Gabriella Davis - [email protected]
IBM Lifetime Champion for Social Business
The Turtle Partnership
SETTING UP A HYBRID DOMINO ENVIRONMENT TO EASE YOUR WAY TO THE CLOUD
WHO AM I?
Admin of all things and especially quite complicated things where the fun is. Working with security, health checks, single sign on, design and deployment of IBM technologies and things that they talk to. Stubborn and relentless problem solver. Lives in London about half of the time. gabriella@turtlepartnership.com, twitter: gabturtle. Awarded the first IBM Lifetime Achievement Award for Collaboration Solutions.
THE GOAL
All users continue working together regardless of whether they are assigned to on premises or cloud servers
Applications hosted on on premises servers can be accessed by any user
Administration continues to be handled by corporate Domino administrators
All users have access to Notes, Verse, Traveler, Connections, Sametime
HYBRID RULES
You continue to create, manage and secure your own users and servers
IBM has no rights or access to change that
IBM creates, manages and secures its own servers
You have no rights to the IBM servers
You create your own SmartCloud users
IBM provisions your users into Smartcloud on request
You and IBM jointly manage your provisioned users, with IBM managing the server and mail file aspects and you managing everything else
ARCHITECTURE
HYBRID SERVER ROLES
Hybrid Servers are the “bridges” between the IBM owned and hosted Smartcloud servers and your own hosted and managed on premise servers
The IBM servers need to route mail from your SmartCloud users to your on premise users
Your on premise users need to lookup free/busytime information for your SmartCloud users
Everyone needs to use the same directory
DIRECTORY SERVER
Directory Server - synchronises directories into the SmartCloud
Multiple directories from multiple Domino domains can be synchronised
Directories can be used to provision users or purely for lookups
There can be up to two Directory servers in a failover (not clustered) configuration
Multiple servers must use identical file names / paths for directories
HUB SERVER
Hub servers are used for routing mail primarily between on premises Notes users and Smartcloud Notes users
Envision setting up a configuration where you want to route mail to another company running Domino, just that other company is IBM
Configuration options allow you to set all non SmartCloud mail to route via your Mail hub servers (more on that later)
Mail hub servers should not have any mail files on them
There can be up to two Hub servers in a failover (not clustered) environment
PASSTHRU SERVER
IBM SmartCloud always initiates the connection to your on premises servers
The SmartCloud servers never directly access your on premises primary (mail) domain(s)
Passthru servers ensure that you do not need to open a port from the public side (IBM SmartCloud) to your mail servers on premises
Passthru servers hold no data themselves but they authenticate requests for server access and route traffic
Passthru server ports can be encrypted so that all traffic routed through them is also encrypted
Architecture diagram (slide):
On premises Turtle domain: Mail Server1, Mail Server2, Mail Hub, Directory Server
Cloud domain: Smartcloud Server1, Smartcloud Server2
On premises Passthru domain: Passthru Server
Assigned servers in IBM Cloud are managed for you
Mail Hub Server: all mail between on premises and SmartCloud users routes through this server
Directory Server: synchronising directories (and populating users) in the SmartCloud
Smartcloud servers connect to the Mail Hub and Directory Servers via the Passthru
PLANNING - PASSTHRU
How many Passthru servers will you have?
Servers are connected to from the SmartCloud, they do not connect to the SmartCloud
They are connected to in a failover, not load balanced, configuration
Only if the first server fails to respond will the second server be tried
Passthru servers are single points of failure for the entire hybrid environment
PLANNING - MAIL ROUTING
Internal Users route internally via on premises servers
Smartcloud to On Premises routes via Passthru server(s) to Mail Hub
Smartcloud to extended directory users routes via Passthru to Mail Hub
On premises to Internet routes out via SMTP on internal network routing
Smartcloud to Internet routes directly out via IBM’s cloud servers by default
Customer SMTP routing is an optional alternative
PLANNING - HUB SERVERS
How many Hub servers will you have?
How much on premise to SmartCloud traffic do you expect to be routing?
Servers are connected to via the Passthru servers
Hub servers are routed to in a failover, not load balanced, configuration
Only if the first server fails to respond will the second server be tried
How will outbound mail route?
By default IBM routes outbound mail sent by service users out through its own servers
You can configure your IBM Cloud account to send outbound mail via your Mail Hub instead
You would do this if you want to control all organisational mail: content scanning, virus scanning and logging, for instance
DIRECTORY SYNCHRONISATION
There are two types of directories
Those that contain users to be provisioned to the SmartCloud service
Those that contain contacts that SmartCloud users might need to address mail to
What directories replicate to SmartCloud?
Directories containing SmartCloud users must be replicated
Directories containing on premises users must be replicated if smart cloud users are going to schedule meetings / work seamlessly with them
LDAP directories cannot be referenced or used in Smartcloud environments
DOMAINS
The Passthru server should be in its own domain
A domain is separate from an organisational certifier
Servers can be in different domains but have the same certifier
IBM SmartCloud servers must share a root certificate with the on premises servers
No cross certification is available
Having a server in its own domain minimises the risk of exposing internal configuration details and provides a layer of “opt in” security
CREATING AN OU CERTIFIER
The SmartCloud servers will be created by the IBM Smartcloud service and named automatically
They will use an OU certifier you create that must be separate from any other used in your organisation
That OU must be a child of your organisational certifier so it shares a trusted root with all other servers
The server certifier used for the Smartcloud server must be a downstream OU, not a different O
It can’t be changed so if your Organisational certifier needs to change at any point you need to consider that
The ID can have a password but only one
The OU name must be at least 3 characters long
UNIQUENESS
Your Organisational certifier will be verified for uniqueness within the SmartCloud service
Your top level certifier name must be unique within Smartcloud.
If there’s another “Turtle” out there then I have to use a different certifier for my SmartCloud and passthru servers.
BEFORE STARTING
STEP 1: BUILD YOUR PASSTHRU SERVER
Build your Passthru server(s) in its own domain
This is a standard Domino server build where the setup is as “first server” in a new domain
This will allow us to create a new domain for our Passthru server
This is what my Passthru server will be called
DO NOT CREATE A NEW CERTIFIER ON THIS PAGE
We must use an existing certifier already created that either has the same, or shares a trusted root with, our other on premises servers
VERIFYING THE PASSTHRU SERVER
Once the Passthru is created, go to Actions - Edit Directory Profile in its names.nsf and verify the Domain of your Passthru server is entered correctly
SmartCloud setup will ask for this and verify it
STEP 2: BUILD YOUR HUB SERVERS
Hub servers are Domino servers that should be configured to be inside your mail routing Domino domain
There can be up to two hub servers assigned for use by IBM SmartCloud and you can add a second one later if you need to
Hub servers should contain nothing but the contents of your Domino directory for routing
No mail files should be on your hub servers
No tasks other than Adminp, Updall, Replica and Router need to be running
STEP 3: BUILD YOUR DIRECTORY SERVERS
Build your Passthru server(s) in its own domain
This is a standard Domino server build
Build your mail hub and directory server(s) within your existing internal domain
Replicate the directories you want to use in the cloud to the directory server(s)
Create the OU certifier to be used by the SmartCloud servers
CONFIGURATION
SETTING UP YOUR HYBRID CONFIGURATION
Order a subscription to IBM’s SmartCloud for as many users as you need provisioned into the cloud
Login to https://apps.na.collabserv.com using whatever administrative account you registered the subscription with
Choose “Admin” then “Manage Organization”
Select IBM SmartCloud Notes to set up mail. If it isn’t available you probably have the wrong subscription.
Tick the checkbox for “Hybrid Environment”, then click on “Set Up My Account”.
This is our starting point. We have configured nothing.
We can keep coming back to this point to check what needs to be done next.
Configuring the Directory Sync Servers
We can add multiple Domino directories to use
They don’t need to be configured as directories on the Directory sync server
Each directory can have a failover server but this doesn’t use Domino clustering to failover
Configuring how mail will route: enter the Domino server name of the hub server and the on premise Domino domain
The SmartCloud servers that will be created for you will use this base name + # + OU, e.g.
TurtleMail1/TTL/Turtle
TurtleMail2/TTL/Cloud
“Cloud” is the OU I set up to be used by the cloud servers
Configuring the passthru server(s): enter the public FQHN for the passthru server, e.g. ptserver.turtlehost.net
Upload the dedicated OU certifier and submit its password so Smartcloud can use it
Once all the steps are complete click on the pre-configuration tool, which downloads an NSF called liveservercheck.nsf
Open liveservercheck.nsf in Domino Administrator. Make sure you can connect to all servers with Admin rights
Once all the tests are successful you can Enable the Smartcloud Notes account
Once the account is enabled the menu item for the Domino Configuration Tool will appear
The Domino Configuration Tool downloads liveserverconfig.nsf, which you should open through Domino Administrator
For each domain in your Global Domain Document a unique key will be created that you must use to create a CNAME DNS entry
Once all the configuration pieces are complete the SmartCloud Notes account can be activated
Once your Smartcloud account is activated these management menu options appear
MANAGEMENT
PROVISIONING USERS
Register users and their IDs in your own domain as you would an on premise user
A temporary, unused, mail file is created for the user during registration on the on premises server
The SmartCloud servers connect to your Directory Servers to replicate the directory(ies) you have defined as containing service accounts
You can configure multiple directories to be populated into Smartcloud
Specifying “do not provision from this directory” prevents the Smartcloud server creating user accounts from person documents
Once the directories are in place you can provision users into the cloud
A new mail file is created on the SmartCloud servers and their person document updated
Screenshots (slides): users who are synchronised and ready to be provisioned; all users; search and find a user to provision; default mail template; provisioned user; management options.
The ID is automatically uploaded from the on premises ID Vault
REPLICATION OF DIRECTORY
Pull
Person documents not including mail server and mail file name
Policies (not including organisational policies)
Groups
Rooms and Resources
Push
Mail file, server and SaasIdentityID fields in person documents (the last representing the Connections cloud account)
Specific server groups used by Smartcloud
ID Vault information for the Smartcloud vault
DUPLICATE NAMES
Domino directory takes priority over Extended Catalog
First person entry is the one used
Public key checking won’t work
RESERVED GROUPS AND ALL ENTRIES
Directory Synchronisation servers - Manager access including delete rights
Server Group “LLNServers” - Editor rights with roles [UserModifier] [GroupCreator] [GroupModifier]
LLNMailHubs is reserved for Smartcloud
Certifiers_ or SAAS are group prefixes used by Smartcloud
Server Group “SaaSLocalDomainServers” - Manager with delete rights
Wildcard naming in group names isn’t supported, e.g. */Turtle
POLICIES
On premise Domino administrators can use policies to manage both on premise and SmartCloud users
Policies in a synchronised directory are applied to SmartCloud users
Only explicit policies are recognised, organisational ones are ignored
Policy names should be unique across all directories
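The duplicate-name, reserved-group and policy rules above lend themselves to a pre-sync check. This added example (not from the slides or from IBM) applies those three rules to constructed sample directory data; the dict layout and the reading of “wildcard group names” as member entries such as */Turtle are assumptions.

```python
# Added example: lint directories before they are synchronised to SmartCloud.
# Rules modelled: first person entry wins (Domino directory before Extended
# Catalog) and duplicates disable public key checking; wildcard group entries
# such as */Turtle are unsupported; policy names must be unique everywhere.
from collections import OrderedDict

def merge_persons(directories):
    """directories: list of {'name', 'persons', 'policies'} dicts in
    priority order (Domino directory first, then Extended Catalog).
    Returns (winners, conflicts): winners maps each person name to the
    directory whose entry SmartCloud will use; conflicts lists names that
    appear more than once and should be resolved before provisioning."""
    winners = OrderedDict()
    conflicts = []
    for d in directories:
        for person in d["persons"]:
            if person in winners:
                if person not in conflicts:
                    conflicts.append(person)
            else:
                winners[person] = d["name"]
    return winners, conflicts

def unsupported_groups(groups):
    """Return names of groups containing a wildcard member like */Turtle
    (assumption: the slide's rule refers to member entries)."""
    return [g for g, members in groups.items()
            if any(m.startswith("*/") for m in members)]

def duplicate_policies(directories):
    """Policy names must be unique across all synchronised directories."""
    seen, dups = set(), []
    for d in directories:
        for p in d["policies"]:
            if p in seen and p not in dups:
                dups.append(p)
            seen.add(p)
    return dups

# Constructed sample data; names are invented for illustration.
SAMPLE_DIRECTORIES = [
    {"name": "names.nsf", "persons": ["Gab Davis/Turtle", "Ann Lee/Turtle"],
     "policies": ["MailPolicy", "TravelerPolicy"]},
    {"name": "extcat.nsf", "persons": ["Ann Lee/Turtle", "Bob Ray/Partner"],
     "policies": ["MailPolicy"]},
]
SAMPLE_GROUPS = {"AllTurtle": ["*/Turtle"],
                 "HubAdmins": ["Gab Davis/Turtle"]}
```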
CUSTOMISATION
OPTIONS FOR NOTES SMARTCLOUD
EMAIL MANAGEMENT
EMAIL FILTERS
IMAP
JOURNALING
INTEGRATION SERVER / FTP
Used to download logs and journaling via a SmartCloud FTP account
Create a new administration user account or use an existing one
Send an email to [email protected] asking for Integration Server rights to be set up and for which accounts
https://www.ibm.com/support/knowledgecenter/en/SSPS94/hybrid/topics/llis_enablingllis_t.html#llis_enablingllis_t
This may not work, in which case secure HTTP is available
MAIL TEMPLATES
Selecting Mail Templates
Uploading custom templates
Field extensions forms9_x.ntf
INSTANT MESSAGING
INBOUND MAIL ROUTING
NAME FINDER
SECURITY
ON PREMISES OPEN PORTS
Inbound
NRPC 1352 for access to the Passthru servers
NRPC 1352 for service users to access on premises server applications (via VPN or public via Passthru)
SMTP (25) if you have configured Smartcloud to route all outbound mail via on premises servers
Outbound
NRPC 1352 for Notes client to access SmartCloud servers
HTTPS 443 for Traveler, Connections
Instant Messaging 1533
SUPPORTED LOGINS
Notes ID - Notes client access
SmartCloud Service Account - iNotes, Verse, Traveler, Sametime
Federated SAML Login - iNotes, Verse, Traveler for Android only
Application Passwords - Traveler, Sametime
USER LOGINS
ID Vault
Syncing ID passwords when service passwords are changed
Password settings can be controlled by a security policy that applies to SmartCloud assigned users
PASSWORD MANAGEMENT
FEDERATED LOGINS
SmartCloud Notes supports SAML Federation
You must configure SAML in your on premises environment first then contact customer services to provide them the information for the Smartcloud servers
If SAML is enabled then service login passwords are no longer used and application passwords must be used instead
APPLICATION PASSWORDS
Application Passwords vs Service Passwords
Application passwords are 16 characters long and generated automatically on user request
They are shown to the user once
Users can generate new ones or disable the existing one
Restricting access to the service to an IP range will most likely prevent Traveler or mobile applications from working unless an application password is used
SUMMARY
Hybrid Cloud does not require you to make any changes to your existing on premises servers or users
You add a new layer of passthru, directory and routing servers specifically to talk to the SmartCloud servers
You can still register your users and have policies that apply to them
You can move as many or as few users onto SmartCloud servers as you want
Your on premises users should not be able to tell if someone is being managed by a SmartCloud server or an on premises server and vice versa
You can continue to manage all mail routing through your on premises servers if you wish
Hybrid gives you the ability to evaluate SmartCloud as a solution for your mail users whilst retaining your on premises servers for applications
QUESTIONS?
Gab Davis
http://turtleblog.info
twitter: gabturtle
skype: gabrielladavis
mailto:[email protected]