Subject: Using a reverse proxy for iNotes access
It’s definitely time for the whole secure iNotes topic to be properly covered by an IBM Redbook again. Technologies and products have moved on since the last good coverage, in the 2004 Lotus Security Handbook: http://www.redbooks.ibm.com/abstracts/SG247017.html
That redbook is 4 years old, but the later revisions of it don’t have as much detail on the reverse proxy principles. Basically, if you want good security for your iNotes implementation, then you should use a reverse proxy of some sort in your DMZ. The redbook covers that in some detail in Chapters 5, 13 and 14.
The proxy ensures that there’s no direct path from the Internet to your internal network, and (if you implement advanced authentication) that client sessions are authenticated before being allowed to hit your back-end servers. You need to think carefully about whether you do want to authenticate users at the proxy level, and against what directory. Technologies to do this (e.g. Tivoli Access Manager) can be expensive and complex.
In addition, you may want to have some kind of SSO, so that users don’t have to authenticate once with the proxy and then again with Domino. To accomplish that, one solution is to use IBM’s offering for the proxy piece (Websphere Edge Components, or whatever it’s called today) so that LTPA tokens for authenticated users can be passed back to your production Domino servers. That also allows you to have SSO across other IBM products (Websphere, Quickr, Connections, etc.)
An alternative approach, if you already have some infrastructure for web-based authentication (or an SSL VPN) is to hook into that, maybe authenticating users against Active Directory, an LDAP server, or via something like RSA SecurID. In those instances, you need to plan a mechanism to identify the authenticated user to Domino and have Domino trust that identification. Typically, you will need to include the user’s LDAP or Active Directory name as a synonym in the Domino Directory.
Then there’s SSL and load-balancing. If you’re putting in the effort to properly authenticate users, you really should encrypt their mail in transit across the Internet. With a proxy approach, your SSL server certificates should probably be installed on the proxy device(s) so that the proxies can work with the client’s decrypted requests.
If you want high availability, then you will also want to add a pair of load-balancers to the mix (in front of the proxies). The SSL tunnel would now terminate at the load balancers. You’ll probably want the load balancers to be “sticky” based on IP blocks, so that requests from the same client in the same session always hit the same proxy so long as it’s available.
Lastly, you will probably also want to use the Domino Web Access Redirect template to automatically redirect users to their home server and mail file after they have authenticated.
Because requirements, budgets and existing infrastructure vary greatly, you may choose to implement just some or all of these elements in your approach.
Hope that helps you get started,
Rupert Clayton
Chicago
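An added example, not code from the post above or from IBM, of the two pieces the post describes for SSO between the DMZ proxy and Domino: mapping the name the proxy authenticated (an LDAP/AD distinguished name held as a synonym in the Domino Directory) onto a Domino user, and passing that identity to Domino as an LtpaToken cookie that Domino validates with the shared LTPA secret. It follows the publicly documented Domino LtpaToken (version 1) layout; the secret, the directory entries and the names are constructed for the example, and the `sso_flow` driver simulates the proxy's authentication step rather than talking to a real directory. Check the token layout against your own servers before relying on it.

```python
"""Domino-style LtpaToken SSO between a DMZ reverse proxy and back-end Domino.

Added example, not code from the original post or from IBM. It follows the
publicly documented Domino LtpaToken (version 1) layout:
  4-byte header 00 01 02 03 | creation time, 8 hex chars | expiry time,
  8 hex chars | user name | SHA-1(header + creation + expiry + user + secret)
where `secret` is the base64-decoded LTPA_DominoSecret shared by every server
in the SSO configuration. Secret, directory entries and names are constructed.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional

LTPA_HEADER = b"\x00\x01\x02\x03"
DIGEST_LEN = 20  # SHA-1 digest length in bytes

# Constructed shared secret as it would appear (base64) in the Web SSO
# configuration document; proxy and Domino servers must hold the same value.
LTPA_DOMINO_SECRET = base64.b64encode(b"example-shared-secret-16").decode()

# Constructed Domino Directory extract: each person's FullName field holds the
# Domino canonical name first and the LDAP/AD distinguished name as a synonym,
# which is how the post says a proxy-authenticated identity is mapped to Domino.
DOMINO_DIRECTORY = {
    "CN=Jane Doe/O=Acme": ["CN=Jane Doe/O=Acme",
                           "CN=jdoe,OU=Users,DC=acme,DC=example"],
    "CN=Bob Smith/O=Acme": ["CN=Bob Smith/O=Acme",
                            "CN=bsmith,OU=Users,DC=acme,DC=example"],
}


def domino_name_for(ldap_dn: str) -> Optional[str]:
    """Resolve a name authenticated at the proxy to the Domino canonical name."""
    for canonical, names in DOMINO_DIRECTORY.items():
        if ldap_dn in names:
            return canonical
    return None


def mint_ltpa(domino_user: str, secret_b64: str, now: Optional[int] = None,
              lifetime: int = 30 * 60) -> str:
    """Build an LtpaToken cookie value for a user the proxy has authenticated."""
    now = int(time.time()) if now is None else now
    body = (LTPA_HEADER + f"{now:08X}".encode() + f"{now + lifetime:08X}".encode()
            + domino_user.encode("ascii"))
    digest = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    return base64.b64encode(body + digest).decode()


def verify_ltpa(token: str, secret_b64: str, now: Optional[int] = None) -> Optional[str]:
    """Validate a presented token the way the back end must; None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < len(LTPA_HEADER) + 16 + DIGEST_LEN or raw[:4] != LTPA_HEADER:
        return None
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    expected = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    if not hmac.compare_digest(digest, expected):
        return None  # forged, tampered, or signed with a different secret
    try:
        expires = int(body[12:20], 16)
    except ValueError:
        return None
    if now >= expires:
        return None  # expired: the proxy must re-authenticate the user
    return body[20:].decode("ascii")


def sso_flow(ldap_dn: str, now: int) -> Optional[str]:
    """End to end: the proxy has authenticated `ldap_dn` (simulated), maps it to
    a Domino name and mints the cookie; Domino validates the cookie and returns
    the user it will treat the session as."""
    domino_user = domino_name_for(ldap_dn)
    if domino_user is None:
        return None  # authenticated at the proxy but unknown to Domino: no session
    cookie = mint_ltpa(domino_user, LTPA_DOMINO_SECRET, now=now)
    return verify_ltpa(cookie, LTPA_DOMINO_SECRET, now=now)


if __name__ == "__main__":
    print(sso_flow("CN=jdoe,OU=Users,DC=acme,DC=example", int(time.time())))
```

The points a practitioner should take from this are that Domino accepts the identity only because the token is signed with the shared secret and has not expired, so the secret must reach the proxy over a trusted channel and never be left in a config file readable by the web tier's unprivileged processes; and that a user the proxy can authenticate but who has no synonym in the Domino Directory gets no session at all, which is the correct failure mode.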