SETTING UP A HYBRID DOMINO ENVIRONMENT TO EASE YOUR WAY TO THE CLOUD


Gabriella Davis - gabriella@turtlepartnership.com
IBM Lifetime Champion for Social Business, The Turtle Partnership

WHO AM I?
Admin of all things and especially quite complicated things, where the fun is
Working with security, healthchecks, single sign on, design and deployment of IBM technologies and things that they talk to
Stubborn and relentless problem solver
Lives in London about half of the time
gabriella@turtlepartnership.com twitter: gabturtle
Awarded the first IBM Lifetime Achievement Award for Collaboration Solutions

THE GOAL
All users continue working together regardless of whether they are assigned to on premises or cloud servers
Applications hosted on on premises servers can be accessed by any user
Administration continues to be handled by corporate Domino administrators
All users have access to Notes, Verse, Traveler, Connections, Sametime

HYBRID RULES
You continue to create, manage and secure your own users and servers; IBM has no rights or access to change that
IBM creates, manages and secures its own servers; you have no rights to the IBM servers
You create your own SmartCloud users; IBM provisions your users into SmartCloud on request
You and IBM jointly manage your provisioned users, with IBM managing the server and mail file aspects and you managing everything else

ARCHITECTURE

HYBRID SERVER ROLES
Hybrid servers are the bridges between the IBM owned and hosted SmartCloud servers and your own hosted and managed on premises servers
The IBM servers need to route mail from your SmartCloud users to your on premises users
Your on premises users need to look up free/busy time information for your SmartCloud users
Everyone needs to use the same directory

DIRECTORY SERVER
Directory Server - synchronises directories into the SmartCloud
Multiple directories from multiple Domino domains can be synchronised
Directories can be used to provision users or purely for lookups
There can be up to two Directory servers in a failover (not clustered) configuration
Multiple servers must use identical file names / paths for directories

HUB SERVER
Hub servers are used for routing mail, primarily between on premises Notes users and SmartCloud Notes users
Envision setting up a configuration where you want to route mail to another company running Domino, just that the other company is IBM
Configuration options allow you to set all non-SmartCloud mail to route via your Mail Hub servers (more on that later)
Mail Hub servers should not have any mail files on them
There can be up to two Hub servers in a failover, not clustered, environment

PASSTHRU SERVER
IBM SmartCloud always initiates the connection to your on premises servers
The SmartCloud servers never directly access your on premises primary (mail) domain(s)
Passthru servers ensure that you do not need to open a port from the public side (IBM SmartCloud) to your mail servers on premises
Passthru servers hold no data themselves, but they authenticate requests for server access and route traffic
Passthru server ports can be encrypted so that all traffic routed through them is also encrypted

[Architecture diagram]
CLOUD DOMAIN: Smartcloud Server1, Smartcloud Server2 (assigned servers in IBM Cloud; these are managed for you)
ON PREMISES PASSTHRU DOMAIN: Passthru Server (SmartCloud servers connect to the Mail Hub and Directory Servers via the Passthru)
ON PREMISES TURTLE DOMAIN: Mail Server1, Mail Server2, Mail Hub, Directory Server
Mail Hub Server: all mail between on premises and SmartCloud users routes through this server
Directory Server: synchronising directories (and populating users) in the SmartCloud

PLANNING - PASSTHRU
How many Passthru servers will you have?
Servers are connected to from the SmartCloud; they do not connect to the SmartCloud
They are connected to in a failover, not load balanced, configuration
Only if the first server fails to respond will the second server be tried
Passthru servers are single points of failure for the entire hybrid environment

PLANNING - MAIL ROUTING
Internal users route internally via on premises servers
SmartCloud to on premises routes via Passthru server(s) to the Mail Hub
SmartCloud to extended directory users routes via Passthru to the Mail Hub
On premises to Internet routes out via SMTP on internal network routing
SmartCloud to Internet routes directly out via IBM's cloud servers by default
Customer SMTP routing is an optional alternative

PLANNING - HUB SERVERS
How many Hub servers will you have?
How much on premises to SmartCloud traffic do you expect to be routing?
Servers are connected to via the Passthru servers
Hub servers are routed to in a failover, not load balanced, configuration
Only if the first server fails to respond will the second server be tried
How will outbound mail route?
By default IBM routes outbound mail sent by service users out through its own servers
You can configure your IBM Cloud account to send outbound mail via your Mail Hub instead
You would do this if you want to control all organisational mail, for instance for content scanning, virus scanning and logging

DIRECTORY SYNCHRONISATION
There are two types of directories:
Those that contain users to be provisioned to the SmartCloud service
Those that contain contacts that SmartCloud users might need to address mail to
What directories replicate to SmartCloud?
Directories containing SmartCloud users must be replicated
Directories containing on premises users must be replicated if SmartCloud users are going to schedule meetings / work seamlessly with them
LDAP directories cannot be referenced or used in SmartCloud environments

DOMAINS
The Passthru server should be in its own domain
A domain is separate from an organisational certifier
Servers can be in different domains but have the same certifier
IBM SmartCloud servers must share a root certificate with the on premises servers
No cross certification is available
Having a server in its own domain minimises the risk of exposing internal configuration details and provides a layer of opt-in security

CREATING AN OU CERTIFIER
The SmartCloud servers will be created by the IBM SmartCloud service and named automatically
They will use an OU certifier you create that must be separate from any other used in your organisation
That OU must be a child of your organisational certifier so it shares a trusted root with all other servers
The server certifier used for the SmartCloud servers must be a downstream OU, not a different O
It can't be changed, so if your organisational certifier needs to change at any point you need to consider that
The ID can have a password, but only one
The OU name must be at least 3 characters long

UNIQUENESS
Your organisational certifier will be verified for uniqueness within the SmartCloud service
Your top level certifier name must be unique within SmartCloud
If there's another Turtle out there then I have to use a different certifier for my SmartCloud and Passthru servers
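The certifier rules from the two slides above (a dedicated OU directly under your own O, at least 3 characters, and an O that is unique within the service) are the sort of thing worth checking before you upload the certifier. The following is an added example, not IBM tooling or the presenter's code: it parses abbreviated Notes names of the form CN/OU/O and reports violations. The sets passed in for existing OUs and already-taken O names are constructed stand-ins for the checks the service and your own directory would perform.

```python
"""Check a proposed SmartCloud server name against the certifier rules from
the slides. Added example (not IBM tooling): names are abbreviated Notes
names in CN/OU/O form, and the sets passed in stand in for the checks the
service performs (they are constructed sample data)."""

from dataclasses import dataclass
from typing import List, Set, Tuple

MIN_OU_LEN = 3  # slide: the OU name must be at least 3 characters long


@dataclass(frozen=True)
class NotesName:
    cn: str
    ous: Tuple[str, ...]  # OU components, nearest the CN first
    o: str


def parse_notes_name(name: str) -> NotesName:
    """Parse an abbreviated hierarchical name such as 'TurtleMail1/Cloud/Turtle'."""
    parts = [p.strip() for p in name.split("/")]
    if len(parts) < 2 or any(not p for p in parts):
        raise ValueError(f"not a hierarchical Notes name: {name!r}")
    return NotesName(cn=parts[0], ous=tuple(parts[1:-1]), o=parts[-1])


def check_cloud_certifier(server_name: str, org_certifier: str,
                          existing_ous: Set[str], taken_orgs: Set[str]) -> List[str]:
    """Return the rule violations for server_name (empty list = acceptable).

    org_certifier -- your organisational certifier, e.g. 'Turtle'
    existing_ous  -- OUs already used elsewhere in your organisation
    taken_orgs    -- stand-in for the service's uniqueness check on O names
    """
    problems = []
    n = parse_notes_name(server_name)

    # The cloud servers must share the trusted root: same O, not a different one.
    if n.o != org_certifier:
        problems.append(f"O {n.o!r} is not the organisational certifier {org_certifier!r}")

    # The server certifier must be a downstream OU directly under that O.
    if len(n.ous) != 1:
        problems.append("server certifier must be exactly one OU directly under the O")
    else:
        ou = n.ous[0]
        if len(ou) < MIN_OU_LEN:
            problems.append(f"OU {ou!r} is shorter than {MIN_OU_LEN} characters")
        if ou in existing_ous:
            problems.append(f"OU {ou!r} is already used in your organisation; the cloud OU must be dedicated")

    # The top-level certifier is verified for uniqueness within the service.
    if org_certifier in taken_orgs:
        problems.append(f"O {org_certifier!r} is not unique within the service; use a different certifier")
    return problems


if __name__ == "__main__":
    for name in ("TurtleMail1/Cloud/Turtle", "TurtleMail1/TL/Turtle", "TurtleMail1/Cloud/Other"):
        print(name, "->", check_cloud_certifier(name, "Turtle", {"Sales", "HR"}, set()) or "ok")
```

Because the OU cannot be changed later, running a check like this against the certifier you intend to upload (and against the OUs already in use in your organisation) is cheaper than discovering the problem after the SmartCloud servers have been created.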

BEFORE STARTING

STEP 1: BUILD YOUR PASSTHRU SERVER
Build your Passthru server(s) in its own domain
This is a standard Domino server build where the setup is as first server in a new domain
This will allow us to create a new domain for our Passthru server

STEP 1: BUILD YOUR PASSTHRU SERVER
This is what my Passthru server will be called

STEP 1: BUILD YOUR PASSTHRU SERVER
DO NOT CREATE A NEW CERTIFIER ON THIS PAGE
We must use an existing certifier already created that either is the same as, or shares a trusted root with, our other on premises servers

VERIFYING THE PASSTHRU SERVER
Once the Passthru is created, go to Actions - Edit Directory Profile in its names.nsf and verify that the Domain of your Passthru server is entered correctly
SmartCloud setup will ask for this and verify it

STEP 2: BUILD YOUR HUB SERVERS
Hub servers are Domino servers that should be configured to be inside your mail routing Domino domain
There can be up to two hub servers assigned for use by IBM SmartCloud, and you can add a second one later if you need to
Hub servers should contain nothing but the contents of your Domino directory for routing
No mail files should be on your hub servers
No tasks other than Adminp, Updall, Replica and Router need to be running

STEP 3: BUILD YOUR DIRECTORY SERVERS
Build your Passthru server(s) in its own domain; this is a standard Domino server build
Build your mail hub and directory server(s) within your existing internal domain
Replicate the directories you want to use in the cloud to the directory server(s)
Create the OU certifier to be used by the SmartCloud servers

CONFIGURATION

SETTING UP YOUR HYBRID CONFIGURATION
Order a subscription to IBM's SmartCloud for as many users as you need provisioned into the cloud
Login to https://apps.na.collabserv.com using whatever administrative account you registered the subscription with
Choose Admin then Manage Organization

checkbox for Hybrid Environment, then click on Set Up My Account
Select IBM SmartCloud Notes to set up mail. If it isn't available you probably have the wrong subscription

This is our starting point. We have configured nothing. We can keep coming back to this point to check what needs to be done next

Configuring the Directory Sync Servers (example server: Flores/Turtle)
We can add multiple Domino directories to use
They don't need to be configured as directories on the Directory Sync server
Each directory can have a failover server, but this doesn't use Domino clustering to fail over

Configuring how mail will route: Domino server name of the hub server, on premises Domino Domain

The SmartCloud servers that will be created for you will use this base name + # + OU, e.g. TurtleMail1/TTL/Turtle, TurtleMail2/TTL/Cloud

Configuring the passthru server(s): ptserver.turtlehost.net is the public FQHN for the passthru server; Cloud is the OU I set up to be used by the cloud servers

Upload the dedicated OU certifier and submit its password so SmartCloud can use it

Once all the steps are complete, click on the preconfiguration tool, which downloads an NSF called liveservercheck.nsf

Open liveservercheck.nsf in Domino Administrator (example server: Flores/Turtle). Make sure you can connect to all servers with Admin rights

Once all the tests are successful you can enable the SmartCloud Notes account
Once the account is enabled, the menu item for the Domino Configuration Tool will appear

The Domino Configuration Tool downloads liveserverconfig.nsf, which you should open through Domino Administrator


For each domain in your Global Domain Document a unique key will be created that you must use to create a CNAME DNS entry

Once all the configuration pieces are complete the SmartCloud Notes account can be activated

Once your SmartCloud account is activated these management menu options appear

MANAGEMENT

PROVISIONING USERS
Register users and their IDs in your own domain as you would an on premises user; a temporary, unused mail file is created for the user during registration on the on premises server
The SmartCloud servers connect to your Directory Servers to replicate the directory(ies) you have defined as containing service accounts
You can configure multiple directories to be populated into SmartCloud; specifying "do not provision from this directory" prevents the SmartCloud server creating user accounts from person documents
Once the directories are in place you can provision users into the cloud
A new mail file is created on the SmartCloud servers and their person document updated

All users: users who are synchronised and ready to be provisioned

Search and find a user to provision

Default mail template

Provisioned user

Management options. The ID is automatically uploaded from the on premises ID Vault

REPLICATION OF DIRECTORY
Pull: Person documents (not including mail server and mail file name); Policies (not including organisational policies); Groups; Rooms and Resources
Push: Mail file, server and SaasIdentityID fields in person documents (the last representing the Connections cloud account); specific server groups used by SmartCloud; ID Vault information for the SmartCloud vault

DUPLICATE NAMES
Domino directory takes priority over Extended Catalog
First person entry is the one used
Public key checking won't work
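The pull/push split on the REPLICATION OF DIRECTORY slide and the precedence rule on the DUPLICATE NAMES slide are easier to reason about as code. The following is an added example and not IBM's synchronisation code: it models which side owns which person-document fields (mail server, mail file and SaasIdentityID are pushed from the cloud, everything else is pulled from on premises), drops organisational policies, and resolves duplicate names with the Domino directory ahead of the Extended Catalog and the first entry winning. All person documents, policies and directory lists in it are constructed sample data.

```python
"""Model the directory synchronisation and duplicate-name rules from the
slides. Added example, not IBM's sync code: the person documents, policies
and directory lists below are constructed sample data."""

from typing import Dict, List, Optional

# Fields the cloud owns for a provisioned user; they are pushed back to the
# on-premises person document rather than pulled from it.
CLOUD_OWNED_PERSON_FIELDS = ("MailServer", "MailFile", "SaasIdentityID")


def pull_person(on_prem: Dict[str, str], cloud: Optional[Dict[str, str]]) -> Dict[str, str]:
    """Pull an on-premises person document into the cloud copy.

    Everything comes from on premises except the cloud-owned fields, which keep
    the values the cloud already holds (if the user has been provisioned)."""
    merged = {k: v for k, v in on_prem.items() if k not in CLOUD_OWNED_PERSON_FIELDS}
    if cloud:
        for field in CLOUD_OWNED_PERSON_FIELDS:
            if field in cloud:
                merged[field] = cloud[field]
    return merged


def push_person(cloud: Dict[str, str], on_prem: Dict[str, str]) -> Dict[str, str]:
    """Push the cloud-owned fields back into the on-premises person document,
    e.g. after provisioning created the mail file on a SmartCloud server."""
    updated = dict(on_prem)
    for field in CLOUD_OWNED_PERSON_FIELDS:
        if field in cloud:
            updated[field] = cloud[field]
    return updated


def pull_policies(policies: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Only explicit policies are synchronised; organisational ones are ignored."""
    return [p for p in policies if p.get("PolicyType") != "Organizational"]


def resolve_duplicates(domino_directory: List[Dict[str, str]],
                       extended_catalog: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Pick one entry per name: the Domino directory takes priority over the
    Extended Catalog and, within a directory, the first entry wins. The losing
    entry's public key is never consulted, which is why public key checking
    cannot be relied on for duplicated names."""
    chosen: Dict[str, Dict[str, str]] = {}
    for entry in list(domino_directory) + list(extended_catalog):
        chosen.setdefault(entry["FullName"], entry)
    return chosen


def demo() -> Dict[str, str]:
    """Constructed walk-through: register on premises, provision, push back."""
    registered = {  # as created by on-premises registration (temporary mail file)
        "FullName": "CN=Gab Davis/O=Turtle",
        "InternetAddress": "gab@turtle.example",
        "MailServer": "CN=Mail1/O=Turtle",
        "MailFile": "mail\\gdavis.nsf",
    }
    in_cloud = pull_person(registered, None)  # nothing cloud-owned yet
    in_cloud.update({                         # provisioning creates the cloud mail file
        "MailServer": "CN=TurtleMail1/OU=Cloud/O=Turtle",
        "MailFile": "mail/gdavis.nsf",
        "SaasIdentityID": "constructed-id-0001",
    })
    return push_person(in_cloud, registered)


if __name__ == "__main__":
    print(demo())
```

The practical point of the duplicate rule is that a stale or mistaken entry in the Domino directory silently shadows the correct one in the Extended Catalog, so deduplicating names across the directories you synchronise is worth doing before provisioning rather than after.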

RESERVED GROUPS AND ACL ENTRIES
Directory Synchronisation servers - Manager access including delete rights
Server Group LLNServers - Editor rights with roles [UserModifier] [GroupCreator] [GroupModifier]
LLNMailHubs is reserved for SmartCloud
Certifiers_ or SAAS are group prefixes used by SmartCloud
Server Group SaaSLocalDomainServers - Manager with delete rights
Wildcard naming in group names isn't supported, e.g. */Turtle
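The ACL requirements on the slide above are a checklist that a synchronised directory has to keep satisfying, and a later ACL clean-up that drops delete rights or a role will break synchronisation quietly. The following is an added example, not IBM's preconfiguration tool: it checks a directory ACL against those entries (directory sync servers at Manager with delete rights, LLNServers at Editor with the three roles, SaaSLocalDomainServers at Manager with delete rights) and flags locally created group names that use wildcards or collide with the names and prefixes the service reserves. The ACL and group list in the test are constructed sample data; the access-level and role spellings follow Domino's usual form.

```python
"""Check the directory ACL and group names against the reserved-entry rules on
the slides. Added example (not IBM's preconfiguration tool); the ACL passed in
is constructed sample data and level/role names follow Domino's spelling."""

from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

ACCESS_LEVELS = ("No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager")

# Names and prefixes the service uses; do not create your own groups with these.
RESERVED_GROUP_NAMES = frozenset({"LLNServers", "LLNMailHubs", "SaaSLocalDomainServers"})
RESERVED_GROUP_PREFIXES = ("Certifiers_", "SAAS")


@dataclass(frozen=True)
class AclEntry:
    name: str
    level: str
    can_delete: bool = False
    roles: FrozenSet[str] = frozenset()


# name -> (minimum level, delete rights required, roles required)
REQUIRED = {
    "LLNServers": ("Editor", False,
                   frozenset({"[UserModifier]", "[GroupCreator]", "[GroupModifier]"})),
    "SaaSLocalDomainServers": ("Manager", True, frozenset()),
}


def _rank(level: str) -> int:
    return ACCESS_LEVELS.index(level)


def _check_entry(entry: AclEntry, min_level: str, need_delete: bool,
                 roles: FrozenSet[str]) -> List[str]:
    out = []
    if _rank(entry.level) < _rank(min_level):
        out.append(f"{entry.name}: has {entry.level}, needs at least {min_level}")
    if need_delete and not entry.can_delete:
        out.append(f"{entry.name}: needs delete documents rights")
    missing = roles - entry.roles
    if missing:
        out.append(f"{entry.name}: missing roles {sorted(missing)}")
    return out


def check_directory_acl(acl: Iterable[AclEntry], dirsync_servers: Iterable[str]) -> List[str]:
    """Return the ACL problems for a directory that will be synchronised."""
    by_name = {e.name: e for e in acl}
    required = dict(REQUIRED)
    for server in dirsync_servers:  # Directory Synchronisation servers: Manager + delete
        required[server] = ("Manager", True, frozenset())
    problems = []
    for name, (level, need_delete, roles) in required.items():
        entry = by_name.get(name)
        if entry is None:
            problems.append(f"{name}: no ACL entry")
            continue
        problems.extend(_check_entry(entry, level, need_delete, roles))
    return problems


def check_group_names(local_groups: Iterable[str]) -> List[str]:
    """Flag wildcard names and locally created groups that collide with names
    reserved for SmartCloud."""
    problems = []
    for g in local_groups:
        if "*" in g:
            problems.append(f"{g}: wildcard naming in group names is not supported")
        elif g in RESERVED_GROUP_NAMES or g.startswith(RESERVED_GROUP_PREFIXES):
            problems.append(f"{g}: name reserved for SmartCloud")
    return problems
```

Run `check_directory_acl` with the list of your directory sync servers and `check_group_names` with only the groups you created yourself; the groups the service creates with the reserved names are expected to be present.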

POLICIES
On premises Domino administrators can use policies to manage both on premises and SmartCloud users
Policies in a synchronised directory are applied to SmartCloud users
Only explicit policies are recognised; organisational ones are ignored
Policy names should be unique across all directories

CUSTOMISATION

OPTIONS FOR NOTES SMARTCLOUD

EMAIL MANAGEMENT

EMAIL FILTERS

IMAP

JOURNALING

INTEGRATION SERVER / FTP
Used to download logs and journaling via a SmartCloud FTP account
Create a new administration user account or use an existing one
Send an email to support@collabserv.com asking for Integration Server rights to be set up, and for which accounts
https://www.ibm.com/support/knowledgecenter/en/ssps94/hybrid/topics/llis_enablingllis_t.html#llis_enablingllis_t
This may not work, in which case secure HTTP is available

MAIL TEMPLATES
Selecting mail templates
Uploading custom templates
Field extensions: forms9_x.ntf

INSTANT MESSAGING

INBOUND MAIL ROUTING

NAME FINDER

SECURITY

ON PREMISES OPEN PORTS
Inbound:
NRPC 1352 for access to the Passthru servers
NRPC 1352 for service users to access on premises server applications (via VPN or public via Passthru)
SMTP (25) if you have configured SmartCloud to route all outbound mail via on premises servers
Outbound:
NRPC 1352 for Notes clients to access SmartCloud servers
HTTPS 443 for Traveler, Connections
Instant Messaging 1533
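The port list above depends on choices made earlier in the deck (whether SmartCloud routes outbound mail via your Mail Hub, and which services you use), so the rule set worth having is the one derived from those choices, and anything open beyond it is exposure with no hybrid purpose. The following is an added example, not from IBM documentation: it derives the required inbound and outbound rules from those choices and audits an observed set of open ports against them. The observed port sets in the test are constructed sample data.

```python
"""Derive the firewall rules the slides list for a hybrid deployment and audit
an observed port set against them. Added example, not from IBM documentation;
the observed ports passed in are constructed sample data."""

from dataclasses import dataclass
from typing import Dict, List, Set

NRPC, SMTP, HTTPS, SAMETIME = 1352, 25, 443, 1533


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" (SmartCloud to on premises) or "outbound"
    port: int
    purpose: str


def required_rules(outbound_mail_via_on_prem: bool,
                   uses_traveler_or_connections: bool,
                   uses_sametime: bool) -> List[Rule]:
    """The rules from the slide, conditional on the deployment choices."""
    rules = [
        Rule("inbound", NRPC, "SmartCloud to the Passthru servers"),
        Rule("inbound", NRPC, "service users to on premises applications (VPN or via Passthru)"),
        Rule("outbound", NRPC, "Notes clients to the SmartCloud servers"),
    ]
    if outbound_mail_via_on_prem:
        rules.append(Rule("inbound", SMTP, "SmartCloud routing all outbound mail via on premises"))
    if uses_traveler_or_connections:
        rules.append(Rule("outbound", HTTPS, "Traveler, Connections"))
    if uses_sametime:
        rules.append(Rule("outbound", SAMETIME, "Instant Messaging"))
    return rules


def audit_ports(rules: List[Rule], observed: Dict[str, Set[int]]) -> Dict[str, Dict[str, Set[int]]]:
    """Compare observed open ports per direction with the required set.

    'unexpected' ports are open without a hybrid purpose (exposure to review);
    'missing' ports will break a hybrid function."""
    report = {}
    for direction in ("inbound", "outbound"):
        needed = {r.port for r in rules if r.direction == direction}
        seen = observed.get(direction, set())
        report[direction] = {"unexpected": seen - needed, "missing": needed - seen}
    return report


if __name__ == "__main__":
    rules = required_rules(outbound_mail_via_on_prem=False,
                           uses_traveler_or_connections=True, uses_sametime=True)
    for r in rules:
        print(f"{r.direction:8} {r.port:5} {r.purpose}")
    print(audit_ports(rules, {"inbound": {1352, 25}, "outbound": {1352, 443}}))
```

A typical finding from the audit is SMTP 25 open inbound on the Passthru side when outbound mail was left routing through IBM's servers: the slide only calls for it when you have chosen customer SMTP routing.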

SUPPORTED LOGINS
Notes ID - Notes client access
SmartCloud Service Account - iNotes, Verse, Traveler, Sametime
Federated SAML Login - iNotes, Verse, Traveler for Android only
Application Passwords - Traveler, Sametime

USER LOGINS
ID Vault
Syncing ID passwords when service passwords are changed
Password settings can be controlled by a security policy that applies to SmartCloud assigned users

PASSWORD MANAGEMENT

FEDERATED LOGINS
SmartCloud Notes supports SAML federation
You must configure SAML in your on premises environment first, then contact customer services to provide them the information for the SmartCloud servers
If SAML is enabled then service login passwords are no longer used and application passwords must be used instead

APPLICATION PASSWORDS
Application passwords vs service passwords
Application passwords are 16 characters long and generated automatically on user request; they are shown to the user once; users can generate new ones or disable the existing one
Restricting access to the service to an IP range will most likely prevent Traveler or mobile applications from working and requires an application password
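The lifecycle the slide describes (generated on request, 16 characters, shown once, replaceable, can be disabled) is the same one you would want from any application-password store, and it is worth seeing why "shown once" is the natural consequence of never keeping the cleartext. The following is an added example, not the service's implementation and not a statement about how IBM stores these: it issues an alphanumeric 16-character password (the alphabet is an assumption of this example), keeps only a salted PBKDF2 hash, verifies in constant time, and supports replacing or disabling the current password.

```python
"""Issue, verify and disable application passwords following the behaviour
described on the slides: 16 characters, generated on request, shown once,
replaceable, and able to be disabled. Added example; storing only a salted
hash and the alphanumeric alphabet are design choices of this example, not a
description of the service."""

import hashlib
import hmac
import secrets
import string
from typing import Dict

APP_PASSWORD_LENGTH = 16                           # from the slide
ALPHABET = string.ascii_letters + string.digits    # assumption: alphanumeric
PBKDF2_ROUNDS = 100_000


def generate_app_password() -> str:
    """A fresh random password from a CSPRNG; never derived from the user's service password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(APP_PASSWORD_LENGTH))


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AppPasswordStore:
    """One application password per user, verified without storing the cleartext."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def issue(self, user: str) -> str:
        """Generate a new password, replacing any existing one. The cleartext is
        returned exactly once to be shown to the user and is not kept."""
        password = generate_app_password()
        salt = secrets.token_bytes(16)
        self._records[user] = {"salt": salt, "hash": _hash(password, salt), "enabled": True}
        return password

    def disable(self, user: str) -> None:
        """The user disables the existing password; verification then fails."""
        if user in self._records:
            self._records[user]["enabled"] = False

    def verify(self, user: str, candidate: str) -> bool:
        rec = self._records.get(user)
        if rec is None or not rec["enabled"]:
            return False
        # constant-time comparison of the derived hashes
        return hmac.compare_digest(_hash(candidate, rec["salt"]), rec["hash"])


if __name__ == "__main__":
    store = AppPasswordStore()
    shown_once = store.issue("gab")
    print("issued:", shown_once, "verifies:", store.verify("gab", shown_once))
    store.disable("gab")
    print("after disable:", store.verify("gab", shown_once))
```

Because the store holds only a hash, a user who loses the cleartext has to generate a new one, which is exactly the "shown once, generate new ones or disable" behaviour the slide describes; with SAML enabled this is the only password Traveler and Sametime clients will use, so the disable path is the one to exercise when a device is lost.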

SUMMARY
Hybrid Cloud does not require you to make any changes to your existing on premises servers or users
You add a new layer of passthru, directory and routing servers specifically to talk to the SmartCloud servers
You can still register your users and have policies that apply to them
You can move as many or as few users onto SmartCloud servers as you want
Your on premises users should not be able to tell if someone is being managed by a SmartCloud server or an on premises server, and vice versa
You can continue to manage all mail routing through your on premises servers if you wish
Hybrid gives you the ability to evaluate SmartCloud as a solution for your mail users whilst retaining your on premises servers for applications

QUESTIONS?
Gab Davis gabriella@turtlepartnership.com http://turtleblog.info twitter: gabturtle skype: gabrielladavis