related information: Managed mail replicas explained

Configuring logins
Reset passwords, manage password expiration periods, set up federated identity management, restrict logins to an IP range, and enable application passwords.

Resetting service login passwords
Users can reset their own service login passwords once within a 24 hour period by clicking Forgot password?. An administrator or administrator assistant can reset service login passwords for any user at any time.

About this task
Reset passwords when users forget their passwords, or when the password might be compromised. Users that log in by clicking Use My Organization's Login are using a federated identity and can reset their passwords only by following their company's process. If administrators enable password synchronization, when users change their service login passwords, they can also use the new passwords to log in to the IBM Notes client. Follow these steps to reset any user's password:

Procedure
1. Click Administration > Manage Organization.
2. Click User Accounts.
3. Select the arrow next to the user that needs the password changed.
4. Select Reset password and enter the new password. This password is a temporary password that the user enters the next time that they log in. At that time, the user is asked to create a password. You can also reset the password by editing the user account. Click the appropriate user name in User Accounts and enter a new password in the Account Login tab.
5. Notify the user of the password change. The user is not automatically notified that the password was reset. Make sure to communicate this change to the user, along with the new password if needed.

What to do next
Administrators can enable security settings to enforce password expiration through System Settings > Security. When a user logs in with an expired password, the user is prompted to reset that password.

Setting service login password expiration
By default, service login passwords do not expire. Enforcing a password expiration period helps ensure that passwords are changed frequently. Administrators can set a password expiration interval for all users.

Procedure
1. Click Administration > Manage Organization.
2. Click Security.
3. Click Edit Settings in the Password Settings section. Select the number of days before a password expires, how the password can be reset, and add password reset support for your users.

Managing Notes IDs
You can reset Notes ID passwords, set Notes ID password expiration, and synchronize Notes ID passwords with service login passwords.

Resetting passwords for Notes IDs
Reset the password on an IBM Notes ID file to change the current password. Typically you do this because a user has forgotten the current password.

About this task
This procedure applies only to passwords associated with Notes ID files used with Notes clients, and not to service login passwords.

Procedure
1. Log on to using the address and password of a SmartCloud Notes user with the Administrator role.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Users.
5. In the Search box, type the beginning characters of any of the following user values to display the user's name:
- Distinguished name, for example, Samantha Daryn/Renovations.
- Internet address, for example, sdaryn@renovations.
- Last name, for example, Daryn.
Note: You cannot use the wildcard character (*) when you search. A starts with search is done and the names of any users with matching values in the directory are displayed. For example, the results of a search on ma include the names of users with the following values in the directory:
- Madison Armond/Renovations
- masmith@renovations
- Kristin MacGyer
This search does not match the following values:
- Emarie Klein/Renovations
- tamado@renovations
- Ted Amado
Search results can include a maximum of 1000 names.
6. Click the user's name in the search results.
7. Under Available actions for this user, click Reset IBM Notes Password.
8. Enter a new password, and then click Save Changes. The password must be at least eight characters in length.

9. Provide the new password to the user in a way that complies with your company security policies.

Results
After you complete this procedure, the user can log on to a SmartCloud Notes server from an IBM Notes client using the new password. After logging on with the new password, the user is prompted to change the password.
Note: If the Wrong Password prompt is displayed, tell the user to re-enter the new password that you provided. If that step does not solve the problem, tell the user to delete the local ID file and then re-enter the password.
The user has five days from the time you reset a password to use the password to log on to a SmartCloud Notes mail server and download the new password to the Notes client. If the 5-day limit is exceeded, the user sees the following message and you must reset the password again:
Contact your company administrator to have your Notes ID password reset.

Related concepts:
Notes IDs and passwords on page 130
When users connect to their mail servers in the cloud with IBM Notes clients and Notes IDs, they are authenticated using Notes Remote Procedure Call (NRPC) authentication.

Related tasks:
Resetting service login passwords on page 124
Users can reset their own service login passwords once within a 24 hour period by clicking Forgot password?. An administrator or administrator assistant can reset service login passwords for any user at any time.
Setting password expiration for Notes IDs
For users who access the service with the IBM Notes client, you can specify when Notes ID passwords expire. This password expiration does not apply to web users because they log in using their web login password rather than a Notes ID password.
Enabling password synchronization on page 128
When users change their service login passwords, password synchronization enables the users to use the new passwords when they log in to the IBM Notes client.

Setting password expiration for Notes IDs
For users who access the service with the IBM Notes client, you can specify when Notes ID passwords expire. This password expiration does not apply to web users because they log in using their web login password rather than a Notes ID password.

Before you begin
For information on how this feature interacts with the password synchronization feature, see Enabling password synchronization on page 128.

About this task
You must enable password expiration through SmartCloud Notes Administration. An on-premises Security Settings policy can be used only to enable password expiration warnings that notify users when password expiration approaches.

If users click File > Security > User Security, the Password must be changed by field does not show the password expiration date. Perform the following procedure to set password expiration for Notes IDs.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes and then click Account Settings.
4. Click Password Management.
5. Click Enable password expiration for IBM Notes clients.
6. Enter the number of days a password can be used before it expires. The minimum value for this setting is 30 days; the maximum is 3650 days.
7. Optional: To warn users when password expiration approaches in a hybrid environment:
Note: Perform these steps only if you complete the previous steps to enable password expiration in the service. Enabling a warning period for service users without enabling password expiration in the service produces unexpected results and is not supported.
a. Create an explicit group policy for service users. For more information, see Creating policies for service users on page 105. Note that if the policy is also assigned to any on-premises users who are not in the cloud, password expiration will be enabled for those users as well, with the specified change interval and warning period.
b. In a Security Settings document that is assigned to the group policy, specify the following settings in the Password Management > Password Management Basics tab.

Table 44. Security settings required for password expiration warnings
Enforce Password Expiration: Notes Only
Required Change Interval: The expiration period that you specified in Step 6.
Warning Period: The number of days before password expiration at which the user receives an expiration warning message.

Results
When password expiration is first enabled, the passwords of all current users expire on a random basis after the expiration period, regardless of when the passwords were last changed. For example, if the expiration period is 90 days, all current users are prompted to change their passwords on a random basis when first authenticating after the 90-day expiration period. The passwords of new users also expire on a random basis after the expiration period. If you configured a warning period through policy settings, users receive password expiration warnings.
Users who are logged in when this setting becomes effective are not prompted to change the password during the current login session.

Users might experience a lag time of a few seconds between the time they change their password and authentication. This lag occurs while the updated ID is synchronizing with the vault. If the synchronization does not complete, authentication can fail. In that case, users can wait a few minutes, and then try again. If the synchronization continues to fail and the user cannot access the client, reset the Notes ID using SmartCloud Notes Administration.

What to do next
You might want to communicate the following information to your users:
- How often they will be prompted to reset their passwords.
- What to do if authentication fails after they change their passwords.

Related concepts:
Using administrative policies on page 105
If you use administrative policies on premises, you can apply many of those same policy settings to service users as well. Administrative policies enable all users to have the same working experience.

Related tasks:
Resetting passwords for Notes IDs on page 125
Reset the password on an IBM Notes ID file to change the current password. Typically you do this because a user has forgotten the current password.

Enabling password synchronization
When users change their service login passwords, password synchronization enables the users to use the new passwords when they log in to the IBM Notes client.

About this task
Password synchronization benefits users who are active users of both the web and Notes clients by allowing them to use one password for both clients. After you enable password synchronization, when users change their service login passwords, the new passwords are added to the Notes ID files in the ID vault. Users can then use the new passwords the next time they log in to the service from the Notes client.
Password synchronization occurs whenever users change their service login passwords. Users can change the service login passwords at any time through Connections Cloud My Account Settings. They also change the passwords:
- After they log in to the service for the first time with temporary passwords;
- After they log in to the service after an administrator resets their service login passwords;
- After they log in to the service when service login password expiration is enabled and their passwords expire.
Before you enable password synchronization, be aware of the following information:
- The feature does not apply to users who log in to the service with a federated identity that your organization defines.
- Synchronization occurs in one direction: from the service login password to the Notes ID password. Changing the Notes ID password does not change the service login password.

- When service login passwords change, Notes client users are not required to use the new passwords. Their old passwords remain valid until they use the new passwords to log in to the service from the Notes client. Because the continued use of the old password prevents ID synchronization with the ID vault, as a best practice, recommend to users that they use the new passwords on the Notes client.
- Synchronization occurs after Notes clients are connected to the service.
- Notes client users can change their Notes ID passwords, either by choice or because you enable the Password Expiration setting in SmartCloud Notes Administration and their passwords expire. When Notes users change the Notes ID passwords, the service login passwords do not change automatically. However, users can use Connections Cloud My Account Settings to change the service login passwords to match the new Notes ID passwords.
- If you enable password expiration for Notes IDs, a Notes ID password might expire before a user logs in to Notes with a new service login password. In this case, the user can log in to the Notes client with the old Notes ID password but the user is prompted to change the password when opening mail or another application. At this point the user can provide the new service login password.
- If you use an on-premises policy to specify Notes ID password requirements for service users, as a best practice, do not make the requirements more restrictive than the service login password requirements. If the Notes ID password requirements are more restrictive, a password that is acceptable for the service password can be unacceptable for Notes. For example, if the policy requires that passwords be 10 characters and a user's service login password is only 8 characters, the service login password cannot be used for Notes.
Service login passwords must:
- Include at least eight characters
- Include at least one non-alphabetic character and four alphabetic characters
- Include no more than two repeated characters
- Be different from the previous eight passwords
- Not include the user's given name, surname, or address
- Not include the space character
Note: Although service login passwords can be any length, Notes ID passwords must be 63 or fewer characters. If you use password synchronization, tell users to use service login passwords that are within the 63 character limit so they can be used for the Notes ID, too.

To enable password synchronization, complete the following procedure.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes and then click Account Settings.
4. Click Password Management.
5. In the Password Synchronization section of the page, select Enable password synchronization.
6. Click Save.

Results
When users change their service login passwords, they can use the new passwords to log in to the Notes client. If users change the Notes ID password, the service login password does not change automatically.

What to do next
Notify users that the feature is enabled. Recommend that when they change the service login passwords that they use the new passwords to log in to the Notes client.

Related tasks:
Resetting service login passwords on page 124
Users can reset their own service login passwords once within a 24 hour period by clicking Forgot password?. An administrator or administrator assistant can reset service login passwords for any user at any time.
Setting service login password expiration on page 124
By default, service login passwords do not expire. Enforcing a password expiration period helps ensure that passwords are changed frequently. Administrators can set a password expiration interval for all users.

Related information: Federated identity management

Notes IDs and passwords
When users connect to their mail servers in the cloud with IBM Notes clients and Notes IDs, they are authenticated using Notes Remote Procedure Call (NRPC) authentication.
In service-only environments, and in hybrid environments that do not use on-premises security policy settings to configure password requirements, Notes ID passwords must be at least eight characters. Passwords must also have a password quality of 8, on a quality scale of 0 (weakest) to 16 (strongest). Password quality refers to the required character complexity of passwords. In hybrid environments, you can use on-premises security policy settings to control password requirements.
By default, Notes ID passwords do not expire and keeping this default behavior is recommended. Nevertheless, you can configure a password expiration interval of from 30 to 3650 days through the SmartCloud Notes Administration interface. In hybrid environments, you do not control password expiration through an on-premises policy, but you can use a policy to enable a warning to be displayed to users when their passwords are due to expire.
If users forget their Notes ID passwords, company administrators can use the SmartCloud Notes Administration interface to reset the passwords to temporary values. The users use the temporary passwords to log in to the service from a Notes client and then are prompted to change the passwords.
The Notes shared login feature is supported in hybrid environments. This feature allows users to log in to Microsoft Windows and then use the Notes client without providing a Notes ID password. A benefit of this feature is there are no Notes ID passwords to use or remember.

The Notes client can connect automatically to the cloud service instant messaging community and to cloud service Activities through the client sidebar. (Access to service Activities requires a collaboration subscription). After users log on to the service mail server from the Notes client, a single-sign on capability enables them to access these cloud services during the session without providing their cloud service account login credentials.
A Notes client can be configured to connect to both on-premises and cloud instant messaging servers or Activities servers through the sidebar. In this case, users must provide their cloud service login credentials to access the cloud servers.

Related tasks:
Resetting passwords for Notes IDs on page 125
Reset the password on an IBM Notes ID file to change the current password. Typically you do this because a user has forgotten the current password.
Setting password expiration for Notes IDs on page 126
For users who access the service with the IBM Notes client, you can specify when Notes ID passwords expire. This password expiration does not apply to web users because they log in using their web login password rather than a Notes ID password.

Limitations when Notes IDs are not in the vault
There are advantages to using and storing IBM Notes ID files in a vault in the service.
All Notes client users have a Notes ID, which is automatically uploaded to the vault at some point after the client connects to the service. Users who will not use a Notes client to access the service are not required to have a Notes ID. However, these users are limited if they do not have a Notes ID in the service vault.
Service users who will use only the web client, and who do not have a Notes ID stored in the vault, cannot perform secure mail operations (signing mail, and reading or sending encrypted mail). These limitations also apply to IBM Notes Traveler and BlackBerry smartphone users.
If your users do not now and never have had a Notes ID, and they do not need to perform secure operations, then they do not require Notes IDs. If, however, they previously had a Notes ID, but it will not be stored in the service vault, then these additional limitations apply:
- If the mail file is transferred to the service without an imported Notes ID, then users cannot read old encrypted messages if there are any.
- Administrators cannot reset the Notes password.
- Notes ID password resets and ID recovery are not available.
- If the user's name changes, the user's Notes name cannot be changed.
If you are transferring mail files of users who currently have a Notes ID, users can import their Notes ID into the mail file before you transfer mail files. The Notes ID is uploaded to the vault the first time a user performs a secure mail operation, such as sending signed mail or reading encrypted mail. Alternatively, users can use the web client to upload the ID file to the service after they have been provisioned, or administrators can upload ID files.
If a user has a Notes ID, but the Notes ID is not stored in the vault in the service, you cannot rename the user. If, however, you want to be able to rename a user, but do not want to store the user's Notes ID in the vault, you can modify the user's Person document to reflect that the user will not use a Notes ID file again. Then, you can rename the user on premises using the Rename feature in the Domino Administrator client. To allow renames to succeed, remove the following items from the user's Person document in the Domino Directory on a server that you synchronize with the service:
- Certificate
- CertificateExpiration
- CertificateIssuer

Related tasks:
Uploading a Notes ID to the vault on page 269
In a hybrid environment, if a service user has an IBM Notes ID file, the ID must be stored in the ID vault in the service. In some cases, for users who have a Notes ID, but who will not use the Notes client, you might need to upload the Notes ID to the vault manually. If it is not stored in the vault, web client, Notes Traveler, and BlackBerry smartphone users cannot perform secure mail operations. Other limitations also apply, as outlined in this topic.

Setting up federated identity management
When you set up federated identity management, users log on to the service using your on-premises authentication mechanism.

About this task
Federated identity management provides the following benefits:
- It allows your company to control the type of authentication and authentication options. For example, you might restrict access to specific networks, use VPN connections, define custom password strength or password expiration periods, use smartcards, or require two-factor authentication.
- Users can use their familiar, on-premises credentials to access the cloud service.
- While users are logged on to the on-premises identity provider, they can access a cloud service without being re-prompted for credentials.
After you implement federated identity management, you must accommodate users of mobile apps. If all of your mobile users have one or more IBM mobile apps such as Connections, Chat, Meetings, or most versions of IBM Notes Traveler, you have the following options:
- Set up an additional, separate federated identity management endpoint for the IBM mobile apps. For more information about this, see the Flow models section of SAML federated identity concepts on page 133.
- Use the partial authentication type when setting up federated identity management, which allows you to specify a group of users to whom federated identity management does not apply. In this case, you would specify your mobile device users. For more information about the partial authentication type, see the Authentication types section of SAML federated identity concepts on page 133.
- Use application passwords. For information about application passwords, see Enabling application passwords on page 139.
All other mobile apps must use application passwords when federated identity management is implemented. Notes Traveler version or greater for Android is an exception to the rule. It can connect to the same federated identity management system that non-mobile apps use.

Note: Users to whom federated identity management applies cannot connect to the service with IMAP clients or FTP clients.

SAML federated identity concepts
Learn about the federated identity process as implemented in the cloud service, the flow models that are supported, and the authentication types.

Overview of the process using SAML
Cloud services rely on SAML to provide the SSO services. In this implementation, your organization is the identity provider, and the cloud service is the service provider. You can use either SAML 1.1 or SAML 2.0.
As the identity provider, your organization authenticates users. The authentication can be by a login with a user name and password, or by some other method. For mobile apps, the authentication must be by a login with user name and password.
When a user gains access to your intranet and attempts to use a cloud service, a SAML assertion is sent from your organization to the SAML endpoint in the cloud service. The SAML assertion securely identifies the user. The cloud service uses the SAML assertion to decide whether the user can access it.

Flow models
Two flow models exist in federated identity management. One model is the identity provider initiated model (IdP-initiated), and the other is the service provider initiated model (SP-initiated). Mobile apps use the SP-initiated model.
Normally, the SP-initiated flow model is not available in SAML 1.1 because SAML 1.1 does not support Identity Provider Discovery Profile. However, the cloud services use a hybrid version of SP-initiated that allows both SAML 1.1 and SAML 2.0. As a result, Identity Provider Discovery Profile is not required by cloud services, and is not implemented.
The cloud services implement the Browser/POST profile that is used in SAML 1.1 and is compatible with the Web Browser SSO profile in SAML 2.0. Other profiles are not supported at this time.
The following outlines describe the two flows:

IdP-initiated
1. The user gains access to your intranet via your organization's authentication mechanism.
2. The user navigates to a web page on your intranet that contains a link to a cloud product such as Connections Cloud or SmartCloud Notes web.
3. The user clicks the link.
4. The SSO process is initiated. A SAML assertion is sent to the cloud endpoint via HTTP POST. If the user has a valid account, access is granted.
5. The user interacts with the cloud product.

SP-initiated hybrid
1. The user navigates to the cloud service login page.
2. The user clicks Use My Organization's Login.

3. The user enters the address that is associated with the user's account.
4. The cloud service looks up the address and then redirects the user to your organization's authentication mechanism.
5. The flow continues from Step 4 of the IdP-initiated model.

The SP-initiated hybrid flow model also applies to mobile apps. Before using a mobile app, the user must do a one-time setup of the mobile app to use a cloud server. The setup process is different for each mobile app; instructions are included in the documentation of each app. The following outline describes the flow for mobile apps:

SP-initiated hybrid for mobile apps
1. A mobile app initiates a connection to a cloud service.
2. The cloud server looks up the address and then responds with the mobile login URL of your organization's mobile authentication mechanism.
3. The mobile client issues a basic authentication request to the mobile login URL with the user's address and password.
4. If the basic authentication is successful, a SAML assertion is returned to the mobile app.
5. The mobile app sends the SAML assertion to the cloud endpoint via HTTP POST. If the user has a valid account, access is granted.
6. The mobile user interacts with the cloud product.

Authentication types
Four types of federated identity management are available: Federated, Modified, Partial, and Non-federated. By default, all users in your organization are assigned the Non-federated type unless you enable one of the other types.

Federated
Users must authenticate with your organization before they can access cloud services. Users do not have a user name or password in the cloud user account. If they go to the service login page, they must click Use My Organization's Login. The Federated type applies to all users in your organization.
The Federated type is convenient for your users who normally work from the office. They can log on to your system and use cloud services without needing a separate user name and password combination. However, if any of your users work from home or work while traveling, your directory servers must be accessible from the Internet. Also, because your users cannot log in with a name and password that is defined in the service, services such as chat and IMAP are not available.
If you choose the Federated type, you must implement the SP-initiated flow model.

Modified
Users have the option of authenticating with your organization before accessing the cloud-based services, or using a name and password defined in the service to log on. The Modified type applies to all users in your organization.

143 The Modified type allows your users to access cloud serices from the Internet, but you do not need to make your directory serers accessible from the Internet. Your users can use the single sign-on serices when they are in the office, and the cloud serice login when they are outside the office. Partial Each user in your organization is assigned one of the preiously listed types: Non-federated, Federated, or Modified. If you do not specify a type for a particular user, the user is assigned the Non-federated type. Use the Partial type if you hae one group of users who normally work in the office, and another group of users who normally work from home or who trael frequently. For example, the office workers can be assigned the Federated type, and the traeling sales team can be assigned the Modified type. You can also use the Partial type to group users by the serices that are aailable to them. Users with the Federated type do not hae access to chat or POP/IMAP, but users of the Modified type do hae access to chat and POP/IMAP. If you choose the Partial type, you must implement the SP-initiated flow model to support users with the Federated type. Non-federated The login for the cloud serice is independent of, and separate from, your organization's login procedure. Users must log on using the name and password defined in the serice to use the cloud-based serices. The Non-federated type is the default type, and is the simplest and easiest type to set up because it requires no action on your part. After one of the federation types is implemented, you can change to one of the other types by contacting your customer serices representatie. The customer serices representatie will adise you on the process. If you are using the Partial type, you can change indiidual users from one type to another without the need to contact your customer serices representatie. 
Preparing for federated identity management

The difficulty of getting your system ready for federated identity management depends on both the state of your system, and on your knowledge and experience with SAML, SSO, LDAP, and related technologies.

Before contacting your IBM customer service representative to enable federated identity management, review the following checklist:
- Choose the version of SAML that you want to use. You can use either SAML 1.1 or SAML 2.0.
- Choose the type of federation that you want to employ: Federated, Modified, or Partial. See the topic SAML federated identity concepts for more information.
- Review the IdP-initiated flow model and the SP-initiated hybrid flow model. See the topic SAML federated identity concepts for more information.
- Implement SAML on your web server. You can use Tivoli Federated Identity Manager, OpenSAML, Active Directory Federation, or some other federated identity manager.

- If you are setting up federated identity for users of mobile apps, create a second endpoint that accepts basic authorization. The mobile apps work with the SP-initiated flow model only.
- Retrieve or create the private/public key pair that will be used in digital signatures.
- Integrate your directory server with your SAML service. Administration is easier if all of your users are on the same directory server.
- Implement and test the SAML Browser/POST profile in either SAML 1.1 or SAML 2.0.
- Create a dummy service provider and conduct an IdP-initiated single sign-on test to make sure that everything is working correctly.
- Create a SAML metadata file to transmit your identity provider metadata to the IBM customer service representative. If you are using SAML 1.1, you have the option of transmitting most of the information in an email or by some other means that you negotiate with the IBM customer service representative. However, in this case you must transmit the public key inside a Java keystore.

Enabling federated identity management

When your system is ready for testing with the cloud system, contact an IBM customer services representative.

Before you begin
Before you start the enablement process, review the following list:
1. Implement and test a federated identity management system that uses SAML. Make sure that your system is configured to send the user's address as the subject in a SAML assertion.
2. Test your system to make sure that it is configured for the type and flow model that you have chosen. See the topic SAML federated identity concepts for more information.
3. Complete the checklist in the topic Preparing for federated identity management.

Procedure
To enable federated identity management: Send an email to cloudcsg@us.ibm.com. In the email, request to have federated identity management enabled for your organization. An IBM customer services representative will contact you with instructions and provide details of the process.
What to do next
After federated identity management is enabled, notify users of IBM mobile apps such as Traveler, Chat, or Meetings that they must generate application passwords. Users enter the application password instead of their regular login passwords when logging in with a mobile app. In the notification, include the following link, which has instructions for generating application passwords: apps.na.collabserv.com/help/topic/com.ibm.cloud.welcome.doc/logins_application_passwords.html

Configuring the Sametime rich client for SAML and downloading

Your users can chat using the IBM Sametime Connect rich client.

About this task
If your organization uses a standard login, your users can use any standalone Sametime Connect client at version or later. They can also use the embedded version in Notes 9.0 or later.

If your users log in with your organization's authentication credentials and use SAML token authentication for federated identity management, you can create a pre-configured installation package for Sametime Connect or for Notes. SAML support in Sametime and in Notes uses the Form based user/password login type.

Alternatively, users can download the SAML-enabled Sametime client that is available in SmartCloud and configure it themselves. Instructions to do this are in the user help imb_download_saml.html. However, users will need SAML IDP information from you to complete the configuration.

Procedure
To create a pre-configured installation package:
1. Locate the plugin_customization.ini file. The file is in one of the following locations, depending on the operating system:
   - Windows: Inside the deploy folder of the package root.
   - RedHat Linux: Inside the RedHat.rpm package at one of the following locations:
     For Sametime Connect: \opt\ibm\sametime\framework\rcp\deploy
     For Notes: \opt\ibm\notes\framework\rcp\deploy
   - MacOS: Inside sametime-*.pkg\contents\deploy.
2. Add the following configuration lines in the plugin_customization.ini file, based on your company's Sametime community and SAML IDP information.
   Note: To fit the width of this page, some records are shown on more than one line. In the plugin_customization.ini file, each record is a single line.
# ";" is used to separate multiple communities
com.ibm.collaboration.realtime.community/saml_communities=<sametime community server host name>
# IDP server url
com.ibm.collaboration.realtime.community/<sametime community server host name>.idp=<SAML authentication login URL>
# login type of IDP server
com.ibm.collaboration.realtime.community/<sametime community server host name>.idp.type=form
# html tag id or tag name of the user name field in IDP web page.
com.ibm.collaboration.realtime.community/<sametime community server host name>.idp.form.username.tag=<form_username_field_id> <form_username_field_name>
# html tag id or tag name of the user password field in IDP web page.
com.ibm.collaboration.realtime.community/<sametime community server host name>.idp.form.password.tag=<form_password_field_id> <form_password_field_name>
# html tag id or tag name of the submit field in IDP web page.
com.ibm.collaboration.realtime.community/<sametime community server host name>.idp.form.submit.tag=<form_submit_field_id> <form_submit_field_name>
# Optional. The default value is "false". If "true", all on-premises communities are deleted
com.ibm.collaboration.realtime.community/<sametime community server host name>.primary=false

# Optional. The default value is "false". If "true", the SmartCloud community can be
# removed from the communities preference page
com.ibm.collaboration.realtime.community/<sametime community server host name>.editable=false

Sample:
com.ibm.collaboration.realtime.community/saml_communities=im.na.collabserv.com
com.ibm.collaboration.realtime.community/im.na.collabserv.com.idp= PartnerId= TARGET=
com.ibm.collaboration.realtime.community/im.na.collabserv.com.idp.type=form
com.ibm.collaboration.realtime.community/im.na.collabserv.com.idp.form.username.tag=intranet_id
com.ibm.collaboration.realtime.community/im.na.collabserv.com.idp.form.password.tag=password
com.ibm.collaboration.realtime.community/im.na.collabserv.com.idp.form.submit.tag=ibm-submit

3. Replace the existing plugin_customization.ini file in the Sametime installation package or in the Notes installation package with the file that you updated.
4. Distribute the updated Sametime installation package or Notes installation package to your users. The SAML configuration information is automatically populated when your users install the client.

Note: The installation package that you distribute to Mac users must be digitally signed by IBM. Before distributing the installation package to Mac users, email your modified plugin_customization.ini file to support@collabserv.com. A signed installation package will be created and returned to you.

Restricting the IP address range

To ensure that users log in from an approved network connection, administrators can define an approved range of IP addresses.

About this task
By restricting the IP addresses that have access to your organization, you provide a level of protection against users' credentials being stolen or phished.
If IP ranges are restricted to your network, an attacker would need to authenticate to the server from within your network to access any stolen credentials. If your company uses SMTP, POP or IMAP protocols, restrictions are not applied. Also, restrictions are not applied to SmartCloud Notes Notes Remote Procedure Calls (NRPC).

Procedure
1. Click Administration > Manage Organization.
2. Click Security.
3. Click Add Range in the IP Address Ranges section to enter the beginning and ending IP addresses. You must specify the IP address at which you are currently logged in.

Results
Enabling IP address restrictions might block mobile user access to your organization. For example, Blackberry users must authenticate through a Blackberry Enterprise Server (BES) which authenticates both the mobile device and the user. Because the IP address for the authenticated user is that of the BES server, IP address restrictions can block access, depending on the range specified. Use VPN tools on the mobile device to route traffic to your organization using your network.

What to do next
You can use IP address restrictions as a secondary authentication mechanism in combination with SAML single sign-on authentication.

Enabling application passwords

Application passwords can be used to provide a secure login for applications that do not support forms-based authentication. For example, they can be used to access applications that require passwords on a mobile device, or by organizations that use federated identity, where service login passwords are not used. When you enable application passwords, you also have the option of requiring the use of application passwords, and of allowing mobile users to bypass IP restrictions.

About this task
If you require an application password, then the service login password is disabled for the application, and users must log in using the application password. For example, users would be required to use the application password to log in to the service on a mobile device or in a browser. However, they could still use the service login password to log in to the service web site and for other applications. If you do not require an application password, then users can continue to log in from a browser, for example, using their service login password.

If you allow mobile users to bypass IP restrictions, application passwords provide an additional layer of password strength. This is due in part to their length (16 characters) and because they are generated using a strong random number generator. If a mobile device is lost or stolen, you can then disable the IP restriction bypass, which prevents access to the application outside your organization's designated IP range.
Note: If you enable application passwords and select the Ignore IP range restrictions for applications setting to allow users to bypass IP restrictions, the setting does not apply to Windows Phone or Windows Tablet users. If you restrict login to a specific IP range, Windows Phone and Windows Tablet users must log in from network locations within the range.

You can also disable the use of application passwords at any time. Then, if users have created an application password, the application cannot be accessed because the password is no longer effective.

Tip: Users can also prevent access to the application by revoking their application password, which they can do at any time.

Organizations that do not use federated identity can disable the use of the standard service password for mobile applications.

Procedure
1. Select Administration > Manage Organization.
2. In the navigation pane, under System Settings, click Security.
3. Under Password Settings, click Edit Settings.

4. Select Allow users to generate application passwords.
5. Select any of the following options that apply, and then click Save Changes.

Table 45. Application Password Options

Option: Expiration
Result: Select a password expiration interval or select No expiration if you do not want application passwords to expire.

Option: Ignore IP range restrictions for applications
Result: Users will be able to access applications from outside the organization's designated IP range. However, they cannot access it using the service login; they must use an application password instead. For more information about specifying IP address ranges, refer to Restricting the IP address range.

Option: Require applications to use application passwords to access this site
Result: This option restricts the supported authentication flow to application passwords. It prevents users from logging in to this site using their service login password. This option does not display for organizations that use federated identity.

Results
After you enable this feature, users can create and manage application passwords in My Account Settings in the service. General information about how users manage their application passwords is listed here.
- If enabled, users can generate an application password for the IBM Notes Traveler.
- Application passwords can be shared across mobile products, including IBM Traveler, IBM Sametime, and Connections Cloud.
- If you did not select the option Require applications to use application passwords to access this site, then using an application password is optional for users. However, if you have IP range restrictions enabled, they will not be able to log in using their service password unless they are within the IP range.
- Application passwords are generated by the service when requested by users. The generated password displays to the user only once, and cannot be recovered.
- Users can revoke and generate a new application password at any time. There is no limit to the number that can be generated.
- Passwords are generated using a cryptographically strong random number generator. They are 16 characters long, and not case sensitive.
- Users should enter the password once into their device and allow the device to save the password.
- If there are ten failed login attempts, the account is locked for three minutes.

What to do next
If you selected Applications must use the generated password to access this site, or if you allowed users to bypass the specified IP range, instruct them to generate application passwords. For information on how users generate application passwords see Application passwords for mobile access.
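The IP range restriction and the application password options interact, so it helps to tabulate the outcomes before changing either setting. The following added example (not IBM code) models the rules stated in Restricting the IP address range and Enabling application passwords; the class, field and function names, the "web" versus "app" client labels, and the sample addresses are assumptions made for the illustration.

```python
# Added example: a model of the login rules described in these two topics.
# Not IBM code; all class, field and function names are hypothetical.
import ipaddress
from dataclasses import dataclass, field

# Protocols that the text says are not subject to IP range restrictions.
UNRESTRICTED_PROTOCOLS = {"smtp", "pop", "imap", "nrpc"}
# Platforms for which the bypass setting does not apply (see the Note).
NO_BYPASS_PLATFORMS = {"windows phone", "windows tablet"}


@dataclass
class OrgPolicy:
    ip_ranges: list = field(default_factory=list)  # [(first_ip, last_ip), ...]
    app_passwords_enabled: bool = False  # Allow users to generate application passwords
    ignore_ip_for_apps: bool = False     # Ignore IP range restrictions for applications
    require_app_passwords: bool = False  # Require applications to use application passwords


def in_approved_range(policy, source_ip):
    """True when no range is defined or source_ip lies inside one of the ranges."""
    if not policy.ip_ranges:
        return True
    ip = ipaddress.ip_address(source_ip)
    for first, last in policy.ip_ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version == hi.version == ip.version and lo <= ip <= hi:
            return True
    return False


def check_new_ranges(ranges, admin_ip):
    """Reject a range list that leaves out the address the administrator is logged in from."""
    candidate = OrgPolicy(ip_ranges=list(ranges))
    if not in_approved_range(candidate, admin_ip):
        raise ValueError(f"{admin_ip} (current session) is not inside any range")
    return candidate.ip_ranges


def evaluate_login(policy, *, protocol, credential, source_ip, platform="other"):
    """Return (allowed, reason).

    protocol:   'web' (service web site), 'app' (mobile or other application),
                or one of 'smtp', 'pop', 'imap', 'nrpc'
    credential: 'service_password' or 'app_password'
    """
    if credential == "app_password" and not policy.app_passwords_enabled:
        return False, "application passwords are disabled"
    if protocol in UNRESTRICTED_PROTOCOLS:
        return True, "protocol is not subject to IP restrictions"
    if (protocol == "app" and policy.require_app_passwords
            and credential != "app_password"):
        return False, "applications must use an application password"
    if in_approved_range(policy, source_ip):
        return True, "source address is inside an approved range"
    bypass = (policy.ignore_ip_for_apps
              and credential == "app_password"
              and platform.lower() not in NO_BYPASS_PLATFORMS)
    if bypass:
        return True, "application password bypasses the IP restriction"
    return False, "source address is outside the approved ranges"


if __name__ == "__main__":
    # Constructed sample policy and addresses (documentation address blocks).
    policy = OrgPolicy(ip_ranges=[("203.0.113.10", "203.0.113.50")],
                       app_passwords_enabled=True, ignore_ip_for_apps=True)
    cases = [
        ("web", "service_password", "203.0.113.20", "other"),
        ("web", "service_password", "198.51.100.7", "other"),
        ("app", "app_password", "198.51.100.7", "android"),
        ("app", "app_password", "198.51.100.7", "Windows Phone"),
        ("imap", "service_password", "198.51.100.7", "other"),
    ]
    for protocol, credential, ip, platform in cases:
        result = evaluate_login(policy, protocol=protocol, credential=credential,
                                source_ip=ip, platform=platform)
        print(protocol, credential, ip, platform, "->", result)
```

Turning off ignore_ip_for_apps in the model reproduces the lost-device response described above: the same application password stops working from outside the range.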
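The application password properties listed under Results (16 characters, not case sensitive, shown only once, revocable, ten failures then a three-minute lock) can be exercised with the following added example, which is not IBM's implementation. The 26-letter alphabet, the salted PBKDF2 storage and all names are assumptions; the page states only the length, the case rule and the lockout numbers.

```python
# Added example (not IBM code): issuing and checking application passwords
# with the properties listed above. Alphabet and storage format are assumed.
import hashlib
import hmac
import math
import secrets
import time

ALPHABET = "abcdefghijklmnopqrstuvwxyz"  # assumption: the page gives no alphabet
LENGTH = 16          # from the page
MAX_FAILURES = 10    # from the page
LOCK_SECONDS = 180   # from the page: three minutes


class AppPasswordStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._records = {}       # user -> [(salt, digest), ...]
        self._failures = {}      # user -> failed attempts since last success or lock
        self._locked_until = {}  # user -> clock value when the lock ends

    @staticmethod
    def _digest(salt, password):
        # Not case sensitive: normalise before hashing.
        return hashlib.pbkdf2_hmac("sha256", password.lower().encode(), salt, 100_000)

    def generate(self, user):
        """Create a password, keep only its salted hash, return the plaintext once."""
        password = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        salt = secrets.token_bytes(16)
        self._records.setdefault(user, []).append((salt, self._digest(salt, password)))
        return password

    def revoke_all(self, user):
        """Revoke every application password the user has generated."""
        self._records.pop(user, None)

    def verify(self, user, attempt):
        """Return 'ok', 'failed' or 'locked'."""
        now = self._clock()
        if now < self._locked_until.get(user, float("-inf")):
            return "locked"
        matched = False
        for salt, digest in self._records.get(user, []):
            # Check every record with a constant-time comparison.
            if hmac.compare_digest(digest, self._digest(salt, attempt)):
                matched = True
        if matched:
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCK_SECONDS
            self._failures[user] = 0
        return "failed"


def keyspace_bits(alphabet=ALPHABET, length=LENGTH):
    """Entropy of one generated password under the assumed alphabet."""
    return length * math.log2(len(alphabet))


def max_online_guesses_per_day():
    """Upper bound on guesses per account when every tenth failure costs a lock."""
    return MAX_FAILURES * (24 * 3600 // LOCK_SECONDS)


if __name__ == "__main__":
    store = AppPasswordStore()
    shown_once = store.generate("alice@example.com")  # constructed sample user
    print("show to user once:", shown_once)
    print("verify upper-case entry:", store.verify("alice@example.com", shown_once.upper()))
    print("bits:", round(keyspace_bits(), 1), "guesses/day:", max_online_guesses_per_day())
```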

Authentication methods by client

The following table lists the authentication methods supported for each type of IBM SmartCloud Notes client.

Table 46. Authentication methods by SmartCloud Notes client

Authentication method: Cloud service account identity and password
Supported clients:
- SmartCloud Notes web
- IMAP clients
- IBM Notes Traveler devices
- FTP client that is used to connect to the integration server to download journal files or to upload change files to manage user accounts

Authentication method: SAML Federated Identity
Supported clients:
- SmartCloud Notes web

Authentication method: Cloud service account identity with application password
Supported clients:
- Notes Traveler Android and higher client
- Notes Traveler devices

Authentication method: NRPC
Supported clients:
- IBM Notes

Authentication method: Research in Motion data center authentication
Supported clients:
- BlackBerry devices that access the service through Hosted BlackBerry subscriptions

Password rules by authentication method

The following table summarizes the password rules and settings for each supported IBM SmartCloud Notes client.

Table 47. Password rules and settings by authentication method

Authentication method: Cloud service account identity and password
Password rules:
- At least eight characters
- At least four alphabetic characters
- At least one non-alphabetic character
- No spaces
- No more than two consecutive characters
- No match of any of the eight previous passwords
- Cannot contain user name or address
Password expiration (1): Disabled by default. Administrators can enable a password expiration interval of 30, 60, 90, 180, or 365 days.
Password changes: By administrator. By user.

Authentication method: SAML Federated Identity
Password rules: Controlled by company
Password expiration (1): Controlled by company
Password changes: Controlled by company

Table 47. Password rules and settings by authentication method (continued)

Authentication method: Cloud service account identity and application password
Password rules: 16 characters (non-case sensitive)
Password expiration (1): Disabled by default. Administrators can enable.
Password changes: Password changes not allowed. Administrators or users can revoke passwords and users then generate new ones.

Authentication method: NRPC
Password rules: In service-only environments, and in hybrid environments that do not use policy security settings to configure password requirements, IBM Notes ID passwords must be at least eight characters and have a password quality of 8, on a password quality scale of 0 (weakest) to 16 (strongest).
Password expiration (1): Disabled by default. Administrators can enable through SmartCloud Notes Administration.
Password changes: By administrator. By user.

(1) While it may seem that requiring passwords to expire provides more security, most security experts believe the opposite is true. Password expiration often leads to the use of simpler, more easily-guessed passwords, and to users writing down passwords to remember them. A better policy is to use more complex password phrases that do not expire, whenever possible. In addition to providing better security, this policy also reduces the number of help desk calls generated from users who forget their ever-changing passwords.

Configuring the name finder

Complete this procedure to configure how users find names in a directory.

Before you begin
- Read the topic Standard and Advanced Name Finder options for details about and a comparison of the Standard and Advanced name finder options.
- If you plan to use the Show user photos option to show photos that are stored in an on-premises Domino directory, complete the procedure Adding photos to Person documents.
- If you plan to use the Browse corporate hierarchy feature without the Use ranked sort order option, assign corporate hierarchy categories to Person documents in the on-premises directory.
For more information, see the topic about categorizing users by corporate hierarchy in the IBM Domino documentation.

- If you plan to use the Use ranked sort order option, use the Domino Japanese Extension (DJX) tool to customize the on-premises directory to support it.

About this task
The name finder settings control how users find names in a directory. For example, the settings are used when users find names by clicking the To link in a new mail message or the Required link in a new meeting invitation. Name Finder settings are not related to type ahead addressing, the feature that automatically finds matches to names that users type in address fields.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Account Settings.
5. Click Name Finder.
6. Select options, as described in the following table:

Option: Basic
Description: The name finder lists all names in a directory, in alphabetical order by surname. Users type the first few characters of the surname they are looking for, and the cursor moves to the first matching name. From there, users can use the scroll bar to find the name. This setting is the default and it applies to Notes users and web client users.

Option: Basic Quick Search Only
Description: The name finder shows no names in a directory, initially. Users type the first few characters of a given name or surname and click Search. The name finder then shows directory entries whose surnames or given names begin with the characters searched for. For example, a search for Jack can return the names Jackie Roberts or Tony Jackson but not Tony Blackjack. This setting provides more flexibility for finding names in large directories. This setting applies to Notes users and web client users.

Option: Standard
Description: Users search for names and search results show directory entries that match. Unlike the Basic and Basic Quick Search Only options, users can sort the search results and see details about the user entries that are returned in search results. This search capability applies to web client users only.

Option: Advanced
Description: Users get the name finder capabilities of the Standard option. In addition, they are able to narrow search results by manager, department, job title, location. This option is available for hybrid environments only. This search capability applies to web client users only.

Option: Show user photos
Description: Search results show user photos. In service-only environments, the photos come from IBM Connections Cloud user profiles. In hybrid environments, the photos can come from IBM Connections Cloud user profiles or from Person documents in an on-premises directory. To use an on-premises directory, clear the Use SmartCloud Engage photos field. This option is available when you select the Standard or Advanced options. The feature applies to web client users only.

Option: Browse corporate hierarchy
Description: Users can browse a directory by hierarchy categories that you assign to Person documents in an on-premises Domino directory. This option is available for hybrid environments when you select the Standard or Advanced options. The feature applies to Notes users and to web client users.

Option: Browse corporate hierarchy > Use ranked sort order
Description: Users can browse a directory by ranked categories that you define in an on-premises Domino directory by using the Domino Japanese Extension (DJX) tool. This option is available for hybrid environments when you select the Standard or Advanced options. The feature applies to Notes users and to web client users.

Results
The change usually takes effect within 15 minutes or less.

Related information: Domino documentation

Standard and Advanced Name Finder options

The Standard and Advanced Name Finder configuration options provide several features to help users to find names in directories. The Standard option is available for service-only environments and hybrid environments. The Advanced option is available for hybrid environments only.

The following table compares the features that are provided by each option. All of these features are available for the web client. The features currently available for the IBM Notes client are the browse features only. When you enable the Standard or Advanced option, the Basic Quick Search Only search option is put in effect for Notes client users.

Table 48. Comparison of the Standard and Advanced Name Finder configuration options

Feature: Name search
Standard Name Finder: Users can search by:
- First name
- Last name
- Notes full name
- Internet address
- Short name
- Alternate name
- Phonetic name
Advanced Name Finder: Users can search by:
- First name
- Last name
- Notes full name
- Internet address
- Short name
- Alternate name (if value populated in directory)
- Phonetic name (if value populated in directory)

Feature: Search conditions to narrow the results of name searches
Standard Name Finder: Not available
Advanced Name Finder: Users can narrow name searches by:
- Manager
- Department
- Job Title
- Location
Each condition added narrows results further. These fields must be populated in Person documents in the on-premises directory.

Feature: Maximum search results returned

Table 48. Comparison of the Standard and Advanced Name Finder configuration options (continued)

Feature: Sort entries in search results
Standard Name Finder: All users can sort results by:
- Last name, first name
- First name, last name
- Directory
Users in hybrid environments can sort results by the following information, if the corresponding fields are populated in Person documents:
- Manager
- Job Title
- Department
- Location
Advanced Name Finder: All users can sort results by:
- Last name, first name
- First name, last name
- Directory
Users can sort results by the following information, if the corresponding fields are populated in Person documents:
- Manager
- Job Title
- Department
- Location

Feature: Show details about names in search results
Standard Name Finder: All users can see the following details:
- User name
- Internet address
- Domain
- Directory
Users in hybrid environments can see several additional details, if the fields are populated in Person documents.
Advanced Name Finder: All users can see the following details:
- User name
- Internet address
- Domain
- Directory
Users can see several additional details, if the fields are populated in Person documents.

Feature: Show user photos from IBM Connections Cloud user profiles in search results
Standard Name Finder: This feature requires users to have a collaboration subscription in addition to a SmartCloud Notes subscription.
Advanced Name Finder: This feature requires users to have a collaboration subscription in addition to a SmartCloud Notes subscription.

Feature: Shows user photos from on-premises Person documents
Standard Name Finder: Available in hybrid environments only and requires a change to the Domino directory design to support photos in Person documents.
Advanced Name Finder: Requires a change to the Domino directory design to support photos in Person documents.

Feature: Browse entries in a directory by categories that are defined by use of the Domino Corporate Hierarchy feature
Standard Name Finder: Available in hybrid environments for directories with Person documents that are assigned corporate hierarchy categories. For more information, see the topic about categorizing a user by corporate hierarchy in the Domino documentation.
Advanced Name Finder: Available for directories with Person documents that are assigned corporate hierarchy categories. For more information, see the topic about categorizing a user by corporate hierarchy in the Domino documentation.

Table 48. Comparison of the Standard and Advanced Name Finder configuration options (continued)

Feature: Browse entries in a directory by ranking
Standard Name Finder: Available in hybrid environments. You use the Domino Japanese Extension tool (DJX) to configure the directory to support this option.
Advanced Name Finder: You use the Domino Japanese Extension tool (DJX) to configure the directory to support this option.

Related information: Domino documentation

Adding photos to Person documents

In a hybrid environment, you can enable the Name Finder Show user photo option to use photos in the IBM Domino directory. Before you do, add photo fields to the directory design and then add photo image files to the directory.

About this task
Make the changes described in this procedure to a synchronized directory that replicates to the service.

Procedure
1. Make a backup copy of your pubnames.ntf file.
2. From IBM Domino Designer, open pubnames.ntf.
3. Click Shared Elements > Subforms.
4. Double-click the $PersonInheritableSchema subform.
5. Create a field called Photo:
   a. In the Basics tab, click Create > Field.
   b. In the Name field of the properties box, type Photo. In the Type field, select RichTextLite.
   c. Click the second tab of the properties box and complete the following fields:
      - In the Only allow field, select Thumbnail.
      - Select Resize Thumbnail Image, in pixels.
      - In the Width field, select 85.
      - In the Height field, select 74.
      - In the Image attachment name field, type ContactPhoto.
   d. Click the sixth tab of the properties box. Clear the following Hide paragraph from fields to ensure they are not selected so that the field is visible:
      - Notes R4.6 or later
      - Web browsers
      - Mobile
   e. Select the new Photo field. In the Objects panel, click the onchange event and add the following code to it:

      Sub Onchange(Source As Field)
          ' Stamp the PhotoModified item with the current date and time
          ' whenever the Photo field changes.
          Dim ws As New NotesUIWorkspace
          Dim uidoc As NotesUIDocument
          Dim doc As NotesDocument
          Set uidoc = ws.CurrentDocument
          Set doc = uidoc.Document
          Call doc.ReplaceItemValue("PhotoModified", Now())
      End Sub

6. At the bottom of the $PersonInheritableSchema subform, create a hidden field called PhotoModified:
   a. In the Basics tab, click Create > Field.
   b. In the Name field of the properties box, type PhotoModified. In the Type field, select Date/Time.
   c. Click the second tab of the properties box and complete the following fields:
      - Select Display Time.
      - In the Show field, select Hours and minutes.
      - In the Time zone field, select Adjust time to local zone.
7. Save and close the subform.
8. Replace the design of your directory database with the new version of the pubnames.ntf template.
9. To add a photo to a Person document, open the Person document in the directory, click the photo field that you created, select the image file, and save the document.

What to do next
Enable the Name Finder option Show user photos and do not select Use SmartCloud Engage photos.

Related tasks: Configuring the name finder. Complete this procedure to configure how users find names in a directory.

Basic name finder illustration

The following pictures illustrate finding names in a directory when the Basic name finder option is enabled.

Basic Quick Search Only name finder illustration

The following pictures illustrate finding names in a directory when the Basic Quick Search Only name finder option is enabled.


Standard name finder illustration

The following pictures illustrate finding names in a directory when the Standard name finder option is enabled.

Advanced name finder illustration

The following pictures illustrate finding names in a directory by narrowing search results when the Advanced name finder option is enabled.

Browse corporate hierarchy name finder illustration

The following pictures illustrate browsing a directory to find names when the Browse corporate hierarchy option is used with the Standard or Advanced name finder.

Configuring mail settings

There are several settings related to mail that you configure from SmartCloud Notes Administration.

Changing the size limit for incoming messages

The service does not deliver inbound messages that are larger than 100 MB, by default. You can specify a different inbound message size limit. The limit applies to all mail that is sent to users in the service.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Account Settings and then click Management.
5. Under Limit Message Size, specify the size limit for incoming messages.

Prevent automatic forwarding of messages

You can prevent users from using mail rules to automatically forward email to external addresses.

About this task
Users can create mail rules that include the action send copy to, which automatically forwards a copy of the email to other users. Select this option so that mail addressed to users in domains that are not owned by your company is ignored when the message is forwarded. Users can still forward email to any address manually.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.

3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Account Settings and then click Management.
5. Under External Forwarding, select Do not allow automatic forwarding to external addresses.

Specifying how Notes links display in the web client

You can specify how IBM Notes links, such as doc links, application links, and view links, display in web client email.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Account Settings and then click Management.
5. Under Link Style, select how Notes document, view, and application links display when users read mail in a browser:

Table 49. Link Style Options and Icons

Style: Web links only
Description: The default. Uses web addresses. In email, the address displays as an Internet icon for each of the following: Document link, View link, Application link.

Style: Notes links only
Description: Uses Notes URLs (notes://...). In email, the address displays as a Notes icon for each of the following: Document link, View link, Application link.
Note: A web client user can open this style of link only if the target is located in the service. For example, a web client user cannot open a link to an application on an on-premises server.

Style: Notes and web links
Description: Uses both web and Notes addresses, and includes both icons to represent each link. Example of a link to a document:

Configuring how long mail remains in the Trash folder

When a user deletes a message from a mail file on a cloud server, or the service automatically deletes an older message, the message is moved to the Trash folder, where it remains for 14 days by default. After 14 days, the message is permanently deleted. You can change how long deleted mail remains in the Trash folder. You can also prevent users from emptying the Trash folder themselves.

Before you begin
In a hybrid environment that includes IBM Notes clients, you can use an on-premises Mail Settings policy to specify automatic deletion from the Trash folder on local mail file replicas. For more information, see the topic Mail Settings restrictions on page 115.

About this task
Documents that are deleted from the Trash folder cannot be recovered. While deleted mail is in the Trash folder, users can restore it to its original folder.

The Trash folder can contain a maximum of 32,768 messages. If this limit is reached, each message added to the Trash folder causes the message that has been in the Trash folder the longest to be permanently deleted. This deletion occurs even if a message has been in the Trash folder for less time than the specified deletion interval. Premature deletion from Trash stops when either manual or automatic deletion of messages causes the number of messages in the Trash folder to fall below the limit. This behavior is not common but can occur in mail files where many messages are frequently received and deleted.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Account Settings and then click Management.
5. Under Configure Mail Retention in the Trash Folder, complete these fields to manage mail in the Trash folder.

Table 50. Trash Folder Mail Retention Settings

Option: Retain deleted messages for how many days?
Description: Enter a number from The default value is 14. If you decrease an interval that was previously set, then all messages that meet the new criteria are deleted. For example, if you decrease the interval from 20 days to 16 days, then mail in the Trash folder older than 16 days is deleted.

Option: Allow users to empty the Trash folder
Description: When this option is selected, users can permanently delete messages from the Trash folder by clicking Empty Trash or by selecting a message and deleting it. This option is enabled by default. To prevent users from deleting mail from the Trash folder, deselect the option. Mail then remains in the Trash folder for the duration specified in Retain deleted messages for how many days? before being permanently deleted.
Note: If you prevent users from deleting mail in the Trash, IBM Notes client users can still delete mail from the Trash on local mail replicas. However, the deletion does not carry over to the server mail file replicas.

Deleting older email and meetings

You can reduce the size of mail files and improve usability by automatically deleting older messages and meetings. By default, messages and meetings remain indefinitely unless users delete them.

About this task
When you enable deletion, you can:
- Control how many days messages and meetings remain before they are processed for deletion.
- Exclude messages in user-created folders from automatic message deletion.
- Send reports of automatically deleted messages and meetings to specific user addresses.
- Exclude the mail files of specific users from the automatic deletion.

Non-mail documents added by web client users, such as Person documents, are not deleted. Messages that are flagged for follow-up are not deleted, except for messages that are flagged by the sender before being sent, which are deleted.

When deletion is enabled, the service takes the following steps to delete older messages and meetings:
1. Messages that are older than the Delete after how many days? value are moved temporarily to a folder created by the service. Meetings are moved to the temporary folder when more than the specified number of days have passed since the meetings occurred. Repeat meetings are processed based on the date of the last meeting.
2. The default name of the folder to which deleted messages and meetings are moved temporarily is *To Be Deleted*. You can specify a different name. Users can prevent messages in this folder from being deleted by moving them to a folder that is exempted from automatic deletion.
3. Messages and meetings are moved weekly from the temporary folder location to the Trash folder. The service staggers this processing so that not all mail files are processed at the same time. Users can prevent messages and meetings in the Trash folder from being deleted by moving them to a folder that is exempted from automatic deletion.
4. Messages and meetings are deleted from the Trash folder after 14 days, by default. You can use the Retain deleted messages for how many days? setting in the Configure Mail Retention in the Trash Folder section of the Management window to change the number of days messages remain in the Trash folder. After messages are deleted from the Trash folder, they cannot be recovered.

The value of Delete after how many days? plus the value of Retain deleted messages for how many days? determines when messages are deleted from mail files. For example, if the value of Delete after how many days? is 365 and the value of Retain deleted messages for how many days? is 90, messages are permanently deleted from mail files after one year and three months (455 days).

Perform the following steps to enable and configure automatic deletion of older email.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Account Settings and then click Management.
5. Under Delete Older Email, select Enable deletion.
6. Use the following settings to specify how to manage older email deletion:

Table 51. Mail Deletion Settings

Option: Delete after how many days?
Description: Specify the number of days messages remain before being processed for deletion. If no value is specified, 14 days is the default value.

Option: Keep email that is filed in folders.
Description: Select this option to prevent mail that is stored in all user-created folders from being deleted.

Option: Keep email only if it is in one of these folders or their subfolders
Description: Select this option to prevent only messages in specific folders or subfolders from being deleted. In the Exempt Folders box, specify the folder names, one name per line. To specify a single subfolder, enter parentfolder\subfolder. For example, enter Suppliers\Tools to prevent messages in the \Tools subfolder from being automatically deleted, but to allow messages in the Suppliers parent folder and any other of its subfolders to be deleted.

Option: Folder name
Description: Specify the name of a folder to temporarily store messages that are targeted for deletion. If the folder does not exist, the service creates it. Messages remain in this folder for a week and then are moved to the Trash folder. If you do not specify a folder name, the name *To Be Deleted* is used.

Option: Send report of the number of emails deleted to the following addresses
Description: List the addresses of users you want to receive deletion reports.

Option: Do not delete the email of the following users
Description: List the names of users you want to exempt from mail deletion.

Enabling the ActiveX control for Internet Explorer users

The Internet Explorer ActiveX control provides mail enhancements to IBM SmartCloud Notes web users who use Internet Explorer.

About this task
You enable use of the ActiveX control through SmartCloud Notes Administration Account Settings. ActiveX is disabled by default to allow and encourage more secure web browser configurations. If you enable ActiveX to provide additional mail features to Internet Explorer users, be aware that doing so might result in less secure browser configurations.

If you enable ActiveX, when users who use Internet Explorer log in to the SmartCloud Notes service, they see prompts that allow them to install the ActiveX control. The prompts refer to the ActiveX control as the IBM iNotes control. After users install the control, they can do the following tasks:
- Make SmartCloud Notes web the default email client through Preferences.
- Send email from Windows Explorer, the desktop, or the Start menu.
- Create new messages by clicking a Mailto:// link from external web pages.
- Select multiple files to attach to an email, detach and save multiple attachments, open attachments by double-clicking without having to save them first, and drag multiple attachments to Windows Explorer or the desktop.
- Copy an image to the clipboard and then press Ctrl+V or click the image icon in the message toolbar to paste the image into an email.

Note: Running Internet Explorer in Protected Mode can prevent users from being able to save attachments, drag attachments from mail to the desktop, or set the default mail client. For information about options to resolve this issue and about Protected Mode, see the IBM Technote. One option is to resolve the issue by adding the mail server or domain as a trusted site. If you use this option, as the trusted site, specify notes.<dc>.collabserv.com (where dc is your data center) or *.collabserv.com.

Users might occasionally be prompted to install updates to the ActiveX control when enhancements to the control are deployed in the service. If users do not install an update, features that require the control are no longer available during the current session. Users are prompted again to install the update when they next log in to the service.

Complete the following steps to enable all web users who use Internet Explorer to download and use the ActiveX control.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Account Settings.
5. Click Email & Calendar Options.
6. Select Enable ActiveX attachment control.

Related information: IBM Technote

Specifying an SMTP server to route mail to the Internet

By default, the service routes mail that service users send to external users over the Internet. You have the option to route this mail through a company-controlled SMTP host server instead.

Before you begin
Prepare your on-premises environment. For more information, see Preparing to use a company SMTP server to route outbound Internet mail on page 54.

About this task
Skip this procedure if you want the service to handle routing the mail that is sent to external users. In this case (the default behavior), the service filters the messages for viruses and spam before routing them to the Internet.

By using a company SMTP host server for external routing, you can act on messages before routing them, for example, to filter or audit messages. When you use this feature, the service filters messages for viruses and spam and then routes them directly to your designated SMTP host server. Messages addressed to any domain that is not an internal, service-verified domain are routed to the SMTP host server.

The service uses Transport Layer Security (TLS) to route mail to the SMTP host server if the host server uses TLS. The connection is made using STARTTLS over SSL TCP/IP port 25.

Perform the following steps to specify the name of your SMTP host server in Account Settings.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.

4. Click Account Settings > Management.
5. In the SMTP server field under Manage Routing to External Internet Domains, enter an SMTP host name to use for routing.
6. Click Save.

Preparing to use custom mail file templates

You can apply a custom mail file template to mail files of service users. The template must meet design requirements that minimize the risk and impact to your users and to the service. You submit the template for approval to an IBM Software Services for Collaboration representative.

About this task
The template design development can be done in-house or through a contract with a third-party developer or an IBM representative. A short professional services engagement with IBM Software Services for Collaboration is required to approve a custom template.

A custom mail file template allows you to customize the design of user mail files. It is also used to customize the mail file access of new mail files to enable administrators or server-based agents to access them. Customized mail file access is strongly recommended; without it, only mail file owners and mail file delegates can access mail files.

The following steps outline the high-level tasks and identify who is responsible for developing and applying a custom template.

Procedure
1. Customer: Contacts an IBM Software Services for Collaboration representative to procure a statement of work. This step should be done as soon as it is determined that the business requires a custom mail template. This prior notice ensures that they are prepared to validate the template soon after receiving it.
2. Developer: Reviews the design requirements for custom mail templates. To be approved for use with the service, a custom mail template must meet specific design requirements. For example, a custom template must contain specific design elements from the standard mail template of an IBM Notes version supported by the service. For information about template design requirements, see the wiki article SmartCloud Notes Template Validation Requirements.
3. Developer: Designs and implements the template changes in the on-premises environment. When preparing a custom template that is already in use, the developer should:
   - Assess and document the current customizations.
   - Compare each customization to the standard mail template.
   - Determine whether each is still needed or if it can be deleted.
   - If a customization is still needed, determine whether it requires modification.
   - Document the requirements for the new version of the custom template.
4. Customer: Tests the template in the on-premises environment. You are responsible for testing the template in your company environment to ensure that it functions as intended.

5. Customer: Emails a request to customization.analyzer@collabserv.com to be set up for the Mail Analyzer application. The email should include the Customer ID and also be sent to the IBM Software Services for Collaboration representative. The customer receives a confirmation email when setup is complete. The Mail Analyzer application is used to do preliminary checks of the custom template.
6. Customer: After receiving notification that the Mail Analyzer application setup is complete, the customer emails the custom template to customization.analyzer@collabserv.com to perform an automated analysis. The customer receives an email summary of the results. This step can be repeated as often as needed during the development and testing cycle.
7. Customer: Submits the template to an IBM representative for a final manual validation. Template validation requires a short professional services engagement with IBM Software Services for Collaboration.
8. IBM representative: Validates the template and reports results to the customer. This step ensures that the template meets the template validation requirements. The IBM representative sends the customer a short, written report summarizing the assessment and indicating approval or rejection.
9. IBM representative: Loads the template to the service, after approval of the template.
10. Company administrator: Applies the template to user accounts. When the template is approved, a company administrator for the service uses SmartCloud Notes Administration to apply the template to the accounts of new or existing users. Alternatively, the template can be applied through the integration server and a user provisioning change file. For more information, see the topic on creating user provisioning change files in the integration server documentation.

Related tasks:
- Preparing customized mail file ACLs on page 168: An important reason to customize mail file access is to allow administrators or server-based agents to access mail files. Without customized mail file access, only mail file owners and mail file delegates can access mail files.
- Configuring mail file templates on page 164: Configure which mail file templates can be applied to user mail files and configure a mail file template to use by default.
- Changing user mail file templates on page 246: You can change the mail file template assigned to a user. For example, change the mail template if the IBM Notes client of a user is upgraded to a new version.

Related information: Integration server documentation

Handling execution security alerts caused by custom templates

The service signs a custom mail file template with a unique customer signature. IBM Notes users that use a custom mail file template see an execution security alert if the Execution Control List (ECL) on the client does not allow access to the signature.

About this task
The first time Notes users authenticate with the service after the application of a custom template, they see an execution security alert. The alert states that the template signer, customerid LotusLive Template Signer/customercertifier, is attempting to perform an ECL update action. Selecting Start trusting the signer prevents all future alerts for the template signature. For more information about execution security alerts, see the topic about the execution control list in the Domino documentation.

In a hybrid environment, you can prevent the security alerts by using a Security Settings document that is assigned to an explicit policy. To do so, perform the following steps before you deploy the custom template:

Procedure
1. Read the topic on using administrative policies to understand the requirements for using policies with the service.
2. From the Domino Administrator, open a server with the directory in which you want to configure the policy.
3. Select the People & Groups tab, and then open the Settings view.
4. Choose one of the following options:
   - To add a Security Settings document, click Add Settings > Security, and type a name for the new document.
   - To edit an existing Security Settings document, click Edit Settings.
5. Click the Execution Control List tab.
6. In the Admin ECL field, click Edit.
7. Click Add.
8. Type */customercertifier, where customercertifier is the name of the certifier that you uploaded to the service and that is used to name your mail servers in the service. For example, type */SCN/Renovations.
9. Select the certifier name that you added, select the allowed access levels, and click OK. You must select Workstation security and then select Access to Workstation Security ECL. If you are unsure which other access levels to allow, select the same access levels that are specified for Notes Template Development.
10. In the Update Mode field, select Refresh.
11. In the Update Frequency field, select When Admin ECL Changes.
12. Click Save & Close.
13. Make sure that the Security Settings document is assigned to an explicit policy that is used for users in the service.
14. Before you deploy the custom template, allow time for the policy change to replicate to the service.

Related concepts:
- Using administrative policies on page 105: If you use administrative policies on premises, you can apply many of those same policy settings to service users as well. Administrative policies enable all users to have the same working experience.

Related information:

Domino documentation

Configuring mail file templates

Configure which mail file templates can be applied to user mail files and configure a mail file template to use by default.

About this task
The service provides standard mail file templates to apply to user mail files. Custom mail file templates that are designed for your company and approved by an IBM Software Services for Collaboration representative might also be available for use. Apply the mail file template after user provisioning.

Procedure
1. Log on to the service as a user with the Administrator role.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. From SmartCloud Notes Administration, click Mail Templates.
5. Perform any of the following template management tasks.

Table 52. Mail template management tasks

Task: Select a mail template to apply to new user accounts by default.
Steps:
1. Click Custom Mail Templates or Standard Mail Templates.
2. Select a template.
3. Click Set as default.
Additional information: If you do not select a default template, the most recent English version of the standard template is used as the default. You can change the mail template after you add a new user, as necessary.

Task: Download a template to make design changes to it.
Steps:
1. Click Custom Mail Templates or Standard Mail Templates.
2. Select a template.
3. Click Download.
Additional information: When the design changes are complete, you must submit the template to an IBM Software Services for Collaboration representative for approval before it can be applied to user mail files.

Task: Remove a custom template from the list of available templates.
Steps:
1. Click Custom Mail Templates.
2. Select a template.
3. Click Delete Selected.
Additional information: Remove a template if it is no longer used. If you remove a template that is currently assigned to a user, you should assign a new one. Be careful when removing a template. If you change your mind, you must contract the services of IBM Software Services for Collaboration to add it back.

Related tasks:
- Changing user mail file templates on page 246: You can change the mail file template assigned to a user. For example, change the mail template if the IBM Notes client of a user is upgraded to a new version.
- Preparing to use custom mail file templates on page 161: You can apply a custom mail file template to mail files of service users. The template must meet design requirements that minimize the risk and impact to your users and to the service. You submit the template for approval to an IBM Software Services for Collaboration representative.
- Viewing assigned mail file templates on page 247: You can view the mail file template that is assigned to a service user.

Using extension forms files to customize the look of the web client

You can use an extension forms file to customize the visual theme, fonts, the action bar, and other aspects of the web client. For example, you can add graphics, change colors, and add new menu items.

Before you begin
Read the topic Extension forms file requirements on page 167.
Note: IBM reserves the right to disable any extension forms file that causes a degradation in the service.

About this task
Deploying an extension forms file in the service requires a brief service contract with an IBM Software Services for Collaboration representative. The representative validates extension forms files to ensure that they comply with requirements that reduce risk to your users and to the service. Once the file is approved, the IBM representative uploads the extension forms file to the service for your use.

You can deploy more than one extension forms file and apply each to different users. Extension forms files must be based on the IBM iNotes 9.0 Social Edition forms9_x.ntf template that is downloaded from the service.

To deploy an extension forms file in the service, perform the following steps.

Procedure
1. Download the extension forms template or a currently deployed extension forms file from the service:
   a. Log in to the service as an administrator.
   b. If your account has the user role, click Admin > Manage Organization.
   c. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
   d. Click Extension Forms Files.
   e. Perform one of the following steps:
      - To use the default design as a starting point, click Extension Forms Templates and download the template file.
      - To download an extension forms file that is already deployed, select the file in the Extension Forms File page and click Download.

2. If you downloaded the extension forms template in the previous step, use the template to create the extension forms file.
3. To transfer changes in an extension forms file currently used at your company to the extension forms file used in the service:
   - Assess and document the design changes in the on-premises extension forms file.
   - Note any design changes that are no longer needed and can be deleted.
   - Determine whether the remaining design changes in the on-premises extension forms file are supported in the service or need modification.
   - Document the changes to the new extension forms file that are required.
4. Make the design changes to the extension forms file to be used in the service.
5. Test the design changes on an IBM Domino iNotes server in the on-premises environment:
   Note: You might want to install and set up a test server for this purpose.
   a. In a Mail Settings document applied to a policy, click IBM iNotes and in the Basics tab, add the name of the extension forms file to the Extension Forms File Name field. This step is needed only if the extension forms file name is not Forms9_x.nsf, or if you want to use a policy to enable the forms file for specific users.
   b. Use the following server command to flush the server database cache: dbcache flush
   c. Copy the extension forms file to the iNotes directory under the server data directory.
   d. Use the following server command to stop and restart the HTTP task: tell http restart
   e. Start a web browser and clear the browser cache.
   f. Test the changes from the browser.
6. Submit the extension forms file to an IBM Software Services for Collaboration representative for validation. The IBM representative validates the extension forms file and sends you a summary report that indicates whether the extension forms file is approved. After it is approved, the IBM representative uploads the extension forms file to the service.

What to do next
Assign the extension forms file to users.

Related tasks:
- Assigning extension forms files to users on page 248: After an IBM representative uploads an approved extension forms file to the service, you can assign the forms file to users. Extension forms files enable you to customize the visual theme, fonts, the action bar, and other aspects of the web client.
- Preparing to use custom mail file templates on page 161: You can apply a custom mail file template to mail files of service users. The template must meet design requirements that minimize the risk and impact to your users and to the service. You submit the template for approval to an IBM Software Services for Collaboration representative.

Extension forms file requirements

Before you develop an extension forms file to customize the web client, be aware of the requirements.

- You can use multiple extension forms files, each applied to different sets of users.
- Extension forms files must be based on the IBM iNotes 9.0 Social Edition forms9_x.ntf template that you download from the service.
- Extension forms files can reference only mail files within the IBM SmartCloud Notes service. In particular, they cannot reference IBM Notes databases on on-premises servers or images on web servers outside the service.
- Customization must be self-contained. Any resources, such as images, style sheets, and JavaScript, must be included in the extension forms file. References to external sources are not allowed. Customizations such as ActiveX controls or Java classes where the source code cannot be inspected are also not allowed.
- Local encryption must be disabled on extension forms file databases:
  1. From Notes, open the extension forms file database.
  2. Click File > Application > Properties.
  3. Click Encryption Settings. If the text Current encryption strength : None is shown in the dialog box, the database is not encrypted. If the database is encrypted, complete the remaining steps.
  4. Click Do not locally encrypt this database.
  5. Close the extension forms file database.
  6. Open the database. A progress bar is shown as the database is unencrypted.
  7. Repeat steps 2 and 3 to verify that the database is unencrypted.

You can use an extension forms file to make the following types of changes to the web client:
- Modify the visual theme in the following ways:
  - Override CSS styles.
  - Override gradient fill color specifications.
  - Replace images. New images must be in the extension forms file.
- Add fonts to the rich text editor that is used when users create messages, calendar entries, and so forth.
- Add fields to documents such as mail messages and calendar entries.
- Add, remove, or modify items in the action bar menu.
- Use global settings to extend the session information, for example, override a preference setting or read a profile note field.
- Add JavaScript code to the document save function to verify items when documents are saved or sent.

You can customize the following subforms in an extension forms file:

Table 53. Subforms that can be customized

Subform: Custom_Common_Utils
Purpose: Adds functions that are called from Custom_JS.

Subform: Custom_CSS
Purpose: Adds new CSS styles.

Subform: Custom_JS
Purpose: Contains callback functions to use to add or remove action bar items, or to add code when pages are displayed or submitted. This subform is used for forms that use an older architecture. Most of the code uses the newer forms; however, a few older forms remain.

Subform: Custom_JS_Edit
Purpose: Adds fonts to the rich text editor.

Subform: Custom_Name_Lite
Purpose: The code to display names in Korean format.

Subform: Custom_Page_Dictionary
Purpose: Adds new variable values for use with the Custom_CSS subform.

Subform: Custom_WelcomePage
Purpose: Adds choices for the Welcome Page.

Subform: Custom_Page_Dictionary
Purpose: Adds variable values that are available for use in the Custom_CSS subform.

Subform: Custom_xxx_Dictionary
Purpose: These custom dictionary subforms are included with each main area form (Mail, Calendar, ToDo, and so forth) to allow easier inclusion of new NotesFields and NotesVars.

Subform: Custom_LazyLoad_Subforms
Purpose: Adds custom code to the lazy load table.

Subform: Custom_Logout
Purpose: Adds custom code that runs on logout.

Subform: Custom_About
Purpose: Displays the forms file version and a user-specified file version number in the client console log when the client starts.

Subform: Custom_SessionInfo
Purpose: Adds items to the iNotes session info object.

Preparing customized mail file ACLs

An important reason to customize mail file access is to allow administrators or server-based agents to access mail files. Without customized mail file access, only mail file owners and mail file delegates can access mail files.

About this task
To customize mail file access, modify the access control list (ACL) in a custom IBM Notes mail file template. Then, apply the custom template to the new mail files when you provision users for the service. Using a custom mail file template requires a short service contract with IBM Software Services for Collaboration to approve and upload the template to the service.

Note: If you transfer mail files to the service, you must modify the ACLs on the individual mail files before you transfer the files. When you provision users whose mail files are transferred, the ACL in a custom mail file template is ignored. For additional ACL requirements specific to transferring mail files, see the topic about preparing mail file ACLs before mail file transfer.

Important: It is important to customize mail file ACLs before users are provisioned. After users are provisioned, you can no longer use the ACL to change access to their mail files. At that point, the mail file ACL is changed only indirectly in the following circumstances:

A user is given access to a mail file through mail file delegation.
A user's name changes, which causes the name to change in the mail file ACL. (Renaming a group does not update a group name in the ACL.)

Note the following additional restrictions to ACLs of mail files in the service:

You cannot use the following ACL group entries that are seen in traditional IBM Domino environments: LocalDomainAdmins, LocalDomainServers, and OtherDomainServers. If you add these entries, they are stripped from ACLs. To allow administrators to access mail files, add a group to the directory that includes their names, and then add the group to mail file ACLs.

Editor access is the highest level of access that is allowed for any ACL entry. If you give a user or group Manager or Designer access, the access is lowered to Editor. The user or group does not become a mail file delegate.

The mail file owner always has Editor access and you cannot change this access.

You can give another user or group Editor access. In this case, they become mail file delegates, by default. You can prevent people with Editor access from becoming delegates. To do so, assign them the [ExcludeDelegate] role in the ACL.

You can use the following types of ACL entries: Person, Person group, Server group, Mixed group, or Unspecified. Server type entries are not allowed. If you add them, they are stripped from ACLs.

You can allow an on-premises server-based agent to run on mail files. Doing so requires that you add the server that runs the agent to a group in your directory, then add the group to mail file ACLs as type Server group or Mixed group. For additional requirements, see the wiki article on using server-based agents in a SmartCloud Notes hybrid environment.

You cannot customize the -Default- and Anonymous entries. These entries are always set to No Access.

To use a custom mail file template to modify mail file ACLs, add entries that are enclosed in brackets [] to the ACL of the custom mail file template.
The ACLs of the new mail files in the service inherit the entries in brackets. For example, to give Editor access to the group SCN Administrators, add [SCN Administrators] to the ACL, select Editor access and the type Person group or Mixed group. If you apply the custom mail file template when you provision Samantha Daryn/Renovations with a brand new mail file in the service, her mail file ACL includes the following entries:

-Default- (No Access)
Anonymous (No Access)
Samantha Daryn/Renovations (Editor)
SCN Administrators (Editor)
SaaSLocalDomainServers (see note 1)
Mail1/SCN/Renovations (see note 2)

1 This group is reserved for use in the service. Do not create a group by this name on-premises, or a group that begins with the characters SaaS.
2 This entry is the name of a user's home mail server in the service.

Related tasks:
Preparing mail file ACLs before mail file transfer on page 212: Before mail files are replicated to the staging server, prepare the mail file ACLs to set mail file access.

Configuring mail file templates on page 164: Configure which mail file templates can be applied to user mail files and configure a mail file template to use by default.
Preparing to use custom mail file templates on page 161: You can apply a custom mail file template to mail files of service users. The template must meet design requirements that minimize the risk and impact to your users and to the service. You submit the template for approval to an IBM Software Services for Collaboration representative.

Related information:
Using server-based agents in a SmartCloud Notes hybrid environment
SmartCloud Notes Template Validation Requirements

Enabling busytime details in calendars

You can enable IBM Notes users and web client users to see busytime details in calendars.

About this task

If you enable this feature, when users schedule a meeting or use a group calendar, they can click a block of busytime in someone's calendar to see details about the calendar entry. Users can see calendar details only if users grant them this access to their calendars. The following types of detailed information can be seen:

Type of calendar entry, for example, meeting or appointment
Optionally assigned calendar category
Meeting chair
Location
Room

This feature is disabled, by default. When it is disabled, users can still see the blocks of time when users are busy, they just cannot see details about those blocks of time. Complete the following steps to enable busytime details.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Account Settings.
5. Click & Calendar Options.
6. In the Calendar Details section, select Enable calendar detail collection.
Results

When Notes client users and web client users schedule a meeting or use a group calendar, they can click a block of busytime in a calendar to see details if they are given the access to do so. Users control who can see their calendar information and whether detailed calendar information is visible or only users' availability. To control access to their calendars, web client users click Preferences > Delegation >

Schedule. Notes users click More > Preferences then Access and Delegation > Access to Your Schedule.

Configuring instant messaging

Use the Instant Messaging settings in IBM SmartCloud Notes Administration to specify whether to enable an instant messaging community in clients automatically. Instant messaging enables users to chat with and see the availability of other users in the service. You can automatically enable use of the service instant messaging community. For web users, you can automatically enable an on-premises IBM Sametime community managed by your company.

About this task

By default, web users automatically connect to the instant messaging community in the service if the Enable instant messaging preference is selected on the client. By default, IBM Notes or later clients automatically connect to the instant messaging community in the service if the clients are installed with the Sametime (integrated) option. Users are also logged on to the community automatically.

You can change the default setting and allow web users to instead connect automatically to an on-premises Sametime community at your company site. You must use a Sametime Proxy Server (IFR1 or later) and configure it to support this capability. Notes clients can also connect to an on-premises community if you configure the clients to connect to the community yourself.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Account Settings.
5. Click Instant Messaging.
6. In the Instant Messaging Integration window, select an option described in the following table and then click Save. If you switch from one option to another, the service pushes the change to the clients immediately.

Table 54. Instant messaging configuration options

Option:
Enable the service instant messaging community for IBM Notes and SmartCloud Notes web users
Enable an on-premises IBM Sametime community for SmartCloud Notes web users
Disable instant messaging integration

Result - web users:
Web users are logged on to the service instant messaging community if they perform the following steps from the Inbox: 1. Click More > Preferences 2. Under Instant messaging, select Enable instant messaging.
Multiple communities are not supported.
Web users can connect to an on-premises Sametime community managed by your company after you configure the on-premises environment.
Web users cannot use instant messaging.

Result - Notes:
Notes users who use Notes or later installed with the Sametime (integrated) option are logged on to the service instant messaging community. The connection to the service community overwrites any pre-existing embedded connection to an on-premises Sametime community.
Notes clients are not affected by this option. To enable them to access the service instant messaging community, manually configure the clients to connect to the community.
Notes users can use instant messaging, but you must configure the clients manually to connect to communities.
Notes users can use instant messaging, but you must configure the clients manually to connect to communities.

Configuring the web client to connect to an on-premises Sametime community

Complete this procedure to configure IBM SmartCloud Notes web clients to connect to an IBM Sametime community at your company site.

Before you begin

The following Sametime server components must be installed on-premises. For instructions, see the Sametime documentation.

Sametime Server 8.0.2, or Sametime Community Server 8.5 or later. For installation instructions, see the Sametime documentation.
Sametime Proxy Server 8.5.2IFR1. For installation instructions, see the Sametime documentation.
The Sametime Proxy Server requires the latest hot fix, which is available on IBM Fix Central. The hot fix includes installation instructions. This link retrieves the list of fixes for Sametime IFR1 for all operating systems; find the latest fix for the Sametime Proxy Server on the operating system you use.

Note: The Sametime System Console is not used in this deployment.

About this task

Allowing the web client to connect to the on-premises Sametime community requires that users be able to access the Sametime Proxy Server from the same location where they access SmartCloud Notes. If your organization chooses to restrict access to the Sametime Proxy Server to users inside the corporate network, then all users must connect to that corporate network in order to access Sametime functionality in SmartCloud Notes.

If your organization wants to allow users to access Sametime functionality in SmartCloud Notes from locations outside the corporate network, you must ensure that requests to are correctly forwarded to the Sametime Proxy Server, regardless of where they originate. To support external connections, the following requirements must be satisfied:

Server_name must be listed in the public DNS (domain name server).
The firewall must allow connections to Server_name on Port_number.
You must create network routes that allow connections to reach the Sametime Proxy Server.

Procedure

1. Configure the on-premises Sametime Proxy Server to allow connections from the SmartCloud Notes domain by completing the following steps:

a. On the computer where the Sametime Proxy Server is installed, open the stproxyconfig.xml file that is stored in the deployment manager's profile:

The deployment manager's stproxyconfig.xml file is typically located in the following directory:
WebSphere_AppServer_install_root/profiles/Deployment_Manager_Profile_Name/config/cells/cell_name/nodes/node_name/servers/stproxyserver/

For example, on IBM AIX or Linux:
/opt/ibm/websphere/appserver/profiles/dmgr/config/cells/stproxycell1/nodes/STProxyNode1/servers/STProxyServer

On Microsoft Windows:
C:\Program Files\IBM\WebSphere\AppServer\profiles\dmgr\config\cells\STProxyCell1\nodes\STProxyNode1\servers\STProxyServer

b.
In the stproxyconfig.xml file, look for the closing </server> tag and add the following statement immediately after it:

<domainlist>your_organization_domain_name,smartcloud_notes_domain_name</domainlist>

Specify your own organization's domain name for Your_organization_domain_name.

To determine the SmartCloud Notes domain your company uses, open the Inbox and look at the domain name that is shown in the browser URL. For example, in the following browser URL, the SmartCloud Notes domain is notes.na.collabserv.com:

Note: The server, mail, is not part of the domain name.

Specify one of the following values for the SmartCloud_Notes_domain_name:

If you use the North America data center: notes.na.collabserv.com
If you use the Asia Pacific data center: notes.ap.collabserv.com

For example, if the Renovations company uses the North America data center, the statement looks like the following line:

<domainlist>renovations.com,notes.na.collabserv.com</domainlist>

c. Copy the new statement so you can use it again, and then save and close the file.

d. On the same computer, open the copy of the stproxyconfig.xml file that is stored in the Sametime Proxy Server's profile:

The Sametime Proxy Server node's copy of stproxyconfig.xml file is typically located in the following directory:
WebSphere_AppServer_install_root/profiles/Sametime_Proxy_Profile_Name/config/cells/cell_name/nodes/node_name/servers/stproxyserver/

For example, on IBM AIX or Linux:
/opt/ibm/websphere/appserver/profiles/stpappprofile/config/cells/STProxyCell1/nodes/STProxyNode1/servers/STProxyServer

On Microsoft Windows:
C:\Program Files\IBM\WebSphere\AppServer\profiles\STPAppProfile\config\cells\stproxycell1\nodes\stproxynode1\servers\stproxyserver

The Sametime Proxy Server's path looks very similar to the deployment manager's path, but references the Sametime_Proxy_Profile_Name instead of the Deployment_Manager_Profile_Name.

e. Add the same new statement to the Sametime Proxy Server's copy of the stproxyconfig.xml file (after the closing </server> tag as before), and then save and close the file.

f. Restart the Sametime Proxy Server.

2. If web clients do not have VPN access to the Sametime Proxy Server, provide external access to the server.

3. If your Sametime server restricts access to certain types of clients, allow access to web clients by adding the following value to the VPS_ALLOWED_LOGIN_TYPES setting in the [Config] section of the sametime.ini file:
14A4
For more information, see Technote

4. Complete the following steps to enable the service to connect to the on-premises community:
a. Log on to the service as an administrator.
b. Click Administration > Manage Organization.
c. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
d. Click Account Settings.
e. Click Instant Messaging.
f. Click Enable an on-premises IBM Sametime community for SmartCloud Notes web users.
g. Provide the Sametime Proxy Server URL, for example, stproxy01.renovations.com.

5.
Instruct Internet Explorer users to modify the browser trusted sites list as follows:
a. Click Tools > Internet Options.
b. Click Security.
c. In the Select a Zone to view or change security settings section, click Trusted sites and then click Sites.
d. Add the following sites to the Websites box:
*.lotuslive.com
*.collabserv.com

In addition, add the Sametime Proxy Server URL, for example:

6. Instruct users to complete the following steps from their SmartCloud Notes web Inbox:
a. Click More > Preferences.
b. Click Instant messaging > Enable instant messaging.

Related information:
Sametime documentation

Manually configuring Notes clients to connect to the service instant messaging community

If you performed the procedure Configuring instant messaging and selected the option Enable an on-premises IBM Sametime community for SmartCloud Notes web users or the option Disable instant messaging integration, IBM Notes clients are not configured automatically to connect to the instant messaging community in the service. This topic describes how to configure Notes clients to connect to the service instant messaging community yourself if you selected either of these options.

Before you begin

Notes must be installed with the Sametime (integrated) option selected.

About this task

Perform this procedure for any of the following reasons.

You want to allow Notes clients to connect to the service instant messaging community.

You want to allow Notes clients to connect to an on-premises Sametime community and to the service instant messaging community. You will configure the service instant messaging community as a secondary community.
Note: To provide dual-community enablement, the on-premises IBM Sametime server must be configured to support IBM Sametime Standard clients. You must purchase the Sametime Standard license separately, as the SmartCloud Notes entitlement supports IBM Sametime Entry only.

You want to allow some, but not all, Notes or later clients to connect to the service community as the primary community. If you want all Notes or later clients to connect to the service instant messaging community as the primary community, instead perform the procedure Configuring instant messaging and select the option Enable the service instant messaging community for IBM Notes and SmartCloud Notes web users.
Perform the following steps to configure a Notes client to connect to the service instant messaging community.

Procedure

1. Start Notes.
2. Click File > Preferences.
3. Click Sametime.
4. Click Server Communities.

5. Perform the following steps to add the service instant messaging community to the sidebar:
a. Click Add New Server Community.
b. Complete the fields in the Add Sametime Server Community window as described in the following table, and then click OK.

Tab / Field / Field value
Not applicable / Server community type / Sametime
Not applicable / Server community name / Provide a name that identifies the new community.
Log in / User name / Service login name, for example, sdaryn@renovations.com
Log in / Password / SmartCloud Notes web logon password. Do not specify the Notes client login password.
Log in / Use token based single sign on / Do not select
Server / Host server / im.na.collabserv.com (if your company uses the North American data center); im.ap.collabserv.com (if your company uses the Asia Pacific data center); im.ce.collabserv.com (if your company uses the European data center)
Server / Server community port / 1533
Server / Send keep alive signal after the following number of seconds / 60 (default)
Connection / Connection / Direct connection (default)
Options / Use this server for awareness status lookup / Select (default)
Options / Use canonical names for status lookup / Do not select (default)

6. If the client also connects to an on-premises community, make sure the service community is not the default community.
7. Click OK to save your changes.

Instant messaging features

The table in this topic summarizes the instant messaging features that are available through the service instant messaging community.

Note: If IBM Notes clients connect to an on-premises IBM Sametime community and to the service community, the version of Sametime that is used on-premises determines the features that are available for both communities.

Table 55. Features supported by the service instant messaging community

Feature Available Not available

Online presence status; availability status icons; custom status message Automated geographic awareness Telephony status Set alerts when users are available; privacy lists, selective do not disturb Business card display X The web client shows online presence status for names in the sidebar but not for names in documents or views. This limitation does not apply if an on-premises Sametime community is used. X The name and address are displayed but not other information, such as title and telephone number. X X X Primary, frequent, and recent contact list views In a hybrid environment, the name and address are taken from the service user account rather than from the customer Domino directory. X There is a 500-contact limit. Public groups are not supported. The web client supports only the primary contact list. Initiate chats with users not X in your contact list Security-rich one-on-one text X chat and multi-way text chat. Rich text formatting; spell X check; emoticons and emoticon palettes Time and date stamps; chat history Log in to multiple communities X The web client does not support chat history. X Supported by Notes clients only.

Table 55. Features supported by the service instant messaging community (continued)

Feature Available Not available

Screen capture tool; file transfers Instant screen share Zero-download browser chat client Online meetings Voice and video Community collaboration features, such as instant polls, broadcast chats, and persistent group chat Mobile use Telephony integration X Supported by Notes clients only. Note: To provide dual-community enablement, the on-premises IBM Sametime server must be configured to support IBM Sametime Standard clients. You must purchase the Sametime Standard license separately, as the SmartCloud Notes entitlement supports IBM Sametime Entry only. X Supported by web clients only. X X X X X X

Configuring IMAP access

You can allow users to access IBM SmartCloud Notes from third-party clients using IMAP. IMAP access is disabled by default, but you can enable it for all users or only for specific users.

Before you begin

To allow IMAP access on a per user basis, you add the text item SaaSAllowIMAP=value to the user's Person document in the Domino Directory on a server that you synchronize with the service. There are a number of ways you can do this. For example, you can add a field to the Person document, or you can add an item element to a note. If you are unfamiliar with the methods used to add a text item to a form in the Domino Directory, see the information about customizing the Domino Directory template in the Reference section of the Domino documentation.

Note: Users who have Author rights to their Person document can enable IMAP for themselves by setting the field SaaSAllowIMAP to 2. To prevent this, on the Advanced tab of the Field Properties dialog for the SaaSAllowIMAP field, set the Security Options to Must have at least Editor access to use.

About this task

After you enable IMAP access, service users can configure their mail clients for IMAP access using information provided by the service. The following IMAP clients are supported:

Apple
Microsoft Outlook 2003, 2007
Thunderbird

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Account Settings and then click IMAP Access.
5. Select one of the following, and then click Save:
Enable IMAP for all users. If you select this option, you do not need to complete any further steps.
Enable IMAP for specific users only. If you select this option, you have enabled IMAP access for your organization. Continue to the next step to customize your on-premises Domino Directory so that you can specify IMAP access for individual users.
Disable IMAP for all users. If you select this option, no users have IMAP access and you do not need to complete any further steps.
6. From the Domino Administrator client, open the Domino Directory, on an on-premises Domino server whose directory you synchronize with the service.
7. For each user you want to specify IMAP access, add a TYPE_TEXT item named SaaSAllowIMAP to their Person document with either of the following values:
"2" -- to allow IMAP access. If you later change access from specific users to all users, no additional steps are needed to allow these users to continue to have access.
"3" -- to deny IMAP access. A user who is denied access using this value will be denied access under all circumstances. If you later change access from specific users to all users, this user will continue to have no access.

An example of an agent that assigns the value "2" is

FIELD SaaSAllowIMAP := "2"

Note: If you have enabled IMAP access for all users, any value other than "2" or "3" defaults to allowing access.
Results

If you enabled IMAP for all users, then service users can set up their IMAP clients for IMAP access to SmartCloud Notes mail.

If you added the text item to the Domino Directory, during directory synchronization, the servers in the service are updated with the new information. Users cannot enable IMAP access and set up their IMAP mail clients until the synchronization is complete.

Related reference:

IMAP client limitations: There are a few limitations when using an IMAP client to access IBM SmartCloud Notes.

Related information:
Domino documentation
Setting up IMAP clients

IMAP client limitations

There are a few limitations when using an IMAP client to access IBM SmartCloud Notes.

Folder limitations

The following restrictions apply to folders used with IMAP:

A single folder name cannot exceed 64 bytes.
An unlimited number of nested folders is allowed, but the combined length of all nested folder names (including delimiters) cannot exceed 129 bytes.

View limitations

The service provides IMAP clients access to folders in user mail files but not to views. The Drafts, Sent, and Trash views in mail files therefore are not available through IMAP clients. To work around this limitation, IMAP client users can create folders that correspond to these views and put messages in the folders instead. IBM Notes or web client users must open these folders to see the messages in them.

Return receipt

The service does not support the use of return receipts with IMAP clients. If you request a return receipt and the recipient opens the message using the IBM Notes or web client, no return receipt is generated.

Logging activity in journal files

You can log different types of activity in journal files that you then download from the service.

Before you begin

Before you complete this procedure, you must request integration server enablement from an IBM Connections Cloud customer services representative (CSR). When you do so, you provide an account identity to use to connect to the FTP site to download the journal files. You are notified when your enablement request is complete. For more information, see Requesting integration server enablement in the Connections Cloud integration server documentation.

About this task

The following types of journal files are available for Notes:

Notes mail delivery, which records each message that service users send.

Notes client session, which records each attempt to log in to the service from a Notes client to access an application such as mail or the company directory.

The journal service produces gzip-compressed journal files about every 24 hours. You use an FTP client to download the journal files from the IBM Connections Cloud integration site. Files are removed from the integration site after seven days.

Journal files are available for other Connections Cloud services, as well. For more information, see the Connections Cloud journaling documentation.

After you are notified that your request for integration server enablement is complete, complete the following steps to enable journaling through SmartCloud Notes Administration.

Procedure

1. Log on to the service as an administrator.
2. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
3. Click Account Settings.
4. Click Journaling Options.
5. Select any of the following options to specify the type of journal files to generate:
Notes mail delivery
Notes client sessions
6. Click Save.

What to do next

You can begin downloading journal files in about 24 hours.

Related information:
Connections Cloud journaling documentation

Downloading journal files

You can begin to download journal files about 24 hours after you enable journaling.

Before you begin

Request integration server enablement, then enable journaling options in SmartCloud Notes administration. For more information, see Logging activity in journal files on page 180.

Make sure that your corporate firewall allows outbound connections to the following hosts over FTP port 990 and FTP PASV port range :

North America data center: ftp.na.collabserv.com
Asia Pacific data center: ftp.ap.collabserv.com
European data center: ftp.ce.collabserv.com

Procedure

1. From an FTP client, specify the following connections settings:

Setting: Value
Host: If you use the United States data center: ftp.na.collabserv.com. If you use the Asia Pacific data center: ftp.ap.collabserv.com. If you use the European data center: ftp.ce.collabserv.com
Protocol: FTP
Port: 990
Encryption: Implicit FTP over TLS
User and password: Account name and password that is used to connect to the FTP site.

2. Connect to the FTP host.
3. Change to the journal directory.
4. Select and download the following files:
If you enabled Notes mail journaling, download files named <date>.notesmail.txt.gz
If you enabled Notes client session journaling, download files named <date>.notes_nrpc_session.txt.gz.
<date> is the file creation date.

Related tasks:
Configuring the firewall for outbound connections on page 42: Configure the firewall to allow outbound connections to the service.

Related information:
Integration server documentation

Format of the Notes mail journal file

A Notes mail journal file records each message that users send.

File name

The name of the compressed file that you download is <date>.notesmail.txt.gz, where <date> is the file creation date, in YYYY-MM-DD format. For example: NOTESMAIL.txt.gz.

Syntax

Each record in a Notes mail journal file conforms to the following syntax:

date user name (id=customerid, customerid=customerid) performed ACTION [on object (type=type, id=objectid, name=name, customerid=customerid)] [targeted at (type=type, id=targetid, name=name, customerid=customerid)] with outcome OUTCOME [REASON][(EXTRA)]

Each record in a journal file is contained in a single line.

Parameters

date

A date and time, for example, T13:23: One of the following values is logged:
The date and time that a user sends a message to another user at the company
The date and time that a message failed to be delivered to a user at the company
The date and time that a user sends a message to an external user at another company

name
The user's Notes name, if an internal user sends the message, for example, CN=Samantha Daryn/O=Renovations. An Internet address, if an external user sends the message.

customerid
The unique number that identifies the company subscription in the service.

ACTION
SENT_MAIL

TYPE
The type of object or target. The object type is always MAIL_MESSAGE. The target type is always RECIPIENT.

OBJECTID
The unique identifier of the mail message that is sent.

name
The name of the OBJECTID or the TARGETID. The name for the OBJECTID is always MAIL. The name for the TARGETID is the address of the recipient.

TARGETID
The unique identifier for the recipient. This value is always null because the address specified in the name parameter uniquely identifies the recipient.

OUTCOME
The result of the action, either SUCCESS or FAILURE. If the outcome of an event is FAILURE, the reason is given. The reason is in uppercase and can be multiple words separated by underscores. For example: FAILURE USER_NOT_FOUND.

EXTRA
Contains the size of the message in kilobytes.

Examples

Note: The following example records are shown on multiple lines. In the journal file, each record is a single line.

1. Samantha Daryn sends a message to another internal user at the company, Allie Singh. Allie receives the message
T19:03: user CN=Samantha Daryn/O=Renovations (id= , customerid= ) performed SENT_MAIL on object (type=mail_message, id=<off0ebf61d.5caad94f-on85257a

name= MAIL, customerid= ) targeted at (type=recipient, id=, name= CN=allie customerid= ) with outcome SUCCESS (size= 1 )

2. Samantha Daryn sends a message to another internal user at the company, Allie Singh. Allie's name is not found in the directory and the message is not delivered
T15:02: user CN=Samantha Daryn/O=Renovations (id= , customerid= ) performed SENT_MAIL on object (type=mail_message, id=<of0645eb2c.8b339fe8-on00257a9b.0054f a9b.0054f726@localdomain>, name= MAIL, customerid= ) targeted at (type=recipient, id=, name= CN=allie singh/o=renovations@renovations.com, customerid= ) with outcome FAILURE RECIPIENT NOT FOUND IN COMPANY DIRECTORY (size= 2 )

3. Samantha Daryn sends a message over the Internet to an external user, branney@zetabank.com
T15:02: user CN=Samantha Daryn/O=Renovations (id= , customerid= ) performed SENT_MAIL on object (type=mail_message, id=<of8e758e11.39c4d326-on00257a9b A9B @LocalDomain>, name= MAIL, customerid= ) targeted at (type=recipient, id=, name= branney@zetabank.com, customerid= ) with outcome SUCCESS (size= 1 )

Format of the Notes client session journal file

A Notes client session journal file records information about each IBM Notes client login session within the service.

File name

The name of the compressed file that you download is <date>.notes_nrpc_session.txt.gz, where <date> is the file creation date, in YYYY-MM-DD format. For example: NOTES_NRPC_SESSION.txt.gz.

Syntax

Each record in a Notes client session journal file conforms to the following syntax:

date user name (id=customerid, customerid=customerid) performed ACTION [on object (type=type, id=objectid, name=name, customerid=customerid)] [targeted at (type=type, id=targetid, name=name, customerid=customerid)] with outcome OUTCOME [REASON][(EXTRA)]

Each record in a journal file is contained in a single line.
Parameters

date: The date and time a Notes client user logs in to the service or attempts to log in, for example, T13:23:

name: The user's Notes name, for example, CN=Samantha Daryn/O=Renovations

customerid: The unique number that identifies the company subscription in the service.

ACTION: NRPC_SESSION

TYPE: The type of object or target. The object type is always NRPC_SESSION. The target type is always USER.

OBJECTID: A unique session ID

name: The name of the OBJECTID or the TARGETID. The name for the OBJECTID is always NRPC_SESSION. The name for the TARGETID is the user's Notes name, for example, CN=Samantha Daryn/O=Renovations.

TARGETID: The unique identifier for the user. This value is always null because the name parameter uniquely identifies the user.

OUTCOME: The result of the action, which is always SUCCESS.

EXTRA: The following information is provided:
- Number of databases accessed
- Number of documents that are read and written
- Time to connect to the service, in seconds
- The client versions being used

Examples

Note: The following example records are shown on multiple lines. In the journal file, each record is a single line.

1. Samantha Daryn logs in to the mail server in the service successfully from Notes

T14:35: user CN=Samantha Daryn/O=Renovations(id= , customerid= ) performed NRPC_SESSION on object (type=nrpc_session, id=02e31600, name= NRPC_SESSION, customerid= ) targeted at (type=user, id=, name= CN=Samantha Daryn/O=Renovations, customerid= ) with outcome SUCCESS (DBs accessed= 1, docs read= 0, docs written= 0, connect time= 302, client version= 90010,)
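The record syntax documented above for the mail journal and the Notes client session journal can be parsed for review as in the following added example, which is not IBM's code. The sample records are constructed, and the timestamp format, the quoting of values, and the treatment of recipient names that do not start with CN= as Internet addresses are assumptions.

```python
import gzip
import re
from collections import Counter

# Record shape from the two Syntax paragraphs; bracketed parts are optional.
RECORD_RE = re.compile(
    r'^(?P<date>\S+)\s+user\s+(?P<user>.+?)\s*'
    r'\(id=(?P<user_id>[^,]*),\s*customerid=(?P<customerid>[^)]*)\)\s+'
    r'performed\s+(?P<action>\S+)'
    r'(?:\s+on object\s+\((?P<object>.*?)\))?'
    r'(?:\s+targeted at\s+\((?P<target>.*?)\))?'
    r'\s+with outcome\s+(?P<outcome>SUCCESS|FAILURE)'
    r'(?:\s+(?P<reason>[^()]+?))?'
    r'\s*(?:\((?P<extra>.*)\))?\s*$'
)
# key=value pairs inside one parenthesised group. Values may be quoted or bare
# (assumption); a bare value that itself contains a comma is not supported.
KV_RE = re.compile(r'\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(?:"([^"]*)"|([^,]*))\s*(?:,|$)')

# Constructed sample records: ids, timestamps and quoting are made up for the example.
SAMPLE_LINES = [
    '2015-03-02T19:03:11-0500 user CN=Samantha Daryn/O=Renovations (id=1001, customerid=2002) '
    'performed SENT_MAIL on object (type=mail_message, id=<OF0001@LocalDomain>, name="MAIL", '
    'customerid=2002) targeted at (type=recipient, id=, name="CN=Allie Singh/O=Renovations", '
    'customerid=2002) with outcome SUCCESS (size="1")',
    '2015-03-02T15:02:40-0500 user CN=Samantha Daryn/O=Renovations (id=1001, customerid=2002) '
    'performed SENT_MAIL on object (type=mail_message, id=<OF0002@LocalDomain>, name="MAIL", '
    'customerid=2002) targeted at (type=recipient, id=, name="CN=Allie Singh/O=Renovations", '
    'customerid=2002) with outcome FAILURE USER_NOT_FOUND (size="2")',
    '2015-03-02T15:02:55-0500 user CN=Samantha Daryn/O=Renovations (id=1001, customerid=2002) '
    'performed SENT_MAIL on object (type=mail_message, id=<OF0003@LocalDomain>, name="MAIL", '
    'customerid=2002) targeted at (type=recipient, id=, name="branney@zetabank.com", '
    'customerid=2002) with outcome SUCCESS (size="1")',
    '2015-03-02T14:35:07-0500 user CN=Samantha Daryn/O=Renovations(id=1001, customerid=2002) '
    'performed NRPC_SESSION on object (type=nrpc_session, id=02E31600, name="NRPC_SESSION", '
    'customerid=2002) targeted at (type=user, id=, name="CN=Samantha Daryn/O=Renovations", '
    'customerid=2002) with outcome SUCCESS (DBs accessed="1", docs read="0", '
    'docs written="0", connect time="302", client version="90010",)',
]


def parse_fields(text):
    """Split 'k=v, k=v' into a dict; empty values become None (the documented null ids)."""
    fields = {}
    for m in KV_RE.finditer(text or ""):
        value = m.group(2) if m.group(2) is not None else m.group(3).strip()
        fields[m.group(1).strip().lower().replace(" ", "_")] = value or None
    return fields


def parse_record(line):
    """Return one journal record as a dict, or None if the line does not fit the syntax."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    rec = {k: m[k] for k in ("date", "user", "action", "outcome", "reason")}
    rec["customerid"] = m["customerid"].strip().strip('"') or None
    for group in ("object", "target", "extra"):
        rec[group] = parse_fields(m[group])
    return rec


def load_journal(path):
    """Read a downloaded .txt.gz journal; return (records, rejected) so bad lines stay visible."""
    records, rejected = [], []
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if not line.strip():
                continue
            rec = parse_record(line)
            if rec is None:
                rejected.append((lineno, line.rstrip("\n")))
            else:
                records.append(rec)
    return records, rejected


def summarize(records):
    """Counters for review: failed sends, sends to Internet addresses, client versions."""
    out = {"failures": Counter(), "external": Counter(), "client_versions": Counter()}
    for r in records:
        if r["action"] == "SENT_MAIL":
            rcpt = r["target"].get("name") or ""
            if r["outcome"] == "FAILURE":
                out["failures"][(r["user"], r["reason"])] += 1
            # Heuristic (assumption): internal recipients are logged as Notes names (CN=...).
            elif not rcpt.upper().startswith("CN="):
                out["external"][(r["user"], rcpt.rsplit("@", 1)[-1].lower())] += 1
        elif r["action"] == "NRPC_SESSION":
            out["client_versions"][(r["user"], r["extra"].get("client_version"))] += 1
    return out


if __name__ == "__main__":
    summary = summarize([parse_record(line) for line in SAMPLE_LINES])
    for name, counter in summary.items():
        print(name, dict(counter))
```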


Chapter 6. Onboarding users

Onboarding refers to all the steps that are done to get users up and running with mail files and mail servers in the cloud.

Before you begin

Before you onboard users, configure the service and, optionally, customize service settings.

Choosing a client deployment strategy

Choose a strategy for deploying clients in the service.

Before you begin

Complete the following tasks: Deciding whether to use the Notes client on page 188 and Deciding whether to transfer mail files on page 189.

About this task

The following table describes common client deployment strategies.

Table 56. Common strategies for deploying clients

Strategy: New mail files; SmartCloud Notes web and mobile clients only
Additional information: This option is the quickest and least expensive. All users can quickly use the web client and mobile clients to access their mail. Users who decide that they want to use the IBM Notes client can do so when it is convenient, and can continue to use cloud mail in the meantime.

Strategy: New mail files; Notes, SmartCloud Notes web, and mobile clients
Additional information: This option causes the least disruption for users and is typically less time consuming than transferring mail files. This option might be a good one to choose if current Notes clients meet the service requirements and do not need to be upgraded. Notes client users can export contacts from current mail files and import them into new mail files. Notes client users can access on-premises archives of their original mail files. The use of managed mail replicas can boost performance for Notes client users.

Copyright IBM Corp

Table 56. Common strategies for deploying clients (continued)

Strategy: Transferred mail files and Notes clients for some users; new mail files and SmartCloud Notes web and mobile clients for other users
Additional information: This option allows some critical users such as executives and managers to continue to use the Notes client and to continue to work with current and past mail file content. This option can be more time consuming to deploy, depending on the quantity and size of the mail files that are transferred. Your company sets up an IBM Domino staging server and uses IT resources to prepare mail files.

Strategy: Transferred mail files for all users; a mixture of Notes, SmartCloud Notes web, and mobile clients
Additional information: This option is the most expensive and time consuming but can be the least disruptive for users, especially if Notes client upgrades are not required.

Deciding whether to use the Notes client

IBM SmartCloud Notes web is the mail client that is available automatically to all IBM SmartCloud Notes users through a browser. Before you prepare to onboard users, decide whether you want them to use the optional IBM Notes client in addition to or instead of SmartCloud Notes web.

About this task

For the following reasons, many companies decide to use SmartCloud Notes web and not the Notes client:
- Users get access to new features automatically as they are available in the service.
- IT departments save money by avoiding the need to upgrade and maintain Notes clients.
- SmartCloud Notes web is easy to use and the interface is similar to that of recent versions of IBM iNotes and Notes. There might be little or no training needed.
- Most Notes client features are available in SmartCloud Notes web.

A recommended approach is to start all users in the service with SmartCloud Notes web. After users become familiar with it, you have a better sense of which users, if any, still need the Notes client.

The following table describes some reasons to use the Notes client, as well as alternative options.
Table 57. Reasons you might use the Notes client

Reason: Users need access to IBM Domino applications on-premises.
Considerations and alternatives: The Notes Browser Plug-in is an alternative option to the Notes client. This plug-in provides access to on-premises Notes applications through a browser.

Table 57. Reasons you might use the Notes client (continued)

Reason: Users need access to mail when disconnected from the network.
Considerations and alternatives: Currently, only the Notes client supports local, disconnected access to mail. Local mail file access is provided through managed mail replicas (in hybrid environments) or standard local mail file replicas (in service-only environments). Before you choose the Notes client for this reason, consider that with the increased use of mobile devices, some users might no longer require offline access through notebooks or desktops.

Reason: Internet connections are slow.
Considerations and alternatives: In hybrid environments, users with slow Internet connections, for example, users with limited bandwidth connections, see better performance if they use managed mail replicas on Notes clients. In service-only environments, these users benefit from using standard local mail file replicas on Notes clients.

Reason: Users are starting with new mail files in the service and want access to old mail archived on-premises.
Considerations and alternatives: Currently, accessing mail that is archived on-premises requires a Notes client.

Reason: Users want features that are available only with the Notes client.
Considerations and alternatives: For a feature comparison, see the technote Comparison tables of features between IBM Notes, IBM iNotes, and IBM SmartCloud Notes web.

Reason: In hybrid environments, users want to manage (be delegates for) the mail files of on-premises users.
Considerations and alternatives: Managing on-premises mail files of users who are not provisioned for the service requires the Notes client.

Related tasks:
Using Desktop Settings to configure managed mail replicas on page 120
In a hybrid environment, use Desktop Policy settings to enable managed mail replicas. Managed mail replicas help ensure that IBM Notes users in the service have quick, local access to their mail when connected or disconnected from the network.
Related information:
- Technote: Comparison tables of features between IBM Notes, IBM iNotes & IBM SmartCloud Notes web
- Notes Browser Plug-in
- IBM SmartCloud Notes client requirements

Deciding whether to transfer mail files

An important aspect of planning to move to the service is deciding whether to start with new IBM Notes mail files or to transfer current mail files.

About this task

You can combine approaches. For example, you might create new mail files for a majority of users and transfer the mail files of remaining users.

There are several advantages to starting users with brand new mail files in the service:
- Users can begin to use the service quickly because the steps to prepare and transfer mail files are unnecessary.
- No company IT resources are required to prepare mail files for transfer.
- If you have users who infrequently use past mail and calendar entries, or if your company mail retention policy is to retain mail for only a short period, a new mail file might not be an inconvenience.
- Notes client users can export contacts and selected calendar entries from their original mail files to a Calendar (.ics) file, and then import the entries into their new mail files after they are provisioned.

In some cases, it might be important to transfer mail files. For example, you might want to transfer the mail files of users such as company executives or managers who work heavily with past and current mail messages and calendar events.

You can pay for the services of a professional transfer manager to work with your company to transfer mail files. The transfer manager can be an IBM Software Services for Collaboration representative or an IBM Certified Business Partner. The transfer manager performs tasks such as helping you to prepare mail files and to develop a transfer schedule. The transfer manager also sets up an on-premises IBM Domino server that is provided by your company to use as a staging server for the transfer.

When you transfer mail files, you can choose whether to transfer full mail files or to selectively transfer just some of the content. Selective transfer is helpful for expediting the transfer of large mail files and also for preventing large mail files from exceeding the mail file quota in the service.
When you use selective transfer, you specify which of the following types of content to transfer:
- Contacts (Requires Preferences > Contacts > Enable Synchronize Contacts on the Replication and Sync tab to be selected in the mail file before the transfer.)
- Mail rules
- Group calendars
- Draft documents
- Calendar events, optionally including events up to 365 days in the past
- Messages, optionally including messages sent and received up to 365 days in the past
- To Do's, optionally including To Do's with due dates up to 365 days in the past

The following content is always transferred:
- Preferences settings
- Embedded Notes IDs
- Folders, which can be empty after the transfer if content is older than the transfer criteria

You decide whether and how to preserve data that is not transferred. For example, you might retain the original on-premises mail files. The original files and transferred files have different replica IDs and do not replicate.

Related tasks:
Preparing for mail file transfer on page 209
If you configure the service as a hybrid environment, as part of onboarding, you have the option to transfer users' on-premises mail files to the service. Before you transfer mail files, complete the tasks to prepare.

Preparing for onboarding

To prepare for onboarding, complete these tasks to prepare users, clients, and mail files.

Before you begin

Before you prepare for onboarding, complete the following tasks:
- Chapter 4, Configuring the service, on page 83
- Choosing a client deployment strategy on page 187

About this task

Table 58. Tasks to prepare for onboarding
Task | Why the task is important | Additional information | Complete?

Task: Create a detailed provisioning schedule and require your project team to sign off on it.
Why the task is important: This step ensures that provisioning happens in planned stages that take into account factors such as pilot users, work schedules, geographic locations, and clients used.
Additional information: Delegates of mail files must be provisioned to manage mail files of provisioned users. For more information see Mail file delegation on page 208.

Task: Prepare communications and training.
Why the task is important: This step allows for a smooth transition to the service and reduces help desk calls.
Additional information: Preparing communications and training on page 206

Task: Develop a method to track provisioning.
Why the task is important: This step helps you understand what stage users are at in the transition to the cloud and is also useful for providing status reports to executive management.

Task: Request removal of trial accounts.
Why the task is important: Provisioning can fail for users who have trial accounts.
Additional information: Contact Support to determine whether users at your company have trial accounts.

Table 58. Tasks to prepare for onboarding (continued)
Task | Why the task is important | Additional information | Complete?

Task: In hybrid environments, if users will not use the IBM Notes client with the service, verify that the users have Notes ID files to which they or administrators have local access.
Why the task is important: Though not required, Notes ID files enable users to sign, read encrypted, and recall mail messages. ID files are typically required to enable administrators to change users' Notes names.
Additional information: Limitations when Notes IDs are not in the vault on page 131; Importing your Notes ID; Uploading a Notes ID to the vault on page 269

Task: Customize mail file access.
Why the task is important: This step is required if you want to allow people who are not the owners of mail files to access mail files without being delegates. Typically this access is provided by adding a customer-specific administrator group to mail file ACLs.
Additional information: Preparing customized mail file ACLs on page 168

Task: Familiarize yourself with password requirements for logging in to the service.
Why the task is important: The password requirements might be different from ones that are currently used in your on-premises environment.
Additional information: Password rules by authentication method on page 141

Task: In hybrid environments only, verify that users' Person documents comply with service requirements.
Why the task is important: This step helps to ensure a smooth transition to the service.
Additional information: See the section about Person documents in the topic Requirements for synchronized directories on page 22.

Task: (Optional) In hybrid environments only, configure multiple Internet addresses for users.
Why the task is important: This step applies only if users have more than one Internet address, for example, if users have two addresses as a result of a company merger.
Additional information: Adding multiple Internet addresses to Person documents on page 207

Task: (Optional) Ensure that a custom mail template is uploaded to the service, if you plan to use one.
Why the task is important: You can apply the custom template during user provisioning so that users see the custom design when they first use the service.
Additional information: See Preparing to use custom mail file templates on page 161.

Table 58. Tasks to prepare for onboarding (continued)
Task | Why the task is important | Additional information | Complete?

Task: (Optional) Set up batch user provisioning with the integration server.
Why the task is important: This step allows you to use comma-separated value (CSV) files to provision batches of users.
Additional information: See the section on user provisioning and identity management in the Integration server documentation.

Task: Prepare for specific clients.
Why the task is important: There are special considerations for each type of client that can be used with the service.
Additional information: Preparing for the web client; Preparing for Notes Traveler devices on page 195; Preparing for Notes clients on page 196; Preparing for IMAP clients on page 202

Preparing for the web client

Before you provision users who will access IBM SmartCloud Notes using the web client, prepare for the web client.

Before you begin

Read about the web client.

About this task

Table 59. Tasks to prepare for the web client
Task | Why the task is important | Additional information | Complete?

Task: Prepare for onboarding.
Why the task is important: There are tasks to prepare that apply to all or most clients.
Additional information: Preparing for onboarding on page 191

Task: Review the supported browsers and browser versions, decide which to use, and upgrade browsers if necessary.
Why the task is important: Using a supported browser version ensures the best experience for your users.
Additional information: SmartCloud Notes web requirements

Table 59. Tasks to prepare for the web client (continued)
Task | Why the task is important | Additional information | Complete?

Task: If users currently use IBM iNotes, compare the features that are supported for SmartCloud Notes web.
Why the task is important: Most IBM iNotes features are supported in the cloud. Making your users aware of the few differences can reduce help desk calls and improve user satisfaction.
Additional information: Technote: Comparison tables of features between IBM Notes, IBM iNotes & IBM SmartCloud Notes web

Task: Assess network capacity.
Why the task is important: This step ensures that your site has the network capacity to support the number of web client users you plan to have.
Additional information: Network capacity for the web client on page 20

Task: If the Notes client is used with shared login enabled, but the client won't be used in the cloud, disable the shared login feature before you provision users.
Why the task is important: This step enables administrators or web client users to upload Notes ID files to the vault in the service manually after provisioning.
Additional information: An ID enabled for shared login cannot be uploaded to the service ID vault manually by a web client user or an administrator. It can only be uploaded automatically through the use of a Notes client. For more information on shared login, see the Securing section of the Domino documentation.

Task: (Optional) Deploy an extension forms file to customize the web client.
Why the task is important: Use an extension forms file if you want to customize the visual theme, fonts, the action bar, and other aspects of the web client.
Additional information: Using extension forms files to customize the look of the web client on page 165

Task: Disable on-premises IBM iNotes login redirection, if used.
Why the task is important: This step ensures that users are not redirected to their on-premises mail servers after the move to the cloud.
Additional information: For information on using IBM iNotes redirect, see the Domino documentation. An IBM Software Services for Collaboration representative can provide a custom redirector for cloud login.

Preparing for Notes Traveler devices

Before enabling users to use IBM Notes Traveler mobile devices with the service, prepare your environment and the devices.

Before you begin

Read about Notes Traveler devices.

About this task

Before you provision users with a Notes Traveler subscription, complete the tasks in the following table to prepare.

Table 60. Tasks to prepare for Notes Traveler devices
Task | Why the task is important | Additional information | Complete?

Task: Prepare for onboarding.
Why the task is important: There are tasks to prepare that are not client-specific.
Additional information: Preparing for onboarding on page 191

Task: Ensure that your firewall configuration allows devices to access the service over WiFi.
Why the task is important: Connections to hosts in the service over Port 443 are required for WiFi access.
Additional information: Configuring the firewall for outbound connections on page 42

Task: Review the Notes Traveler device memory and operating system requirements.
Why the task is important: Using a mobile device that complies with these requirements ensures the best experience for your users.
Additional information: Notes Traveler requirements for the cloud.

Task: If you plan to use BlackBerry 10 devices, first verify that your wireless carrier supports the minimum operating system level that is required in the cloud.
Why the task is important: Some carriers might not support the minimum required BlackBerry 10 operating system level.
Additional information: Notes Traveler requirements for the cloud.

Task: Enable cookies in device browsers.
Why the task is important: Cookies must be enabled to connect to the service and to sync mail on devices.

Task: Review Notes Traveler device policy settings.
Why the task is important: Be aware of policy settings that the service enforces that might be different than your current settings. Also, optionally customize settings.
Additional information: Notes Traveler Settings restrictions on page 118; Using administrative policies on page 105

Table 60. Tasks to prepare for Notes Traveler devices (continued)
Task | Why the task is important | Additional information | Complete?

Task: Review device limitations in the cloud.
Why the task is important: This step makes you aware of any changes that users might see after the move to the cloud.
Additional information: Notes Traveler Troubleshooting, known limitations, and restrictions.

Task: (Optional) Enable application passwords.
Why the task is important: This step is required only if your company enables full federated identity authentication and Android devices that run Notes Traveler or a higher are not used.
Additional information: Enabling application passwords on page 139; Setting up federated identity management on page 132

Preparing for Notes clients

Use of the IBM Notes client to connect to the service is optional. If you want your users to use the Notes client, understand the steps to prepare.

Before you begin

Read about the Notes client on page 11 and decide whether to use it.

About this task

Skip this task if you do not plan to use the Notes client.

Table 61. Tasks to prepare for the Notes client
Task | Why the task is important | Additional information | Complete?

Task: Prepare for onboarding.
Why the task is important: There are tasks to prepare that apply to all or most clients.
Additional information: Preparing for onboarding on page 191

Task: Compare the features that are supported for the on-premises client to the features that are supported in the cloud.
Why the task is important: Most features are also supported in the cloud, but there are some differences to be aware of.
Additional information: Technote: Comparison tables of features between IBM Notes, IBM iNotes & IBM SmartCloud Notes web

Table 61. Tasks to prepare for the Notes client (continued)
Task | Why the task is important | Additional information | Complete?

Task: Evaluate your currently deployed clients. If necessary, upgrade to newer versions of the client.
Why the task is important: A version of Notes (Standard configuration) that is supported in the cloud is required.
Additional information: To ensure a smooth transition, leave plenty of time to complete client upgrades, and, if necessary, related hardware upgrades, before you provision users for the cloud. There are various upgrade methods available, including desktop push technology, Notes Smart Upgrade, and end-user controlled upgrades.
- Technote: SmartCloud Notes client requirements
- Upgrade Central: Planning your upgrade to IBM Notes and Domino 9.0 Social Edition
- Search for Using Notes Smart Upgrade in the IBM Domino documentation.

Table 61. Tasks to prepare for the Notes client (continued)
Task | Why the task is important | Additional information | Complete?

Task: In hybrid environments, configure managed mail replicas.
Why the task is important: Managed mail replicas are recommended to provide Notes users quick, local access to their mail when connected or disconnected from the service.
Additional information: Use an on-premises policy to configure managed mail replicas. Complete this step before you provision users so that you can resolve any issues specific to this feature ahead of time. For more information, see Using Desktop Settings to configure managed mail replicas on page 120. Note: In service-only environments, users can get similar benefits by creating local replicas of their mail files after they are provisioned.

Task: Assess network capacity.
Why the task is important: This step ensures that your site has the network capacity to support the number of Notes client users that will connect to the cloud.
Additional information: Network capacity for the Notes client on page 20

Task: (Optional) Use a custom mail file template to customize the mail file design.
Why the task is important: If you prepare a custom mail file template in advance, you can apply the custom template during user provisioning so that users' first experience with the cloud is with the custom design.
Additional information: A short contract with IBM Software Services for Collaboration is required to test and approve the template design. For more information on requirements and steps, see Preparing to use custom mail file templates on page 161.

Task: In hybrid environments, review policy settings.
Why the task is important: Be aware of policy settings that the service enforces that might be different than your current settings. Also, optionally customize settings.
Additional information: Using administrative policies on page

Table 61. Tasks to prepare for the Notes client (continued)
Task | Why the task is important | Additional information | Complete?

Task: (Optional) In hybrid environments, if you are not transferring mail files, export contacts, and calendar entries that have future dates.
Why the task is important: After users move to the cloud, they can import the contacts and calendar entries into their new mail files.
Additional information: Exporting calendar entries allows users to save calendar entries in local .ics files. After users are provisioned, they can import the files into their new mail files in the service. Contacts are imported along with the saved calendar entries. For more information, see the topic about exporting and importing calendars in the Notes client help.

Task: (Optional) In hybrid environments, if you are not transferring mail files, create mail archives on-premises before the move to the cloud.
Why the task is important: Mail archives provide users with access to old mail content after the move to the cloud. Note: Users cannot create local archives of their on-premises mail after the move to the cloud.
Additional information: You can use Domino policies to archive mail. For information, see the topic about understanding mail archiving and policies in the IBM Domino documentation. Alternatively, you can use a third-party archiving application.

Task: (Optional) Install the IBM Connections Activity Plug-in.
Why the task is important: If your company purchases a collaboration subscription, this step provides access to cloud Activities from the Notes client sidebar.
Additional information: Connecting to cloud Activities through the Notes client sidebar on page 202

How the Client Configuration tool configures the Notes client

To set up the IBM Notes client for use with the service, users download and run the Client Configuration tool (config.nsf) from their workstations. The tool performs the following configuration checks and tasks on the client.

- Checks for the following information:
  - The client is a version supported for IBM SmartCloud Notes access.
  - The config.nsf file contains information needed to perform the configuration.
  - The downloaded data is less than 24 hours old. If it is older than 24 hours, a message informs users. They can continue to use the tool if they choose.
- Confirms that the user is logged in using the ID that they will use in the service.

- Performs other small consistency tests, such as checking that the current Location document can be located.
- Creates a wildcard Connection document that the client will use to connect to a mail server in the service through the proxy server in the service. The server name in the Connection is */your_certifier, where your_certifier is the name of the OU certifier you provided for your mail servers during service configuration.
- If the user is already using the Notes ID that they will use in the service, tests connectivity to their new mail server on port
- If the user has a mail file that is being transferred, confirms that their old and new mail files can be located.
  Note: If the tests confirm that the user's mail file has already been transferred successfully using replication, then the tool does not attempt to find the old mail file, which might have already been deleted.
- If the tool needs to close the Notes client to force a download of the user ID file, it attempts to find an Offline location:
  - If an Offline location is found, the tool switches to it to prevent the client from doing a final replication when it closes.
  - If no Offline location is found, the tool creates an Offline location (named Offline) for this purpose.
  - If a location named Offline already exists, but is not suitable for configuration purposes, the tool creates a location named Temporary location for cloud mail setup - safe to delete.
  Note: If the tool closes the Notes client for reasons other than to download the Notes ID, an Offline location is not needed.
- Creates a Location document called SmartCloud for username, or updates it if it already exists and is incorrect.
- If the user has an existing mail file that is being transferred, the tool locates existing bookmarks that point to the on-premises mail file and changes them to point to the replica of the mail file in the service.
- If the user has Location documents that point to the on-premises mail file, the tool updates the Location documents to point to the new SmartCloud Notes mail file. For example, if the user has a working Office Location document, it changes to a virtual duplicate of the cloud Location document.
- If the user has Connection documents (Contacts > Advanced view) that restrict which locations can be used, and the list includes the current location, then the tool updates those connections to allow the cloud Location document. This is necessary so that users can continue to access on-premises application servers using the new cloud location.
- If the user has Account documents (Contacts > Advanced view) that restrict which locations can be used, and one of the locations is the current location, the tool updates the Account documents so that they can be used from the cloud location.
- If the user has an existing mail file that will be transferred, but the transfer has not yet taken place, the tool replicates the existing on-premises mail file with the service mail file. If this succeeds, the field LLNMigrated=1 is set in the Calendar Profile document, which signals that another replication is not needed. The tool then sends a message to LLNStatusUpdates advising of the successful transfer. LLNStatusUpdates is a mail-in database that can be used by IBM support or the administrator who is managing the on-premises deployment.

- If the user has an existing mail file that will be transferred, and there is a local mail file, the tool replicates the local mail file with the service mail file.
- Depending on the configuration tasks that have been completed at this time, the tool might shut down the Notes client. If so, a message informs the user, and provides instruction for what to do next (for example, restart Notes and enter the password for your SmartCloud Notes ID, to download the ID file). Again note that sometimes the shutdown is done for purposes other than downloading an ID file.

Downloading Notes client software and other entitled software

You can easily access the IBM Software Download Center to download IBM Notes and other software to which your company is entitled. Software entitlement is governed by the service Terms of Use and applicable License documents.

About this task

You can access the site if you have the Administrator account role. You can use the site to download software before or after user subscriptions are activated.

To access the Download Center, complete the following steps:
1. Log in to the service as an administrator.
2. Click Apps > Downloads and Setup.
3. In the Software Entitlements section, click View available software to get to the Download Center.
4. In the Software Downloads page, type the partial or full name of the entitled software in the Find by search text box. Then, click the search icon.

Search filter options are available to narrow product results by language and operating system. For more information, see Technote

Related information: Technote

Connecting to cloud Activities through the Notes client sidebar

Users with collaboration subscriptions in addition to SmartCloud Notes subscriptions are automatically logged in to the cloud Activities server through the Activities sidebar.

About this task

The Activities sidebar must be installed on the client. To install the Activities sidebar in Notes or later 8.5x versions, select the IBM Connections Notes installation option. To install the sidebar in IBM Notes 9.0 Social Edition or later versions, install the IBM Connections Plug-ins. For more information, see the wiki article Where is the Activities Sidebar for Notes 9.0 Social Edition? Activities integration is not supported for Notes

Preparing for IMAP clients

If you plan to use IMAP clients, complete these tasks to prepare.

Before you begin

Read about IMAP clients.

About this task

Table 62. Tasks to prepare for IMAP clients
Task | Why this task is important | Additional information | Complete?

Task: Prepare for onboarding.
Why this task is important: There are tasks to prepare that apply to all or most clients.
Additional information: Preparing for onboarding on page

211 Table 62. Tasks to prepare for IMAP clients (continued) Task Verify that users hae a supported IMAP client installed. Be aware of the IMAP client limitations. Open the firewall ports that are required for IMAP access. Enable IMAP access in IBM SmartCloud NotesAdministration. Why this task is important Using a supported client is required because it proides the best experience for users. This information can help with troubleshooting. Ports 993 and 465 must be open to allow connections to the serice ia IMAP. IMAP access is not enabled by default. Additional information IMAP client requirements IMAP client limitations Configuring the firewall for outbound connections on page 42 Decide whether to enable IMAP access for all users or for specific users. To enable IMAP access for specific users requires time to make necessary edits to the on-premises directory. For more information, see Configuring IMAP access on page 178. Complete? Preparing to use BlackBerry deices If you plan to use BlackBerry deices that are supported by a Hosted BlackBerry Serices subscription, complete these tasks to prepare. Before you begin Read about BlackBerry deices with a Hosted BlackBerry Serices subscription on page 12. About this task Table 63. Tasks to prepare for BlackBerry deices Task Prepare for onboarding. Why this task is important There are tasks to prepare that apply to all or most clients. Additional information Preparing for onboarding on page 191 Complete? Chapter 6. Onboarding users 203

212 Table 63. Tasks to prepare for BlackBerry deices (continued) Task Verify that this subscription supports the BlackBerry deices that you want to use. Plan for time that is required to accept and process the Research in Motion terms of use agreement. Why this task is important The Hosted BlackBerry Serices subscription does not support BlackBerry 10. This step must be complete before you can proision users and can take three to four weeks. Additional information An IBM SmartCloud Notes for Hosted BlackBerry Serices subscription enables users to access the serice through BlackBerry deices that run operating system ersions 4.0 through 7.x. Users who use BlackBerry 10 deices require SmartCloud Traeler for Notes subscriptions instead. For more information about deice requirements for each of these subscriptions, see the client requirements. After your company purchases a Hosted BlackBerry Serices subscription, you must accept the Research in Motion terms of use agreement. Then, wait for an IBM representatie to indicate that your subscription setup is complete. Complete? 204 SmartCloud Notes: Administering SmartCloud Notes: Hybrid Enironment March 2015

213 Table 63. Tasks to prepare for BlackBerry deices (continued) Task Ensure that deices are set up to use an Enterprise data plan. Be aware of the BlackBerry deice settings that are enforced in the serice, such as password requirements. BlackBerry browser is not supported Why this task is important An enterprise data plan is required to actiate the BlackBerry deices for the serice. These setting requirements might be different from ones that are currently implemented at your company. You can notify users if this behaior is different from what they are accustomed to. Additional information If users currently use personal plans such as BlackBerry Internet Serice, they must conert to enterprise data plans. Allow time for users to contact the phone company to make the change and to set up the new plans on their deices. Users should know that they can no longer use personal accounts in the cloud. When users switch from personal plans to enterprise plans, you are likely to see increased costs that are associated with purchasing the new plans and with data usage. If your current policies are different from the cloud policies, communicate this change to users. For more information, see Settings enforced for BlackBerry smartphones. Access to web applications in your corporate intranet or on the Internet through the deice is not supported. Complete? Settings enforced for BlackBerry smartphones This topic describes the settings that the serice currently enforces for BlackBerry smartphones. Table 64. Settings enforced for BlackBerry smartphones Policy Value Allow users to send outbound messages No through serices other than IBM SmartCloud Notes Chapter 6. Onboarding users 205

214 Table 64. Settings enforced for BlackBerry smartphones (continued) Policy Value The maximum size of a single natie (KB) attachment that can be downloaded to a smartphone The total size of all natie attachments that can be uploaded from a smartphone The maximum size of a single natie attachment that can be uploaded from a smartphone (Bytes) (Bytes) Allow users to disable smartphone No passwords Password pattern checks At least 1 alphabetic character and 1 numeric character Number of days after which a smartphone 90 password expires and the smartphone prompts the user to set a new password The number of minutes of inactiity allowed before the smartphone is locked and the user must proide a password to unlock it. Minimum smartphone password length Smartphone password required The number of preious passwords that are preented from being used as new passwords Reset smartphone to factory default settings when smartphone is wiped Allow users to place calls while the smartphone is locked 30 8 characters Yes 8 Yes Yes Preparing communications and training Prepare a communications and training plan to help your users, administrators, and help desk personnel make the transition to the serice. About this task Prepare to communicate to your users the benefits of the serice, the changes to expect, and the steps to take to make the transition. Ensure that your help desk personnel are aware of the communications plan and are prepared to help users follow instructions that are proided in it. For seeral client-specific sample communications to use as a starting point, see the wiki article Preparing communications about the transition to SmartCloud Notes. 
Consider use of the following training resources to help users, help desk personnel, and administrators become familiar with the clients and features available with the service:

- Preparing training for IBM SmartCloud Notes wiki article
- Technote : Comparison tables of features between IBM Notes, IBM iNotes & IBM SmartCloud Notes web
- IBM Multimedia Library for IBM Notes, affordable and proven resource for Notes client training
- Getting started with SmartCloud Notes clients, getting started resources that are provided through the wiki

Adding multiple Internet addresses to Person documents

You can include multiple Internet addresses in a Person document.

About this task

Domains specified in the Global Domain document field Alternate Internet domain aliases are not handled as alias domains by the service. Instead, each domain in this field is listed and verified in the service as a separate domain, similar to the domain specified in the Local primary Internet domain field. To enable a user to receive mail addressed to a domain in the Alternate Internet domain aliases field, you must specify the user's address for the domain in the Person document.

Specify one Internet address when you register the user. This address is added to the Internet address field of the Person document in the directory. After registration, add any additional addresses as secondary values in the Short name/User ID field in the Person document.

You can use the Alternate Internet domain aliases field in a Global Domain document to define an Internet domain. If you do, a user can only receive mail addressed to the domain if the domain address is added to the Person document, either during or after user registration.

Related tasks:
Preparing Global Domain documents on page 49
Prepare at least one Global Domain document to define the Internet domains that your company owns.

Mail file quota

Currently a size limit (quota) of 25 GB is enforced on the mail files of users who were provisioned before November 22, 2014; the mail file size limit of users who are provisioned after this date is 50 GB. An exception is the mail files of SmartCloud Notes Entry users, whose mail files have a 1 GB limit.
The sizes of the following mail file elements are factored into the quota calculation:

- design elements
- documents
- view index
- Domino Attachment and Object Store (DAOS) element
- white space
- attachments

Full-text index size is not a factor in the quota calculation.

Users do not receive warning notifications if they are approaching their mail quota. However, web client users and Notes client users can see how close they are to quota by clicking the quota status bar that is shown near their name in the mail file.

When a user's mail file quota is reached, the user cannot receive mail and the sender of a message receives a delivery failure notification. Some clients continue to allow mail to be sent when quota is reached, as described in the following table. When a user with an over-quota mail file sends a message that cannot be delivered, the user does not receive a delivery notification failure. The service retries sending the delivery failure notification for about a day, and if not successful, deletes the notification.

Table 65. Send mail behavior when quota is reached

| Client | Sending mail without saving a copy | Sending mail and saving a copy |
|---|---|---|
| Notes | Mail is sent. | Mail is sent but not saved. |
| web client | Mail is sent. | Mail is not sent or saved. |
| Notes Traveler | Not supported. | Mail is not sent. Mail stays in the Outbox and the client tries to resend. |
| BlackBerry smartphone | Mail is sent. | Mail is not sent. Mail stays in the Sent folder and can be resent later. |

Mail file delegation

Using delegation preferences, users can allow other users to manage their mail, calendar, contacts, and to do items. Depending on which client is used, there are some differences in how delegation works with IBM SmartCloud Notes.

Notes client

Delegation works in the following way for users who access their mail using the IBM Notes client:

- To set up delegation, users set a Mail > Access & Delegation preference. Once set, this preference applies to both the Notes client and the web client.
- In the Notes client, users can also delegate management of their Calendar, Contacts, and To Do tasks.
- A delegate cannot assign other delegates to a mail file.
- In a hybrid environment, delegates must be provisioned for the service to manage a mail file in the service. After delegates are provisioned, they can manage mail for both provisioned users with mail files in the service and on-premises users who have mail files on company servers. Users whose mail files are on company servers cannot manage a mail file in the service.
If your on-premises environment includes delegates who manage mail for other users, consider provisioning the delegates first. After delegates are provisioned, they can manage mail for both provisioned users and for on-premises users who have mail files on company servers.

Web client

Delegation works in the following way for users who access mail using the web client:

- To set up delegation, users set a Delegation user preference. Once set, this preference applies to both the Notes client and the web client.
- In the web client, users can also delegate management of their Calendar, Contacts, To Do tasks, and Notebook.
- A delegate cannot assign other delegates to a mail file.
- In a hybrid environment, delegates who are provisioned for the service can only manage the mail files of other provisioned users; once provisioned, they cannot manage an on-premises mail file. Conversely, a person whose mail file is on a company IBM Domino server cannot manage the mail file of a provisioned user.

Reassigning delegation after a user name change

If a delegate's Notes user name changes, then the owner of the mail file must reassign delegation to the new name. Doing so updates the mail file ACL (access control list) with the new name, which allows the user access to the database.

Related tasks:
Changing a Notes user name on page 255
In a hybrid environment, you use the Domino Administrator client on-premises to change a user's Notes name. The steps initiate a series of administration process requests.

Transferring mail files

As a convenience to your users, their current mail files can be transferred to the service before they are provisioned. Transferring mail files is optional.

Before you begin

Complete the tasks Deciding whether to transfer mail files on page 189 and Choosing a client deployment strategy on page 187

About this task

Transfer mail files before you provision users. Essentially, the transfer process moves the current on-premises mail files to new mail servers in the cloud. If you transfer mail files, users continue to have access to their original mail after they are provisioned for the service.

Users continue to use their existing Notes IDs after switching to the service. As a result, they can continue to access private content such as encrypted mail data.

Note: Mail file folders with a type set to private rather than shared (the default type) are not transferred to the service. This limitation applies only to the private folders themselves. The messages within the folders are transferred, and they are visible in the All Documents view in the mail file.

Preparing for mail file transfer

If you configure the service as a hybrid environment, as part of onboarding, you have the option to transfer users' on-premises mail files to the service. Before you transfer mail files, complete the tasks to prepare.

Preparing the staging server

To prepare for mail file transfer, mail files are replicated to an on-premises IBM Domino server, referred to as the staging server. You must perform steps to prepare and set up the staging server.

Setting up a Domino staging server:

You provide an IBM Domino server on-premises to use as a staging server for the mail file transfer.

About this task

To avoid the risk of impacting production systems during user provisioning, use a dedicated server that is not used in your production environment. If you choose to use a production server, the following requirements are in addition to any resources required by production workloads. If you do choose an existing server to use as the staging server, select one that does not have any mail file replicas.

The minimum requirements for the staging server are as follows:

- A 32-bit Domino server version or later on any supported version of Microsoft Windows.
- Dual Core Intel / AMD CPU
- 2 GB RAM
- Available local storage of up to double the data volume for users that are being processed at any one time. Space is required for the mail files as well as encrypted copies of the mail files.

For information about installing and setting up Domino servers, see the Domino documentation.

Mail files can be transferred via FTP or removable storage. Removable storage can be a Network Attached Storage (NAS) device or a USB device. Your transfer manager indicates which type is available to you. Note the following requirements for removable storage:

- For NAS transfers, the staging server requires an available Gigabit Ethernet network port, for optimum performance.
- For USB device transfer, see the USB device hardware requirements that are described in the web page What is Media Data Transfer Service?

Related information:
What is Media Data Transfer Service?
Domino documentation

Register a server ID for the staging server:

Register a server ID, and optionally an administrator ID, for the staging server. Give mail servers access to the staging server.

About this task

The staging server requires access to your mail servers. To avoid the need for cross-certification, register the server ID under a certifier that your mail servers trust.
If access to mail servers in your environment is granted through a server-specific organizational unit (OU) wildcard, register the staging server under that OU. Then, the staging server has access to the mail servers automatically. For example, if your mail servers are registered under /SERVER/RENOVATIONS and access to them is controlled through the wildcard entry */SERVER/RENOVATIONS, you might register the staging server ID as SCNSTAGING1/SERVER/RENOVATIONS. For more information, see the topic on registering a server in the Domino documentation.

Procedure

1. Register the server ID with a common name of your choice, for example, SCNSTAGING1.
2. Optional: To use a dedicated ID to administer the staging server rather than one used in your production environment, register a new ID file within the trust hierarchy of the staging server ID.
3. Open the Server document of each mail server in the Domino directory in which the mail server is registered. Click the Security tab. Make sure that the Access server field allows the staging server at least Reader access. Add the staging server to the Trusted servers field. This access allows the scheduled agents in the onboarding tools to access the mail servers.
4. Delete the Server document for the newly created staging server from the directory. The new server will be set up in its own domain.

Related information:
Domino documentation

Enabling the staging server to receive client configuration status reports:

The transfer manager creates documents in the Domino directory that allow the Notes client configuration tool to mail status messages to the staging server.

About this task

Users run the Notes client configuration tool to configure a Notes client to connect to the service. The tool mails a status message to the staging server. To enable routing of these messages, the transfer manager completes the following steps.

Procedure

1. Open the Domino Directory of your on-premises mail hub domain.
2. Perform the following steps to create a Mail-In Database document:
   a. Click Configuration > Messaging > Mail-In Databases and Resources.
   b. Click Add Mail-In Database.
   c. In the Mail-in name field, type the required name, LLNStatusUpdates.
   d. In the Description field, type a description, for example, OTT.
   e. Leave the Internet Address field blank.
   f. In the Internet message storage field, select No Preference.
   g. In the Domain field, type the Domino domain of the staging server, for example, SCNStaging.
   h. In the Server field, type the name of the staging server, for example SCNSTAGING1/SERVER/RENOVATIONS.
   i. In the File name field, type the file name of your OTT database, for example ott.nsf.
   j. In the Encrypt incoming mail field, select No.
   k. Click Save & Close.
3. Click Connections > Add Connection, and create a Connection document to route mail from this domain to the domain SCNStaging.

Preparing mail file ACLs before mail file transfer

Before mail files are replicated to the staging server, prepare the mail file ACLs to set mail file access.

Procedure

1. Make sure that the staging server has Author access to each mail file that will be transferred. Server access to mail files is often controlled through a wildcard ACL entry, for example, */SERVER/RENOVATIONS, or a group, for example, LocalDomainServers.
2. Make sure that the mail file access is set as you want it to be for use in the service. For important information about ACL requirements, see Preparing customized mail file ACLs.
3. Make sure that each mail file ACL has no more than 74 customer-defined roles. To see the roles in an ACL, click File > Application > Access Control > Roles.
4. Disable the Enforce a consistent ACL across all replicas of this database setting in the ACL of each mail file. To do so, you can use the Manage ACL tool available in the Domino Administrator, as described in the following steps. Or you can use a procedure that has been established in your environment.
   a. From the Domino Administrator, click the Files tab.
   b. Select multiple mail databases to be provisioned.
   c. Click Database > Manage ACL.
   d. In the Manage Multiple ACLs dialog box, click Advanced.
   e. Select Modify Consistent ACL setting > Do not enforce a consistent ACL.

Preventing local database encryption in new mail file replicas

Prevent sending the local database encryption setting to new replicas.

About this task

The transfer manager copies replicas of mail files to the import server in the service. Use of local database encryption on the staging server replicas prevents this step. Perform the following steps on each mail file to prevent propagation of local database encryption to the replicas on the staging server.
Procedure

1. From IBM Notes, click File > Replication > Options for this Application.
2. Click Send.
3. To disable propagation of database encryption to new replicas, clear the field Send changes in local security property to other replicas.

Importing IDs into mail files

If users will not use the IBM Notes client with the service and their Notes ID files are not embedded in their mail files, you might want to have them import the ID files into their mail files before the mail files are transferred to the service.

About this task

This step enables user ID files to be uploaded to the ID vault in the service easily after user provisioning. Users require an ID in the vault to perform such actions as reading encrypted mail and to enable administrators to change their Notes names. Users might already have ID files that are embedded in their mail files, in which case this procedure is not necessary.

Importing the ID file before you transfer mail files is not required. Alternatively, users can import their ID files themselves after they begin to use the service. In addition, administrators can upload user ID files to the service vault after users are provisioned.

If you want to import ID files before you transfer mail files, tell users to complete the following steps.

Note: Users who use the Notes shared login feature cannot perform this procedure because they do not have the required passwords that are associated with their ID files.

Procedure

1. Log on to IBM iNotes.
2. Make sure that your ID is not smart card enabled.
3. Click Preferences, and then click Security.
4. Click Import Notes ID.
5. Locate your ID file and type your password as prompted.

Related tasks:

Provisioning users and mail files on page 224
If you are transferring user mail files to the service with the assistance of an IBM partner, after the transfer manager imports a batch of users and mail files into the service, you can provision the users for IBM SmartCloud Notes.

Uploading a Notes ID to the vault on page 269
In a hybrid environment, if a service user has an IBM Notes ID file, the ID must be stored in the ID vault in the service. In some cases, for users who have a Notes ID, but who will not use the Notes client, you might need to upload the Notes ID to the vault manually. If it is not stored in the vault, web client, Notes Traveler, and BlackBerry smartphone users cannot perform secure mail operations. Other limitations also apply, as outlined in this topic.
Scanning mail files for viruses

Before you replicate mail files to the staging server, scan them for viruses using a virus program that is compatible with the service. This step is optional but gives you control over how to handle and communicate any issues with viruses. The service also scans for viruses as part of preparing for mail file provisioning.

Transferring mail files with help from an IBM partner

You can hire a certified IBM partner or IBM Software Services for Collaboration to help you transfer IBM Notes mail files to the cloud.

Before you begin

Complete the tasks in the section Preparing for mail file transfer on page 209.

About this task

The person who helps you is known as the transfer manager. A company administrator and the transfer manager work together to complete the following steps. Contact an IBM representative directly for in-depth information.

1. Establish a transfer schedule.
2. Prepare for mail file transfer. Preparing includes setting up an IBM Domino staging server, to which mail files are replicated prior to being transferred to the cloud.
3. Use the Onboarding Planning Tool (OPT) to do quality checks that validate that on-premises mail files and Person documents comply with cloud requirements.
4. Replicate mail files to the staging server.
5. Create a mail file transfer request. The transfer manager performs this step. The request specifies a transfer method (NAS/USB or FTP) and downloads an encryption key to the staging server that is used to encrypt the mail files before transfer. If FTP is the transfer method, the request also generates an FTP user account and password to be used to upload files to the IBM data center.
6. Transfer mail files to a data center. If NAS/USB is the transfer method, ship the files to the data center. Otherwise, use an FTP client to upload the files to the data center.
7. Import the mail files into the service so that they are ready for provisioning. The transfer manager performs the step.
8. Provision users. The company administrator performs this step.

Related information:
IBM software services for collaboration

How the transfer manager creates a mail file transfer request

After the mail files are replicated to the staging server, the transfer manager creates a Control document to initiate a mail file transfer request.

Before you begin

A Customer Service Representative must create a user account for the transfer manager, and assign the account a role that is required specifically to perform this procedure.

About this task

The transfer manager performs the following steps to create a Control document.

Procedure

1. In SmartCloud Notes Administration, click User Provisioning with Mail File Transfer.
2. Click New Control Document.
3. Enter the required information, including Transfer Method, which is either NAS (Network Attached Storage) or FTP (File Transfer Protocol).
4. If you select FTP as the transfer method:
   a. In the Transfer Size field, specify the total size of the files to be transferred in this batch. The size must be no greater than the size shown in the FTP Available field, which is the space available for new requests. Do not underestimate the size. It is better to overestimate the size to ensure that there is enough space allocated on the server for this request. The FTP Reserved field shows the space reserved for all active requests.
   b. Specify a password for the FTP account.
5. Click Submit.
6. Click Download Key.

Results

An encryption key is downloaded to the on-premises staging server. If FTP is the transfer method, an account name is displayed, for example, _ An account is created on the FTP server in the service and assigned that account name and the specified password.

What to do next

The transfer manager uses the downloaded key to encrypt the mail files on the staging server.

Transferring mail files to the service data center

After the transfer manager creates the mail file transfer request and encrypts the mail files, the company administrator transfers the mail files to the service data center. The customer uses the transfer method that is specified in the transfer request.

Transferring mail files using a removable storage device:

If the transfer manager specifies NAS/USB as the transfer method in the transfer request, a removable storage device is used to transfer the batch of mail files. This transfer method is required if the total size of the files being transferred is greater than 250 GB.

To transfer using this method, the transfer manager copies the mail files from the staging server to the removable storage device. The files are encrypted during the process. The company administrator is then responsible for securely shipping the device to the designated service data center.

What to do next

After the transfer manager imports the mail files into the service, provision the users.

Related tasks:
Provisioning users and mail files on page 224
If you are transferring user mail files to the service with the assistance of an IBM partner, after the transfer manager imports a batch of users and mail files into the service, you can provision the users for IBM SmartCloud Notes.
Uploading mail files to an FTP serer: The transfer manager can specify FTP as the transfer method in the transfer request. If so, you use an FTP client to upload the mail files to an FTP serer in the serice. Before you begin Uploading the mail files to the FTP serer requires an FTP client. This procedure describes how to use FileZilla Client ersion 3 to upload the files. FileZilla is a free Chapter 6. Onboarding users 215

224 FTP client that is subject to the terms and conditions of the GNU General Public License agreement. If you use a different FTP client, it must support implicit SSL/TLS oer FTP, passie data transfer, and SSL session reuse. Make sure that the firewall used by your FTP client computer allows outbound connections oer port 990 and oer the port range You can restrict these firewall rules to the client computer and the FTP serer. The transfer manager must complete the following steps before you upload the mail files: Use an encryption key downloaded from the serice to encrypt the mail files. Gie you the host name of the FTP serer in the serice, and the account name and password to use to connect to the serer. Note: Your transfer manager might complete these steps for you. About this task The FTP serer accepts only encrypted connections using implicit SSL/TLS oer FTP and it supports only the passie transfer mode. Use of the passie transfer mode allows the FTP client to initiate both the control and data connections. The FTP serer does not support actie transfer. Procedure 1. Perform the following steps to create a site entry for the FTP serer on FileZilla Client: a. Start FileZilla. b. Click File > Site Manager. c. In the Site Manager window, click New Site and enter a name for the site, for example, Mail transfer. d. In the General tab of the Site Manager window, complete the fields as described in the following table. Field Host Port Protocol Encryption Login Type User Password Value Host name of the FTP serer that the transfer manager gae you Blank FTP - File Transfer Protocol Require implicit FTP oer TLS Normal FTP serer account name that your transfer manager gae you, for example, _ Account password that your transfer manager gae you e. In the Transfer Settings tab of the Site Manager window, select Passie as the Transfer mode. f. Click OK. 2. Performs the following steps to upload the encrypted batch of mail files to the FTP serer: a. 
From FileZilla, click File > Site Manager. 216 SmartCloud Notes: Administering SmartCloud Notes: Hybrid Enironment March 2015

b. Select the site you created.
c. Click Connect. If you see errors indicating that the login is incorrect and that the client cannot connect to the server, ask your transfer manager to reset the FTP password for your account. After you receive the new password from the migration manager, in the site entry you created, replace the original password with the new password. Then try uploading the batch of mail files again.
d. In the "Unknown certificate" window, examine the certificate that is shown. If you trust that the certificate is valid, select Always trust certificate in future sessions, and click OK. If you select this option, in the future you do not see the "Unknown certificate" window when connecting to the server.
e. In the Local site panel, go to the folder on the staging server in which the encrypted mail files are stored.
f. Select the files that you want to upload and then drag or copy them to the Remote site panel. The files can be placed only in the top-level directory. Space in this directory is allocated specifically for your company.
g. In the bottom of the FileZilla window, click Successful Transfers and confirm that the transfer was successful.
h. To disconnect from the FTP server, at the top of the FileZilla window, click Server > Disconnect.

Note: If there is a period of inactivity after connecting FileZilla to the FTP server, FileZilla is disconnected. In this case, you might see the error messages A record packet with illegal version was received and Disconnected from server: Connection aborted. These messages do not indicate a problem. Use the Site Manager menu option again to reconnect to the server.

Results

The following steps occur to establish the connection between FTP client and server:
1. The client initiates a connection to the FTP server over port 990.
2. The server validates the client credentials.
3. The client switches to passive mode (PASV).
4. The server selects a port in the range and returns the port to the client to use for secure data transfer.
5. The client initiates a second secure connection to the port returned by the server.

The following sample output provides an example of messages seen on the FTP client when connecting to the FTP server. You might see different output depending on the FTP client you use. See the table that follows the sample output for an explanation of the more important messages.

Status: Resolving address of ftp.notes.na.collabserv.com
Status: Connecting to : (See table)
Status: Connection established, initializing TLS...
Status: Verifying certificate...
Status: TLS/SSL connection established, waiting for welcome message...
Response: 220 LotusLive FTP upload server
Command: USER _
Response: 331 Please specify the password.
Command: PASS ********
Response: 230 Login successful.
Command: SYST
Response: 215 UNIX Type: L8
Command: OPTS UTF8 ON
Response: 200 Always in UTF8 mode.
Command: PBSZ 0
Response: 200 PBSZ set to 0.
Command: PROT P
Response: 200 PROT now Private.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV (See table)
Response: 227 Entering Passive Mode (74,220,123,77,235,42). (See table)
Command: LIST (See table)
Response: 150 Here comes the directory listing.
Response: 226 Directory send OK.
Status: Directory listing successful

Table 66. Explanation of important messages in the example FTP connection output

Message | Explanation
Status: Connecting to : | The initial connection using port 990 is established. If you see an error here, verify that port 990 is open on the firewall for outbound connections.
Command: PASV | Client switches to passive mode to prepare the data channel.
Response: 227 Entering Passive Mode (74,220,123,77,235,42). | Server returns the IP address for the FTP server ( ) and the port (235*256+42=60202)
Command: LIST | The directory listing is initiated. If you see an error here, verify that port range is open on the firewall for outbound connections.

What to do next

The transfer manager must click Upload Complete in the Control document associated with this transfer. After the transfer manager imports the mail files into the service, provision the users.

Related tasks:
Provisioning users and mail files on page 224
If you are transferring user mail files to the service with the assistance of an IBM partner, after the transfer manager imports a batch of users and mail files into the service, you can provision the users for IBM SmartCloud Notes.

Provisioning users

Provisioning users adds IBM SmartCloud Notes subscriptions to user accounts in the service. After users are provisioned, they can begin to access their mail in the cloud.
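Returning to the FTP connection sequence and Table 66 above: the following Python is an added example, not part of the IBM documentation. It audits a client transcript in the format of the sample output, checking that TLS is established before login, that PROT P is accepted before any data command, and that the passive data port decoded from the 227 reply falls inside the firewall's allowed outbound range. The function names, the optional control_ip check and EXAMPLE_PASSIVE_RANGE are assumptions; the page does not show the real port range.

```python
import re

# Client log lines copied from the sample output on this page. The server
# address is elided on the page, so the "Connecting to" line is left out,
# as are the "(See table)" annotations.
SAMPLE_LOG = """\
Status: Connection established, initializing TLS...
Status: Verifying certificate...
Status: TLS/SSL connection established, waiting for welcome message...
Response: 220 LotusLive FTP upload server
Command: USER _
Response: 331 Please specify the password.
Command: PASS ********
Response: 230 Login successful.
Command: PBSZ 0
Response: 200 PBSZ set to 0.
Command: PROT P
Response: 200 PROT now Private.
Command: PASV
Response: 227 Entering Passive Mode (74,220,123,77,235,42).
Command: LIST
Response: 150 Here comes the directory listing.
Response: 226 Directory send OK.
"""

# Hypothetical egress rule: the service's real passive port range is not
# shown on the page, so this range is a constructed placeholder.
EXAMPLE_PASSIVE_RANGE = (60000, 60999)

PASV_REPLY = re.compile(r"227\b[^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")
DATA_COMMANDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE"}


def parse_pasv(reply):
    """Decode a 227 reply into (ip, port); port = p1 * 256 + p2."""
    match = PASV_REPLY.search(reply)
    if not match:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(n) for n in match.group(1).split(",")]
    if any(n > 255 for n in fields):
        raise ValueError("field out of range in %r" % reply)
    return ".".join(str(n) for n in fields[:4]), fields[4] * 256 + fields[5]


def audit_session(log, passive_range, control_ip=None):
    """Return a list of findings for one client transcript (empty = clean)."""
    findings = []
    tls_up = False          # control channel is encrypted
    prot_requested = False  # the most recent command was PROT P
    data_protected = False  # the server accepted PROT P
    data_endpoint = None    # (ip, port) from the latest 227 reply
    low, high = passive_range
    for raw in log.splitlines():
        kind, _, text = raw.partition(": ")
        text = text.strip()
        if kind == "Status" and text.startswith("TLS/SSL connection established"):
            tls_up = True
        elif kind == "Command":
            verb = text.split(" ", 1)[0].upper()
            prot_requested = text.upper() == "PROT P"
            if verb in ("USER", "PASS") and not tls_up:
                findings.append("%s sent before TLS was established" % verb)
            if verb in DATA_COMMANDS:
                if not data_protected:
                    findings.append("%s issued without an accepted PROT P" % verb)
                if data_endpoint is None:
                    findings.append("%s issued without a preceding 227 reply" % verb)
        elif kind == "Response":
            if prot_requested and text.startswith("200"):
                data_protected = True
            if text.startswith("227"):
                ip, port = parse_pasv(text)
                data_endpoint = (ip, port)
                if not low <= port <= high:
                    findings.append(
                        "data port %d is outside the allowed range %d-%d"
                        % (port, low, high))
                # The table says the 227 reply carries the FTP server's own
                # address; a different address deserves a second look.
                if control_ip is not None and ip != control_ip:
                    findings.append(
                        "227 reply names %s, not the control address %s"
                        % (ip, control_ip))
    return findings


if __name__ == "__main__":
    for finding in audit_session(SAMPLE_LOG, EXAMPLE_PASSIVE_RANGE) or ["no findings"]:
        print(finding)
```

Run it against a saved client log with the outbound range your firewall actually permits; an out-of-range data port explains the LIST failure that Table 66 attributes to a closed port range.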

Before you begin

Before you provision users, Prepare for onboarding. Optionally, transfer mail files.

Provisioning users without transferring mail files

This procedure adds an IBM SmartCloud Notes subscription to a user account and creates a new mail file for the user on a mail server in the cloud. You can also add optional subscriptions purchased by your company.

Before you begin

Prepare for onboarding to ensure that all required preparation is complete. If you are provisioning a new user at your company, make sure that you first register the user on-premises.

Your company might purchase a bundled subscription that allows you to enable services independently. For example, you might be able to enable Connections and Meetings services for users before you enable the IBM SmartCloud Notes ( ) service. To enable other services separately, create the user accounts through the IBM Connections Cloud User Accounts page. When you complete the procedure in this topic, all bundled services are enabled.

About this task

If your on-premises environment includes delegates who manage mail for other users, consider provisioning the delegates first. After delegates are provisioned, they can manage mail for both service users and on-premises users whose mail files are still on company servers. Users whose mail files are on company servers cannot manage the mail of a service user.

The first step in provisioning users is searching the service directory for the names of the users that you want to provision. To provision users, you select their names from the search results. If you are provisioning many users, it is likely that you will repeat this search-then-provision step.

As an alternative to this procedure, you can use the Connections Cloud integration server to provision many users at once.

Note: If you are transferring mail files to the service during user provisioning, do not perform this procedure. Instead, refer to the procedure Provisioning users and mail files on page 224.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. In the Provisioning section of the SmartCloud Notes Administration window, click User Provisioning.
  Note: Do not click User Provisioning with Mail File Transfer.
5. Display the names of the users to provision. In the Search box, type the beginning characters of any of the following user values:
  Distinguished name, for example, Samantha Daryn/Renovations.

  Internet address, for example,
  Last name, for example, Daryn.
  Note: You cannot use the wildcard character (*) when you search. A "starts with" search is done and the names of any users with matching values in the directory are displayed. For example, the results of a search on ma include the names of users with the following values in the directory:
    Madison Armond/Renovations
    masmith@renovations
    Kristin MacGyver
  This search does not match the following values:
    Emarie Klein/Renovations
    tamado@renovations
    Ted Amado
  Search results can include a maximum of 1000 names.
6. Select one user or multiple users to whom you want to assign the same subscription settings. Optionally, search again and select additional names. The previously selected names remain selected.
7. Click Provision Selected.
8. In the Provisioning Options window, select subscriptions for the user. You must select a SmartCloud Notes subscription. Other optional subscriptions may be available. When you are done, click Next.

Table 67. Subscription fields

Subscription field | Description
Mail | Select a SmartCloud Notes subscription. Alternatively, select a bundled subscription, if available.
Collaboration | If available, optionally select a collaboration subscription. Alternatively, select a bundled subscription, if available.
Bundled | If available, select a bundled subscription that includes both a SmartCloud Notes subscription and a collaboration subscription.
Other | If available, optionally select add-on subscriptions.

9. Select an optional extension forms file for the web client and a mail template for the IBM Notes client:
  a. Optional: If an extension forms file is available for your company, you see the Select Extension Forms File option. To apply an extension forms file to web clients, select a forms file. An extension forms file provides a customized experience for the web client. Extension forms files are available only if your company implements them.
  b. In the Select Mail Template section, the default mail template is selected. If you want to apply a different template to the user mail files, click Select next to the template name.

    If the Notes client is used, select a template version that is compatible with the Notes client version that is used. Click Next to scroll through the list of available templates until you find the correct one.
    If the Notes client is not used, select the latest template version in the language that you want to use.
    To see only custom mail templates developed for your company, click Hide Standard Mail Templates. If you select a custom mail file template, after provisioning is complete, the design of the Inbox folder is applied to any custom mail folders created by your company.
  c. Click Next.
10. In the Provide an initial password section, provide a temporary password that complies with the requirements that are shown. Users provide this password when they log in to the service for the first time with a web browser. After logging in, they are prompted to create new passwords. This password is a different password than the one associated with a Notes client ID file or any on-premises HTTP password.
  If users you are provisioning already use the service through another subscription, they continue to use their current passwords, and do not use this password.
  If your company uses federated identity management, users do not provide this password. Instead, they use the Use My Organization's Login page to provide a password that allows them to authenticate using a company security application.
11. Click Next and review your selections. Note the password that is shown in the Initial Password field because you must provide it to each user who is new to the service.
12. Click Confirm to open the User Provisioning Requests page. Review the list of users again, and when you are ready to provision them, click Request Provisioning.
  As users are added to the provisioning queue, the User Provisioning Requests page removes their names from the list. The page shows the percentage of requests that are complete because they are added to the provisioning queue and the number that remain to be processed. The names of any users who cannot be added to the provisioning queue are listed with error messages. Resolve errors and repeat the steps to provision the users. Missing user Internet addresses and directory synchronization problems are examples of errors that can prevent a user from being added to the provisioning queue.
  To cancel provisioning of any users that are not yet processed, click Cancel.
13. When the provisioning request is complete, click Return to User Provisioning.

What to do next

After users are successfully added to the provisioning queue, check user provisioning status to determine when provisioning is complete or if any provisioning errors occur. When users are listed in the Provisioning Status page as Done and in the Pending state, help users get started with the service.

Related tasks:

Checking user provisioning status on page 229
After you provision users, check the status of their IBM SmartCloud Notes subscriptions.
Helping users get started on page 230
After user provisioning is complete, help users get started with their mail in the cloud.

Related information:
Integration server and subscription provisioning for Smartcloud Notes hybrid users

Registering a new user on-premises

To provision a user in a hybrid environment, the user must be registered in an on-premises IBM Domino directory. If a user you are provisioning is new at your company, perform this procedure to register the user on-premises.

Before you begin

You can apply a policy to the user so that the policy is in effect when the user is provisioned for IBM SmartCloud Notes. To do so, create an explicit policy before you continue. Then, select the policy during this procedure. If you do not apply a policy during user registration, you can apply it later. For more information, see Using administrative policies on page 105.

The Domino directory in which you register the user must be configured as a synchronized directory that is used for user provisioning. For more information, see Configuring directory synchronization on page 89.

Procedure

1. From an on-premises Domino Administrator client, open a server that is in the Domino domain in which you want to register the user.
2. Click the tab People & Groups.
3. Click Tools and click People > Register.
4. Use any of the following methods to specify the certifier to use to certify the new user ID. If you are prompted to provide a password for the certifier that you want to use, enter the password. Otherwise, click Cancel.
  Click Certifier ID, select the certifier ID, and click OK.
  Click Use the CA Process and select the certifier.
  Note: There must be a trust relationship between this certifier and the OU certifier you uploaded to the service to certify your mail servers. For example, if your mail server OU certifier is /SCN/Renovations, there is an automatic trust relationship if the user ID certifier is /Renovations. However, if the user ID certifier is /Zetabank, you must create cross-certificates to establish trust.
5. Complete the following fields in the Basics tab of the Register Person window.

Field | Value
Registration Server | The name of the server to use to register the user. The domain Domino directory for this server must be configured as a synchronized directory that is used for user provisioning.
First name, Middle name, Last name | The user's name. If you plan to use the integration server to provision users, a first name and a last name are required. Otherwise, only a last name is required. If you specify a last name only, after the user is provisioned, the one name is displayed in the SmartCloud Notes directory and in the mail file. However, in Connections Cloud account settings and user accounts, the name is also the first name. For example, if you register a user with the last name HelpDesk, when you log on to the service as an administrator and click User Accounts, the name is shown as HelpDesk HelpDesk.
Short name | A short version of the name that is generated automatically. You can change the default value. You cannot enter an address here.
Password | A password for the Notes ID.
Password Options | Set internet password (optional). The service does not use the Internet password. However, it might be required for access to on-premises web applications.
Password Quality Scale |
Mail system | IBM Notes. Select this option regardless of the type of client you plan to use with the service.
Encryption Strength |
Explicit policy | (Optional) Select an explicit policy to apply to the user. Organizational policies are not supported.
Enable roaming for this person | Do not select this option. Roaming is not supported.
Create a Notes ID for this person | Select.

6. Select the Advanced box in the Register Person window.
7. Click Mail and complete the fields that are displayed to create a required, temporary on-premises mail file. When the user is provisioned for the service, a new mail file is created in the service. Make a note of the location of the temporary mail file; after user provisioning is complete you can delete it.
8. Click Address and complete the fields that are described in the following table.

Field | Value to specify
Internet address | The user's Internet mail address, for example, sdaryn@renovations.com.
Internet domain | The domain portion of the user's Internet address, for example, renovations.com. The domain must be one that is verified by the service.
Address name format; Separator | Select options to determine the format of the Internet address.

9. Click ID info and complete the fields that are described in the following table.

Field | Value to specify
Create a Notes ID for this person | Select this option.
Certifier ID | Confirm the certifier to use to create the ID. There must be a trust relationship between this certifier and the certifier you provided to certify your mail servers in the service.
Public key specification | Select one of the listed specifications.
License type | Select North American or International. The license type determines the type of ID file that is created. It affects encryption of sent and received mail and of data. North American is the stronger type.
Location for storing user ID | Select any of the following options: In Domino directory to store the ID file as an attachment in the Person document. In file to store the ID in a file that you provide to the user. In Notes ID vault to store in an on-premises ID vault. This option is useful only to retrieve the ID during initial setup of a Notes client on-premises. After the client connects to the service, the ID is uploaded to the ID vault in the service. Then, the on-premises ID vault is no longer used.

10. Optional: Click Groups and assign the user to groups in the Domino directory.
11. Click the green check mark to add the user to the registration queue.
12. Select the Registration Queue and click Register.

Results

A Person document for the user is added to the Domino directory of the registration server. After the Person document replicates to the service during directory synchronization, a company administrator can provision the user from the User Provisioning window of SmartCloud Notes Administration. To provision the user, the administrator first searches for the user name.
Provisioning users and mail files

If you are transferring user mail files to the service with the assistance of an IBM partner, after the transfer manager imports a batch of users and mail files into the service, you can provision the users for IBM SmartCloud Notes.

Before you begin

Prepare for onboarding and transfer mail files.

Your company might purchase a bundled subscription that allows you to enable services independently. For example, you might be able to enable Connections and Meetings services for users before you enable the IBM SmartCloud Notes ( ) service. To enable other services separately, create the user accounts through the IBM Connections Cloud User Accounts page. When you complete the procedure in this topic, all bundled services are enabled.

About this task

As an alternative to this procedure, you can use the Connections Cloud integration server to provision many users at once.

You must provision users within 60 days from the time their status shows Ready to Provision. After 60 days the status changes to Cancelled and the users and their mail files must be transferred to the service again in a new batch.

If your on-premises environment includes delegates who manage mail for other users, consider provisioning the delegates first. After delegates are provisioned, they can manage mail for both service users and on-premises users whose mail files are still on company servers. Users whose mail files are on company servers cannot manage the mail of a service user.

After provisioning is complete, the design of the Inbox folder is applied to custom mail file folders. Custom folders are user-created folders or company-created folders from a custom template that is used in the service. The mail template specified during user provisioning controls the design of the mail file in the service.

Tip: After you provision users who will use only the web client and whose IBM Notes ID files were attached to the transferred mail files, tell the users to sign or encrypt a mail message after logging on to the service for the first time. That step triggers the upload of their ID files to the ID vault in the service. When doing so, they may need to provide the Notes ID password. After the ID is uploaded to the ID vault, they are no longer prompted for that password when signing or encrypting mail.

Perform the following steps to provision users and mail files:

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click User Provisioning with Mail File Transfer. A Control Document created by the transfer manager, who has the Data Transfer Manager role, is shown for each batch of users. Each Control Document shows the status for that batch of users. When all provisioning of users in a batch is either completed or cancelled, the Control Document shows the status Complete.

5. When any Control document shows the status Ready, click the Users tab to see a list of user names that are ready to be provisioned.
  Note: Each user's Internet mail address is shown. If a user is new to IBM Connections Cloud, the address is also the identity used to log in to the service from a browser at If a user already has another Connections Cloud subscription, the log in identity is the current value of the field in the Account Login tab of the Connections Cloud user account.
6. Select one or more users whose status shows Ready to Provision.
  Note: If a user status shows Error, work with your transfer manager to resolve the problem, and then wait for the status to change to Ready to Provision.
7. Optional: Click Provisioning Estimate to see an estimate of the time it will take to provision the selected users. The estimate is based on the size of the mail files in this request and on the number of requests in the queue.
8. Click Provision Selected.
9. In the Provisioning Options window, select subscriptions for the user. You must select a SmartCloud Notes subscription. Other optional subscriptions may be available. When you are done, click Next.

Table 68. Subscription fields

Subscription field | Description
Mail | Select a SmartCloud Notes subscription. Alternatively, select a bundled subscription, if available.
Collaboration | If available, optionally select a collaboration subscription. Alternatively, select a bundled subscription, if available.
Bundled | If available, select a bundled subscription that includes both a SmartCloud Notes subscription and a collaboration subscription.
Other | If available, optionally select add-on subscriptions.

10. Select an optional extension forms file for the web client and a mail template for the IBM Notes client:
  a. Optional: If an extension forms file is available for your company, you see the Select Extension Forms File option. To apply an extension forms file to web clients, select a forms file. An extension forms file provides a customized experience for the web client. Extension forms files are available only if your company implements them.
  b. In the Select Mail Template section, the default mail template is selected. If you want to apply a different template to the user mail files, click Select next to the template name.
    If the Notes client is used, select a template version that is compatible with the Notes client version that is used. Click Next to scroll through the list of available templates until you find the correct one.
    If the Notes client is not used, select the latest template version in the language that you want to use.

    To see only custom mail templates developed for your company, click Hide Standard Mail Templates. If you select a custom mail file template, after provisioning is complete, the design of the Inbox folder is applied to any custom mail folders created by your company.
  c. Click Next.
11. In the Provide an initial password section, provide a temporary password that complies with the requirements that are shown. Users provide this password when they log in to the service for the first time with a web browser. After logging in, they are prompted to create new passwords. This password is a different password than the one associated with a Notes client ID file or any on-premises HTTP password.
  If users you are provisioning already use the service through another subscription, they continue to use their current passwords, and do not use this password.
  If your company uses federated identity management, users do not provide this password. Instead, they use the Use My Organization's Login page to provide a password that allows them to authenticate using a company security application.
12. Click Next and review your selections. Note the password that is shown in the Initial Password field because you must provide it to each user who is new to the service.
13. Click Confirm to open the User Provisioning Requests page. Review the list of users again, and when you are ready to provision them, click Request Provisioning.
  As users are added to the provisioning queue, the User Provisioning Requests page removes their names from the list. The page shows the percentage of requests that are complete because they are added to the provisioning queue and the number that remain to be processed. The names of any users who cannot be added to the provisioning queue are listed with error messages. Resolve errors and repeat the steps to provision the users. Missing user Internet addresses and directory synchronization problems are examples of errors that can prevent a user from being added to the provisioning queue.
  To cancel provisioning of any users that are not yet processed, click Cancel.

Results

User provisioning with mail file transfer creates replicas of user mail files on the mail servers in the service. At the next directory synchronization with on-premises servers after user provisioning is complete, the Person documents in the on-premises Domino directory are updated to show the new mail server names and mail file path.

When the staging server application detects the name of the new SmartCloud Notes mail server in the Person document, it deposits a welcome in a user's original, on-premises mail file. You can customize the content of this notification. The notification should include suitable links for your users to use to log on to the service for the first time. For example, you might include or a link to a logon page used by your company.

A user can run the Notes client configuration tool to configure a Notes client to connect to the service. In this case, the tool initiates a final replication between the on-premises mail file replica and the replica in the service after client configuration is complete. If a user does not use the Notes client, the staging server application initiates the final replication when it detects the name of the new SmartCloud Notes mail server in the Person document.

What to do next

After users are successfully added to the provisioning queue:
  Track the status of mail file provisioning by returning to the Users tab in the Control Document and refreshing the page or using the Status field filter.
  Check user provisioning status to determine when provisioning is complete or if any provisioning errors occur.

Related concepts:
Mail file delegation on page 208
Using delegation preferences, users can allow other users to manage their mail, calendar, contacts, and to do items. Depending on which client is used, there are some differences in how delegation works with IBM SmartCloud Notes.

Related tasks:
Managing IBM Notes Traveler devices on page 272
For each user with an IBM Notes Traveler subscription, you can view information about the user's mobile device. You can also wipe the device to remove sensitive data from it, for example, if the device is lost or stolen.
Managing BlackBerry smartphones on page 274
After activating a user's BlackBerry smartphone, perform any of the following tasks to manage it.
Checking user provisioning status on page 229
After you provision users, check the status of their IBM SmartCloud Notes subscriptions.

Related information:
Using Connections Archive Essentials
Integration server

Deleting on-premises mail files

After users have set up clients to complete the provisioning process, the staging server application creates Administration Process requests to delete on-premises mail files.

About this task

The requests, called "Approve File Deletion," are put in the Pending Administrator Approval view in your on-premises Administration Requests database where they await your approval. Do not approve a deletion request immediately. Instead, wait at least a few days to ensure that the user provisioning is complete before approving the deletion.

Decommissioning on-premises mail servers

Once an on-premises IBM Domino mail server is no longer providing mail service to users, you can decommission the server using your standard processes.

Checking user provisioning status

After you provision users, check the status of their IBM SmartCloud Notes subscriptions.

Before you begin

Complete one of the following procedures:
  Provisioning users without transferring mail files on page 219
  Provisioning users and mail files on page 224

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. In the Provisioning section of the SmartCloud Notes Administration window, click Provisioning Status.
5. Display the names of the users whose status you want to check. In the Search box, type the beginning characters of any of the following user values:
  Distinguished name, for example, Samantha Daryn/Renovations.
  Internet address, for example,
  Last name, for example, Daryn.
  Note: You cannot use the wildcard character (*) when you search. A "starts with" search is done and the names of any users with matching values in the directory are displayed. For example, the results of a search on ma include the names of users with the following values in the directory:
    Madison Armond/Renovations
    masmith@renovations
    Kristin MacGyver
  This search does not match the following values:
    Emarie Klein/Renovations
    tamado@renovations
    Ted Amado
  Search results can include a maximum of 1000 names.
6. In the Status field, select one of the following options:

Option | Description
In Progress | Show all users in the search results who are in the process of being provisioned. The service is setting up mail files and doing other steps to prepare user accounts. Users that are shown in this view cannot use the SmartCloud Notes service yet. Note: It is possible for user accounts to be in a Held state. This state can be seen only in IBM Connections Cloud user accounts by clicking Home and then User Accounts. The Held state indicates that service is performing routine checks. It does not indicate that there is a problem. Do not delete and then re-add the account. Resolution often takes a few hours or less; however, on some occasions it can take a few days. If you are concerned that the Held state is not changing, contact customer support.
Done | Show all users in the search results who are successfully provisioned. The service has finished preparing the mail files and accounts of these users, and the users can use the service. One of the following states is shown for each user: Pending: This state indicates that a user has not yet logged in to the SmartCloud Notes service and accepted the terms of use. Active: This state indicates that a user has logged in to the service and accepted the terms of use.
Error | Show all users in the search results who cannot be provisioned because of an error. If you see a user in this state, contact support to help you resolve the error.

What to do next

When users are listed in the Provisioning Status page as Done and in the Pending state, help users get started with the service.

Related tasks:
Helping users get started
After user provisioning is complete, help users get started with their mail in the cloud.

Helping users get started

After user provisioning is complete, help users get started with their mail in the cloud.

Before you begin

Check user provisioning status; users in the Pending state are ready to begin to use the service.

Providing account information to users

After you add an IBM SmartCloud Notes subscription to a user account, provide the user with the information that is required to log in to the service.

Before you begin

Complete the procedure Checking user provisioning status on page 229 and verify that users are listed in the provisioning status page as Done and in the Pending state.

About this task

Users must log in to the service from a browser within 30 days after being assigned a SmartCloud Notes subscription. After logging in, users can begin to use the web client immediately.

Users who want to use the IBM Notes client must download and run the SmartCloud Notes client configuration tool to connect the client to the mail server in the service. This tool is available within the service after logging in from a browser. A version of the Notes client that is supported by the service must be installed and set up. The Notes client is available for download from the IBM Notes product page. A SmartCloud Notes subscription includes a license for the client.

Note: If a user sees the error ID in vault has expired download time when attempting to connect to the service for the first time from a Notes client, reset the Notes ID password and instruct users to log in again with the new password.

Users whose on-premises mail files are transferred to the service receive a welcome in their original, on-premises mail file. The welcome contains content that is customized for your company.

Procedure

1. Provide the following information to each user:
  The login URL
  The web login name
    The value of the field in the Account Login tab of the user's Connections Cloud user account. To see user accounts, log in to the service as an administrator, click Administration > Manage Organization, and click User Accounts.
  The temporary password -- The first time users log on, they use a temporary password that is created for them at the time their account is created. They are asked to change this password the first time they log on.
2. If you use a hybrid environment, you may also need to provide the Notes ID file to a user who is using the Notes client for the first time.

240

Results
When users log in from the browser, they are presented with the Account Updates form. They must click Submit to complete the user registration and activate their account.

What to do next
Help users get started with the clients they will use in the cloud.

Related tasks:
Getting started with the web client
Complete the following tasks to help users get started with the web client.
Getting started with the Notes Traveler devices on page 233
Complete the following tasks to help users get started in the cloud with IBM Notes Traveler devices.
Getting started with the Notes client on page 237
If the IBM Notes client is used with the service, complete the following tasks to help users get started.
Getting started with IMAP clients on page 237
If IMAP clients are used, complete the following tasks to help users get started with them.

Getting started with the web client
Complete the following tasks to help users get started with the web client.

Before you begin
Complete the procedures Providing account information to users on page 231 and Preparing for the web client on page 193.

About this task
Table 69. Getting started with the web client

Task: Point users to the web client documentation.
Why this task is important: Users can refer to the documentation as they begin using the client.
Additional information: SmartCloud Notes web documentation

Task: Prepare to troubleshoot any login problems.
Why this task is important: If any user has trouble logging in to the service, you can quickly resolve the problem.
Additional information: See Technote : SmartCloud Notes user cannot log on

241

Table 69. Getting started with the web client (continued)

Task: (Optional) If instant messaging is enabled for your company, make sure that users also enable it in client preferences.
Why this task is important: Instant messaging must be enabled in client preferences and in SmartCloud Notes Administration.
Additional information: To enable instant messaging in the web client, users click More > Preferences > Instant Messaging and select Enable instant messaging. For information on configuring instant messaging in SmartCloud Notes Administration, see Configuring instant messaging on page 171.

Task: (Optional) In hybrid environments, install and configure the IBM Notes Browser Plug-in.
Why this task is important: The plug-in allows web client users to access Notes applications on on-premises Domino servers.
Additional information: Notes Browser Plug-in requirements; Notes Browser Plug-in documentation for the service

Getting started with the Notes Traveler devices
Complete the following tasks to help users get started in the cloud with IBM Notes Traveler devices.

Before you begin
Complete the procedures Providing account information to users on page 231 and Preparing for Notes Traveler devices on page 195.

About this task
Table 70. Getting started with Notes Traveler devices

Task: If you did not add the Notes Traveler add-on subscription during user provisioning, add it now.
Why this task is important: This subscription must be added for users to access their mail in the cloud through mobile devices that are supported by the Notes Traveler service.
Additional information: Adding a Notes Traveler subscription to a user account on page 234

242

Table 70. Getting started with Notes Traveler devices (continued)

Task: Uninstall any previous Notes Traveler accounts from devices.
Why this task is important: This step prevents devices from attempting to continue to get mail from an on-premises server.

Task: Remove user accounts from any on-premises Notes Traveler servers.
Why this task is important: This step prevents the on-premises servers from attempting to connect to mail files in the service to which they no longer have access.
Additional information: Removing user accounts from on-premises Notes Traveler servers on page 235

Task: Point users to the Notes Traveler documentation.
Why this task is important: The documentation describes how to get started with each of the supported devices.
Additional information: Notes Traveler documentation

Task: (Optional) On the Apple iPhone, recommend that users enable the Ask Before Deleting setting.
Why this task is important: This setting helps prevent users from deleting messages by mistake.
Additional information: On the phone, select Settings > Mail, Contacts, Calendars > Ask Before Deleting

Task: Prepare to troubleshoot.
Why this task is important: You can quickly resolve any problems.
Additional information: Refer to the following section of the Notes Traveler documentation: Troubleshooting, known limitations, and restrictions

Related tasks:
Managing IBM Notes Traveler devices on page 272
For each user with an IBM Notes Traveler subscription, you can view information about the user's mobile device. You can also wipe the device to remove sensitive data from it, for example, if the device is lost or stolen.

Adding a Notes Traveler subscription to a user account
To enable a user to connect to the service through a mobile device supported by IBM Notes Traveler, add the subscription to the user's account.

About this task
The following steps describe how to add a subscription to the account of a user who already has a Notes Traveler subscription. You can also add the subscription when you first add the user account. For information about adding user accounts, see the topic Administering user accounts.

243

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the navigation pane, click User Accounts.
4. Click the arrow next to a user's name and select Edit User Account.
5. Click Next.
6. In the Subscription Add-ons section, select the Notes Traveler subscription.
7. Click Save.

What to do next
The user can now set up the mobile device to connect to the service. For information, see the Notes Traveler documentation. After the user sets up the device to connect to the service, if you use a hybrid environment, remove the user's account from any on-premises Notes Traveler servers.

Related tasks:
Chapter 7, Administering user accounts, on page 243
Though IBM is responsible for the administration and maintenance of the mail servers, there are tasks that you perform through an administration interface at

Related information:
Notes Traveler

Removing user accounts from on-premises Notes Traveler servers
After a user sets up a device to connect to the service, if you use a hybrid environment, remove all accounts the user has on on-premises IBM Notes Traveler servers.

About this task
To remove users' on-premises Notes Traveler accounts, deny users access to the on-premises Notes Traveler server as described in the topic "Restricting access using server document access fields." Then delete the users from the Notes Traveler server. In addition, remove any previous on-premises Notes Traveler client software or account from mobile devices.

Restricting access using server document access fields:
Deny service users access to on-premises IBM Notes Traveler servers.

Procedure
1. From the Domino Administrator client, select the IBM Notes Traveler Server document.
2. Click Edit Server.
3. Click the IBM Notes Traveler tab.
4. Populate either the Access Server or Not Access Server field with the names of users and groups.

244

Users defined as Domino 'Full Access Administrators' have access regardless of how the Not Access Server or Access Server fields are configured. Users denied access to Domino through the Domino Not Access Server or Access Server fields under the Security tab of the server document cannot access Notes Traveler.

Table 71. Server access fields

Field: Access Server
Description: Select the option users listed in all trusted directories to allow access to Notes Traveler only to people that have person documents in either the primary directory of this server or any secondary directories that trusted credentials using Domino directory assistance. You can also select individual names of users and groups to allow access to this Notes Traveler server. A blank entry means that all users can access Notes Traveler except any who are listed in the Not Access Server field.

Field: Not Access Server
Description: Select the names of users and groups that should be denied access to this Notes Traveler server. A blank entry means that no users are denied access.
Note: Entering names in the Access Server field automatically denies access to those names not listed.

5. Click Save & Close.

What to do next
Delete users from on-premises Notes Traveler servers.

Deleting a user from Notes Traveler servers:
Remove service users from all on-premises IBM Notes Traveler servers.

Procedure
1. Run the following command:
   tell traveler delete * <username>
2. Run the following command:
   tell traveler security delete * <username>
   Note: If the user has already been deleted from the Domino directory, then the full user name must be specified. For example:
   tell traveler delete * "CN=John Doe/OU=Raleigh/O=IBM"

The previous two steps should completely remove the user, but you can verify with these additional steps:
3. Open the Notes Traveler administration application and verify that there are no entries for the user.
4. Open ntsclcache.nsf and verify that there are no entries for the user.
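The server access rules above (Table 71, the Full Access Administrator exception and the Security tab denial) can be checked mechanically to list service users whom an on-premises Notes Traveler server would still admit. This is an added example, not IBM code: the class, field names and sample names are hypothetical, the field values are assumed to have been copied out of the Server document by hand, and two precedence rules are assumptions (a name in Not Access Server is denied even if it is also in Access Server, and Full Access Administrator status also overrides the Security tab fields).

```python
from dataclasses import dataclass, field

# Option text from Table 71, lower-cased for comparison.
TRUSTED_OPTION = "users listed in all trusted directories"


def norm(name):
    """Compare names case-insensitively (assumption for this sketch)."""
    return name.strip().lower()


@dataclass
class TravelerServerDoc:
    """Hand-exported copy of the fields that decide Traveler access."""
    access_server: list = field(default_factory=list)        # Traveler tab
    not_access_server: list = field(default_factory=list)    # Traveler tab
    full_access_admins: list = field(default_factory=list)
    security_tab_denied: list = field(default_factory=list)  # denied to Domino itself
    trusted_directory_users: list = field(default_factory=list)
    groups: dict = field(default_factory=dict)                # group -> members

    def expand(self, entries):
        """Resolve users and nested groups in a field to a set of user names."""
        groups = {norm(g): members for g, members in self.groups.items()}
        users, seen = set(), set()
        stack = [norm(e) for e in entries]
        while stack:
            entry = stack.pop()
            if entry in seen:
                continue  # guards against groups that include each other
            seen.add(entry)
            if entry in groups:
                stack.extend(norm(m) for m in groups[entry])
            else:
                users.add(entry)
        return users

    def decide(self, user):
        """Return (allowed, reason) for one user name."""
        u = norm(user)
        if u in self.expand(self.full_access_admins):
            return True, "Full Access Administrator"
        if u in self.expand(self.security_tab_denied):
            return False, "denied on Security tab"
        if u in self.expand(self.not_access_server):
            return False, "listed in Not Access Server"  # assumed: deny wins
        if not self.access_server:
            return True, "Access Server blank"
        named = [e for e in self.access_server if norm(e) != TRUSTED_OPTION]
        allowed = self.expand(named)
        if len(named) != len(self.access_server):
            allowed |= self.expand(self.trusted_directory_users)
        if u in allowed:
            return True, "listed in Access Server"
        return False, "not listed in Access Server"


def residual_access(doc, migrated_users):
    """Map each migrated user who can still reach Traveler to the reason."""
    found = {}
    for user in migrated_users:
        allowed, reason = doc.decide(user)
        if allowed:
            found[user] = reason
    return found


# Constructed sample data (not from a real directory).
MIGRATED = ["Samantha Daryn/Renovations", "Ted Amado/Renovations",
            "Madison Armond/Renovations"]

# Deny-list style: blank Access Server, a group in Not Access Server.
DENY_LIST_DOC = TravelerServerDoc(
    not_access_server=["CloudMigrated"],
    full_access_admins=["Ted Amado/Renovations"],
    groups={"CloudMigrated": ["Samantha Daryn/Renovations",
                              "Ted Amado/Renovations"]},
)

# Allow-list style: only the remaining on-premises users are named.
ALLOW_LIST_DOC = TravelerServerDoc(
    access_server=["OnPremTraveler"],
    full_access_admins=["Ted Amado/Renovations"],
    groups={"OnPremTraveler": ["Kristin MacGyver/Renovations"]},
)

if __name__ == "__main__":
    for label, doc in (("deny-list", DENY_LIST_DOC), ("allow-list", ALLOW_LIST_DOC)):
        print(label, residual_access(doc, MIGRATED))
```

In the deny-list sample, one migrated user was never added to the denied group and another keeps access as a Full Access Administrator; the allow-list sample leaves only the administrator.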

245

Getting started with the Notes client
If the IBM Notes client is used with the service, complete the following tasks to help users get started.

Before you begin
Complete the procedures Providing account information to users on page 231 and Preparing for Notes clients on page 196.

About this task
Table 72. Getting started with the Notes client

Task: Point users to the documentation.
Why this task is important: Users require instructions to download and run the client configuration tool to connect to a mail server in the cloud.
Additional information: For more information, see the Notes section of the IBM SmartCloud Notes user documentation. For complete documentation on using Notes, see the help that comes with the client.

Task: Prepare to troubleshoot any problems.
Why this task is important: If a user has trouble connecting the Notes client to the cloud mail server, you can quickly resolve the problem.
Additional information: Technote: Could not connect to server when running IBM SmartCloud Notes liveconfig application (config.nsf)

Task: (Optional) If users exported contacts and calendar entries from their original mail files, import the entries into the new mail files in the cloud.
Why this task is important: If mail files are not transferred to the service, this step enables users to preserve their existing calendar and contacts.
Additional information: For more information, see the topic about exporting and importing calendars in the Notes client help.

Task: (Optional) Manually configure the client to connect to the service instant messaging community.
Why this task is important: One reason to do this is if you want users to be able to connect to both an on-premises community and the service community.
Additional information: Manually configuring Notes clients to connect to the service instant messaging community on page 175

Getting started with IMAP clients
If IMAP clients are used, complete the following tasks to help users get started with them.

246

Before you begin
Complete the procedures Provisioning users on page 218 and Configuring IMAP access on page 178.

About this task
Table 73. Getting started with IMAP clients

Task: Point users to the documentation.
Why this task is important: The documentation describes how to get started with each supported IMAP client.
Additional information: Enabling IMAP access

Task: Read the documentation on IMAP client limitations.
Why this task is important: This information can be helpful with troubleshooting.
Additional information: IMAP client limitations

Getting started with BlackBerry devices
If BlackBerry devices supported by a Hosted BlackBerry Services subscription are used, complete the following tasks to begin using the devices with the service.

Before you begin
Complete the procedures Providing account information to users on page 231 and Preparing to use BlackBerry devices on page 203.

About this task
Note: If BlackBerry 10 devices are used, see Getting started with the Notes Traveler devices on page 233, instead.

Accepting the Research In Motion terms of use
An authorized person from your company must accept the Research In Motion terms of use. This person receives an notification with instructions that include a link to the terms of use document.

About this task
After you accept the Research in Motion terms of use, you must wait to receive a notification from an IBM Customer Service Representative indicating that your company's BlackBerry subscription setup is complete. You must receive this notification before you can add BlackBerry subscriptions to user accounts.

Related tasks:
Preparing to use BlackBerry devices on page 203
If you plan to use BlackBerry devices that are supported by a Hosted BlackBerry Services subscription, complete these tasks to prepare.

Adding a BlackBerry subscription to a user account
To enable a user to connect to the service through a BlackBerry smartphone, add a SmartCloud Notes for Hosted BlackBerry Services subscription to the user account.

247

Before you begin
Before you can add BlackBerry subscriptions to user accounts, you must receive a notification from an IBM Customer Service Representative that the subscription for your company has been set up.

About this task
The following steps describe how to add the subscription to the account of a user that is already provisioned for SmartCloud Notes. You can also add the subscription during user provisioning.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the navigation pane, click User Accounts.
4. Click the arrow next to a user's name and select Edit User Account.
5. Click Next.
6. Under Subscription Add-ons, select SmartCloud Notes for Hosted BlackBerry Services.
7. Click Next and then Finish.

Related tasks:
Provisioning users on page 218
Provisioning users adds IBM SmartCloud Notes subscriptions to user accounts in the service. After users are provisioned, they can begin to access their mail in the cloud.

Removing user accounts from an on-premises BlackBerry Enterprise Server
If your company uses a hybrid environment and you have transferred user mail files to the service, before you activate devices for the service, remove all accounts users have from any on-premises BlackBerry Enterprise Servers, and then wipe the user devices. If you do not complete these steps, obsolete on-premises information can be provided to the service. Completing these steps is also important to prevent on-premises servers from consuming resources by repeatedly attempting to access mail files in the service to which they no longer have access.

About this task
For information on removing accounts, see BlackBerry Knowledge Base document KB

Related information:
BlackBerry Knowledge Base document KB04169

Activating a user's BlackBerry smartphone
After you add a BlackBerry subscription to a user account, the user's smartphone must be activated to enable it to be used with the service.

Before you begin
The user's wireless carrier plan must be an Enterprise plan rather than a Personal plan. A smartphone cannot be activated for the service when a Personal plan is used.

248

Complete the procedures Adding a BlackBerry subscription to a user account on page 238 and Removing user accounts from an on-premises BlackBerry Enterprise Server on page 239.

About this task
To begin the activation process, a one-time activation password is created in the service. You can create this activation password, or the user can create it. After creation of the activation password, the user's smartphone is ready to be activated. To activate the smartphone, the activation password and the user's service Internet address are entered on the smartphone using the Enterprise Activation option.

The following steps are performed to activate a user's smartphone. You can perform these steps, or the user can perform them as described in Using your BlackBerry smartphone with SmartCloud Notes.

Procedure
1. If the smartphone has been used before, perform the following steps.
   a. Back up any existing data. For instructions, see the BlackBerry Knowledge Base article How to back up the data on a BlackBerry smartphone.
   b. Wipe the smartphone. For instructions, see the BlackBerry Knowledge Base article How to delete all data and applications from the BlackBerry smartphone using the Wipe Handheld option.
2. To begin the activation process, perform the following steps to create an activation password:
   a. Log on to the service as an administrator.
   b. If your account has the user role, click Admin > Manage Organization.
   c. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
   d. Under User and Groups, click Users.
   e. In the Search box, type the beginning characters of any of the following user values to display the user's name:
      Distinguished name, for example, Samantha Daryn/Renovations.
      Internet address, for example, sdaryn@renovations.
      Last name, for example, Daryn.
      Note: You cannot use the wildcard character (*) when you search. A starts with search is done and the names of any users with matching values in the directory are displayed. For example, the results of a search on ma include the names of users with the following values in the directory:
         Madison Armond/Renovations
         masmith@renovations
         Kristin MacGyver
      This search does not match the following values:
         Emarie Klein/Renovations
         tamado@renovations
         Ted Amado
      Search results can include a maximum of 1000 names.

249

   f. Click the user's name in the search results.
   g. Click Manage BlackBerry Smartphone.
   h. Click Activate Now, create a one-time activation password, and then click Set Password.
   Note: Alternatively, the user can create the activation password through the service web site.
3. To activate the smartphone, refer to the following table and perform the steps that are shown for the operating system (OS) version of the smartphone. Activation can take from a few minutes to an hour, depending on the size of the mail file. After performing these steps, look for the Activation Complete message on the smartphone, which indicates that activation is successful.

   OS version: OS4, OS5
   Steps to activate:
   1. From the Home screen of the smartphone, click Manage Connections and then enable your Mobile Connection.
   2. From the Home screen of the smartphone, click Options > Advanced Options > Enterprise Activation.
   3. Enter your SmartCloud Notes Internet address, for example sdaryn@renovations.com.
   4. Enter the activation password.
   5. Click the track ball and select Activate.
   Note: Leave the Activation Server Address field blank, if you see it.

   OS version: OS6, OS7
   Steps to activate:
   1. From the Main screen of the smartphone, click Options > Device > Advanced System Settings > Enterprise Activation.
   2. Enter the SmartCloud Notes Internet address, for example sdaryn@renovations.com.
   3. Enter the activation password.
   4. Click the Activate button.

4. If you backed up data before activating, restore the data now. For information, see the BlackBerry Knowledge Base article How to use BlackBerry Desktop Software to restore data to a BlackBerry smartphone from a backup file.

Related tasks:
Providing documentation to your BlackBerry smartphone users on page 242
BlackBerry smartphone users with a hosted BlackBerry subscription can activate and manage their smartphones themselves using options available through the service website at To help users perform these tasks and to troubleshoot problems, point them to the user documentation.

Ensuring that mail encryption is available for BlackBerry smartphone users
To encrypt and sign mail with a BlackBerry smartphone, a user's IBM Notes ID file must be uploaded to the ID vault in the service.

250

About this task
A Notes ID file is uploaded to the ID vault automatically under the following circumstances:
A user connects to the service with a Notes client. The ID is uploaded to the vault at some point afterward.
An ID is imported in the user's mail file and the mail file is transferred to the service. The ID is uploaded to the vault during user provisioning.

If neither circumstance applies, administrators can use SmartCloud Notes Administration to upload an ID file to the vault.

After the ID file is uploaded, the smartphone prompts the user for the password. After that point, the user no longer provides a Notes password. The user provides only the smartphone password.

Related tasks:
Uploading a Notes ID to the vault on page 269
In a hybrid environment, if a service user has an IBM Notes ID file, the ID must be stored in the ID vault in the service. In some cases, for users who have a Notes ID, but who will not use the Notes client, you might need to upload the Notes ID to the vault manually. If it is not stored in the vault, web client, Notes Traveler, and BlackBerry smartphone users cannot perform secure mail operations. Other limitations also apply, as outlined in this topic.

Providing documentation to your BlackBerry smartphone users
BlackBerry smartphone users with a hosted BlackBerry subscription can activate and manage their smartphones themselves using options available through the service website at To help users perform these tasks and to troubleshoot problems, point them to the user documentation.

About this task
BlackBerry smartphone users can perform the following tasks themselves:
Activate a smartphone
Reactivate a smartphone to correct a problem
Activate a different smartphone
Wipe a smartphone

Instructions for performing these tasks can be found in the Using your BlackBerry smartphone with SmartCloud Notes section of the user documentation.

Note: For information on using a BlackBerry 10 device, see the Notes Traveler documentation for SmartCloud Notes.

Related information:
Using your BlackBerry smartphone with SmartCloud Notes
Notes Traveler documentation

251

Chapter 7. Administering user accounts
Though IBM is responsible for the administration and maintenance of the mail servers, there are tasks that you perform through an administration interface at

About this task
You must have the Administrator role assigned in a user account to perform most administration tasks. An exception is resetting the service login password for a user account, which can also be performed by someone with the Admin Assistant role.

Best practices for maintaining your on-premises environment
Follow these best practices to help ensure that your on-premises environment remains properly configured to work with the service.

Table 74. Best practices for maintaining your on-premises environment

Best practice: Run the Configuration Test tool about once a month. This tool detects problems with your on-premises configuration that can prevent proper operation of the service. If an error in your on-premises configuration is reported, after you fix the problem that caused the error, download and run a new copy of the Domain Configuration tool on-premises. Running the tool can fix many problems with your on-premises configuration.
More information: For more information, see the topics Running configuration tests on page 99 and Downloading and running the Domain Configuration tool on page 94.

Best practice: Follow the guidelines for maintaining on-premises Domino servers.
More information: For more information, see the server maintenance checklist topic in the Domino documentation.

Best practice: Do not delete or modify the following entries in the ACL of any synchronized directory:
   Entries for your on-premises directory synchronization servers
   The LLNServers group entry
   The SaaSLocalDomainServers group entry
More information: The Domain Configuration tool creates these ACL entries. Download and run the tool to ensure that these ACL entries are correct. If these ACL entries are missing or modified, directory synchronization fails and user provisioning fails.

Best practice: Do not edit the CustomerMailHubs group.
More information: Change on-premises hub servers through administration Account Settings. For example, change a mail hub server through the Account Settings > Mail Routing Server administration page. Then download and run the Domain Configuration Tool to update your on-premises configuration.

Copyright IBM Corp

252

Table 74. Best practices for maintaining your on-premises environment (continued)

Best practice: Do not delete or edit the following groups that the service creates in a synchronized directory:
   LLNServers
   LLNMailHubs
   CustomerMailHubs
More information: These groups are created and maintained by the service.

Best practice: Do not create groups with the following names:
   LLNServers
   LLNMailHubs
   CustomerMailHubs
More information: These names are reserved for use in the service.

Best practice: Do not create groups with names that begin with Certifiers_ or SAAS.

Best practice: Disable the advanced ACL setting Enable Extended Access in any synchronized Domino directory.
More information: If this setting is enabled, directory synchronization fails. If the directory is used for provisioning, user provisioning fails.

Best practice: To move a synchronized directory to another server or to change the file name of a synchronized directory, follow the correct procedure.
More information: Follow these steps:
   1. Move the directory or change the file name on-premises. If you are moving the directory, from Notes select File > Replication > New Replica to create a replica at the new location.
   2. In the Directory Sync Server Configuration page of SmartCloud Notes Administration, update the existing entry for the directory to match the new on-premises server location or file name.
      Important: Do not delete the existing entry and create a new one. If you do, all directory documents are deleted and then re-created, a process that can take multiple days to complete.
   3. Download and run the Domain Configuration tool.

Best practice: To delete a synchronized directory, follow the correct procedure.
More information: To delete a synchronized directory, follow these steps:
   Note: If you are moving a directory, do not delete it.
   1. In the Directory Sync Server Configuration page of SmartCloud Notes Administration, open the entry for the directory and click Remove.
   2. Download and run the Domain Configuration tool.
   3. Delete the directory on-premises.

253

Table 74. Best practices for maintaining your on-premises environment (continued)

Best practice: In environments with multiple Domino domains that use policies, do not use the same policy name in more than one domain directory.
More information: If two policies have the same name, the service uses one only, which can cause unexpected, incorrect results. The Domain Configuration tool warns you when duplicate policy names are found.

Best practice: In environments with multiple Domino domains, do not use the same group name in more than one synchronized directory.
More information: If a group name in a mail file ACL matches two on-premises groups, the one ACL entry controls access for members of both groups. If mail groups have the same name, users must choose which one to use each time they send mail to the group name. Using unique group names avoids this step. The Domain Configuration tool warns you when duplicate group names are found.

Best practice: In environments with multiple Domino domains that use Resource Reservations, do not use the same site name in more than one domain.
More information: If sites in two domains have the same name, the service lists resources from both sites under one site name. This situation can lead users to reserve resources at the wrong site. See Technote for instructions on making site names unique. The Domain Configuration tool warns you when duplicate site names are found.

Best practice: Keep public key checking disabled on the following on-premises servers:
   Mail hub servers that route mail directly to the service
   Mail servers of on-premises users that look up the free-time of service users
More information: If public key checking is not disabled, mail routing and free-time lookups fail. To disable public key checking on a server:
   1. Open the Server document in the Domino directory in edit mode.
   2. Click the Security tab.
   3. In the Compare public keys field in the Security Settings section, select Do not enforce key checking then click OK.

Best practice: Continue to use your on-premises SMTP gateway server to route incoming mail.
More information: When users on the Internet send mail to service users, the mail is sent to an on-premises SMTP server. From there it is routed to the service over NRPC. If the SMTP server is not available, service users cannot receive mail from the Internet. For more information, see the topic Preparing to route mail to service users on page 55

Best practice: For mail hub servers that route directly to the service, configure the retry interval and multiple transfer threads for optimum mail routing performance.
More information: For more information, see Preparing to route mail to service users registered in the on-premises hub domain on page 55 and Preparing to route mail to service users in a secondary domain on page 57.

254

Changing user mail file templates
You can change the mail file template assigned to a user. For example, change the mail template if the IBM Notes client of a user is upgraded to a new version.

Before you begin
Make sure that users are offline when you change their templates.

About this task
When you change a user's mail file template, custom folders in the mail file inherit the design of the Inbox folder. Custom folders are user-created folders or company-created folders from a custom template that is used in the service.

Note: If you change the languages of a user's IBM SmartCloud Notes subscription, you then also need to change the language of the mail file template.

Procedure
1. Log on to using the address and password of a SmartCloud Notes user with the Administrator role.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Users.
5. In the Search box, type the beginning characters of any of the following user values to display the user's name:
   Distinguished name, for example, Samantha Daryn/Renovations.
   Internet address, for example, sdaryn@renovations.
   Last name, for example, Daryn.
   Note: You cannot use the wildcard character (*) when you search. A starts with search is done and the names of any users with matching values in the directory are displayed. For example, the results of a search on ma include the names of users with the following values in the directory:
      Madison Armond/Renovations
      masmith@renovations
      Kristin MacGyver
   This search does not match the following values:
      Emarie Klein/Renovations
      tamado@renovations
      Ted Amado
   Search results can include a maximum of 1000 names.
6. Select the name of each user to change to a specific template. You can search for and select more names; previously selected names remain selected.
7. Click Apply Mail Template.
8. Select the template to use.
9. Click Apply Mail Template.
10. Click Confirm.
11. Click Continue.

255

Related information:
Integration server and user provisioning change files

Viewing assigned mail file templates
You can view the mail file template that is assigned to a service user.

About this task
If only the template ID displays in the field, the template assigned to the user has been removed from the template repository. Although the user's mail file is not affected, you should assign a new template.

Procedure
1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Users.
5. In the Search box, type the beginning characters of any of the following user values to display the user's name:
   Distinguished name, for example, Samantha Daryn/Renovations.
   Internet address, for example, sdaryn@renovations.
   Last name, for example, Daryn.
   Note: You cannot use the wildcard character (*) when you search. A starts with search is done and the names of any users with matching values in the directory are displayed. For example, the results of a search on ma include the names of users with the following values in the directory:
      Madison Armond/Renovations
      masmith@renovations
      Kristin MacGyver
   This search does not match the following values:
      Emarie Klein/Renovations
      tamado@renovations
      Ted Amado
   Search results can include a maximum of 1000 names.
6. Click the user's name in the search results.
7. Look in the Mail Template field, which includes the following information:
   Name
   Version
   Language
   Template ID number

Related concepts:
Language versions of the standard mail file template on page 248
The mail file template supported in the service is the IBM Notes Standard 8.5 template (STDR85Mail). This topic lists the languages in which this template is provided.

256

Related tasks:

Configuring mail file templates on page 164
Configure which mail file templates can be applied to user mail files and configure a mail file template to use by default.

Language versions of the standard mail file template

The mail file template supported in the service is the IBM Notes Standard 8.5 template (STDR85Mail). This topic lists the languages in which this template is provided.

- English (en)
- Arabic (ar)
- Catalan (ca)
- Czech (cs)
- Danish (da)
- German (de)
- Greek (el)
- Finnish (fi)
- French (fr)
- Hebrew (he)
- Hungarian (hu)
- Italian (it)
- Japanese (ja)
- Korean (ko)
- Dutch (nl)
- Norwegian (no)
- Polish (pl)
- Portuguese (pt)
- Portuguese, Brazil (pt_br)
- Russian (ru)
- Slovak (sk)
- Slovenian (sl)
- Swedish (sv)
- Thai (th)
- Turkish (tr)
- Chinese, China (zh_cn)
- Chinese, Taiwan (zh_tw)
- Spanish (es)

Assigning extension forms files to users

After an IBM representative uploads an approved extension forms file to the service, you can assign the forms file to users. Extension forms files enable you to customize the visual theme, fonts, the action bar, and other aspects of the web client.

257

About this task

You can assign extension forms files to users explicitly. You can also assign extension forms files to users implicitly by setting a default extension forms file. The following topics describe how to use IBM SmartCloud Notes Administration to assign extension forms files. You can also use user provisioning change files and the IBM Connections Cloud integration server. For more information, see the integration server section of the Connections Cloud documentation.

Related tasks:

Using extension forms files to customize the look of the web client on page 165
You can use an extension forms file to customize the visual theme, fonts, the action bar, and other aspects of the web client. For example, you can add graphics, change colors, and add new menu items.

Related information:

IBM Connections Cloud documentation

Setting a default extension forms file

Optionally set a default extension forms file that applies to all current and future web client users who are not explicitly assigned an extension forms file.

Before you begin

An IBM representative must upload the approved extension forms file to the service.

About this task

If you do not specify a default extension forms file, users without an explicit extension forms file see the default service behavior. The default service behavior is similar to IBM iNotes 9.0.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Extension Forms Files.
5. Select the forms file and click Set as Default.

Results

The change takes effect the next time web client users log in to the service.

In the list of files in the Extension Forms Files page, the text [default] is shown after the file name. The file is also shown in the Defaults page, in the Default Extension Forms File section.

To see whether a user uses the default forms file, from SmartCloud Notes Administration, click Users and select the name of the user. If the user uses the default extension forms file, the value of the Forms extension field is Default (forms file), where forms file is the name of the default extension forms file.

258

You can disable a default extension forms file and revert to the default service behavior. To do so, perform this procedure and in the last step select None in the files list and click Set as Default. The extension forms file remains available and you can re-enable it as the default at any time.

Explicitly assigning an extension forms file to many current users

You can assign a forms file to all current users, to users who are explicitly assigned a different extension forms file, or to users who are not explicitly assigned an extension forms file who use the default behavior.

Before you begin

An IBM representative must upload the extension forms file to the service.

About this task

To apply an extension forms file during user provisioning, see the user provisioning topics, instead.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Extension Forms Files.
5. Select the extension forms file to assign and click Apply to Users.
   Note: To remove an explicit forms file assignment and revert to the default forms file or the default service behavior, select None [default].
6. Perform the steps in the following table that correspond to your objective.

   Table 75. Steps to assign an extension forms file to many users

   Objective: Assign to all users in the service.
     Note: An alternative approach is to set a default extension forms file. A default file is used by all current and future users who are not assigned an extension forms file explicitly.
   Steps: Click Apply to > All users.

   Objective: Assign to all users who are not currently assigned to the selected forms file.
   Steps:
     1. Click Apply to > Users of a different extension forms file.
     2. Select the current extension forms file of the users.

   Objective: Assign to all users who are not explicitly assigned an extension forms file.
   Steps:
     1. Click Apply to > Users of a different extension forms file.
     2. Select None (default).

7. Click Apply.

259

Results

If you click Cancel or close the window before the changes are complete, the change is cancelled only for users not yet processed.

The extension forms file changes take effect the next time the web client users log in to the service.

If you click Users from SmartCloud Notes Administration and select the name of a user, the Forms extension field shows the extension forms file.

Related tasks:

Provisioning users without transferring mail files on page 219
This procedure adds an IBM SmartCloud Notes subscription to a user account and creates a new mail file for the user on a mail server in the cloud. You can also add optional subscriptions purchased by your company.

Provisioning users and mail files on page 224
If you are transferring user mail files to the service with the assistance of an IBM partner, after the transfer manager imports a batch of users and mail files into the service, you can provision the users for IBM SmartCloud Notes.

Explicitly assigning an extension forms file to individual current users

You can explicitly assign an extension forms file to individual current users. The explicit assignment overrides the default behavior for your company.

Before you begin

An IBM representative must upload the extension forms file to the service.

About this task

To apply an extension forms file during user provisioning, see the user provisioning topics, instead.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Users.
5. Display the names of the users to whom you want to assign the forms file. In the Search box, type the beginning characters of any of the following user values:
   - Distinguished name, for example, Samantha Daryn/Renovations.
   - Internet address, for example, sdaryn@renovations.
   - Last name, for example, Daryn.
   Note: You cannot use the wildcard character (*) when you search.
   A "starts with" search is done and the names of any users with matching values in the directory are displayed. For example, the results of a search on ma include the names of users with the following values in the directory:
   - Madison Armond/Renovations

260

   - Kristin MacGyver
   This search does not match the following values:
   - Emarie Klein/Renovations
   - Ted Amado
   Search results can include a maximum of 1000 names.
6. Select the names of the users from the search results.
7. Click Apply Extension Forms File.
8. Select the file and click Apply.

Results

If you click Cancel or close the window before the changes are complete, the change is cancelled only for users not yet processed.

The extension forms file changes are visible the next time the user uses the web client to log in to the service.

If you click Users from SmartCloud Notes Administration and click a user name to see details about the user, the Forms extension field shows the extension forms file.

To remove an explicit extension forms file assignment, repeat the procedure and in the last step select None in the list of file names and click Apply. Users then use the default extension forms file, if specified, or the default service behavior.

Related tasks:

Provisioning users without transferring mail files on page 219
This procedure adds an IBM SmartCloud Notes subscription to a user account and creates a new mail file for the user on a mail server in the cloud. You can also add optional subscriptions purchased by your company.

Provisioning users and mail files on page 224
If you are transferring user mail files to the service with the assistance of an IBM partner, after the transfer manager imports a batch of users and mail files into the service, you can provision the users for IBM SmartCloud Notes.

Resetting service login passwords

Users can reset their own service login passwords once within a 24 hour period by clicking Forgot password?. An administrator or administrator assistant can reset service login passwords for any user at any time.

About this task

Reset passwords when users forget their passwords, or when the password might be compromised.

Users that log in by clicking Use My Organization's Login are using a federated identity and can reset their passwords only by following their company's process.

If administrators enable password synchronization, when users change their service login passwords, they can also use the new passwords to log in to the IBM Notes client.

261

Follow these steps to reset any user's password:

Procedure

1. Click Administration > Manage Organization.
2. Click User Accounts.
3. Select the arrow next to the user that needs the password changed.
4. Select Reset password and enter the new password. This password is a temporary password that the user enters the next time that they log in. At that time, the user is asked to create a password.
   You can also reset the password by editing the user account. Click the appropriate user name in User Accounts and enter a new password in the Account Login tab.
5. Notify the user of the password change. The user is not automatically notified that the password was reset. Make sure to communicate this change to the user, along with the new password if needed.

What to do next

Administrators can enable security settings to enforce password expiration through System Settings > Security. When a user logs in with an expired password, the user is prompted to reset that password.

Resetting passwords for Notes IDs

Reset the password on an IBM Notes ID file to change the current password. Typically you do this because a user has forgotten the current password.

About this task

This procedure applies only to passwords associated with Notes ID files used with Notes clients, and not to service login passwords.

Procedure

1. Log on to using the address and password of a SmartCloud Notes user with the Administrator role.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Users.
5. In the Search box, type the beginning characters of any of the following user values to display the user's name:
   - Distinguished name, for example, Samantha Daryn/Renovations.
   - Internet address, for example, sdaryn@renovations.
   - Last name, for example, Daryn.
   Note: You cannot use the wildcard character (*) when you search.
   A "starts with" search is done and the names of any users with matching values in the directory are displayed. For example, the results of a search on ma include the names of users with the following values in the directory:
   - Madison Armond/Renovations
   - masmith@renovations
   - Kristin MacGyver

262

   This search does not match the following values:
   - Emarie Klein/Renovations
   - Ted Amado
   Search results can include a maximum of 1000 names.
6. Click the user's name in the search results.
7. Under Available actions for this user, click Reset IBM Notes Password.
8. Enter a new password, and then click Save Changes. The password must be at least eight characters in length.
9. Provide the new password to the user in a way that complies with your company security policies.

Results

After you complete this procedure, the user can log on to a SmartCloud Notes server from an IBM Notes client using the new password. After logging on with the new password, the user is prompted to change the password.

Note: If the Wrong Password prompt is displayed, tell the user to re-enter the new password that you provided. If that step does not solve the problem, tell the user to delete the local ID file and then re-enter the password.

The user has five days from the time you reset a password to use the password to log on to a SmartCloud Notes mail server and download the new password to the Notes client. If the 5-day limit is exceeded, the user sees the following message and you must reset the password again:

Contact your company administrator to have your Notes ID password reset.

Related concepts:

Notes IDs and passwords on page 130
When users connect to their mail servers in the cloud with IBM Notes clients and Notes IDs, they are authenticated using Notes Remote Procedure Call (NRPC) authentication.

Related tasks:

Resetting service login passwords on page 124
Users can reset their own service login passwords once within a 24 hour period by clicking Forgot password?. An administrator or administrator assistant can reset service login passwords for any user at any time.

Setting password expiration for Notes IDs on page 126
For users who access the service with the IBM Notes client, you can specify when Notes ID passwords expire. This password expiration does not apply to web users because they log in using their web login password rather than a Notes ID password.

Enabling password synchronization on page 128
When users change their service login passwords, password synchronization enables the users to use the new passwords when they log in to the IBM Notes client.

263

Changing a Notes user name

In a hybrid environment, you use the Domino Administrator client on-premises to change a user's Notes name. The steps initiate a series of administration process requests.

Before you begin

Important: Read the topic Rules to follow when you change a Notes name on page 257. It is important to understand these rules before you continue.

About this task

After you initiate a rename on-premises, the change replicates to the service. Then, the rename is initiated for the servers in the service as well. This process changes the Notes user name, but does not change the name in the Connections Cloud user account. You or the user change the name in the user account.

Procedure

1. From the IBM Domino Administrator client, on a server whose directory you synchronize with servers in the service, perform the steps that correspond to your goal.

   Table 76. Steps to change a user's names

   Goal: You want to change any of the following names:
     - Common name, for example, change Samantha Daryn/Renovations to Samantha Brown/Renovations
     - Alternate name
     - Short name
   Steps: Tools > People > Rename > Change Common Name
     For more information, see the topic about renaming a Notes user's common or alternate name in the Domino documentation.
     Important: If you want to change multiple names for one user, do so in one rename operation. If you want to change a name and the Internet address, do so as part of one rename operation.

   Goal: You want to change the certifier portion of the name. For example, change Samantha Daryn/Renovations to Samantha Daryn/PowerRenovations. Optionally, you also want to change any of the following values:
     - Common name
     - Alternate name
     - Short name
     - Internet address
   Steps: Tools > People > Rename > Request Move to New Certifier
     For more information, see the topic about moving a user name in the name hierarchy in the Domino documentation.
     Important: If you want to change the certifier name and other names or the Internet address for one user, do so as part of one rename operation.

2. Optional: If you changed the common name or Internet address, optionally edit the user account to match:

264

   Note: Users can change their common names themselves by editing the My Account Settings page. Users cannot change their own login addresses.
   a. Log on to the service as an administrator.
   b. If your account has the user role, click Admin > Manage Organization.
   c. Click User Accounts, click the arrow next to the account to edit, and select Edit User Account.
   d. In the User Information tab, update one or both of the name fields.
   e. If you changed the Internet address, in the Account Login tab, optionally update the field to match the new address. The field serves only as the identity used to log in to the service from a browser; the SmartCloud Notes service uses the Internet address field in the Person document to determine the Internet address for mail routing.

Results

The following table provides an estimate of the time required to complete each type of name change and how to determine whether the change is complete.

Table 77. Rename time estimate and verification

Type of name change: Notes name change
Rename completion: The Notes name change is usually complete in about a day. However, because renaming is a multi-step sequential process, a delay in any step can cause the rename to take longer. While the name is being changed, the current user name remains valid. When a rename is complete, the change is visible in the following places:
  - Directories (see notes 1 and 2), database ACLs, and groups that include the name on servers in the service and on-premises servers.
  - Web client navigation pane and new mail messages.
  - The User name field in the Notes client login window.
  - The user's mail file ACL.
  - The Users page in SmartCloud Notes Administration (see note 2).
  Note 1: New short name or alternate name is visible here.
  Note 2: New Internet address is visible here.

Type of name change: User account name change
Rename completion: The change occurs immediately after an administrator or user edits the user account. A new name and login address display the next time that the user logs in from a browser.

What to do next

If the name of a mail file delegate changes, the mail file owner must reassign delegation to the new name. Doing so updates the mail file ACL to allow the delegate access under the new name.

265

Related information:

Domino documentation

Rules to follow when you change a Notes name

When you change a user's Notes name, you must follow these rules.

- If you want to change multiple parts of a user's name, do so in one rename request. Do not issue one request to change a common name and then a separate request to change a certifier name. For example, change Samantha Daryn/Renovations to Samantha Brown/Power Renovations with one rename request.
- To change both a user's name and Internet address, change the Internet address as part of the rename request. Do not issue a rename request for the name change and then edit the Person document separately to change the Internet address.
- Never start a second rename until the first rename is complete, for example, if you make a mistake in a rename request. Wait until the first rename is complete and the user accesses the service under the first changed name before you rename the user again. If the first rename is not complete, fields with names that begin with AdminpOld remain in the Person document.
- Never change the Notes name by editing the name manually in the Person document. Instead, always initiate the name change through the Domino Administrator client. When you use the Domino Administrator client, the Administration Process makes the changes throughout your environment and required directory changes can replicate to the service during directory synchronization.
- Never rename a user who is being provisioned or whose mail is being transferred to the service. Wait until the user accesses the SmartCloud Notes service at least one time under the current name before you rename the user.
- If a rename does not complete within a reasonable amount of time, contact SmartCloud Notes Support. Do not remove the user account, the SmartCloud Notes subscription, or the Person document and attempt to re-create a user.
- After you start a rename of a Notes client user, tell the user not to switch to a Location document that refers to an on-premises mail server. Doing so can cause the user to accept the new name on-premises rather than in the service, which is not allowed.
- Never rename a user at the same time that you change the user's Domino domain.
- If the user has a Notes ID file and uses it in the service, the ID file must be stored in the service ID vault before you rename the user. To determine whether a user ID is stored in the vault, open SmartCloud Notes Administration, click Users, search for the user page, and look at the Notes ID file field. If the ID is not in the vault, an administrator can upload the ID file to the vault manually from the user page in SmartCloud Notes Administration.
- If the rename includes a move to a different certifier, verify that the directory contains a Vault Trust Certificate issued from the new certifier (or an ancestor of the certifier) to the service ID vault. If such a certificate does not exist, create one and wait for directory synchronization to replicate it to the service before you rename the user.
- A web client user, Notes Traveler user, or BlackBerry user can have a Notes ID file that is never used in the service and that is not stored in the service ID

266

  vault. Before you rename a user such as this, either upload the ID to the vault or delete the public key information from the following fields in the user's Person document:
  - Certificate
  - CertificateExpiration
  - CertificateIssuer
- If the name of a mail file delegate changes, the mail file owner must reassign delegation to the new name. Doing so updates the mail file ACL to allow the delegate access under the new name.

Related tasks:

Uploading a Notes ID to the vault on page 269
In a hybrid environment, if a service user has an IBM Notes ID file, the ID must be stored in the ID vault in the service. In some cases, for users who have a Notes ID, but who will not use the Notes client, you might need to upload the Notes ID to the vault manually. If it is not stored in the vault, web client, Notes Traveler, and BlackBerry smartphone users cannot perform secure mail operations. Other limitations also apply, as outlined in this topic.

Issuing a Vault Trust Certificate on page 101
You must issue a Vault Trust Certificate from a parent certifier of service users' Notes ID files to the certifier of the service ID vault. This step is a prerequisite for user provisioning.

Changing an Internet address

Use this procedure to change a user's Internet address if you are not also changing the user's Notes name.

About this task

There are two places that an Internet address is used. The SmartCloud Notes service uses the Internet address in the Person document for Internet addressing and delivery. In addition, there is an Internet address in the field in the service user account. This address is the account identity used to log in to the service with any subscription from a browser. Changing the value of the field to match the new Internet address in the Person document provides a consistent experience for the user.

Important: If you are changing both the Notes name and Internet address, complete the steps for changing a Notes user name, instead.

Procedure

1. To change the Internet address in the on-premises Domino directory if you are not also changing the Notes name:
   a. From an on-premises Domino Administrator, open the Domino directory in which the user is registered.
   b. From the People view, select the user's Person document.
   c. Click Edit Person.
   d. In the Basics tab, in the Mail section, change the address in the Internet address field.
   e. Click Save & Close.
   f. Wait for the change to replicate to the service during directory synchronization.

267

   Tip: To verify that the change has been made in the service, open the Users page in SmartCloud Notes Administration, search for the user, and in the user page look at the Internet address field.
2. To change the account login identity to match the new Internet address:
   a. Log in to the service as an administrator.
   b. If your account has the user role, click Admin > Manage Organization.
   c. Click User Accounts.
   d. Click the arrow next to the user account to change and select Edit User Account.
   e. Click Account Login.
   f. In the field, click change.
   g. In the New address field, provide the new address and click Finish.

What to do next

Provide the user with their new address and account login identity.

Related tasks:

Changing a Notes user name on page 255
In a hybrid environment, you use the Domino Administrator client on-premises to change a user's Notes name. The steps initiate a series of administration process requests.

Removing a SmartCloud Notes subscription from a user account

When you remove a SmartCloud Notes subscription from a user's account, the subscription is available for another user. The account identity still exists, unless you delete the user account, and is still active, unless you suspend the user. The user can still log in to the cloud service, but the user no longer has access to SmartCloud Notes.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the navigation pane, click User Accounts.
4. Click the name of the user to edit the user account settings.
5. Click Next to select the Subscriptions tab.
6. Perform one of the following steps:
   - If the user has more than one subscription, select Customize the subscriptions for this user and in the Mail field select None selected.
   - If the user has only a SmartCloud Notes subscription, select None.
7. Click Next and then Finish.
8. The Edit User Summary window indicates that subscription removal is in progress. When you click Back to User Accounts, SmartCloud Notes is removed from the Subscription column for the user.

Results

- The subscription is no longer assigned and is available for another user.
- The mail file becomes inactive. The owner, or a user who has delegation access, cannot open it.
- Mail is no longer delivered to the mail file.

268

- User data (including the mail file and vaulted Notes ID) remains on the servers in the service for 30 days. To see whether a user's data is still in the service, from SmartCloud Notes Administration, click Users and then Deleted Users. If the user's name is listed, the data is still in the service. You can force the data to be deleted by clicking Delete Data.

What to do next

If you want to add the subscription to the user account once again, be aware of the following considerations:

- If you removed the user's SmartCloud Notes subscription and the user name is still shown in the Users > Deleted Users page of SmartCloud Notes Administration, the user data is still in the service. In this case, to add back the subscription, you edit the Connections Cloud user account. The user regains access to the mail file and the name is removed from the Deleted Users page.
- If you removed the user's SmartCloud Notes subscription and the user name is no longer shown in the Users > Deleted Users page, the user data has been removed from the service. In this case, to add back the subscription, you must provision the user again through SmartCloud Notes Administration. The user starts with a new mail file, unless you transfer the mail file to the service before you provision the user.

Related tasks:

Deleting a user account on page 261
When you delete a user's account, the user no longer has access to any cloud services. If you change your mind about the deletion, you have up to 30 days to restore the account to full functionality.

Suspending a user account
You can suspend a user account. When an account is suspended, the user cannot log in to the service. If the user is logged in at the time the account is suspended, the user can continue working, but cannot log in again after logging out. No subscriptions are available to the user, but they remain assigned to the user. Also, the user identity and user data remain on servers in the service.

Related information:

Integration server

Suspending a user account

You can suspend a user account. When an account is suspended, the user cannot log in to the service. If the user is logged in at the time the account is suspended, the user can continue working, but cannot log in again after logging out. No subscriptions are available to the user, but they remain assigned to the user. Also, the user identity and user data remain on servers in the service.

About this task

Use these steps to suspend a user account, which affects all subscriptions assigned to a user. If a user has other subscriptions that you want to remain available to the user, a Customer Service Representative can suspend a subscription, rather than suspending an entire account. In that case, the user can log in to the service and there is no interruption to other subscriptions.

269

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the navigation pane, click User Accounts.
4. Click the arrow next to a user name and then click Suspend.

Results

The following results occur when a user account is suspended:

- Subscriptions remain assigned, and cannot be assigned to other users.
- The user cannot log in and is not listed in the company directory.
- The mailbox becomes inactive and the owner cannot open it. However, someone who has delegation access to the mail file can open it.
- Mail is not delivered to the mailbox.
- You can reset the user account password.

Note: To return a suspended account to active status, edit the user account using the previous steps, and in Step 4, click Unsuspend Account. When the account is returned to active status, the mail file is once again available to the user.

Related information:

Integration server

Deleting a user account

When you delete a user's account, the user no longer has access to any cloud services. If you change your mind about the deletion, you have up to 30 days to restore the account to full functionality.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the navigation pane, click User Accounts.
4. Click the arrow next to a user name and then select Delete User.
5. Optional: Enter the address of a user in your organization to whom you want to transfer the deleted user's collaboration resources, such as files.
   Note: You cannot transfer ownership of the mail file.
6. Click Trash.

Results

The user whose account is deleted can no longer log in to the service. If the user is logged in at the time of account deletion, he or she can continue to use the service until the session expires.

Up to 30 days from the initial account deletion, the following conditions exist:

- The user account has the status Trash in the User Accounts page.
- The mail file is inactive and cannot be opened by the owner, or by another user who has delegation access to the mail file.
- Mail is not delivered to the mail file.

- The subscriptions associated with the deleted account cannot yet be assigned to other users.
- The user data remains in the service.
- If you deleted the account by mistake, you can restore the account to full functionality, including mail.
- You can permanently delete the account to remove the user data and free the subscriptions to be assigned to other users.

31 to 90 days from the initial account deletion, the following conditions exist if you did not permanently delete the account:
- The account is no longer visible and you cannot restore it or permanently delete it.
- An IBM customer service representative can restore the account.
- The subscriptions associated with the deleted account cannot yet be assigned to other users.

After 90 days from the initial account deletion, the account is permanently deleted and the following conditions exist:
- The account subscriptions can be assigned to other users.
- The user data for collaboration subscriptions is permanently deleted.
- The SmartCloud Notes user data, such as the mail file, remains for 30 more days. You can permanently delete this data yourself, if you do not want to wait the 30 days.
  Note: While the SmartCloud Notes data remains, you cannot create a user account with the same common name and address as that of the deleted account.

After 120 days from the initial account deletion, SmartCloud Notes user data is permanently deleted, if it was not deleted previously.

Related tasks:
- Restoring a deleted user account on page 263
  After you delete a user account, you have up to 30 days to restore it if you change your mind. Restoring the account returns it to full functionality, including full mail file access.
- Permanently deleting a user account on page 263
  After you delete an account, it remains inactive in the service, and you have 30 days to restore it. If you are sure that you will not need to restore the account, you can permanently delete it within 30 days of the initial account deletion. Permanently deleting an account frees its subscriptions for other users.
- Removing the SmartCloud Notes data for a deleted user account or subscription on page 264
  After a user account is permanently deleted or an IBM SmartCloud Notes subscription is removed from a user account, the SmartCloud Notes data such as the mail file remains for 30 days. Use this procedure to force the deletion of the user data from the service, if you do not want to wait the 30 days.

Related information: Integration server
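The retention timeline in the Results above, worked through as an added example that is not part of the original IBM documentation: given the deletion date and the date being checked, it reports which actions are still possible, which is useful when reviewing offboarded accounts. All function and field names are hypothetical, and treating the common name and address as unavailable before permanent deletion is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Day counts as documented above; every name here is illustrative, not an IBM API.
ADMIN_WINDOW_DAYS = 30      # status Trash: administrator can restore or permanently delete
SUPPORT_WINDOW_DAYS = 90    # account hidden: only an IBM representative can restore
NOTES_DATA_EXTRA_DAYS = 30  # mail file kept this long after permanent deletion


@dataclass(frozen=True)
class DeletedAccountState:
    phase: str                        # trash | hidden | permanently_deleted | purged
    admin_can_restore: bool
    support_can_restore: bool
    subscriptions_reassignable: bool
    notes_data_present: bool
    name_reusable: bool               # same common name and address can be created again


def deleted_account_state(deleted_on: date, today: date,
                          permanently_deleted_on: Optional[date] = None,
                          notes_data_removed_on: Optional[date] = None) -> DeletedAccountState:
    """State of a deleted account on `today`, following the documented timeline."""
    age = (today - deleted_on).days
    if age < 0:
        raise ValueError("today is before the deletion date")
    if permanently_deleted_on is not None:
        offset = (permanently_deleted_on - deleted_on).days
        if not 0 <= offset <= ADMIN_WINDOW_DAYS:
            raise ValueError("an administrator can permanently delete only within 30 days")

    # Permanent deletion is either requested by the administrator or automatic after day 90.
    if permanently_deleted_on is not None and permanently_deleted_on <= today:
        permanent_since = permanently_deleted_on
    elif age > SUPPORT_WINDOW_DAYS:
        permanent_since = deleted_on + timedelta(days=SUPPORT_WINDOW_DAYS)
    else:
        permanent_since = None

    if permanent_since is None:
        in_trash = age <= ADMIN_WINDOW_DAYS
        return DeletedAccountState(
            phase="trash" if in_trash else "hidden",
            admin_can_restore=in_trash,
            support_can_restore=True,
            subscriptions_reassignable=False,
            notes_data_present=True,
            name_reusable=False,  # assumption: the account still exists, so the name is taken
        )

    # After permanent deletion the mail file stays 30 more days unless an
    # administrator forces its removal from the Deleted Users page.
    forced = (notes_data_removed_on is not None
              and permanent_since <= notes_data_removed_on <= today)
    data_present = (not forced
                    and (today - permanent_since).days <= NOTES_DATA_EXTRA_DAYS)
    return DeletedAccountState(
        phase="permanently_deleted" if data_present else "purged",
        admin_can_restore=False,
        support_can_restore=False,
        subscriptions_reassignable=True,
        notes_data_present=data_present,
        name_reusable=not data_present,
    )


if __name__ == "__main__":
    deleted = date(2015, 3, 1)  # constructed sample date
    for day in (0, 30, 31, 90, 91, 120, 121):
        state = deleted_account_state(deleted, deleted + timedelta(days=day))
        print(f"day {day:3d}: {state}")
```
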

Restoring a deleted user account

After you delete a user account, you have up to 30 days to restore it if you change your mind. Restoring the account returns it to full functionality, including full mail file access.

About this task

An IBM customer service representative can restore a user account up to 90 days after the account deletion.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the navigation pane, click User Accounts.
4. Select Status in the drop-down box and then select Trash to show the deleted user accounts that can be restored.
5. Click the arrow next to the user name and select Restore User.
6. In the window that is shown, click Restore.

Related tasks:
- Deleting a user account on page 261
  When you delete a user's account, the user no longer has access to any cloud services. If you change your mind about the deletion, you have up to 30 days to restore the account to full functionality.

Permanently deleting a user account

After you delete an account, it remains inactive in the service, and you have 30 days to restore it. If you are sure that you will not need to restore the account, you can permanently delete it within 30 days of the initial account deletion. Permanently deleting an account frees its subscriptions for other users.

About this task

You cannot restore an account after you permanently delete it. If there is a chance you might need to restore the account, do not complete this procedure. A user account is permanently deleted automatically 90 days after the initial account deletion.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the navigation pane, click User Accounts.
4. Select Status in the drop-down box and then select Trash.
5. Click the arrow next to the user name and then select Delete User.
6. Optional: Enter the address of a user in your organization to whom you want to transfer the deleted user's collaboration resources, such as files.
   Note: You cannot transfer ownership of the mail file.
7. Click Delete.

Results

- The account cannot be restored.
- The subscriptions associated with the account are free to be assigned to other users.
- The SmartCloud Notes data such as the mail file remains for 30 more days and is automatically deleted after that period. You can delete this data before then yourself. While this data remains, you cannot create a user account with the same common name and address as that of the deleted account.

What to do next

If you want to permanently delete the SmartCloud Notes data immediately, complete the procedure Removing the SmartCloud Notes data for a deleted user account or subscription.

Related tasks:
- Deleting a user account on page 261
  When you delete a user's account, the user no longer has access to any cloud services. If you change your mind about the deletion, you have up to 30 days to restore the account to full functionality.
- Restoring a deleted user account on page 263
  After you delete a user account, you have up to 30 days to restore it if you change your mind. Restoring the account returns it to full functionality, including full mail file access.

Removing the SmartCloud Notes data for a deleted user account or subscription

After a user account is permanently deleted or an IBM SmartCloud Notes subscription is removed from a user account, the SmartCloud Notes data such as the mail file remains for 30 days. Use this procedure to force the deletion of the user data from the service, if you do not want to wait the 30 days.

About this task

In most situations, there is no need to force the deletion of the SmartCloud Notes data. However, if an account is permanently deleted and you want to create a new account that uses the same address and common name, the SmartCloud Notes data must first be deleted.

You can delete the data of a user whose SmartCloud Notes subscription was removed but who still has a user account. However, do so with caution; to add back the SmartCloud Notes subscription, you must provision the user again through SmartCloud Notes Administration. In this case, the user starts with a new mail file, unless you transfer an on-premises mail file before you provision the user again.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. In SmartCloud Notes Administration, under Users and Groups, click Users.
5. In the navigation pane, click Deleted Users.

6. Optional: To search for a name if many users are listed, type the beginning characters of any of the following user values:
   - Distinguished name, for example, Samantha Daryn/Renovations.
   - Internet address, for example, sdaryn@renovations.
   - Last name, for example, Daryn.
   Note: You cannot use the wildcard character (*) when you search. A "starts with" search is done and the names of any users with matching values in the directory are displayed. For example, the results of a search on "ma" include the names of users with the following values in the directory:
   - Madison Armond/Renovations
   - masmith@renovations
   - Kristin MacGyver
   This search does not match the following values:
   - Emarie Klein/Renovations
   - tamado@renovations
   - Ted Amado
   Search results can include a maximum of 1000 names.
7. Click Delete Data next to the name of the user whose data you want to remove, and then confirm the deletion.

Results

The user data is removed from the service and the user name is removed from the Deleted Users page.

Related tasks:
- Deleting a user account on page 261
  When you delete a user's account, the user no longer has access to any cloud services. If you change your mind about the deletion, you have up to 30 days to restore the account to full functionality.
- Permanently deleting a user account on page 263
  After you delete an account, it remains inactive in the service, and you have 30 days to restore it. If you are sure that you will not need to restore the account, you can permanently delete it within 30 days of the initial account deletion. Permanently deleting an account frees its subscriptions for other users.
- Removing a SmartCloud Notes subscription from a user account on page 259
  When you remove a SmartCloud Notes subscription from a user's account, the subscription is available for another user. The account identity still exists, unless you delete the user account, and is still active, unless you suspend the user. The user can still log in to the cloud service, but the user no longer has access to SmartCloud Notes.

Moving users to different Domino directories

You can move the Person document of a user who is currently provisioned in the service to a different Domino directory.

About this task

If an on-premises Notes rename request is underway for a user, wait until the request is complete before moving the user's Person document.

Procedure

Copy the Person document to the new Domino directory and then delete the original Person document. Follow these guidelines:
- Move a Person document only to a Domino directory that is used for provisioning. In other words, move a Person document to a full Domino directory that is listed in the Directory Sync Server Configuration window of SmartCloud Notes Administration. The Do not use this Domino Directory for user provisioning option must not be selected for the directory.
- If you want to change the values of the following fields in the new Person document, do not do so yet. These values must be the same as in the original Person document while the move of the Person document is underway. You can change the value of any other field.
  - First name (FirstName)
  - Middle name (MiddleInitial)
  - Last name (LastName)
  - User name (FullName)
  - Internet address (InternetAddress)
  - Domain (MailDomain)
- The deletion of the original Person document can replicate to the service before the addition of the new Person document, or vice versa. The replication order is not important.
- The document identifier value of the new Person document will be different from the one in the original Person document. A document identifier, for example Notes:///632576F5004E65D4/85255E A C / 14BD98F6358E2E C , is displayed in Notes document properties.

What to do next

If you want to change the user name, Internet address, or Domino domain name, contact Support before you do so. Support must verify that the Person document change is complete in the service before you make these changes.

After Support confirms that the Person document change is complete, make the additional changes. If you want to change the Domino domain name, do so before you change the user name or Internet address. To change the domain, edit the Domain (MailDomain) field. To change the user name, follow the documented procedure for changing a Notes user name. Do not edit name fields directly in the Person document.

Related tasks:
- Changing a Notes user name on page 255
  In a hybrid environment, you use the Domino Administrator client on-premises to change a user's Notes name. The steps initiate a series of administration process requests.
- Configuring directory synchronization on page 89
  A directory server in the service has a replica of one or more on-premises IBM Domino directories. To support directory synchronization, provide the name of the primary server and file path of at least one on-premises directory that you want to synchronize. The directory server performs a regular pull and push replication of the directories to keep the contents of both the service and the on-premises replicas synchronized.

- Contacting Support on page 303
  If you are unable to resolve a problem, contact Support.

Converting a service user to an on-premises user in a hybrid environment

If you use a hybrid environment, you can convert a service user to an on-premises user. Conversion removes the SmartCloud Notes subscription from the user account. You then switch the user to a Domino mail server at your company site.

About this task

Steps 1-5 in this procedure assume that you want to create a replica of the current SmartCloud Notes mail file on your on-premises server. By creating a replica, you preserve the current content of the mail file. However, replicating the mail file is not required. You can instead convert the user to a new mail file or to an existing mail file that you have on-premises. In this case, substitute Steps 1-5 with your own procedure to create the user mail file on your server.

After users are converted to on-premises mail servers, they cannot be delegates for the mail files of service users.

Perform the following steps to convert a service user to an on-premises user.

Procedure

1. Perform the following steps to create a local replica of the service mail file on an IBM Notes client that can connect to the service:
   Note: The owner of a mail file who uses a managed mail replica already has a local mail file replica and can skip this step.
   a. Make sure that you have a SmartCloud Notes subscription with the User role.
   b. From the Notes client, log on to the service using a Notes ID that has access to the mail file in the service. The IDs of the following users have access to the mail file:
      - The owner of the mail file
      - Someone who the owner gives delegate access
      - Someone who has access through an entry in a customized mail file ACL.
   c. Open the mail file on the SmartCloud Notes server, following the appropriate procedure in the following table:

Table 78. Opening a mail file in the service

Person: Owner
Steps: Open your mail file as you normally do. For example, from the home page, click Mail.

Person: Delegate
Steps: Open your mail file as you normally do, then complete the following steps:
  1. In the navigation pane, expand Other Mail.
  2. Click Open Other Mail.
  3. Select the name of the mail file owner from the company directory.

Table 78. Opening a mail file in the service (continued)

Person: Administrator with access to the mail file through a custom ACL
Steps: Determine the mail server name and mail file name in the service:
  1. From SmartCloud Notes Administration, click Users.
  2. Click the name of the mail file owner.
  3. In the Mail servers field, note the name of the first server that is listed, for example, MAIL16/SCN/RENOVATIONS.
  4. In the Mail databases field, note the name of the first database that is listed, for example, data0/ / nsf.
  Open the mail file:
  1. From Notes, click File > Open > IBM Notes application.
  2. In the Look in field, type the mail server name.
  3. In the File name field, type the mail file name.
  4. Click Open.

   d. From the open mail file, click File > Replication > New Replica.
   e. Make selections in the Create Replica dialog box:
      - In the Server field, be sure to select Local.
      - If you plan to use an operating system command to create the replica on the on-premises server in Step 3, do not select Encrypt the replica using.
2. (Optional) To minimize message loss during the conversion process, perform the following steps to suspend the account for the user. Suspending the account stops mail delivery to the Notes mail file.
   a. Perform a final replication between the mail file replica on the SmartCloud Notes server and the replica on the Notes client.
   b. Log on to the service as an administrator.
   c. If your account has the user role, click Admin > Manage Organization.
   d. From the navigation pane, click User Accounts.
   e. Click the arrow next to the name of the user being converted and select Suspend Account.
      Note: This step suspends all of the subscriptions that the user has.
3. Replicate the mail file on the client to the on-premises mail server the user is switching to.
4. Adjust the mail file ACL as necessary, for example, to allow access by on-premises servers.
5. Apply an on-premises mail file template to replace the template from the service.
6. Perform the following steps to remove the SmartCloud Notes subscription from the account of the user.
   a. Log on to the service as an administrator.
   b. If your account has the user role, click Admin > Manage Organization.

   c. From the navigation pane, click User Accounts.
   d. If you completed Step 2, click the arrow next to the name of the user to convert and select Unsuspend Account.
   e. Click the arrow next to the name of the user and select Edit User Account.
      Note: If the user has only a SmartCloud Notes subscription, you can instead select Delete user to delete the account. In this case, skip the remaining substeps.
   f. Click Next to move to the Subscriptions tab.
   g. Perform one of the following steps:
      - If the user has more than one subscription, select Customize the subscriptions for this user and in the Mail field select None selected.
      - If the user has only a SmartCloud Notes subscription, select None.
   h. Click Next and then Finish.
   Note: You can reinstate the account for up to 30 days. To reinstate, add the SmartCloud Notes subscription back to the account, or restore the account, if you deleted it. If you continue to step 7, the 30-day period does not apply; the user is returned to being an on-premises user, and the account cannot be reinstated.
7. To switch the user to an on-premises mail server and mail file, edit the Domino directory Person document of the user as follows:
   - Change the Mail server field to refer to the on-premises mail server
   - Change the Mail file field to refer to the on-premises mail file

Results

After Step 7 is completed and directory synchronization occurs between the service and the on-premises environment, the user can no longer access the mail file on the SmartCloud Notes server.

Uploading a Notes ID to the vault

In a hybrid environment, if a service user has an IBM Notes ID file, the ID must be stored in the ID vault in the service. In some cases, for users who have a Notes ID, but who will not use the Notes client, you might need to upload the Notes ID to the vault manually. If it is not stored in the vault, web client, Notes Traveler, and BlackBerry smartphone users cannot perform secure mail operations. Other limitations also apply, as outlined in this topic.

Before you begin

Make sure that you have a copy of the user's Notes ID file and password. If you are unsure whether to store a Notes ID in the vault for web client users, read Planning for Notes IDs.

About this task

Upload a Notes ID to the ID vault for users who have an ID file, but who do not use the Notes client:
- If they are starting with new mail files.

- If the mail file was transferred to the service without an imported Notes ID. In this case, if you do not store the ID in the vault, the user cannot read old encrypted messages if there are any.

Note: Alternatively, web client users can upload Notes IDs themselves. For more information, see the topic about importing a Notes ID in the SmartCloud Notes web section of the SmartCloud Notes user documentation.

Typically, this procedure is not necessary in these situations:
- For Notes client users, because the ID is automatically uploaded to the vault at some point after the client connects to the service.
- For web client users whose existing on-premises mail files were transferred to the service, and whose Notes ID was imported into the mail file before the transfer. In this case, the Notes ID is uploaded to the vault the first time a user performs a secure mail operation, such as signing mail, or reading or sending encrypted mail.
- For web client users who never had a Notes ID and who do not want to perform secure operations.

For users who have a Notes ID, if the ID is not stored in the service vault, the following limitations apply:
- Web client, IBM Notes Traveler, and BlackBerry smartphone users cannot perform secure operations, which include signing mail, and reading or sending encrypted mail.
- Notes ID password resets and ID recovery are not available.
- If a user's name changes, the user's Notes name cannot be changed.

You can also use this procedure to replace a Notes ID in the vault.

Note: You cannot use this procedure to upload an ID file that is enabled for Notes shared login (NSL). To allow the ID to be uploaded manually, disable NSL. Or, use the Notes client with the service, so that the ID file can be uploaded to the vault automatically. For more information about Notes shared login, see the security section of the IBM Domino documentation.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Users.
5. In the Search box, type the beginning characters of any of the following user values to display the user's name:
   - Distinguished name, for example, Samantha Daryn/Renovations.
   - Internet address, for example, sdaryn@renovations.
   - Last name, for example, Daryn.
   Note: You cannot use the wildcard character (*) when you search. A "starts with" search is done and the names of any users with matching values in the directory are displayed. For example, the results of a search on "ma" include the names of users with the following values in the directory:
   - Madison Armond/Renovations

   - Kristin MacGyver
   This search does not match the following values:
   - Emarie Klein/Renovations
   - Ted Amado
   Search results can include a maximum of 1000 names.
6. Click the user's name in the search results.
7. Under Available actions for this user, click Upload Notes ID File.
8. Browse for the Notes ID file, and optionally provide the password if one exists.

Results

The Notes ID is stored in the vault. Note, however, that the password for the ID is not stored in the vault.

Related information:
- SmartCloud Notes user documentation
- IBM Domino documentation

Viewing subscriptions

You can view the subscriptions assigned to existing users, or view the subscriptions that are available to assign to new service users. In addition to the mail service, other subscriptions can include collaboration services. Third-party integrated applications may also display if your organization has enabled them.

About this task

Use these steps to view the available subscriptions, and find out how many user accounts are available for each subscription.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the navigation pane, click Subscriptions.

Viewing assigned subscriptions

About this task

To view the subscriptions that are assigned to an existing user, perform the following steps.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the navigation pane, click User Accounts.
4. Locate the user name. The assigned subscriptions are listed in the Subscription column.

Managing IBM Notes Traveler devices

For each user with an IBM Notes Traveler subscription, you can view information about the user's mobile device. You can also wipe the device to remove sensitive data from it, for example, if the device is lost or stolen.

About this task

Note the following information about wiping a device:
- After you issue a wipe request, the device cannot be used with the service again unless you cancel a pending wipe or reactivate the device.
- If you remove a user's IBM Notes Traveler subscription, the device information is no longer available in the service and you cannot perform this procedure. In this case, the user can request a device reset through the mobile carrier.
- If you cancel a pending wipe, the data is not wiped from the device.
- Wipe options can be shown for devices that do not support them. If you select a wipe option, the status field indicates if a device does not support it.
- If a wipe is done outside the IBM Notes Traveler service, for example, if a user resets a device, the status is not shown.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Click Users in SmartCloud Notes Administration.
5. In the Search box, type the beginning characters of any of the following user values to display the user's name:
   - Distinguished name, for example, Samantha Daryn/Renovations.
   - Internet address, for example, sdaryn@renovations.
   - Last name, for example, Daryn.
   Note: You cannot use the wildcard character (*) when you search. A "starts with" search is done and the names of any users with matching values in the directory are displayed. For example, the results of a search on "ma" include the names of users with the following values in the directory:
   - Madison Armond/Renovations
   - masmith@renovations
   - Kristin MacGyver
   This search does not match the following values:
   - Emarie Klein/Renovations
   - tamado@renovations
   - Ted Amado
   Search results can include a maximum of 1000 names.
6. Click the user's name in the search results.
7. Click Manage IBM Notes Traveler Devices to see information about the user's device such as the name, the time it was last synchronized, and the status of a wipe request.

   If you do not see this option, the selected user does not have an IBM Notes Traveler subscription.
8. To remove data from the device, click one of the following options:

   Option: Wipe Device
   Description: Select this option to remove the IBM Notes Traveler application and all personal data and settings from the device. After device confirmation, the device is reset to the factory default settings. This option affects all users of the device.

   Option: Wipe Traveler Data
   Description: Select this option to remove only the IBM Notes Traveler application and its data, but leave personal data on the device. This option affects only the selected user.

9. If you issue a wipe request, the following options are available:

   Option: Refresh Device List
   Description: Shows the status of a wipe request.

   Option: Cancel Wipe
   Description: Cancels a wipe request that shows the status Wipe pending.

   Option: Reactivate
   Description: Reactivates a device in the service after a wipe request is complete or fails with an error.

Results

The following table describes the messages that you might see in the Wipe status field after you issue a wipe request and click Refresh Device List.

Table 79. Wipe status messages

Wipe status message: Wipe pending
Description: Wipe Device or Wipe Traveler Data was selected. The request will be processed when the device is turned on.

Wipe status message: Deactivated
Description: The device was wiped successfully and is no longer connected to IBM Notes Traveler. If Wipe Traveler Data was selected, Wipe Device can still be selected.

Wipe status message: Hard reset failed
Description: Wipe Device was selected but the device cannot be reset to factory default settings. This error usually indicates that the device is an older model that does not support hard resets.

Wipe status message: Hard reset confirmed
Description: Wipe Device was selected and the device confirmed the request.

Wipe status message: Application wipe failed
Description: A Wipe Traveler Data request failed. This error can occur for older device models.

Wipe status message: Application wipe confirmed
Description: Wipe Traveler Data was selected and the device confirmed the request.

Wipe status message: Not requested
Description: No wipe has been requested.

Related tasks:
- Enabling application passwords on page 139
  Application passwords can be used to provide a secure login for applications that do not support forms-based authentication. For example, they can be used to access applications that require passwords on a mobile device or for organizations that use federated identity and service login passwords are not used. When you enable application passwords, you also have the option of requiring the use of application passwords, and of allowing mobile users to bypass IP restrictions.
- Preparing for Notes Traveler devices on page 195
  Before enabling users to use IBM Notes Traveler mobile devices with the service, prepare your environment and the devices.

Managing BlackBerry smartphones

After activating a user's BlackBerry smartphone, perform any of the following tasks to manage it.

Related concepts:
- Settings enforced for BlackBerry smartphones on page 205
  This topic describes the settings that the service currently enforces for BlackBerry smartphones.

Related tasks:
- Getting started with BlackBerry devices on page 238
  If BlackBerry devices supported by a Hosted BlackBerry Services subscription are used, complete the following tasks to begin using the devices with the service.

Reactivating a user's BlackBerry smartphone

If a user experiences a problem using a BlackBerry smartphone, activating it again often resolves the problem. Before activating again, back up the smartphone and then wipe it. Wiping removes all data and prevents duplicate Contacts and Calendar entries from occurring when you activate it again.

About this task

Alternatively, the user can reactivate the BlackBerry.

Procedure

1. Back up the smartphone. For instructions, see the BlackBerry Knowledge Base article How to back up the data on a BlackBerry smartphone.
2. Log on to the service as an administrator.
3. If your account also has the User role, click Admin > Manage Organization.
4. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
5. Under User and Groups, click Users.
6. In the Search box, type the beginning characters of any of the following user values to display the user's name:
   - Distinguished name, for example, Samantha Daryn/Renovations.
   - Internet address, for example, sdaryn@renovations.
   - Last name, for example, Daryn.
   Note: You cannot use the wildcard character (*) when you search. A "starts with" search is done and the names of any users with matching values in the directory are displayed. For example, the results of a search on "ma" include the names of users with the following values in the directory:
   - Madison Armond/Renovations
   - masmith@renovations
   - Kristin MacGyver
   This search does not match the following values:
   - Emarie Klein/Renovations
   - tamado@renovations
   - Ted Amado
   Search results can include a maximum of 1000 names.
7. Click the user's name in the search results.
8. Click Manage BlackBerry Smartphone.
9. Perform the following steps to wipe the smartphone:
   a. Click Wipe.
   b. Click Wipe again to confirm.
10. To begin the activation process, perform the following steps to create an activation password:
   a. Click Reactivate or Activate Now, depending on the option that is displayed.
   b. Create a one-time activation password and then click Set Password. Remember the password because you or the user enter it on the smartphone in the next step. If you do forget it, you can simply repeat this step to set a new one.
11. To activate the smartphone, refer to the following table and perform the steps that are shown for the operating system (OS) version of the smartphone. Activation can take from a few minutes to an hour, depending on the size of the mail file. After performing these steps, look for the Activation Complete message on the smartphone, which indicates that activation is successful.

   OS version: OS4, OS5
   Steps to activate:
   1. From the Home screen of the smartphone, click Manage Connections and then enable your Mobile Connection.
   2. From the Home screen of the smartphone, click Options > Advanced Options > Enterprise Activation.
   3. Enter your SmartCloud Notes Internet address, for example sdaryn@renovations.com.
   4. Enter the activation password.
   5. Click the track ball and select Activate.
   Note: Leave the Activation Server Address field blank, if you see it.

284 OS ersion OS6, OS7 Steps to actiate 1. From the Main screen of the smartphone, click Options > Deice > Adanced System Settings > Enterprise Actiation. 2. Enter the SmartCloud Notes Internet address, for example 3. Enter the actiation password. 4. Click the Actiate button. 12. If you backed up data before actiating, restore the data now. For information, see the BlackBerry Knowledge Base article How to use BlackBerry Desktop Software to restore data to a BlackBerry smartphone from a backup file. Wiping a user's BlackBerry smartphone if it is lost or stolen If a user's BlackBerry smartphone is lost or stolen, wipe it to remoe all data and deactiate it. About this task Wiping a smartphone remoes all data from it and deactiates it. If the smartphone is off, it is wiped the next time it is turned on. Alternatiely, users can wipe their smartphones themseles. For information on wiping a smartphone as part of reactiating it to correct a problem, see Reactiating a user's BlackBerry smartphone. Procedure 1. Log on to the serice as an administrator. 2. If your account also has the User role, click Admin > Manage Organization. 3. In the System Settings section of the naigation pane, click IBM SmartCloud Notes. 4. Under User and Groups, click Users. 5. In the Search box, type the beginning characters of any of the following user alues to display the user's name: Distinguished name, for example, Samantha Daryn/Renoations. Internet address, for example, sdaryn@renoations. Last name, for example, Daryn. Note: You cannot use the wildcard character (*) when you search. A starts with search is done and the names of any users with matching alues in the directory are displayed. 
For example, the results of a search on ma include the names of users with the following values in the directory:
- Madison Armond/Renovations
- masmith@renovations
- Kristin MacGyver
This search does not match the following values:
- Emarie Klein/Renovations
- tamado@renovations
- Ted Amado
Search results can include a maximum of 1000 names.
6. Click the user's name in the search results.
7. Click Manage BlackBerry Smartphone.
8. Click Wipe.
9. Click Wipe again to confirm.

Setting a device password on a user's BlackBerry smartphone

A device password helps to prevent unauthorized access to a user's BlackBerry smartphone. Use this procedure to set an initial device password on a user's smartphone or to set a new device password if a user has forgotten the current one.

About this task

The device password is a different password than the one-time activation password used to activate the smartphone.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the System Settings section of the navigation pane, click IBM SmartCloud Notes.
4. Under User and Groups, click Users.
5. In the Search box, type the beginning characters of any of the following user values to display the user's name:
- Distinguished name, for example, Samantha Daryn/Renovations.
- Internet address, for example, sdaryn@renovations.
- Last name, for example, Daryn.
Note: You cannot use the wildcard character (*) when you search. A "starts with" search is done and the names of any users with matching values in the directory are displayed.
For example, the results of a search on ma include the names of users with the following values in the directory:
- Madison Armond/Renovations
- masmith@renovations
- Kristin MacGyver
This search does not match the following values:
- Emarie Klein/Renovations
- tamado@renovations
- Ted Amado
Search results can include a maximum of 1000 names.
6. Click the user's name in the search results.
7. Click Manage BlackBerry Smartphone.
8. Click Set Device Password.
9. Enter a password and then click Set Password. The password must be at least eight characters, including at least one numeric character and at least one alphabetic character.

Results

A message indicating that you have changed the password is displayed on the smartphone.

What to do next

Provide the password to the user.

Related concepts: Settings enforced for BlackBerry smartphones on page 205. This topic describes the settings that the service currently enforces for BlackBerry smartphones.

Removing a BlackBerry subscription from a user account

You can remove a BlackBerry subscription from a user account.

Procedure

1. Log on to the service as an administrator.
2. If your account also has the User role, click Admin > Manage Organization.
3. In the navigation pane, click User Accounts.
4. Click the arrow next to a user's name, select Edit User Account, and click Next.
5. In the Subscription Add-ons section, clear SmartCloud Notes for Hosted BlackBerry Services.
6. Click Next and Finish.

Results

The user can no longer use a BlackBerry smartphone with SmartCloud Notes.

Frequently asked questions about BlackBerry smartphone administration

Table 80. Frequently asked questions about BlackBerry smartphone administration

Question: How do I know if a user has a BlackBerry smartphone subscription?
Answer:
1. From SmartCloud Notes Administration, click Users.
2. Search for the user's name and then select it.
3. Do either of the following steps:
- Select Show BlackBerry only to show only users with BlackBerry smartphone subscriptions and see if the user's name is listed.
- Click the user's name and see if the value of the BES subscription field has been set to Enabled.

Question: How do I know if a user's smartphone is activated?
Answer:
1. From SmartCloud Notes Administration, click Users.
2. Search for the user's name and then select it.
3. Click Manage BlackBerry Smartphone.
4. If the user's smartphone is not activated, a message is displayed indicating that it needs to be activated.

Question: What do I do if BlackBerry activation fails?
Answer: Perform these steps:
1. If the BlackBerry smartphone is an OS5 or earlier version, from the Home screen click Manage Connections and then enable your Mobile Connection.
2. Make sure that the user has an Enterprise plan with the wireless carrier rather than a Personal plan. If there is no Enterprise Activation option on the smartphone, the user has a Personal plan and needs to change to an Enterprise Plan. After changing to the Enterprise Plan, reactivate the BlackBerry.
3. Reactivate the BlackBerry smartphone.

Question: If I set an activation password, can a user override it?
Answer: Yes, the activation password is the last one set by either the administrator or the user.

Question: What do I do if there are duplicate Calendar or Contact entries on a smartphone?
Answer: Wipe the smartphone and then reactivate it.

Question: How do I tell which operating system (OS) version a BlackBerry smartphone uses?
Answer: See the BlackBerry Knowledge Base article How to check the model number and version of installed BlackBerry device software on a BlackBerry smartphone.

Question: How can I display a user's BlackBerry smartphone device model and other device information?
Answer:
1. From SmartCloud Notes Administration, click Users.
2. Search for the user's name and then select it.
3. Click Manage BlackBerry Smartphone.


Chapter 8. Integrating a single domain (Example)

This example illustrates how a fictitious company, Renovations, integrates servers in a single IBM Domino domain with the IBM SmartCloud Notes service.

About this task

Renovations plans to move the mail files of 500 of its 1000 users to mail servers in the service. The mail files of the other 500 users will remain on-premises on the company mail servers. The service users and the on-premises users will communicate by mail, look up free time for each other, schedule meetings with each other, and reserve shared meeting resources.

The current Domino deployment at Renovations consists of a single Domino domain, Renovations. This domain includes the servers described in the following table.

Table 81. Servers in the Renovations domain
Domino server name | Current Domino version | Current server function
Dirhub1/Renovations | 8.0 | Directory hub that replicates to the other servers in the domain
Mailhub1/Renovations | 8.0 | Mail routing hub that routes mail to and from other servers in the domain
Mail1/Renovations | 8.0 | User mail server that is also used to look up the free time of users
Mail2/Renovations | 8.0 | User mail server that is also used to look up the free time of users

To integrate these on-premises servers with the service, Bill Ranney, the lead Domino administrator at Renovations, performs the following steps.
1. Preparing the on-premises environment.
2. Configuring the service.
Note: This example does not illustrate the process of provisioning users, which occurs after the service is configured.

Preparing the on-premises environment (Example)

To prepare the on-premises environment, Bill Ranney prepares the on-premises directory synchronization and mail hub servers, prepares the on-premises passthru server domain, configures firewalls, prepares the Global Domain document, and creates the certifier and names for mail servers.

Preparing the on-premises directory synchronization and mail hub servers (Example)

Bill Ranney prepares a directory synchronization server and a mail hub server in the Renovations domain.

About this task

A directory synchronization server is an on-premises server with which the service connects to replicate Domino directories. The service regularly initiates a Pull and Push replication operation to synchronize the on-premises Domino directories with replicas on servers in the service. A mail hub server is an on-premises server used to route mail between service users and on-premises users.

After getting input from other members of the Renovations IT staff, Bill decides to use one directory synchronization server, the existing server, Dirhub1/Renovations. He also decides to use one mail hub server, the existing server, Mailhub1/Renovations. Bill upgrades all of the servers in the domain from Lotus Domino 8.0 to the latest version available, Lotus Domino He also upgrades the user mail servers, Mail1/Renovations and Mail2/Renovations, so that on-premises users who use those mail servers can look up free time for service users.

The following information about this task is important to remember.
- On-premises mail hub servers must run Lotus Domino Fix Pack 2 or higher.
- Mail servers of on-premises users that look up free time for service users must run Lotus Domino Fix Pack 2 or higher.
- One or two on-premises directory synchronization servers are allowed.
- One or two on-premises mail hub servers are allowed.
- One server can function as both a directory synchronization server and as a mail hub server.

Preparing the on-premises passthru server domain (Example)

Bill Ranney prepares the on-premises passthru servers, placing them in their own Domino domain. The service uses the servers in the domain as passthru servers through which it connects to the on-premises directory synchronization servers and mail hub servers.
About this task

Bill installs and sets up two new Domino servers, Passthru1/Renovations and Passthru2/Renovations, in a new Domino domain, SCNPassthru. During server setup, he selects the option "I want to use an existing certifier ID file" so that he can certify the new servers under the existing /Renovations organization certifier. Although an organization certifier and Domino domain often share the same name, they are independent entities. In this case, the passthru domain name and the certifier name are different. When Bill runs the Domain Configuration tool later, connection documents are created that enable the passthru connections to Dirhub1/Renovations and Mailhub1/Renovations in the Renovations domain.

The following information about this task is important to remember.
- For optimum security, an on-premises passthru server domain should be in a dedicated Domino domain that is located in the corporate demilitarized zone (DMZ) between an inner and outer firewall.
- Servers in an on-premises passthru server domain must be certified under the same organization certifier as the directory synchronization servers and mail hub servers.
- One or two passthru servers are allowed. In this example, they are in one Domino domain, but they can be in separate domains.
- A passthru server domain manages only incoming connections from the service. Connections from on-premises clients and servers to the service do not use the passthru domain.
- Install Domino or later on servers in a passthru domain for fastest response time for free-time requests from service users to on-premises users.

Configuring firewalls (Example)

Bill works with the Renovations IT staff to configure inner and outer firewalls.

About this task

The following tables summarize the configuration. Note that this example illustrates just one approach to firewall configuration; others are possible.

Table 82. Outer firewall - inbound connections
Setting | Value
Port | TCP/IP port 1352
Source addresses | Unpublished IP addresses that the service firewall generates. The IBM Customer Service Representative provided these to the company.
Destination addresses | passthru1.renovations.com, passthru2.renovations.com

Table 83. Outer firewall - outbound connections at Renovations
Setting | Value
Port | TCP/IP port 1352
Source addresses | All
Destination addresses | notes.na.collabserv.com

Table 84. Inner firewall - inbound connections at Renovations
Setting | Value
Port | TCP/IP 1352
Source addresses | passthru1.renovations.com, passthru2.renovations.com
Destination addresses | dirhub1.renovations.com, mailhub1.renovations.com

Table 85. Inner firewall - outbound connections
Setting | Value
Port | TCP/IP 1352
Source addresses | All
Destination addresses | notes.na.collabserv.com

Preparing the Global Domain document (Example)

Bill Ranney ensures that the Internet domain, renovations.com, is correctly defined in a Global Domain document.

About this task

Renovations owns the Internet domain renovations.com. The domain is used to form the Internet address of users in the Renovations Domino Directory, for example, sdaryn@renovations.com. Bill performs the following steps to verify that the domain has a Global Domain document that is correctly configured.
1. Open the Renovations Domino Directory.
2. Select Configuration > Messaging > Domains.
3. Open the Global Domain document for renovations.com.
4. Verify that the document is correctly configured.

The following table shows the verified Global Domain document for renovations.com.

Table 86. Verified Global Domain document for renovations.com
Tab | Field | Value
Basics | Domain type | Global Domain
Basics | Global domain name | renovations.com
Basics | Global domain role | R5/R6/R7/R8
Basics | Use as default Global Domain | Not applicable because there is only one Global Domain document in the Renovations Domino Directory.

Restrictions | Domino domains and aliases | Not applicable because the service does not use Domino domain information for routing.
Conversions - SMTP Address Conversions | Local primary Internet domain | renovations.com
Conversions - SMTP Address Conversions | Alternate Internet domain aliases | None

The following information about this task is important to remember.
- Each Internet domain that a company owns and uses for Internet mail requires a corresponding valid Global Domain document. The document must be in a Domino Directory that replicates to the service during directory synchronization.
- During account setup, the Global Domain document is used to show the domain in a list of domains to be verified.
- Routing of incoming Internet mail addressed to service users is configured and done on-premises. The service performs outbound Internet mail routing only.
- Only two fields in the Conversions > SMTP Address Conversions section of a Global Domain document are used by the service: Local primary Internet domain and Alternate Internet domain aliases. The remaining fields in the SMTP Address Conversions section apply to incoming Internet mail and are therefore ignored by the service.

Creating the certifier and names for mail servers (Example)

Bill Ranney creates the OU certifier used to certify and name the Renovations mail servers in the service.

About this task

Bill decides to use Mail as the base name for the company mail servers in the service. He provides the base name later when configuring account settings. The base name and OU certifier combine to form mail server names Mail1/SCN/Renovations, Mail2/SCN/Renovations, and so on.

Bill creates the OU certifier /SCN/Renovations to use to certify and name the Renovations service mail servers. He saves the password-protected certifier ID file, scn_renovations.id, to a local, secure location so that he can easily select it when uploading it to the service when configuring account settings later.

The following information about this task is important to remember.

- It is important that you choose and create your service mail server OU certifier carefully. After you upload the OU certifier ID to the service, you cannot change to an ID with a different certifier name.
- The OU certifier you provide for your service mail servers must be under the same organization certifier as the passthru servers, directory synchronization servers, and primary mail hub servers. It can be at any level below the organization certifier.
- This OU certifier must be unique and used only for the service mail servers; the OU certifier cannot be used on-premises.
- The certifier used for service users must trust the service mail server OU certifier, and vice versa. If any users are certified under a different organization than the OU certifier, you must create the required cross-certificates to establish trust. The cross-certificates must be replicated to the directory synchronization servers.

Configuring the service (Example)

After preparing the on-premises environment, Bill Ranney performs the steps required to configure the service to integrate with on-premises servers.

Completing an account settings worksheet (Example)

Bill Ranney completes the following worksheet to gather the information required to configure account settings.

About this task

Table 87. Account settings worksheet
Information required to configure account settings | Value
Local file path of the OU certifier ID file used to certify the mail servers of service users | C:\scn_renovations.id (password-protected) (Certifier name: /SCN/Renovations)
Domino passthru server domain | SCNPassthru
Primary Domino passthru server | Passthru1/Renovations
Primary passthru server hostname or IP address | passthru1.renovations.com
Secondary Domino passthru server | Passthru2/Renovations
Secondary passthru server hostname or IP address | passthru2.renovations.com
Primary Domino on-premises mail hub server | Mailhub1/Renovations
Secondary on-premises mail hub server | None
Base name for mail servers of service users | Mail
Primary on-premises directory synchronization server | Dirhub1/Renovations
Local file path of each Domino Directory on the primary directory synchronization server to replicate to the service | C:\syncdir\names.nsf
Secondary directory synchronization server | None

Configuring account settings (Example)

Bill Ranney uses IBM SmartCloud Notes Administration on to configure account settings for the company.

About this task

Bill logs on to as the first company administrator. He uses the completed account settings worksheet to configure account settings. He performs the following tasks to configure account settings, as described in the topic Roadmap to configuring a hybrid environment.
- Providing a certifier ID file
- Specifying one or more passthru servers
- Specifying a mail routing server
- Creating a base name for your mail servers
- Specifying a Domino Directory synchronization server

The following information about this task is important to remember.
- An IBM Customer Service Representative must add the SmartCloud Notes subscription for a company before account settings can be configured. Adding the company subscription creates the first company administrator account for the company. The first company administrator receives an invitation with a URL to use to log on to the Connections Cloud website for the first time.
- When configuring account settings, the company administrator uploads the organizational unit certifier ID file to use for certification of the mail servers of service users. It is important that the administrator verifies that the selected Certifier ID file is correct before clicking the Upload button. After the certifier ID file is uploaded, it cannot be changed to an ID with a different certifier name.
- When configuring account settings, you can provide the host name or the IP address of a passthru server. Best practice is to provide a host name. If you provide an IP address and the IP address changes in the future, you must configure account settings and run the Domain Configuration tool again.

Downloading and running the Domain Configuration tool (Example)

After Bill Ranney configures account settings, he downloads and runs the Domain Configuration tool. The tool takes the information Bill provides in account settings and makes required changes to the Domino directories of the SCNPassthru domain and Renovations domain.

About this task

The directory changes made by the tool configure connections, routing, and replication between the servers in the service and the on-premises servers.

The following information about this task is important to remember.
- Do not edit the directory content added by the tool. For example, do not edit changes to the ACL or to Connection documents. Doing so prevents proper operation of the service. Refer to the report generated by the tool to see the exact directory changes the tool makes.
- The IBM Notes client from which the tool is run must be able to connect to the passthru servers in the passthru domain. The client must also be able to connect to the directory synchronization and mail hub servers in the on-premises hub domain. Firewall rules at your company might prevent connections from systems inside the firewall to the passthru servers. In this case, use a Notes client running on a system connected outside the firewall. Allow a direct connection to the passthru servers, and through them, connect to the servers in the on-premises hub domain.
- The person who runs the tool must have Full Remote Console access to the passthru servers, directory synchronization servers, and mail hub servers. This access is granted through the Full Remote Console Administrators field in each Server document.

Verifying the Internet domain name (Example)

After Bill Ranney tests network connections, he verifies ownership of the Internet domain, renovations.com.

About this task

This step confirms that the service is allowed to use renovations.com for the Internet mail address of users at Renovations.

To verify ownership, Bill creates a CNAME record for renovations.com through the domain hosting service that the company uses. A CNAME record is a type of resource record for a domain. The fact that Bill can access DNS settings to create a CNAME record for renovations.com is what proves ownership of the domain to the service.

To verify domain ownership, Bill follows instructions in the topic "Verifying Internet domain names in a hybrid environment." When he clicks Verify Ownership in the Internet Domain Verification window, he is given the following information just for his company to use to add to a new CNAME record:
- The unique key, domino-3ktteaarn-rules
- The domain to point to, collabserv.com

He clicks Begin Verification and then creates the CNAME record on the hosting service with the required information. To verify ownership, the LotusLive Notes service connects to domino-3ktteaarn-rules.renovations.com.

The following information about this task is important to remember.

- The list of domain names to be verified that is shown in the Internet Domain Verification window is derived from on-premises Global Domain documents. These documents replicate to the service during directory synchronization.
- The key that is provided in the Internet Domain Verification window must exactly match the key used to create the CNAME record. If there is a mismatch, domain verification fails.
- The service can take up to 48 hours to verify ownership, but it usually takes less time.

Testing network connections (Example)

After Bill Ranney runs the Domain Configuration tool, he waits for directory synchronization to complete, and then tests network connections between on-premises servers and the service.

About this task

To test network connections, Bill first performs the task described in "Checking network connections from the service to on-premises servers." After doing so, he sees the following pair of messages listed for the server Dirhub1/Renovations and for the server Mailhub1/Renovations. These messages indicate that the service can connect to the on-premises servers.
- "Successfully accessed mail.box"
- "Successfully accessed Domino Directory"

Next, Bill performs the task, "Checking network connections from on-premises servers to the service." He tests that the on-premises mail hub server Mailhub1/Renovations can connect to the service mail server Mail1/SCN/Renovations. To do so, he enters the command trace Mail1/SCN/Renovations from the Domino server console of the Mailhub1/Renovations server. He sees the message Connected to server Mail1/SCN/Renovations in the output, which indicates a successful connection.

When using the trace command, Bill ignores the message Error connecting to server_name: Server error: You are not authorized to use the server. This message indicates only that an attempt to connect anonymously failed. Anonymous connections are not allowed, so this is expected behavior.

The following information about this task is important to remember.
- The on-premises directory synchronization servers and mail hub servers in the on-premises hub domain must be running.

Issuing a Vault Trust Certificate (Example)

Bill Ranney issues a Vault Trust Certificate to the ID vault in the service. The Vault Trust Certificate establishes that the vault is trusted to store user IDs that are certified under the certifier that issues the certificate.

About this task

All the service users at Renovations are certified under the /Renovations certifier, so just one Vault Trust Certificate is required, issued from /Renovations. Bill follows the steps described in Issuing a Vault Trust Certificate. From an on-premises Domino Administrator client, he issues a Vault Trust Certificate in the Domino Directory of the Renovations domain. He sees the vault document /IDVault_ for Renovations in the Configuration > Security > ID Vaults view of the Domino Directory. He issues the trust certificate from the certifier /Renovations to /IDVault_

The following information about this task is important to remember.
- After the Vault Trust Certificate is created, it replicates to the service during directory synchronization.

Example illustrations

The following topics provide pictures to illustrate the operation of the service at Renovations with single-domain integration.

Directory synchronization at Renovations

This picture illustrates directory synchronization of the Renovations domain Domino Directory.

The directory synchronization servers in the service regularly perform a pull and push replication operation. The servers pull changes from the Renovations Domino Directory on the on-premises directory synchronization server, Dirhub1/Renovations. They push directory changes from the service to Dirhub1/Renovations. The directory synchronization servers in the service connect to Dirhub1/Renovations through a passthru server in the SCNPassthru domain. The Dirhub1/Renovations server performs two-way replication of the Renovations Domino directory with the other on-premises servers. Directory synchronization servers and mail servers in the service also replicate directory changes.

Service user sending Notes mail to an on-premises user

This picture illustrates how Notes mail is routed from a service user to an on-premises user at Renovations.

1. The client of the service user connects to the service user's mail server, Mail1/SCN/Renovations, to send the message. The client connects through the service proxy, notes.na.collabserv.com.
2. The Mail1/SCN/Renovations server routes the message to a mail hub server in the service.
3. The mail hub server routes the message to the on-premises mail hub server, Mailhub1/Renovations. The server connects through a server in the SCNPassthru domain.
4. Mailhub1/Renovations routes the message to Mail2/Renovations, the mail server of the on-premises user.
5. The client of the on-premises user connects to Mail2/Renovations to open the message.
The service scrubs viruses from the outbound messages.

On-premises user sending Notes mail to a service user

This picture illustrates how Notes mail is routed from an on-premises user to a service user at Renovations.

1. The client of the on-premises user connects to the on-premises mail server, Mail2/Renovations, to send the message.
2. Mail2/Renovations routes the message to the on-premises mail hub server, Mailhub1/Renovations.
3. Mailhub1/Renovations routes the message to a mail hub server in the service. The server connects through the service proxy, notes.na.collabserv.com.
4. The mail hub server in the service routes the message to the service user's mail server, Mail1/SCN/Renovations.
5. The client of the service user connects to Mail1/SCN/Renovations to open the message. The client connects through the service proxy, notes.na.collabserv.com.
The service scrubs viruses from the inbound messages.

Service user receiving Internet mail

This picture illustrates how Internet mail is routed to a service user at Renovations.
1. A client on the Internet addresses mail to the service user at renovations.com. The mail is sent to the on-premises SMTP router on Mailhub1/Renovations, which is configured to route incoming mail for users in the renovations.com domain.
2. Mailhub1/Renovations routes the message to a mail hub server in the service. Mailhub1/Renovations connects to the hub server through the service proxy, notes.na.collabserv.com. An SMTP server in the on-premises DMZ performs mail hygiene on the message beforehand.
3. The mail hub server routes the message to Mail1/SCN/Renovations, the service user's mail server.
4. The service user client connects to Mail1/SCN/Renovations to open the message. The client connects to the server through the service proxy, notes.na.collabserv.com.

Service user sending Internet mail

This picture illustrates how Internet mail is routed from a service user at Renovations. The service manages the routing; a company-controlled SMTP host is not used in this example.

1. The client of the service user sends the mail to the service user's mail server, Mail1/SCN/Renovations. The client connects to the server through the service proxy, notes.na.collabserv.com.
2. Mail1/SCN/Renovations sends the mail to the mail hygiene servers in the service for virus checking.
3. The SMTP server routes the mail to the mail hygiene servers.
4. The mail hygiene servers route the mail to the Internet.

Service user requesting the free time of an on-premises user

This picture illustrates a service user at Renovations requesting the free time of an on-premises user.

1. The client of the service user sends a free-time request to the service user's mail server, Mail1/SCN/Renovations. The client connects to the server through the service proxy, notes.na.collabserv.com.
2. Mail1/SCN/Renovations sends the free-time request to the on-premises mail hub server, Mailhub1/Renovations. It connects to Mailhub1/Renovations through a passthru server in the SCNPassthru domain.
3. Mailhub1/Renovations sends the free-time request to Mail2/Renovations, the mail server of the on-premises user.
4. Mail2/Renovations looks up the free time of the on-premises user in its Free Time database and returns the free time to Mailhub1/Renovations.
5. Mailhub1/Renovations returns the free time to Mail1/SCN/Renovations.
6. Mail1/SCN/Renovations returns the free time of the on-premises user to the client of the service user.

On-premises user requesting free time of a service user

This picture illustrates an on-premises user at Renovations requesting the free time of a service user.

1. The client of the on-premises user sends a free-time request to Mail2/Renovations, the on-premises user's mail server.
2. Mail2/Renovations sends the free-time request to Mail1/SCN/Renovations, the service user's mail server. Mail2/Renovations connects to Mail1/SCN/Renovations through the service proxy, notes.na.collabserv.com.
3. Mail1/SCN/Renovations looks up the free time of the service user in its Free Time database and returns the free time to Mail2/Renovations.
4. Mail2/Renovations returns the free time to the client of the on-premises user.

Service user requesting the free time of a resource

This picture illustrates a service user requesting the free time of a resource at Renovations.

1. The client of the service user sends a request for the free time of the resource to the service user's mail server, Mail1/SCN/Renovations. The client connects to Mail1/SCN/Renovations through the service proxy, notes.na.collabserv.com.
2. Mail1/SCN/Renovations sends the free-time request to Mailhub1/Renovations, the on-premises mail hub server. It connects to Mailhub1/Renovations through a server in the SCNPassthru domain.
3. Mailhub1/Renovations looks up the free time for the resource in its local Resource Reservations database and returns the free time to Mail1/SCN/Renovations.
4. Mail1/SCN/Renovations returns the free time for the resource to the client of the service user.

Service user reserving a resource

This picture illustrates a service user reserving a resource.

1. The client of the service user sends the resource reservation to the service user's mail server, Mail1/SCN/Renovations. The client connects to the server through the service proxy, notes.na.collabserv.com.
2. Mail1/SCN/Renovations mails the reservation to a mail hub server in the service.
3. The mail hub server mails the reservation to the Mail-in Resource document for the resource on Mailhub1/Renovations, the on-premises mail hub server. The mail hub server connects to Mailhub1/Renovations through a server in the SCNPassthru domain.
4. Mailhub1/Renovations creates the reservation in its local Resource Reservations database.


IBM Systems Director for Windows Planning, Installation, and Configuration Guide IBM Systems Director IBM Systems Director for Windows Planning, Installation, and Configuration Guide Version 6.2.1 GI11-8711-06 IBM Systems Director IBM Systems Director for Windows Planning, Installation,

More information

IBM Tivoli Monitoring for Messaging and Collaboration: Lotus Domino. User s Guide. Version SC

IBM Tivoli Monitoring for Messaging and Collaboration: Lotus Domino. User s Guide. Version SC IBM Tioli Monitoring for Messaging and Collaboration: Lotus Domino User s Guide Version 5.1.0 SC32-0841-00 IBM Tioli Monitoring for Messaging and Collaboration: Lotus Domino User s Guide Version 5.1.0

More information

IBM Spectrum Control Version User's Guide IBM SC

IBM Spectrum Control Version User's Guide IBM SC IBM Spectrum Control Version 5.2.9 User's Guide IBM SC27-6588-01 Note: Before using this information and the product it supports, read the information in Notices on page 359. This edition applies to ersion

More information

IBM Tivoli Monitoring for Business Integration. User s Guide. Version SC

IBM Tivoli Monitoring for Business Integration. User s Guide. Version SC IBM Tioli Monitoring for Business Integration User s Guide Version 5.1.1 SC32-1403-00 IBM Tioli Monitoring for Business Integration User s Guide Version 5.1.1 SC32-1403-00 Note Before using this information

More information

IBM. RSE for z/os User's Guide. IBM Explorer for z/os. Version 3 Release 1 SC

IBM. RSE for z/os User's Guide. IBM Explorer for z/os. Version 3 Release 1 SC IBM Explorer for z/os IBM RSE for z/os User's Guide Version 3 Release 1 SC27-8433-03 IBM Explorer for z/os IBM RSE for z/os User's Guide Version 3 Release 1 SC27-8433-03 Note Before using this information,

More information

IBM Security Access Manager Version Appliance administration topics

IBM Security Access Manager Version Appliance administration topics IBM Security Access Manager Version 8.0.0.5 Appliance administration topics IBM Security Access Manager Version 8.0.0.5 Appliance administration topics ii IBM Security Access Manager Version 8.0.0.5:

More information

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager Setting Up Resources in VMware Identity Manager (SaaS) You can find the most up-to-date technical documentation

More information

IBM EXAM - C IBM SmartCloud Notes Hybrid Config & Onboard Data Transfer. Buy Full Product.

IBM EXAM - C IBM SmartCloud Notes Hybrid Config & Onboard Data Transfer. Buy Full Product. IBM EXAM - C2040-958 IBM SmartCloud Notes Hybrid Config & Onboard Data Transfer Buy Full Product http://www.examskey.com/c2040-958.html Examskey IBM C2040-958 exam demo product is here for you to test

More information

Vision deliver a fast, easy to deploy and operate, economical solution that can provide high availability solution for exchange server

Vision deliver a fast, easy to deploy and operate, economical solution that can provide high availability solution for exchange server Exchange server 2010 Interview Questions High Availability Filed under: Exchange Server 2010 exchange2k10 @ 5:04 pm 1. What are the vision and Goals of Exchange Server 2010 high availability? Vision deliver

More information

IBM Geographically Dispersed Resiliency for Power Systems. Version Deployment Guide IBM

IBM Geographically Dispersed Resiliency for Power Systems. Version Deployment Guide IBM IBM Geographically Dispersed Resiliency for Power Systems Version 1.2.0.0 Deployment Guide IBM IBM Geographically Dispersed Resiliency for Power Systems Version 1.2.0.0 Deployment Guide IBM Note Before

More information

Welcome. Today s Web Cast Topic: Notes and Domino 8.5 and Update

Welcome. Today s Web Cast Topic: Notes and Domino 8.5 and Update Aktion Associates Inc. Welcome Today s Web Cast Topic: Notes and Domino 8.5 and 8.5.1 Update Aktion Associates Inc. Established in 1979 IBM Premier Business Partner Over 1600 customers in OH, MI, IN, KY

More information

Tivoli Business Systems Manager

Tivoli Business Systems Manager Tioli Business Systems Manager Version 3.1 Introducing the Consoles SC32-9086-00 Tioli Business Systems Manager Version 3.1 Introducing the Consoles SC32-9086-00 Note Before using this information and

More information

IBM Features on Demand. User's Guide

IBM Features on Demand. User's Guide IBM Features on Demand User's Guide IBM Features on Demand User's Guide Note: Before using this information and the product it supports, read the general information in Appendix B, Notices, on page 39.

More information

IBM Initiate Web Reports. User's Guide. Version9Release7 SC

IBM Initiate Web Reports. User's Guide. Version9Release7 SC IBM Initiate Web Reports User's Guide Version9Release7 SC19-3142-04 IBM Initiate Web Reports User's Guide Version9Release7 SC19-3142-04 Note Before using this information and the product that it supports,

More information

Core Protection Module 10.6 SP2 Administrator s Guide

Core Protection Module 10.6 SP2 Administrator s Guide IBM Endpoint Manager Core Protection Module 10.6 SP2 Administrator s Guide Version 9.1 IBM Endpoint Manager Core Protection Module 10.6 SP2 Administrator s Guide Version 9.1 Note Before using this information

More information