SETTING UP A HYBRID DOMINO ENVIRONMENT TO EASE YOUR WAY TO THE CLOUD
Gabriella Davis - gabriella@turtlepartnership.com
IBM Lifetime Champion for Social Business
The Turtle Partnership
WHO AM I?
- Admin of all things and especially quite complicated things where the fun is
- Working with security, healthchecks, single sign on, design and deployment of IBM technologies and things that they talk to
- Stubborn and relentless problem solver
- Lives in London about half of the time
- gabriella@turtlepartnership.com
- twitter: gabturtle
- Awarded the first IBM Lifetime Achievement Award for Collaboration Solutions
THE GOAL
- All users continue working together regardless of whether they are assigned to on premises or cloud servers
- Applications hosted on on premises servers can be accessed by any user
- Administration continues to be handled by corporate Domino administrators
- All users have access to Notes, Verse, Traveler, Connections, Sametime
HYBRID RULES
- You continue to create, manage and secure your own users and servers; IBM has no rights or access to change that
- IBM creates, manages and secures its own servers; you have no rights to the IBM servers
- You create your own SmartCloud users; IBM provisions your users into SmartCloud on request
- You and IBM jointly manage your provisioned users, with IBM managing the server and mail file aspects and you managing everything else
ARCHITECTURE
HYBRID SERVER ROLES
- Hybrid servers are the bridges between the IBM owned and hosted SmartCloud servers and your own hosted and managed on premises servers
- The IBM servers need to route mail from your SmartCloud users to your on premises users
- Your on premises users need to look up free/busy time information for your SmartCloud users
- Everyone needs to use the same directory
DIRECTORY SERVER
- Directory Server - synchronises directories into the SmartCloud
- Multiple directories from multiple Domino domains can be synchronised
- Directories can be used to provision users or purely for lookups
- There can be up to two Directory servers in a failover (not clustered) configuration
- Multiple servers must use identical file names / paths for directories
HUB SERVER
- Hub servers are used primarily for routing mail between on premises Notes users and SmartCloud Notes users
- Envision setting up a configuration where you want to route mail to another company running Domino, just that the other company is IBM
- Configuration options allow you to set all non SmartCloud mail to route via your Mail hub servers (more on that later)
- Mail hub servers should not have any mail files on them
- There can be up to two Hub servers in a failover, not clustered, environment
PASSTHRU SERVER
- IBM SmartCloud always initiates the connection to your on premises servers
- The SmartCloud servers never directly access your on premises primary (mail) domain(s)
- Passthru servers ensure that you do not need to open a port from the public side (IBM SmartCloud) to your mail servers on premises
- Passthru servers hold no data themselves, but they authenticate requests for server access and route traffic
- Passthru server ports can be encrypted so that all traffic routed through them is also encrypted
Architecture diagram:
- CLOUD DOMAIN: SmartCloud Server1, SmartCloud Server2 (assigned servers in IBM Cloud; these are managed for you)
- ON PREMISES PASSTHRU DOMAIN: Passthru Server
- ON PREMISES TURTLE DOMAIN: Mail Server1, Mail Server2, Mail Hub, Directory Server
- SmartCloud servers connect to the Mail Hub and Directory Servers via the Passthru
- Mail Hub Server: all mail between on premises and SmartCloud users routes through this server
- Directory Server: synchronising directories (and populating users) in the SmartCloud
PLANNING - PASSTHRU
- How many Passthru servers will you have?
- Servers are connected to from the SmartCloud; they do not connect to the SmartCloud
- They are connected to in a failover, not load balanced, configuration: only if the first server fails to respond will the second server be tried
- Passthru servers are single points of failure for the entire hybrid environment
PLANNING - MAIL ROUTING
- Internal users route internally via on premises servers
- SmartCloud to on premises routes via Passthru server(s) to Mail Hub
- SmartCloud to extended directory users routes via Passthru to Mail Hub
- On premises to Internet routes out via SMTP on internal network routing
- SmartCloud to Internet routes directly out via IBM's cloud servers by default; customer SMTP routing is an optional alternative
PLANNING - HUB SERVERS
- How many Hub servers will you have? How much on premises to SmartCloud traffic do you expect to be routing?
- Servers are connected to via the Passthru servers
- Hub servers are routed to in a failover, not load balanced, configuration: only if the first server fails to respond will the second server be tried
- How will outbound mail route? By default IBM routes outbound mail sent by service users out through its own servers
- You can configure your IBM Cloud account to send outbound mail via your Mail Hub instead; you would do this if you want to control all organisational mail, for instance for content scanning, virus scanning and logging
DIRECTORY SYNCHRONISATION
- There are two types of directories: those that contain users to be provisioned to the SmartCloud service, and those that contain contacts that SmartCloud users might need to address mail to
- What directories replicate to SmartCloud?
- Directories containing SmartCloud users must be replicated
- Directories containing on premises users must be replicated if SmartCloud users are going to schedule meetings / work seamlessly with them
- LDAP directories cannot be referenced or used in SmartCloud environments
DOMAINS
- The Passthru server should be in its own domain
- A domain is separate from an organisational certifier: servers can be in different domains but have the same certifier
- IBM SmartCloud servers must share a root certificate with the on premises servers; no cross certification is available
- Having a server in its own domain minimises the risk of exposing internal configuration details and provides a layer of opt in security
CREATING AN OU CERTIFIER
- The SmartCloud servers will be created by the IBM SmartCloud service and named automatically
- They will use an OU certifier you create that must be separate from any other used in your organisation
- That OU must be a child of your organisational certifier so it shares a trusted root with all other servers
- The server certifier used for the SmartCloud server must be a downstream OU, not a different O
- It can't be changed, so if your organisational certifier needs to change at any point you need to consider that
- The ID can have a password, but only one
- The OU name must be at least 3 characters long
UNIQUENESS
- Your organisational certifier will be verified for uniqueness within the SmartCloud service
- Your top level certifier name must be unique within SmartCloud
- If there's another Turtle out there then I have to use a different certifier for my SmartCloud and Passthru servers
BEFORE STARTING
STEP 1: BUILD YOUR PASSTHRU SERVER
- Build your Passthru server(s) in its own domain
- This is a standard Domino server build where the setup is as first server in a new domain
- This will allow us to create a new domain for our Passthru server
STEP 1: BUILD YOUR PASSTHRU SERVER
- This is what my Passthru server will be called
STEP 1: BUILD YOUR PASSTHRU SERVER
- DO NOT CREATE A NEW CERTIFIER ON THIS PAGE
- We must use an existing certifier already created that either is the same as, or shares a trusted root with, our other on premises servers
VERIFYING THE PASSTHRU SERVER
- Once the Passthru is created, go to Actions - Edit Directory Profile in its names.nsf and verify that the Domain of your Passthru server is entered correctly
- SmartCloud setup will ask for this and verify it
STEP 2: BUILD YOUR HUB SERVERS
- Hub servers are Domino servers that should be configured to be inside your mail routing Domino domain
- There can be up to two hub servers assigned for use by IBM SmartCloud, and you can add a second one later if you need to
- Hub servers should contain nothing but the contents of your Domino directory for routing; no mail files should be on your hub servers
- No tasks except Adminp, Updall, Replica and Router need to be running
STEP 3: BUILD YOUR DIRECTORY SERVERS
- Build your Passthru server(s) in its own domain; this is a standard Domino server build
- Build your mail hub and directory server(s) within your existing internal domain
- Replicate the directories you want to use in the cloud to the directory server(s)
- Create the OU certifier to be used by the SmartCloud servers
CONFIGURATION
SETTING UP YOUR HYBRID CONFIGURATION
- Order a subscription to IBM's SmartCloud for as many users as you need provisioned into the cloud
- Log in to https://apps.na.collabserv.com using whatever administrative account you registered the subscription with
- Choose Admin, then Manage Organization
- Checkbox for Hybrid Environment
- Then click on Set Up My Account
- Select IBM SmartCloud Notes to set up mail. If it isn't available you probably have the wrong subscription
- This is our starting point. We have configured nothing. We can keep coming back to this point to check what needs to be done next
Configuring the Directory Sync Servers
- Flores/Turtle
- We can add multiple Domino directories to use
- They don't need to be configured as directories on the Directory sync server
- Each directory can have a failover server, but this doesn't use Domino clustering to fail over
Configuring how mail will route
- Domino server name of hub server
- On Premise Domino Domain
- The SmartCloud servers that will be created for you will use this base name + # + OU, e.g. TurtleMail1/TTL/Turtle, TurtleMail2/TTL/Cloud
Configuring the passthru server(s)
- ptserver.turtlehost.net: public FQHN for the passthru server
- Cloud is the OU I set up to be used by the cloud servers
- Upload the dedicated OU certifier and submit its password so SmartCloud can use it
- Once all the steps are complete, click on the preconfiguration tool, which downloads an NSF called liveservercheck.nsf
- Flores/Turtle
- Open liveservercheck.nsf in Domino Administrator. Make sure you can connect to all servers with Admin rights
- Once all the tests are successful you can enable the SmartCloud Notes account
- Once the account is enabled, the menu item for the Domino Configuration Tool will appear
- The Domino Configuration Tool downloads liveserverconfig.nsf, which you should open through Domino Administrator
- For each domain in your Global Domain Document a unique key will be created that you must use to create a CNAME DNS entry
- Once all the configuration pieces are complete the SmartCloud Notes account can be activated
- Once your SmartCloud account is activated these management menu options appear
MANAGEMENT
PROVISIONING USERS
- Register users and their IDs in your own domain as you would an on premises user; a temporary, unused mail file is created for the user during registration on the on premises server
- The SmartCloud servers connect to your Directory Servers to replicate the directory(ies) you have defined as containing service accounts
- You can configure multiple directories to be populated into SmartCloud; specifying "do not provision from this directory" prevents the SmartCloud server creating user accounts from Person documents
- Once the directories are in place you can provision users into the cloud; a new mail file is created on the SmartCloud servers and their Person document updated
- All users
- Users who are synchronised and ready to be provisioned
- Search and find a user to provision
- Default mail template
- Provisioned user
- Management options. The ID is automatically uploaded from the on premises ID Vault
REPLICATION OF DIRECTORY
Pull:
- Person documents, not including mail server and mail file name
- Policies (not including organisational policies)
- Groups
- Rooms and Resources
Push:
- Mail file, server and SaasIdentityID fields in Person documents (the last representing the Connections cloud account)
- Specific server groups used by SmartCloud
- ID Vault information for the SmartCloud vault
DUPLICATE NAMES
- Domino directory takes priority over Extended Catalog
- First Person entry is the one used
- Public key checking won't work
RESERVED GROUPS AND ACL ENTRIES
- Directory Synchronisation servers - Manager access including delete rights
- Server Group LLNServers - Editor rights with roles [UserModifier] [GroupCreator] [GroupModifier]
- LLNMailHubs is reserved for SmartCloud
- Certifiers_ or SAAS are group prefixes used by SmartCloud
- Server Group SaaSLocalDomainServers - Manager with delete rights
- Wildcard naming in group names isn't supported, e.g. */Turtle
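As an added example (not code from the deck or from IBM), a Python pre-sync audit that applies the two rules above: duplicate Person entries resolve with the Domino directory ahead of the Extended Catalog and the first entry winning, with every loser reported because public key checking cannot work for that name; and the synchronised directory's ACL is checked against the rights listed for the directory sync server (Flores/Turtle, the deck's own example), LLNServers and SaaSLocalDomainServers. The record layouts and sample data are constructed; a real run would read the Person documents and ACL out of names.nsf.

```python
# Pre-sync audit for a directory to be synchronised to SmartCloud. Added example,
# not from the deck or IBM; record layouts and all sample data are constructed.
DIRECTORY_PRIORITY = ("names.nsf", "extended_catalog.nsf")  # Domino dir first
LEVELS = {"Reader": 1, "Editor": 2, "Manager": 3}
# Rights the deck requires in the synchronised directory's ACL (Flores/Turtle is
# the deck's directory sync server): entry -> (level, needs delete right, roles)
REQUIRED_ACL = {
    "Flores/Turtle": ("Manager", True, set()),
    "LLNServers": ("Editor", False, {"[UserModifier]", "[GroupCreator]", "[GroupModifier]"}),
    "SaaSLocalDomainServers": ("Manager", True, set()),
}
# Constructed sample input: Person records as (directory, name, public key id)
# and an ACL that deliberately falls short of the requirements above.
SAMPLE_PERSONS = [
    ("extended_catalog.nsf", "Gab Davis/Turtle", "key-ext"),
    ("names.nsf", "Gab Davis/Turtle", "key-dom"),
    ("names.nsf", "Flores User/Turtle", "key-flores"),
]
SAMPLE_ACL = {
    "Flores/Turtle": ("Manager", False, set()),
    "LLNServers": ("Editor", False, {"[UserModifier]", "[GroupCreator]"}),
}

def resolve_persons(persons):
    """Deck rule: Domino directory beats Extended Catalog, first Person entry wins.
    Losers are reported because public key checking cannot work for that name."""
    order = sorted(range(len(persons)),
                   key=lambda i: (DIRECTORY_PRIORITY.index(persons[i][0]), i))
    winners, findings = {}, []
    for i in order:
        directory, name, key = persons[i]
        if name in winners:
            findings.append(f"duplicate {name}: {directory} ({key}) loses to "
                            f"{winners[name][0]}; public key check unusable")
        else:
            winners[name] = persons[i]
    return winners, findings

def audit_acl(acl):
    """Report entries short of REQUIRED_ACL; an absent entry counts as Reader."""
    findings = []
    for entry, (level, delete, roles) in REQUIRED_ACL.items():
        have_level, have_delete, have_roles = acl.get(entry, ("Reader", False, set()))
        if LEVELS[have_level] < LEVELS[level]:
            findings.append(f"{entry}: needs {level}, has {have_level}")
        if delete and not have_delete:
            findings.append(f"{entry}: needs delete documents right")
        if roles - have_roles:
            findings.append(f"{entry}: missing roles {sorted(roles - have_roles)}")
    return findings
```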
POLICIES
- On premises Domino administrators can use policies to manage both on premises and SmartCloud users
- Policies in a synchronised directory are applied to SmartCloud users
- Only explicit policies are recognised; organisational ones are ignored
- Policy names should be unique across all directories
CUSTOMISATION
OPTIONS FOR NOTES SMARTCLOUD
EMAIL MANAGEMENT
EMAIL FILTERS
IMAP
JOURNALING
INTEGRATION SERVER / FTP
- Used to download logs and journaling via a SmartCloud FTP account
- Create a new administration user account or use an existing one
- Send an email to support@collabserv.com asking for Integration Server rights to be set up and for which accounts
- https://www.ibm.com/support/knowledgecenter/en/ssps94/hybrid/topics/llis_enablingllis_t.html#llis_enablingllis_t
- This may not work, in which case secure HTTP is available
MAIL TEMPLATES
- Selecting mail templates
- Uploading custom templates
- Field extensions: forms9_x.ntf
INSTANT MESSAGING
INBOUND MAIL ROUTING
NAME FINDER
SECURITY
ON PREMISES OPEN PORTS
Inbound:
- NRPC 1352 for access to the Passthru servers
- NRPC 1352 for service users to access on premises server applications (via VPN, or public via Passthru)
- SMTP (25) if you have configured SmartCloud to route all outbound mail via on premises servers
Outbound:
- NRPC 1352 for Notes client to access SmartCloud servers
- HTTPS 443 for Traveler, Connections
- Instant Messaging 1533
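An added example, not from the deck: a Python check of a constructed firewall rule list against the port list above. It flags any public inbound NRPC 1352 that reaches anything other than a Passthru server (SmartCloud must never reach the mail domain directly), inbound SMTP 25 that is open on a server other than the Mail Hub or without outbound mail being routed via on premises, and missing outbound ports. The rule layout, the host roles, and every host name except ptserver.turtlehost.net are assumptions.

```python
# Firewall rule audit against the on premises ports the deck lists. Added
# example, not from the deck or IBM; rule layout, roles and the *.invalid host
# names are constructed. Key rule: public inbound NRPC (1352) must reach only
# Passthru servers, because SmartCloud never talks to the mail domain directly.
REQUIRED_OUTBOUND = {1352: "Notes client to SmartCloud servers",
                     443: "HTTPS for Traveler and Connections",
                     1533: "instant messaging"}

# Constructed sample: host -> role, and rules as (direction, port, destination).
SAMPLE_HOSTS = {"ptserver.turtlehost.net": "passthru",  # name from the deck
                "mailhub.turtle.invalid": "hub",        # constructed
                "mail1.turtle.invalid": "mail"}         # constructed
SAMPLE_RULES = [
    ("in", 1352, "ptserver.turtlehost.net"),
    ("in", 1352, "mail1.turtle.invalid"),   # would expose the mail domain
    ("in", 25, "mailhub.turtle.invalid"),
    ("in", 443, "mail1.turtle.invalid"),    # not on the hybrid port list
    ("out", 1352, "any"),
    ("out", 443, "any"),
]

def audit_rules(rules, hosts, smtp_via_onprem):
    """Return findings for rules that over-expose on premises servers and for
    required flows that are absent. smtp_via_onprem: SmartCloud has been
    configured to send outbound mail via the on premises Mail Hub."""
    findings, seen_out, passthru_reachable = [], set(), False
    for direction, port, host in rules:
        role = hosts.get(host, "unknown")
        if direction == "out":
            seen_out.add(port)
        elif port == 1352 and role == "passthru":
            passthru_reachable = True
        elif port == 1352:
            findings.append(f"inbound 1352 to {host} ({role}): SmartCloud must "
                            "reach only Passthru servers")
        elif port == 25:
            if not (role == "hub" and smtp_via_onprem):
                findings.append(f"inbound 25 to {host} ({role}): only needed on "
                                "the Mail Hub when outbound mail routes on premises")
        else:
            findings.append(f"inbound {port} to {host}: not on the hybrid port list")
    if not passthru_reachable:
        findings.append("no inbound 1352 to a Passthru server: SmartCloud cannot connect")
    for port, purpose in REQUIRED_OUTBOUND.items():
        if port not in seen_out:
            findings.append(f"missing outbound {port}: {purpose}")
    return findings
```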
SUPPORTED LOGINS
- Notes ID - Notes client access
- SmartCloud Service Account - iNotes, Verse, Traveler, Sametime
- Federated SAML Login - iNotes, Verse, Traveler for Android only
- Application Passwords - Traveler, Sametime
USER LOGINS
- ID Vault
- Syncing ID passwords when service passwords are changed
- Password settings can be controlled by a security policy that applies to SmartCloud assigned users
PASSWORD MANAGEMENT
FEDERATED LOGINS
- SmartCloud Notes supports SAML federation
- You must configure SAML in your on premises environment first, then contact customer services to provide them the information for the SmartCloud servers
- If SAML is enabled then service login passwords are no longer used and application passwords must be used instead
APPLICATION PASSWORDS
- Application passwords vs service passwords
- Application passwords are 16 characters long and generated automatically on user request; they are shown to the user once; users can generate new ones or disable the existing one
- Restricting access to the service to an IP range will most likely prevent Traveler or mobile applications from working, and requires an application password
SUMMARY
- Hybrid Cloud does not require you to make any changes to your existing on premises servers or users
- You add a new layer of Passthru, directory and routing servers specifically to talk to the SmartCloud servers
- You can still register your users and have policies that apply to them
- You can move as many or as few users onto SmartCloud servers as you want
- Your on premises users should not be able to tell whether someone is being managed by a SmartCloud server or an on premises server, and vice versa
- You can continue to manage all mail routing through your on premises servers if you wish
- Hybrid gives you the ability to evaluate SmartCloud as a solution for your mail users whilst retaining your on premises servers for applications
QUESTIONS?
Gab Davis - gabriella@turtlepartnership.com
http://turtleblog.info
twitter: gabturtle
skype: gabrielladavis