
lotus1

Date post: 15-Oct-2014
Upload: rahul
Lotus Domino 6

Administering the Domino System, Volume 1

Disclaimer

THIS DOCUMENTATION IS PROVIDED FOR REFERENCE PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS DOCUMENTATION, THIS DOCUMENTATION IS PROVIDED AS IS WITHOUT ANY WARRANTY WHATSOEVER AND TO THE MAXIMUM EXTENT PERMITTED, IBM DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE SAME. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES, INCLUDING WITHOUT LIMITATION, DIRECT, INDIRECT, CONSEQUENTIAL OR INCIDENTAL DAMAGES, ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS DOCUMENTATION OR ANY OTHER DOCUMENTATION. NOTWITHSTANDING ANYTHING TO THE CONTRARY, NOTHING CONTAINED IN THIS DOCUMENTATION OR ANY OTHER DOCUMENTATION IS INTENDED TO, NOR SHALL HAVE THE EFFECT OF, CREATING ANY WARRANTIES OR REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT GOVERNING THE USE OF THIS SOFTWARE.

Copyright

Under the copyright laws, neither the documentation nor the software may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of IBM, except in the manner described in the documentation or the applicable licensing agreement governing the use of the software.

Copyright IBM Corporation 1985, 2002
All rights reserved.

Lotus Software
IBM Software Group
One Rogers Street
Cambridge, MA 02142

US Government Users Restricted Rights
Use, duplication or disclosure restricted by GS ADP Schedule Contract with IBM Corp.

List of Trademarks

1-2-3, cc:Mail, Domino, Domino Designer, Freelance Graphics, iNotes, Lotus, Lotus Discovery Server, Lotus Enterprise Integrator, Lotus Mobile Notes, Lotus Notes, Lotus Organizer, LotusScript, Notes, QuickPlace, Sametime, SmartSuite, and Word Pro are trademarks or registered trademarks of Lotus Development Corporation and/or IBM Corporation in the United States, other countries, or both.

AIX, AS/400, DB2, IBM, iSeries, MQSeries, Netfinity, OfficeVision, OS/2, OS/390, OS/400, S/390, Tivoli, and WebSphere are registered trademarks of International Business Machines Corporation in the United States, other countries, or both.

Pentium is a trademark of Intel Corporation in the United States, other countries, or both.

Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

All other trademarks are the property of their respective owners.

Contents

Preface

Volume 1

1 Deploying Domino
  Guidepost for deploying Domino
  Building the Domino environment

2 Setting Up the Domino Network
  Lotus Domino and networks
  Network security
  Planning the TCP/IP network
  Planning the NetBIOS network
  Planning the IPX/SPX network
  Setting up Domino servers on the network
  Server setup tasks specific to TCP/IP
  Server setup tasks specific to NetBIOS
  Server setup tasks specific to IPX/SPX
  NOTES.INI settings for networks

3 Installing and Setting Up Domino Servers
  Installing and setting up Domino servers
  Server installation
  The Domino Server Setup program
  Using Domino Off-Line Services (DOLS) and iNotes Web Access
  Using the Domino Server Setup program
  The Certification Log
  Server registration
  Optional tasks to perform after server setup
  Starting and shutting down the Domino server

4 Setting Up Server-to-Server Connections
  Planning server-to-server connections
  How a server connects to another server
  Internet connections
  Passthru servers and hunt groups
  Planning the use of passthru servers
  Setting up a server as a passthru server
  Setting up a server as a passthru destination
  Planning for modem use
  Commands for acquire and connect scripts
  Connecting Notes clients to servers

5 Setting Up and Managing Notes Users
  Setting up Notes users
  Adding an alternate language and name to a user ID
  Setting up client installation for users
  Managing users
  License Tracking
  Custom welcome page deployment

6 Setting Up and Managing Groups
  Using groups
  Creating and modifying groups
  Managing groups
  Assigning a policy to a group

7 Creating Replicas and Scheduling Replication
  Replicas
  How server-to-server replication works
  Guidelines for setting server access to databases
  Setting up a database ACL for server-to-server replication
  Table of replication settings
  Specifying replication settings for one replica
  Scheduling server-to-server replication
  Customizing server-to-server replication
  Specifying replication direction
  Scheduling times for replication
  Replicating only specific databases
  Replicating databases by priority
  Limiting replication time
  Using multiple replicators
  Refusing replication requests
  Forcing immediate replication
  Disabling database replication
  Forcing a server database to replicate
  Viewing replication schedules and topology maps

8 Setting Up Calendars and Scheduling
  Calendars and scheduling
  Setting up scheduling
  Setting up the Resource Reservations database
  Creating Site Profile and Resource documents
  Editing and deleting Resource documents
  Creating Holiday documents
  Collecting detailed information from user calendars

9 Using Policies
  Policies
  Policy hierarchy and the effective policy
  Planning and assigning policies
  Creating policies
  Mail archiving and policies
  Managing policies
  Viewing policy relationships

10 Setting Up Domain Search
  Domain Search
  Planning the Domain Index
  Creating and updating the Domain Index
  Customizing Domain Search forms
  Setting up Notes users for Domain Search
  Setting up Web users for Domain Search
  Using content maps with Domain Search
  NOTES.INI settings for Domain Search

11 Setting Up Domino Off-Line Services
  Domino Off-Line Services

12 Planning the Service Provider Environment
  Planning the xSP server environment
  Using Domino features in a hosted server environment
  Example of planning a hosted environment

13 Setting Up the Service Provider Environment
  Setting up the service provider environment
  Installing the first server or additional servers for hosted environments
  Setting up a hosted organization
  Setting up the Domino certificate authority for hosted organizations
  Using policies in a hosted environment
  What happens when you register a hosted organization?
  Example of registering a hosted organization
  Registering a hosted organization
  Using Internet and Web Site documents in a hosted environment
  Global Web Settings documents and the service provider environment
  Configuring activity logging for billing hosted organizations

14 Managing a Hosted Environment
  Maintaining hosted organizations
  Adding a hosted organization to an additional server to provide new Web applications
  Deleting a hosted organization
  Temporarily disabling services for a hosted organization
  Enabling anonymous access to a hosted organization's database
  Moving a hosted organization to another server
  Removing a hosted organization from a backup or load-balancing server
  Restoring a hosted environment after a server crash
  Using a browser to access a hosted organization's Web site
  Using the Resource Reservations database in a hosted environment
  Viewing hosted organizations
  Managing users at a hosted organization
  Using the Web Administrator to manage users at a hosted organization

15 Setting Up the Administration Process
  The Administration Process
  Setting up the Administration Process
  Administration Process support of secondary Domino Directories
  Processing administration requests across domains
  Setting up ACLs for the Administration Process
  The Administration Requests database
  Customizing the Administration Process
  Administration Process Statistics
  Administration request messages

16 Setting Up and Using Domino Administration Tools
  The Domino Administrator
  Installing the Domino Administrator
  Setting up the Domino Administrator
  Starting the Domino Administrator
  Navigating Domino Administrator
  Selecting a server to administer in the Domino Administrator
  Setting Domino Administration preferences
  Domino Administrator tabs
  Web Administrator
  Setting up the Web Administrator
  Starting the Web Administrator
  Using the Web Administrator
  The Server Controller and the Domino Console

17 Using Domino with Windows Synchronization Tools
  Setting up Windows NT User Manager
  Setting policy-based registration options for use with Notes synchronization
  Using the Windows NT Performance Monitor to view Domino
  Setting up Domino Active Directory synchronization

18 Planning Directory Services
  Overview of Domino directory services
  Using directory servers in a Domino domain
  Planning LDAP features
  Planning directory access control
  Planning new entries in the Domino Directory
  Planning the management of entries in the Domino Directory
  Planning directory services for Notes clients
  Planning directory services in a multiple-directory environment
  Directory search order
  Planning internationalized directory services
  Planning directory customization
  Directory services terms

19 Setting Up the Domino Directory
  The Domino Directory
  Setting up the Domino Directory for a domain
  Using a central directory architecture in a Domino domain
  Managing Domino Directories in a central directory architecture
  Controlling access to the Domino Directory
  Corporate hierarchies
  Setting up Notes clients to use a directory server
  Customizing the Directory Profile
  Scheduling replication of the Domino Directory

20 Setting Up the LDAP Service
  The LDAP service
  How the LDAP service works
  Setting up the LDAP service
  Starting and stopping the LDAP service
  Customizing the LDAP service configuration
  Setting up clients to use the LDAP service
  Using LDAP to search a Domain index
  Monitoring the LDAP service
  NOTES.INI settings for the LDAP service
  RFCs supported by the LDAP service

21 Managing the LDAP Schema
  LDAP schema
  The Domino LDAP schema
  The schema daemon
  Domino LDAP Schema database
  Methods for extending the schema
  Extending the schema using the Schema database
  Schema-checking
  Searching the root DSE and schema entry
  NOTES.INI settings related to the schema daemon

22 Using the ldapsearch Utility
  Using the ldapsearch utility to search LDAP directories
  Table of ldapsearch parameters
  Using search filters with ldapsearch
  Using ldapsearch to return operational attributes
  Examples of using ldapsearch

23 Setting Up Directory Assistance
  Directory assistance
  How directory assistance works
  Directory assistance services
  Directory assistance concepts
  Directory assistance and naming rules
  Directory assistance and domain names
  Directory assistance and failover for a directory
  Directory assistance for an Extended Directory Catalog
  Directory assistance in conjunction with a condensed Directory Catalog
  Directory assistance for the primary Domino Directory
  Number of directory assistance databases
  Setting up directory assistance
  Directory assistance examples
  Monitoring directory assistance

24 Setting Up Directory Catalogs
  Directory catalogs
  Condensed Directory Catalogs
  Directory catalogs on servers compared to directory assistance for individual Domino Directories
  Extended Directory Catalogs
  Overview of directory catalog setup
  Planning directory catalogs
  Directory catalogs and client authentication
  Directory catalogs and Notes mail encryption
  Picking the server(s) to run the Dircat task
  Specifying the Domino Directories for the Dircat task to aggregate
  Controlling which information is aggregated into a directory catalog
  Full-text indexing directory catalogs
  Planning issues specific to Extended Directory Catalogs
  Planning issues specific to condensed Directory Catalogs
  Multiple directory catalogs
  Overview of setting up a condensed Directory Catalog
  The Dircat task
  Opening the configuration document for a directory catalog
  Monitoring directory catalogs

25 Setting Up Extended ACLs
  Extended ACL
  How other database security features restrict extended ACL access settings
  Elements of an extended ACL
  Extended ACL access settings
  Extended ACL subject
  Extended ACL target
  Extended ACL examples
  Extended ACL guidelines
  Setting up and managing an extended ACL

26 Overview of the Domino Mail System
  Messaging overview
  Supported routing, format, and access protocols
  The Domino mail server and mail routing
  Overview of routing mail using Notes routing
  Overview of routing mail using SMTP
  The Domain Name System (DNS) and SMTP mail routing

27 Setting Up Mail Routing
  The Domino mail router
  Planning a mail routing topology
  Sample mail routing configurations
  Creating a Configuration Settings document
  Setting up Notes routing
  Configuring Domino to send and receive mail over SMTP
  Setting up how addresses are resolved on inbound and outbound mail
  Configuring Domino to send mail to a relay host or firewall
  Routing mail over transient connections

28 Customizing the Domino Mail System
  Customizing mail
  Controlling messaging
  Improving mail performance
  Controlling message delivery
  Setting server mail rules
  Customizing message transfer
  Setting transfer limits
  Setting advanced transfer and delivery controls
  Customizing Notes routing
  Customizing SMTP Routing
  Changing SMTP port settings
  Restricting SMTP inbound routing
  Preventing unauthorized SMTP hosts from using Domino as a relay
  Enabling DNS blacklist filters for SMTP connections
  Restricting outbound mail routing
  Mail journaling
  Setting inbound and outbound MIME and character set options

29 Setting Up Shared Mail
  Shared mail overview
  Setting up shared mail databases
  Managing a shared mail database
  Disabling shared mail

30 Setting Up the POP3 Service
  The POP3 service
  Setting up the POP3 service
  Setting up POP3 users

31 Setting Up the IMAP Service
  The IMAP service
  Setting up the IMAP service
  Customizing the IMAP service
  Setting up IMAP users
  IMAP settings in the server NOTES.INI file

32 Setting Up iNotes Web Access
  iNotes Web Access
  iNotes Access for Microsoft Outlook

33 Monitoring Mail
  Tools for mail monitoring
  Setting up mail monitoring
  Viewing mail usage reports

34 Setting Up the Domino Web Server
  The Domino Web server
  Setting up a Domino server as a Web server
  Setting up WebDAV
  Hosting Web sites
  Web Site rules and global Web settings
  Custom Web server messages
  Improving Web server performance

35 Setting Up Domino to Work with Other Web Servers
  Setting up Domino to work with other Web servers

36 Setting Up the Web Navigator
  The Web Navigator
  Setting up a Web Navigator server
  Customizing the Web Navigator
  The Web Navigator database
  Customizing the Web Navigator database

Volume 2

37 Planning Security
  Overview of Domino security
  The Domino security model
  The Domino security team
  Security planning checklists

38 Controlling Access to Domino Servers
  Validation and authentication for Notes and Domino
  Server access for Notes users, Internet users, and Domino servers
  Setting up Notes user, Domino server, and Internet user access to a Domino server
  Customizing access to a Domino server
  Physically securing the Domino server

39 Protecting and Managing Notes IDs
  Domino server and Notes user IDs
  Certificates
  Password-protection for Notes and Domino IDs
  Verifying user passwords during authentication
  ID recovery
  Public key security
  Using cross-certificates to access servers and send secure S/MIME messages
  Adding cross-certificates to the Domino Directory or Personal Address Book

40 Controlling User Access to Domino Databases
  The database access control list
  Default ACL entries
  Acceptable entries in the ACL
  Configuring a database ACL
  Access levels in the ACL
  Access level privileges in the ACL
  User types in the ACL
  Roles in the ACL
  Managing database ACLs
  Using the Administration Process to update ACLs
  Setting up the Administration Process for database ACLs
  Managing database ACLs with the Web Administrator
  Editing entries in multiple ACLs
  Enforcing a consistent access control list
  Setting up database access for Internet users
  Maximum Internet name-and-password access

41 Protecting User Workstations with Execution Control Lists
  The execution control list
  The administration ECL

42 Setting Up Name-and-Password and Anonymous Access to Domino Servers
  Name-and-password authentication for Internet/intranet clients
  Session-based name-and-password authentication for Web clients
  Multi-server session-based name-and-password authentication for Web users (single sign-on)
  Managing Internet passwords
  Anonymous Internet/intranet access
  Validation and authentication for Internet/intranet clients

43 Encryption and Electronic Signatures
  Encryption
  Mail encryption
  Electronic signatures

44 Setting Up a Domino Server-Based Certification Authority
  Domino server-based certification authority
  Setting up a server-based Domino certification authority

45 Setting Up a Domino 5 Certificate Authority
  Using a Domino 5 certificate authority
  Setting up a Domino 5 certificate authority

46 Setting Up SSL on a Domino Server
  SSL security
  Setting up SSL on a Domino server
  Default Domino SSL trusted roots
  SSL port configuration
  Managing server certificates and certificate requests
  Authenticating Web SSL clients in secondary Domino and LDAP directories

47 Setting Up Clients for S/MIME and SSL
  SSL and S/MIME for clients
  Setting up Notes and Internet clients for SSL authentication
  Internet certificates for SSL and S/MIME
  Setting up Notes clients for S/MIME
  Dual Internet certificates for S/MIME encryption and signatures
  Setting up Notes and Internet clients for SSL client authentication
  Using SSL when setting up directory assistance for LDAP directories

48 Rolling Out Databases
  Database design, management, and administration
  Rolling out a database
  Copying a new database to a server
  Creating a Mail-In Database document for a new database
  Adding a database to the Domain Index
  Signing a database or template

49 Organizing Databases on a Server
  Organizing databases on a server

50 Setting Up and Managing Full-text Indexes
  Full-text indexes for single databases

51 Setting Up Database Libraries and Catalogs
  Database libraries
  Creating a database library and assigning librarians
  Publishing databases in a library
  Database catalogs
  Setting up a server's database catalog

52 Monitoring the Domino Server
  Monitoring the Domino system
  Monitoring events on the Domino system
  Event generators
  Event handlers
  Viewing an event report
  Viewing event messages, causes, and solutions
  Customizing the appearance of the Domino server console and Domino Administrator console
  Statistics and the Domino system
  Platform statistics
  Using the Domino Administrator to monitor statistics
  Charting statistics
  Domino server monitor
  Profiles and the Domino server monitor

53 Using the Domino SNMP Agent
  The Domino SNMP Agent
  Configuring the Domino SNMP Agent
  Using the Domino MIB with your SNMP management station
  Troubleshooting the Domino SNMP Agent

54 Using IBM Tivoli Analyzer for Lotus Domino
  IBM Tivoli Analyzer for Lotus Domino
  Server Health Monitor
  Table of Server Health Monitor statistics
  Table of Server Health Monitor ratings
  Server Health Monitor configuration
  Using the Server Health Monitor
  Working with Server Health Monitor statistics
  Activity Trends
  Setting up Activity Trends
  Activity Trends server and statistics profiles
  Resource balancing in Activity Trends
  Setting up resource balancing in Activity Trends
  Understanding resource-balancing behavior
  Analyzing resource-balancing distributions
  Domino Change Manager
  ACLs for the Domino Change Control database
  Resource-balancing plans
  Setting up plan documents for resource balancing

55 Transaction Logging and Recovery
  Transaction logging
  How transaction logging works
  Planning for transaction logging
  Setting up a Domino server for transaction logging
  Changing transaction logging settings
  Disabling transaction logging for a specific database
  View logging
  Using transaction logging for recovery
  Fault recovery

56 Using Log Files
  The Domino server log (LOG.NSF)
  Controlling the size of the log file (LOG.NSF)
  Logging Domino Web server requests
  The Domino Web server log (DOMLOG.NSF)
  Domino Web server logging to text files

57 Setting Up Activity Logging
  Activity logging
  The information in the log file
  Configuring activity logging
  Viewing activity logging data

58 Maintaining Databases
  Database maintenance
  The Files tab in the Domino Administrator
  Monitoring replication of a database
  Replication or save conflicts
  Monitoring database activity
  Updating database indexes and views
  Managing view indexes
  Synchronizing databases with master templates

59 Maintaining Domino Servers
  Managing servers
  Decommissioning a Domain Search server
  Uninstalling a Domino partitioned server

60 Improving Server Performance
  Improving Domino server performance
  Tools for measuring server performance
  Improving basic server performance and capacity
  Improving partitioned server performance and capacity
  Improving Agent Manager performance
  Improving database and Domino Directory performance
  Tips for tuning mail performance

Improving Windows NT and Windows 2000 server performance . . . . . Improving UNIX server performance

61 Improving Database Performance . . . . . . . . . . . . . . . . . 61-1Setting advanced database properties Database properties that optimize database performance . . .

....

61-1

.... Fixing corrupted databases . . . . . . . . . . Using Fixup . . . . . . . . . . . . . . . . . . . Moving databases . . . . . . . . . . . . . . . . Deleting databases . . . . . . . . . . . . . . . Database analysis . . . . . . . . . . . . . . . .

58-24 58-25 58-26 58-33 58-36 58-37

. . . . . . . 61-3 The database cache . . . . . . . . . . . . . . . . 61-9 Controlling database size . . . . . . . . . . . 61-12 Tools for monitoring database size . . . . . 61-13 Monitoring database size . . . . . . . . . . . 61-13 Compacting databases . . . . . . . . . . . . . 61-13 Ways to compact databases . . . . . . . . . . 61-16 Database size quotas . . . . . . . . . . . . . . 61-23 Deleting inactive documents . . . . . . . . . 61-25Using an agent to delete and archive documents . . . . . . . . . . . . Allowing more fields in a database

.... .....

61-27 61-29

xii Administering the Domino System, Volume 1

62 Using Server.Load . . . . . . . . . . 62-1

..................... Server.Load agents . . . . . . . . . . . . . . . . Server.Load metrics . . . . . . . . . . . . . . .Server.Load Setting up clients and servers for Server.Load . . . . . . . . .

62-1 62-4 62-7

.. Passthru connections Troubleshooting . Replication Troubleshooting . . . . . . .Partitioned servers Troubleshooting You see the message Database is not fully initialized yet . . . . . .

63-78 63-79 63-80

. . . . . . . 62-12 Idle Workload script . . . . . . . . . . . . . . 62-14 R5 IMAP Workload test . . . . . . . . . . . . 62-15 R5 Simple Mail Routing test . . . . . . . . . 62-20 R5 Shared Database test . . . . . . . . . . . . 62-24 SMTP and POP3 Workload test . . . . . . . 62-26 Web Idle Workload test . . . . . . . . . . . . 62-30 Web Mail test . . . . . . . . . . . . . . . . . . 62-31 63 Troubleshooting . . . . . . . . . . . 63-1 Troubleshooting the Domino system . . . . . 63-1 Troubleshooting tools . . . . . . . . . . . . . . 63-2 Overview of server maintenance . . . . . . . 63-6 Server maintenance checklist . . . . . . . . . . 63-6 Backing up the Domino server . . . . . . . . . 63-7Administration Process Troubleshooting . .

. . . . 63-89 Server access Troubleshooting . . . . . . 63-91 Server crashes Troubleshooting . . . . . 63-96 Transaction logging Troubleshooting . 63-102Web server, Web Navigator, and the Web Administrator Troubleshooting

. 63-104 Server.Load Troubleshooting . . . . . . . 63-110 Appendix A Server Commands . . A-1 Appendix B Server Tasks . . . . . . . B-1 Appendix C NOTES.INI File . . . . . C-1Appendix D System and Application Templates . . . . . . . . . D-1 Appendix E Customizing the Domino Directory . . . . . . . . . . . . . . E-1 Appendix F Administration Process Requests . . . . . . . . . . . . . . F-1 Appendix G Novell Directory Service for the IPX/SPX Network . . G-1 Appendix H Accessibility and Keyboard Shortcuts in Domino Administrator . . . . . . . . . . . . . . . . . H-1 Appendix I Server.Load Command Language . . . . . . . . . . . . I-1 Appendix J Server.Load Scripts . . . J-1 Index . . . . . . . . . . . . . . . . . . . . . . Index-1

............

63-8 63-12 63-16 63-21 63-36 63-45 63-48 63-52 63-55 63-74

Agent Manager and agents Troubleshooting . . . . .

........ Database performance Troubleshooting . Directories Troubleshooting . . . . . . . Mail routing Troubleshooting . . . . . .Meeting and resource scheduling Troubleshooting . . . . . . . . . Modems and remote connections Troubleshooting . . . . . . . .

....

..... Platform statistics Troubleshooting . . .Network connections over NRPC Troubleshooting . . . . . . . . . Network dialup connections Troubleshooting . . . . .

....

........

Contents xiii

Preface

The documentation for IBM Lotus Notes, IBM Lotus Domino, and IBM Lotus Domino Designer is available online in Help databases and, with the exception of the Notes client documentation, in print format.

License information

Any information or reference related to license terms in this document is provided to you for your information. However, your use of Notes and Domino, and any other IBM program referenced in this document, is solely subject to the terms and conditions of the IBM International Program License Agreement (IPLA) and related License Information (LI) document accompanying each such program. You may not rely on this document should there be any questions concerning your right to use Notes and Domino. Please refer to the IPLA and LI for Notes and Domino that is located in the file LICENSE.TXT.

System requirements

Information about the system requirements for Lotus Notes and Domino is listed in the Release Notes.

Printed documentation and PDF files

The same documentation for Domino and Domino Designer that is available in online Help is also available in printed books and PDF files. You can order printed books from the IBM Publications Center at www.ibm.com/shop/publications/order. You can download PDF files from the IBM Publications Center and from the Documentation Library at the Lotus Developer Domain at www-10.lotus.com/ldd.

Related information

In addition to the documentation that is available with the product, other information about Notes and Domino is available on the Web sites listed here. IBM Redbooks are available at www.redbooks.ibm.com.


A technical journal, discussion forums, demos, and other information is available on the Lotus Developer Domain site at www-10.lotus.com/ldd.

Table of conventions

This table lists conventions used in the Notes and Domino documentation.

Convention | Description
italics | Variables and book titles are shown in italic type.
monospaced type | Code examples and console commands are shown in monospaced type.
file names | File names are shown in uppercase, for example NAMES.NSF.
hyphens in menu names (File - Database - Open) | Hyphens are used between menu names, to show the sequence of menus.

Structure of Notes and Domino documentation

This section describes the documentation for Notes, Domino, and Domino Designer. The online Help databases are available with the software products. Print documentation can be downloaded from the Web or purchased separately.

Release Notes

The Release Notes describe new features and enhancements, platform requirements, known issues, and documentation updates for Lotus Notes 6, Lotus Domino 6, and Lotus Domino Designer 6. The Release Notes are available online in the Release Notes database (README.NSF). You can also download them as a PDF file.

Documentation for the Notes client

The Lotus Notes 6 Help database (HELP6_CLIENT.NSF) contains the documentation for Notes users. This database describes user tasks such as sending mail, using the Personal Address Book, using the Calendar and Scheduling features, using the To Do list, and searching for information.

Documentation for Domino administration

The following table describes the books that comprise the Domino Administration documentation set. The information in these books is also found online in the Lotus Domino Administrator 6 Help database (HELP6_ADMIN.NSF). The book Installing Domino Servers ships with Domino. The other books are available for purchase, or for free download as PDF files.

Title | Description
Upgrade Guide | Describes how to upgrade existing Domino servers and Notes clients to Notes and Domino 6. Also describes how to move users from other messaging and directory systems to Notes and Domino 6.
Installing Domino Servers | Describes how to plan a Domino installation; how to configure Domino to work with network protocols such as Novell SPX, TCP/IP, and NetBIOS; how to install servers; and how to install and begin using Domino Administrator and the Web Administrator.
Administering the Domino System, Volumes 1 and 2 | Describes how to register and manage users and groups, and how to register and manage servers including managing directories, connections, mail, replication, security, calendars and scheduling, activity logging, databases, and system monitoring. This book also describes how to use Domino in a service provider environment, how to use Domino Off-Line Services, and how to use IBM Tivoli Analyzer for Lotus Domino.
Administering Domino Clusters | Describes how to set up, manage, and troubleshoot Domino clusters.

Documentation for Domino Designer

The following table describes the books that comprise the Domino Designer documentation set. The information in these books is also found online in the Lotus Domino Designer 6 Help database (HELP6_DESIGNER.NSF) with one exception: Domino Enterprise Connection Services (DECS) Installation and User Guide is available online in a separate database, DECS User Guide Template (DECSDOC6.NSF). The printed documentation set also includes Domino Objects posters. In addition to the books listed here, the Domino Designer Templates Guide is available for download in NSF or PDF format. This guide presents an in-depth look at three commonly used Designer templates: TeamRoom, Discussion, and Documentation Library.

Title | Description
Application Development with Domino Designer | Explains how to create all the design elements used in building Domino applications, how to share information with other applications, and how to customize and manage applications.
Domino Designer Programming Guide, Volume 1: Overview and Formula Language | Introduces programming in Domino Designer and describes the formula language.
Domino Designer Programming Guide, Volumes 2A and 2B: LotusScript/COM/OLE Classes | Describes the LotusScript/COM/OLE classes for access to databases and other Domino structures.
Domino Designer Programming Guide, Volume 3: Java/CORBA Classes | Provides reference information on using the Java and CORBA classes to provide access to databases and other Domino structures.
Domino Designer Programming Guide, Volume 4: XML Domino DTD and JSP Tags | Describes the XML and JSP interfaces for access to databases and other Domino structures.
LotusScript Language Guide | Describes the LotusScript programming language.
Domino Enterprise Connection Services (DECS) Installation and User Guide | Describes how to use Domino Enterprise Connection Services (DECS) to access enterprise data in real time.
Lotus Connectors and Connectivity Guide | Describes how to configure Lotus Connectors for use with either DECS or IBM Lotus Enterprise Integrator for Domino (LEI). It also describes how to test connectivity between DECS or LEI and an external system, such as DB2, Oracle, or Sybase. Lastly, it describes usage and feature options for all of the base connection types that are supplied with LEI and DECS. This online documentation file name is LCCON6.NSF.
Lotus Connector LotusScript Extensions Guide | Describes how to use the LC LSX to programmatically perform Lotus Connector-related tasks outside of, or in conjunction with, either LEI or DECS. This online documentation file name is LSXLC6.NSF.
IBM Lotus Enterprise Integrator for Domino (LEI) Installation Guide | Describes installation, configuration, and migration information and instructions for LEI. The online documentation file names are LEIIG.NSF and LEIIG.PDF. This document is for LEI customers only and is supplied with LEI, not with Domino.
IBM Lotus Enterprise Integrator for Domino (LEI) Activities and User Guide | Provides information and instructions for using LEI and its activities. The online documentation file names are LEIDOC.NSF and LEIDOC.PDF. This document is for LEI customers only and is supplied with LEI, not with Domino.

Installation

Chapter 1 Deploying Domino

This chapter outlines the steps required to deploy IBM Lotus Domino 6 successfully and introduces important concepts that you need to know before you install Domino servers.

Guidepost for deploying Domino

Whether you're setting up IBM Lotus Domino 6 and IBM Lotus Notes 6 for the first time or adding to an established Domino environment, planning is vital. Along with determining your company's needs, you need to plan how to integrate Domino into your existing network. After planning is complete, you can begin to install and set up Domino servers and the Domino Administrator and build the Domino environment. The following list describes, in order, the process to use to deploy Domino.

1. Determine your company's server needs. Decide where to locate each server physically, taking into consideration local and wide-area networks and the function of each server.
2. Develop a hierarchical name scheme that includes organization and organizational unit names.
3. Decide whether you need more than one Domino domain.
4. Understand how server name format affects network name-to-address resolution for servers. Ensure that the DNS records for your company are the correct type for the server names.
5. Determine which server services to enable.
6. Determine which certificate authority (Domino server-based certification authority, Domino 5 certificate authority, third-party) to use.
7. Install and set up the first Domino server.
8. Install and set up the Domino Administrator on the administrator's machine.
9. Complete network-related server setup.
10. If the Domino server is offering Internet services, set up Internet Site documents. There are some instances where Internet Site documents are required.
11. Specify Administration Preferences.
12. Create additional certifier IDs to support the hierarchical name scheme.
13. Set up recovery information for the certifier IDs.
14. Add the administrator's ID to the recovery information for the certifier IDs and then distribute the certifier IDs, as necessary, to other administrators.
15. Register additional servers.
16. If you did not choose to do so during first server setup, create a group in the Domino Directory for all administrators, and give this group Manager access to all databases on the first server.
17. Install and set up additional servers.
18. Complete network-related server setup for each additional server.
19. Build the Domino environment.

Functions of Domino servers

Before you install and set up the first Domino server, consider the function and physical location of the servers that your company needs and determine how to connect the servers to each other. The current configuration of local and wide-area networks affects many of these decisions. Consider your company's need for:

- Servers that provide Notes and/or browser users with access to applications
- Hub servers that handle communication between servers that are geographically distant
- Web servers that provide browser users with access to Web applications
- Servers that manage messaging services
- Directory servers that provide users and servers with information about how to communicate with other users and servers
- Passthru servers that provide users and servers with access to a single server that provides access to other servers
- Domain Search servers that provide users with the ability to perform searches across all servers in a Domino domain
- Clustered servers that provide users with constant access to data and provide load-balancing and failover
- Partitioned servers that run multiple instances of the Domino server on a single computer
- Firewall servers that provide Notes users with access to internal Domino services and protect internal servers from outside users
- xSP servers that provide users with Internet access to a specific set of Domino applications

Your decisions help determine which types of Domino servers you require. When you install each server, you must select one of the following installation options:

- Domino Utility Server: Installs a Domino server that provides application services only, with support for Domino clusters. The Domino Utility Server is a new installation type for Lotus Domino 6 that removes client access license requirements. Note that it does NOT include support for messaging services. See full licensing text for details.
- Domino Messaging Server: Installs a Domino server that provides messaging services. Note that it does NOT include support for application services or Domino clusters.
- Domino Enterprise Server: Installs a Domino server that provides both messaging and application services, with support for Domino clusters.

Note: All three types of installations support Domino partitioned servers. Only the Domino Enterprise Server supports a service provider (xSP) environment.

Hierarchical naming for servers and users

Hierarchical naming is the cornerstone of Domino security; therefore planning it is a critical task. Hierarchical names provide unique identifiers for servers and users in a company. When you register new servers and users, the hierarchical names drive their certification, or their level of access to the system, and control whether users and servers in different organizations and organizational units can communicate with each other. Before you install Domino servers, create a diagram of your company and use the diagram to plan a meaningful name scheme. Then create certifier IDs to implement the name scheme and ensure a secure system.

A hierarchical name scheme uses a tree structure that reflects the actual structure of a company. At the top of the tree is the organization name, which is usually the company name. Below the organization name are organizational units, which you create to suit the structure of the company; you can organize the structure geographically, departmentally, or both. For example, the Acme company created this diagram for their servers and users:

Acme
  West
    HR
    Accounting
    IS
  East
    Sales
    Marketing
    Development

Looking at Acme's diagram, you can see where they located their servers in the tree. Acme decided to split the company geographically at the first level and create certifier IDs for the East and West organizational units. At the next level down, Acme made its division according to department. For more information on certifier IDs, see the topic "Certifier IDs and certificates" in this chapter.

Components of a hierarchical name

A hierarchical name reflects a user's or server's place in the hierarchy and controls whether users and servers in different organizations and organizational units can communicate with each other. A hierarchical name may include these components:

- Common name (CN): Corresponds to a user's name or a server's name. All names must include a common name component.
- Organizational unit (OU): Identifies the location of the user or server in the organization. Domino allows for a maximum of four organizational units in a hierarchical name. Organizational units are optional.
- Organization (O): Identifies the organization to which a user or server belongs. Every name must include an organization component.
- Country (C): Identifies the country in which the organization exists. The country is optional.

An example of a hierarchical name that uses all of the components is:

Julia Herlihy/Sales/East/Acme/US

Typically a name is entered and displayed in this abbreviated format, but it is stored internally in canonical format, which contains the name and its associated components, as shown below:

CN=Julia Herlihy/OU=Sales/OU=East/O=Acme/C=US

Note: You can use hierarchical naming with wildcards as a way to isolate a group of servers that need to connect to a given Domino server in order to route mail. For more information, see the chapter "Setting Up Mail Routing."

Domino domains

A Domino domain is a group of Domino servers that share the same Domino Directory. As the control and administration center for Domino servers in a domain, the Domino Directory contains, among other documents, a Server document for each server and a Person document for each Notes user.

Planning for Domino domains

There are four basic scenarios for setting up Domino domains. The first scenario, which many small- and medium-size companies use, involves creating only one Domino domain and registering all servers and users in one Domino Directory. This scenario is the most common and the easiest to manage.

The second scenario is common when a large company has multiple independent business units. In this case, one organization spread across multiple domains may be the best scenario. Then all servers and users are members of the same organization, and each business unit administers its own Domino Directory. For more information on administering multiple Domino directories, see the chapter "Planning Directory Services."

A third scenario is common when multiple companies work closely together yet want to retain individual corporate identities. Then one domain and multiple organizations may work best.

Finally, the fourth scenario involves maintaining multiple domains and multiple organizations. This scenario often occurs when one company acquires another.

Sometimes the decision to create multiple Domino domains is not based on organizational structure at all. For example, you may want to create multiple Domino domains if you have slow or unreliable network connections that prohibit frequent replication of a single, large directory. Keep in mind that working with multiple domains requires additional administrative work and requires you to set up a system for managing them.

Domains can be used as a broad security measure. For example, you can grant or deny a user access to servers and databases, based on the domain in which the user is registered. Using an extended ACL is an alternative to creating multiple domains, because you can use the extended ACL to specify different levels of access to a single Domino Directory, based on organization name hierarchy. For more information on extended ACLs, see the chapter "Setting Up Extended ACLs."

Partitioned servers

Using Domino server partitioning, you can run multiple instances of the Domino server on a single computer. By doing so, you reduce hardware expenses and minimize the number of computers to administer because, instead of purchasing multiple small computers to run Domino servers that might not take advantage of the resources available to them, you can purchase a single, more powerful computer and run multiple instances of the Domino server on that single machine.

On a Domino partitioned server, all partitions share the same Domino program directory, and thus share one set of Domino executable files. However, each partition has its own Domino data directory and NOTES.INI file; thus each has its own copy of the Domino Directory and other administrative databases. If one partition shuts down, the others continue to run. If a partition encounters a fatal error, Domino's fault recovery feature restarts only that partition, not the entire computer. For information on setting up fault recovery, see the chapter "Transaction Logging and Recovery."

Partitioned servers can provide the scalability you need while also providing security. As your system grows, you can migrate users from a partition to a separate server. A partitioned server can also be a member of a cluster if you require high availability of databases. Security for a partitioned server is the same as for a single server.

When you set up a partitioned server, you must run the same version of Domino on each partition. However, if the server runs on UNIX, there is an alternative means to run multiple instances of Domino on the server: on UNIX, you can run different versions of Domino on a single computer, each version with its own program directory. You can even run multiple instances of each version by installing it as a Domino partitioned server. For more information on installing Domino on UNIX, see the chapter "Installing and Setting Up Domino Servers."

Deciding whether to use partitioned servers

Whether or not to use partitioned servers depends, in part, on how you set up Domino domains. A partitioned server is most useful when the partitions are in different Domino domains. For example, using a partitioned server, you can dedicate different Domino domains to different customers or set up multiple Web sites. A partitioned server with partitions all in the same Domino domain often uses more computer resources and disk space than a single server that runs multiple services.

When making the decision to use partitioned servers, remember that it is easier to administer a single server than it is to administer multiple partitions. However, if your goal is to isolate certain server functions on the network (for example, to isolate the messaging hub from the replication hub or isolate work groups for resource and activity logging), you might be willing to take on the additional administrative work. In addition, running a partitioned server on a multiprocessor computer may improve performance, even when the partitions are in the same domain, because the computer simultaneously runs certain processes.

To give Notes users access to a Domino server where they can create and run Domino applications, use a partitioned server. However, to provide customers with Internet access to a specific set of Domino applications, set up an xSP server environment. For more information about using Domino in an xSP environment, see the chapter "Planning the Service Provider Environment."

Deciding how many partitions to have

How many partitions you can install without noticeably diminishing performance depends on the power of the computer and the operating system the computer uses. For optimal performance, partition multiprocessor computers that have at least one, and preferably two, processors for each partition that you install on the computer.

Certifier IDs and certificates

Certifier IDs and certificates form the basis of Domino security. To place servers and users correctly within your organization's hierarchical name scheme, you create a certifier ID for each branch on the name tree. You use the certifiers during server and user registration to stamp each server ID and user ID with a certificate that defines where each belongs in the organization. Servers and users who belong to the same name tree can communicate with each other; servers and users who belong to different name trees need a cross-certificate to communicate with each other.

Note: You can register servers and users without stamping each server ID and user ID if you have migrated the certifier to a Domino server-based certification authority (CA). For more information about server-based CAs, see the chapter "Setting Up a Domino Server-based Certification Authority."

Each time you create a certifier ID, Domino creates a certifier ID file and a Certifier document. The ID file contains the ID that you use to register servers and users. The Certifier document serves as a record of the certifier ID and stores, among other things, its hierarchical name, the name of the certifier ID that issued it, and the names of certificates associated with it. There are two types of certifier IDs: organization and organizational unit.

Organization certifier ID

The organization certifier appears at the top of the name tree and is usually the name of the company (for example, Acme). During first server setup, the Server Setup program creates the organization certifier and stores the organization certifier ID file in the Domino data directory, giving it the name CERT.ID. During first server setup, this organization certifier ID automatically certifies the first Domino server ID and the administrator's user ID.

If your company is large and decentralized, you might want to use the Domino Administrator after server setup to create a second organization certifier ID to allow for further name differentiation (for example, to differentiate between company subsidiaries). For more information on working with multiple organizations, see the topic "Domino domains" earlier in this chapter.

Organizational unit certifier IDs

The organizational unit certifiers are at all the branches of the tree and usually represent geographical or departmental names (for example, East/Acme or Sales/East/Acme). If you choose to, you can create a first-level organizational unit certifier ID during server setup, with the result that the server ID and administrator's user ID are stamped with the organizational unit certifier rather than with the organization certifier. If you choose not to create this organizational unit certifier during server setup, you can always use the Domino Administrator to do it later; just remember to recertify the server ID and administrator's user ID.

For information on recertifying user IDs, see the chapter "Setting Up and Managing Notes Users." For information on recertifying server IDs, see the chapter "Maintaining Domino Servers."

You can create up to four levels of organizational unit certifiers. To create first-level organizational unit certifier IDs, you use the organization certifier ID. To create second-level organizational unit certifier IDs, you use the first-level organizational unit certifier IDs, and so on.

Using organizational unit certifier IDs, you can decentralize certification by distributing individual certifier IDs to administrators who manage users and servers in specific branches of the company. For example, the Acme company has two administrators. One administers servers and users in West/Acme and has access to only the West/Acme certifier ID, and the other administers servers and users in East/Acme and has access to only the East/Acme certifier ID.

Certifier security

By default, the Server Setup program stores the certifier ID file in the directory you specify as the Domino data directory. When you use the Domino Administrator to create an additional organization certifier ID or organizational unit certifier ID, you specify where you want the ID stored. To ensure security, store certifiers in a secure location such as a disk locked in a secure area.

User ID recovery

To provide ID and password recovery for Notes users, you need to set up recovery information for each certifier ID. Before you can recover user ID files, you need access to the certifier ID file to specify the recovery information, and the user ID files themselves must be made recoverable. There are three ways to do this:

- At user registration, create the ID file with a certifier ID that contains recovery information.
- Export recovery information from the certifier ID file and have the user accept it.
- (Only for servers using the server-based certification authority) Add recovery information to the certifier. Then, when existing users authenticate to their home server, their IDs are automatically updated.

For more information, see the chapter "Protecting and Managing Notes IDs."

Example of how certifier IDs mirror the hierarchical name scheme

To implement their hierarchical name scheme, the Acme company created a certifier ID at each branch of the hierarchical name tree:

[Figure: the Acme hierarchical name tree, with a key labeled "Certifier ID Names". Acme is at the top; West and East are below it; HR, Accounting, and IS are under West; Sales, Marketing, and Development are under East.]

To register each server and user, Acme does the following:

- Creates /Acme as the organization certifier ID during first server setup.
- Uses the /Acme certifier ID to create the /East/Acme and /West/Acme certifier IDs.
- Uses the /East/Acme certifier ID to register servers and users in the East coast offices and uses the /West/Acme certifier ID to register servers and users in the West coast offices.
- Uses the /East/Acme certifier ID to create the /Sales/East/Acme, /Marketing/East/Acme, and /Development/East/Acme certifier IDs.
- Uses the /West/Acme certifier ID to create the /HR/West/Acme, /Accounting/West/Acme, and IS/West/Acme certifier IDs.
- Uses the /Sales/East/Acme, /Sales/Marketing/Acme, and Development/East/Acme certifier IDs to register users and servers in the East coast division.
- Uses the /HR/West/Acme, /Accounting/West/Acme, and IS/West/Acme certifier IDs to register users and servers in the West coast division.
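The Acme scheme above, worked through as an added example (not part of the Domino documentation or product): it derives the chain of certifier IDs behind a hierarchical name and lists which names fall under a given certifier, which is the scope an administrator gains by holding that ID file. The function names and the sample user and server names are assumptions made for illustration; names are compared exactly as written.

```python
# Added illustration (not Domino code): certifier chains for hierarchical names.
MAX_OU_LEVELS = 4  # the page: up to four levels of organizational unit certifiers


def split_name(name):
    """'Jane Doe/Sales/East/Acme' -> ('Jane Doe', ['Sales', 'East'], 'Acme')."""
    parts = [p.strip() for p in name.split("/")]
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a hierarchical name: {name!r}")
    common, ous, org = parts[0], parts[1:-1], parts[-1]
    if len(ous) > MAX_OU_LEVELS:
        raise ValueError(f"{name!r} has {len(ous)} organizational units; maximum is {MAX_OU_LEVELS}")
    return common, ous, org


def certifier_chain(name):
    """Certifier IDs from the organization down to the one that stamps this ID."""
    _, ous, org = split_name(name)
    chain = ["/" + org]
    for ou in reversed(ous):  # organizational units are written most specific first
        chain.append("/" + ou + chain[-1])
    return chain


def issuing_certifier(name):
    """The certifier ID an administrator must hold to register this name."""
    return certifier_chain(name)[-1]


def reach(held_certifier, names):
    """Names in the branch under a certifier: what its holder could register,
    directly or by first creating lower-level organizational unit certifiers."""
    return [n for n in names if held_certifier in certifier_chain(n)]


# Constructed sample names that follow the Acme scheme on this page.
NAMES = [
    "Hub01/Acme",
    "Mail01/East/Acme",
    "Jane Doe/Sales/East/Acme",
    "Raj Patel/HR/West/Acme",
]

if __name__ == "__main__":
    for n in NAMES:
        print(f"{n:28} stamped by {issuing_certifier(n):18} chain {certifier_chain(n)}")
    for cert in ("/Acme", "/East/Acme", "/West/Acme"):
        print(f"holder of {cert:12} reaches {reach(cert, NAMES)}")
```

The holder of /Acme reaches every name in the list, while the holder of /West/Acme reaches only the West branch, which is the reason to distribute organizational unit certifiers rather than the organization certifier.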


For more information on hierarchical name schemes, see the topic "Hierarchical naming for users and servers" earlier in this chapter.

Domino server services

Before you start the Server Setup program, decide which services and tasks to set up on the server. If you don't select the services during the setup program, you can later enable them by editing the ServerTasks setting in the NOTES.INI file or by starting the server task from the server console.

Internet services

The Domino Server Setup program presents these selections for Internet services:

- Web Browsers (HTTP Web services)
- Internet Mail Clients (SMTP, POP3, and IMAP mail services)
- Directory services (LDAP)

Advanced Domino services

These Domino services, which are necessary for the proper operation of the Domino infrastructure, are enabled by default when you set up a Domino server:

- Database Replicator
- Mail Router
- Agent Manager
- Administration Process
- Calendar Connector
- Schedule Manager
- DOLS (Domino Off-Line Services)
- DIIOP CORBA Services
- DECS (Domino Enterprise Connection Services)
- Billing
- HTTP Server
- IMAP Server
- ISpy
- LDAP Server
- POP3 Server

These are optional advanced Domino server services that you can enable:

- Remote Debug Server
- SMTP Server
- Stats
- Statistic Collector
- Web Retriever

Note It is best to use activity logging instead of the billing service. For more information on activity logging, see the chapter "Planning the Service Provider Environment."

Table of Domino naming requirements

Consider these guidelines when naming parts of the Domino system.

Name | Characters | Tips
Domino domain | 31 maximum | This is usually the same as the organization name. Use a single word, made up of only alpha (A-Z) or numeric (0-9) characters.
Notes named network | 31 maximum | By default, the Server Setup program assigns names in the format "port name network", for example, TCP/IP network. Edit Notes named network names to use an identifier such as the location of the Notes named network and the network protocol, for example, TCPIP-Boston.
Organization | 3-64 maximum* | This name is typically the same as the Domino domain name. The organization name is the name of the certifier ID and is appended to all user and server names.
Organizational unit | 32 maximum* | There can be up to four levels of organizational units.
Server | 79 maximum | Choose a name you want to keep. If you change a server name, you must recertify the server ID. Choose a name that meets your network's requirements for unique naming. On TCP/IP, use only the characters 0 through 9, A through Z, and - (dash), and do not use spaces or underscores. On NetBIOS, the first 15 characters must be unique. On SPX, the first 47 characters must be unique. Keep in mind that Domino performs replication and mail routing on servers named with numbers before it does those tasks on servers named with alphabetic characters.
User | 79 maximum* | Use a first and last name. A middle name is allowed, but usually not needed.
Alternate user | No minimum | Can have only one alternate name.
Group | 62 maximum | Use any of these characters: A - Z, 0 - 9, & - . _ ' / (ampersand, dash, period, space, underscore, apostrophe, and forward slash). For mail routing, you can nest up to five levels of groups. For all other purposes, you can nest up to six levels of groups.
Port | No maximum | Do not include spaces.
Country code | 0 or 2 | Optional.

* This name may include alpha characters (A - Z), numbers (0 - 9), and the ampersand (&), dash (-), period (.), space ( ), and underscore (_).

For more information on network name requirements and the effect that server name format has on network name-to-address resolution, see the chapter "Setting Up the Domino Network."
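The table above, turned into a pre-registration check as an added example (it is not a Domino tool): each planned name is tested against the length and character limits the table gives for its kind. The rule keys, function names, and sample names are assumptions for illustration; lowercase letters are accepted alongside A-Z, and a minimum length is enforced only where the table states one.

```python
import re

# Added illustration: the limits below are transcribed from the table above.
STAR = r"A-Za-z0-9&\-. _"  # footnote (*) set: letters, digits, & - . space _
RULES = {
    # kind: (min length, max length or None, regex for a disallowed character or None)
    "domain":        (0, 31, re.compile(r"[^A-Za-z0-9]")),   # single word, alphanumeric
    "named_network": (0, 31, None),
    "organization":  (3, 64, re.compile(f"[^{STAR}]")),
    "org_unit":      (0, 32, re.compile(f"[^{STAR}]")),
    "server_tcpip":  (0, 79, re.compile(r"[^A-Za-z0-9\-]")),  # no spaces or underscores
    "user":          (0, 79, re.compile(f"[^{STAR}]")),
    "group":         (0, 62, re.compile(f"[^{STAR}'/]")),
    "port":          (0, None, re.compile(r" ")),             # no maximum, no spaces
    "country_code":  (0, 2, None),                            # 0 or 2 characters
}


def check(kind, value):
    """Return a list of problems; an empty list means the name fits the table."""
    lo, hi, bad = RULES[kind]
    problems = []
    if len(value) < lo:
        problems.append(f"shorter than {lo} characters")
    if hi is not None and len(value) > hi:
        problems.append(f"longer than {hi} characters")
    if kind == "country_code" and len(value) == 1:
        problems.append("must be 0 or 2 characters")
    if bad is not None:
        found = sorted(set(bad.findall(value)))
        if found:
            problems.append("characters not allowed: " + " ".join(repr(c) for c in found))
    return problems


def audit(planned):
    """planned: iterable of (kind, value). Returns {(kind, value): problems} for failures."""
    return {(k, v): p for k, v in planned if (p := check(k, v))}


# Constructed naming plan, mixing valid and invalid entries.
PLAN = [
    ("domain", "Acme"),
    ("domain", "Acme Corp"),
    ("organization", "AB"),
    ("org_unit", "East"),
    ("server_tcpip", "mail_01 east"),
    ("server_tcpip", "Mail-01"),
    ("group", "Sales & Marketing/East"),
    ("country_code", "U"),
    ("port", "TCP IP"),
]

if __name__ == "__main__":
    for (kind, value), problems in audit(PLAN).items():
        print(f"{kind:13} {value!r:16} -> {'; '.join(problems)}")
```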


Building the Domino environment

After installing the first Domino server and any additional servers, you configure the servers and build the environment. This overview lists the features that you may want to include in your Domino environment.

1. Create Connection documents for server communication.
2. If you have mobile users, set up modems, dialup support, and RAS.
3. Set up mail routing.
4. Establish a replication schedule.
5. Configure incoming and outgoing Internet mail (SMTP).
6. Customize the Administration Process for your organization.
7. Plan and create policies before you register users and groups.
8. Register users and groups.
9. Determine backup and maintenance plans and consider transaction logging.
10. Consider remote server administration from the Domino console or Web Administrator console. Also consider the use of an extended administration server.
11. Set up a mobile directory catalog on Notes clients to give Notes users local access to a corporate-wide directory.
12. Consider implementing clustering on servers.

For information about clustering, see the book Administering Domino Clusters.


Chapter 2 Setting Up the Domino Network

This chapter describes planning concepts and presents protocol-specific procedures required to run Domino on a network. The chapter describes using network protocols from a Domino perspective and does not provide general network information.

Lotus Domino and networks

A variety of client systems can use wireless technology or modems to communicate with Domino servers over local area networks (LANs), wide area networks (WANs), and metropolitan area networks (MANs). To govern how computers share information over a network, they use one or more protocols, which are sets of rules. For example, Notes workstations and Domino servers use the Notes remote procedure call (NRPC) protocol running over the LAN's network protocol to communicate with other Domino servers. Other client systems, such as Web browsers, Internet mail clients, wireless application protocol (WAP) devices, and personal information management (PIM) devices, can also communicate with Domino servers.

Isolated LANs can be connected by WANs. A WAN is either a continuous connection, such as a frame-relay, leased telephone line, or digital subscriber line (DSL), or a dialup connection over a modem or Integrated Services Digital Network (ISDN) line. Dialup connections are either to an individual server or to a LAN (through a provider network or your company's own communications server).

Buildings or sites that are geographically close to each other can use a MAN, which is a continuous, high-speed connection that can connect corporate LANs or connect a LAN to the WAN. Like a WAN, a MAN is usually shared by multiple organizations.

Wireless technology that works with Domino ranges from localized transmission systems (802.11a or 802.11b) to national or international satellite transmission systems that are geostationary, mid-orbit, or tracked orbit.


If you are planning a network for geographically dispersed locations, consider how to achieve a cost-effective infrastructure. Placing servers in one location requires that users in other locations access the Domino server across WAN connections, which can be slow and expensive. Placing servers in every location and replicating databases to make the same information available on several LANs requires attention to administration at each location. One effective way to set up a network is to use a hub server at each location to handle communication with hub servers in other locations. Then, only the hub servers, not every server in the network, use WAN connections. The functionality of Notes workstations and Domino servers depends on the effectiveness and capacity of networks. To plan a Domino network with sufficient capacity, you must consider not only the traffic to and from Domino servers but also any other traffic on the network.

NRPC communication

Domino servers offer many different services. The foundation for communication between Notes workstations and Domino servers or between two Domino servers is the Notes remote procedure call (NRPC) service.

Network protocols for NRPC communication

To communicate, two computers must run the same network protocol and software driver. For dialup connections, Lotus Domino uses its own X.PC protocol natively; Notes and Domino also support PPP using either Microsoft Dialup Networking (DUN) or Remote Access Service (RAS) for network dialup. In addition, you can use any IETF-compliant PPP communications server to dial into the network on which the Domino server resides or through which the server can be accessed. For more information on dialup connections, see the chapter "Setting Up Server-to-Server Connections."

On LANs, Lotus Domino is compatible with the TCP/IP and IPX/SPX protocol suites, as well as NetBIOS over the lower transports IP, IPX, and NetBEUI. For NetBIOS connections to work, both Notes workstations and Domino servers must use the same lower transport. For detailed information on which protocols are compatible with Lotus Domino for each supported operating system, see the Release Notes.

Notes network ports

During the Server Setup program, Domino provides a list of Notes network ports based on the current operating system configuration. If these ports are not the ones you want to enable for use with the Domino server, you can edit the list during setup.


Because each network protocol consumes memory and processing resources, you might want to exclude one or more ports and later remove the associated protocol software from the system. In TCP/IP and NetBIOS, you can install multiple network interface cards (NICs) and enable additional Notes network ports for each protocol, using the NOTES.INI file to bind each port to a separate IP address or NetBIOS LANA number. For more information, see the topic "Adding a network port on a server" later in this chapter.

Notes named networks

Consider Notes named networks in your planning. A Notes named network (NNN) is a group of servers that can connect to each other directly through a common LAN protocol and network pathway, for example, servers running on TCP/IP in one location. Servers on the same NNN route mail to one another automatically, whereas you need a Connection document to route mail between servers on different NNNs.

When you set up Server documents, be sure to assign each server to the correct NNN. Lotus Domino expects a continuous connection between servers that are in the same NNN, and serious delays in routing can occur if a server must dial up a remote LAN because the remote server is inadvertently placed within the NNN. Also bear in mind that the Notes Network field for each port can contain only one NNN name, and no two NNN names can be the same.

NNNs affect Notes users when they use the Open Database dialog box. When a user selects Other to display a list of servers, the servers displayed are those on the NNN of the user's home server for the port on which the Notes workstation communicates with the home server. Also, when users click on a database link or document link, if a server in their home server's NNN has a replica of that database, they can connect to the replica.
Note If a server is assigned to two NNNs in the same protocol, as in the case where the server has two Notes network ports for TCP/IP, a Notes workstation or Domino server connecting to that server uses the NNN for the port listed first in the Server document.


Resolving server names to network addresses in NRPC

Communications between Lotus Notes and Lotus Domino run over the NRPC protocol on top of each supported LAN protocol. When a Notes workstation or Domino server attempts to connect to a Domino server over a LAN, it uses a combination of the built-in Notes Name Service and the network protocol's name-resolver service to convert the name of the Domino server to a physical address on the network.

The Notes Name Service resolves Domino common names to their respective protocol-specific names. Because the Notes Name Service resolves common names by making calls to the Domino Directory, the service becomes available to the Notes workstation only after the workstation has successfully connected to its home (messaging) server for the first time. (The protocol name-resolver service normally makes the first connection possible.)

When the Notes workstation makes a subsequent attempt to connect to a Domino server, the Notes Name Service supplies it with the Domino server's protocol-specific name (that is, the name that the server is known by in the protocol's name service), which is stored in the protocol's Net Address field in the Server document. The protocol's name-resolver service then resolves the protocol-specific name to its protocol-specific address, and the workstation is able to connect to the server.

Note When resolving names of Domino servers that offer Internet services, Lotus Notes uses the protocol's name-resolver service directly.

How name resolution works in NRPC

A Notes workstation or Domino server follows these steps to resolve the name of the Domino server to which it is trying to connect over NRPC.

Note If the Net Address field in the Server document contains a physical address (a practice that is not recommended in a production environment), the Notes Name Service performs the resolve directly, thus placing the burden of maintaining physical address changes on the Domino administrator.

1. If the workstation/server has a Connection document for the destination server that contains the protocol-specific name, the workstation/server passes the protocol-specific name to the protocol's name-resolver service. If the Connection document contains a physical address, the Notes Name Service performs the resolve directly. Normal-priority Connection documents are checked first, and then low-priority Connection documents.
   Note Unlike in Server documents, adding physical addresses in Connection documents is not discouraged, since only the local workstation/server uses the Connection document.
2. To determine if the destination server's protocol-specific name is cached, the workstation checks the Location document and the server checks its own Server document. If the name is cached, the workstation/server uses the last-used Notes network port to determine the protocol and passes this value to the protocol's name-resolver service.
3. If the protocol-specific name is not cached, one of the following occurs, based on the list order of enabled Notes network ports:
   - For a Notes workstation connected to the home (messaging) server, Notes gives the common name of the destination Domino server to the home server, which looks in the Domino Directory for the Server document of the destination server. The home server locates the contents of the Net Address field for the Notes named network that the Notes workstation has in common with the destination server and passes this name to the protocol's name-resolver service. If the workstation and the destination server are in the same Domino domain but not in the same Notes named network, the home server locates the names of each protocol that the workstation has in common with the destination server and passes each to the appropriate protocol until a resolve is made. If the Notes workstation can't access its home server, it connects to its secondary Notes name server, which carries out the same actions as the home server.
   - For a Domino server, Domino checks the Server document for the destination server, locates the contents of the Net Address field for the Notes named network that the Domino server has in common with the destination server, and passes this name to the protocol's name-resolver service. If the destination server is in the same Domino domain as the Domino server, but not in the same Notes named network, the Domino server locates the protocol name of each protocol that it has in common with the destination server and passes each to the appropriate protocol until a resolve is made.
4. If Steps 1 through 3 do not produce the server's network address, the workstation/server offers the Domino common name of the destination server to the name-resolver service of each protocol, based on the order of the enabled network ports in the Server document.
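The four steps above as a simplified model, added here as an example (it is not Domino code and does not call any Domino API): it reports which source answered a lookup, which is what you need to know when a workstation or server reaches an unexpected address. All function names, data structures, the host name, and the addresses are assumptions; physical addresses are modeled as IP addresses only, and step 3 collapses the named-network and common-protocol cases into port order.

```python
import ipaddress


def is_physical(value):
    """True when a Net Address or Connection document holds an IP address, not a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resolve(dest, conn_docs, cache, net_addresses, ports, lookup):
    """Return (address, source) for dest, trying steps 1 to 4 in order.

    conn_docs      list of {"dest", "priority" ("normal"/"low"), "port", "address"}
    cache          {dest: (last_used_port, protocol_specific_name)}
    net_addresses  {dest: {port: Net Address field from the Server document}}
    ports          enabled Notes network ports, in list order
    lookup         callable(port, name) -> address or None (the protocol's resolver)
    """
    # Step 1: local Connection documents, normal priority before low priority.
    for priority in ("normal", "low"):
        for doc in conn_docs:
            if doc["dest"] != dest or doc["priority"] != priority:
                continue
            if is_physical(doc["address"]):
                return doc["address"], f"step 1: {priority} Connection document, physical address"
            addr = lookup(doc["port"], doc["address"])
            if addr:
                return addr, f"step 1: {priority} Connection document"
    # Step 2: cached protocol-specific name, resolved over the last-used port.
    if dest in cache:
        port, name = cache[dest]
        addr = lookup(port, name)
        if addr:
            return addr, "step 2: cached protocol-specific name"
    # Step 3: Net Address from the destination's Server document, in port order.
    for port in ports:
        name = net_addresses.get(dest, {}).get(port)
        if name:
            addr = name if is_physical(name) else lookup(port, name)
            if addr:
                return addr, "step 3: Server document Net Address"
    # Step 4: offer the Domino common name to each protocol's resolver.
    common = dest.split("/")[0]
    for port in ports:
        addr = lookup(port, common)
        if addr:
            return addr, "step 4: common name"
    return None, "unresolved"


# Constructed data: documentation-range addresses and a made-up host name.
NAME_SERVICE = {("TCPIP", "mail01.east.acme.example"): "192.0.2.10",
                ("TCPIP", "Mail01"): "192.0.2.10"}
DEST = "Mail01/East/Acme"
SERVER_DOC = {DEST: {"TCPIP": "mail01.east.acme.example"}}
STALE_DOC = [{"dest": DEST, "priority": "low", "port": "TCPIP", "address": "192.0.2.99"}]


def lookup(port, name):
    """Stand-in for the protocol's name-resolver service (for example, DNS)."""
    return NAME_SERVICE.get((port, name))


if __name__ == "__main__":
    print(resolve(DEST, STALE_DOC, {}, SERVER_DOC, ["TCPIP"], lookup))
    print(resolve(DEST, [], {}, SERVER_DOC, ["TCPIP"], lookup))
    print(resolve(DEST, [], {}, {}, ["TCPIP"], lookup))
```

In the first call a local Connection document holding an outdated physical address answers before the correct Server document is ever consulted, so local Connection documents are the first place to look when a connection goes to the wrong host.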


Network security

Physical network security is beyond the scope of this book, but you must set it up before you set up connection security. Physical network security prevents unauthorized users from breaking through the network and using one of the operating system's native services (for example, file sharing) to access the server. Physical network security also comes into play when any data is exposed, as the potential exists for malicious or unauthorized users to eavesdrop both on the network where the Domino system resides and on the system you are using to set up the server.

Network access is typically controlled using network hardware, such as filtering routers, firewalls, and proxy servers. Be sure to enable rules and connection pathways for the services that you and others will access.

Newer firewall systems offer virtual-private-network (VPN) services, which encapsulate the TCP/IP packet into another IP wrapper where the inner TCP/IP packet and its data are encrypted. This is a popular way to create virtual tunnels through the Internet between remote sites. If you want to have the Domino server access both a private VPN and the Internet for SMTP mail, make sure your solution is able to handle full TCP data packets and that it allows dual connections. If not, the Domino server system may require a second NIC to work around limitations of the VPN solution.

For more information, see the chapter "Controlling Access to Domino Servers."

NRPC and Internet connection security

To control connection access, you typically use a network hardware configuration, such as a firewall, reverse proxy, or Domino passthru server, to which you can authorize connections and define access to network resources.

In addition, you can encrypt all connections by service type. Encrypting connections protects data from access by malicious or unauthorized users. To prevent data from being compromised, encrypt all Domino and Notes services that connect to public networks or to networks over which you have no direct control. Encrypting the connection channel prevents unauthorized users from using a network protocol analyzer to read data.

To encrypt NRPC network traffic, use the Notes port encryption feature. For traffic over Internet protocols, use SSL. For both NRPC and Internet protocols, you can enforce encryption at the server for all inbound and outbound connections. In the case of the Notes client, you can also enforce encryption on all outbound connections, even if the server to which you are connecting allows unencrypted connections.


Because encryption adds additional load to the server, you may want to limit the services for which the server uses encryption. Other ways to minimize the load that encryption puts on the system include:

- Using an additional Domino server acting as a passthru server for NRPC connections
- Using a reverse proxy to manage authentication and encryption outside of Domino servers when using SSL
- Removing unnecessary or unused protocols or services on the server system as well as Domino server services

For more information, see the chapters "Installing and Setting Up Domino Servers" and "Setting Up SSL on a Domino Server."

Using a Domino passthru server as a proxy

A proxy is a system that understands the type of information transmitted (for example, NRPC or HTTP-format information) and controls the information flow between trusted and untrusted clients and servers. A proxy communicates on behalf of the requester and also communicates information back to the requester. A proxy can provide detailed logging information about the client requesting the information and the information that was transmitted. It can also cache information so requesters can quickly retrieve information again.

A proxy stops direct access from an untrusted network to services on a trusted network. If an application proxy is in use, then application-specific heuristics can be applied to look at the connections from the untrusted networks and determine if what is being requested is legal or safe.

An application proxy resides in the actual server application and acts as an intermediary that communicates on behalf of the requester. An application proxy works the same as a packet filter, except the application proxy delivers the packet to the destination. An application proxy can be used with any protocol, but it is designed to work with one application. For example, an SMTP proxy understands only SMTP.

A circuit-level proxy is similar to an application proxy, except that it does not need to understand the type of information being transmitted. For example, a SOCKS server can act as a circuit-level proxy. You can use a circuit-level proxy to communicate

