Scheduled topology deployment for Sametime 8.5.1

Document directory

• Deploy Lotus Sametime Gateway in DMZ
• Topology of independent servers

Deploy instant messages and online notifications only

Only instant messages and online notifications are provided. You can use the Sametime Community Server or server cluster running on Domino.

The following components are deployed in a Sametime environment that only contains instant messages and online notifications:

• Lotus Sametime System Console (used to manage servers from a central location)
• DB2
• LDAP directory
• Lotus Sametime Community Server
• Lotus Sametime Proxy Server
• Sametime Connect client, Sametime client embedded in Notes, or Sametime browser client

To extend instant messages to external communities, deploy the Lotus Sametime Gateway. To provide audio and video functions on the Sametime client, deploy the Lotus Sametime Media Manager.

Deploy instant messages and meetings

To provide instant messages and online notifications, use the Sametime Community Server or server cluster running on Domino. To provide a meeting room, use the Sametime conferencing Server or Server cluster running on WebSphere Application Server.

The following components are deployed in the Sametime environment that combines instant messages and online notifications to a meeting:

• Lotus Sametime System Console (used to manage servers from a central location)
• DB2
• LDAP directory
• Lotus Sametime Community Server
• Lotus Sametime Proxy Server
• Lotus Sametime conference server
• Sametime Connect client, Sametime client embedded in Notes, or Sametime browser client

Note:

• To extend instant messages to external communities, deploy the Lotus Sametime Gateway.
• To provide audio and video functions in the Sametime client and conference, deploy the Lotus Sametime Media Manager.

Deploy instant messaging, conferencing, and Web clients

To provide instant messages and online notifications, use the Sametime Community Server or server cluster running on Domino. To provide a meeting room, use the Sametime conferencing Server or Server cluster running on WebSphere Application Server. To support the Web Client, use the Sametime proxy server.

The following components are deployed in the Sametime environment that combines instant messages and online notifications to a meeting:

• Lotus Sametime System Console (used to manage servers from a central location)
• DB2
• LDAP directory
• Lotus Sametime Community Server
• Lotus Sametime Proxy Server
• Lotus Sametime conference server
• Sametime Connect client, Sametime client embedded in Notes, or Sametime browser client

Note:

• To extend instant messages to external communities, deploy the Lotus Sametime Gateway.
• To provide audio and video functions in the Sametime client and conference, deploy the Lotus Sametime Media Manager.

Deploy instant messaging, conferences, Web clients, audio and video

To provide all client features to users, deploy Sametime Community Server, Sametime conference server, Sametime proxy server, and Lotus Sametime Media Manager.

The following components are deployed in the Sametime environment that combines instant messages and online notifications to a meeting:

• Lotus Sametime System Console (used to manage servers from a central location)
• DB2
• LDAP directory
• Lotus Sametime Community Server
• Lotus Sametime Proxy Server
• Lotus Sametime conference server
• Sametime Connect client, Sametime client embedded in Notes, or Sametime browser client

Note:

• To extend instant messages to external communities, deploy the Lotus Sametime Gateway.
• To provide audio and video functions in the Sametime client and conference, deploy the Lotus Sametime Media Manager.

Audio/Video components attached to Lotus Sametime Media Manager

Lotus Sametime Media Manager contains three components installed on different systems in the production environment.

• Group SwitchRoute audio and video data to the attendee endpoint Based on voice activation switching. One or more group switches can be deployed, but the group switches cannot be cluster. The group switch can only be registered with the Meeting Manager. If a meeting manager cluster exists, the group switch registers to the cluster, and each cluster member uses the same group switch.
• Meeting ManagerManage multi-point meetings by maintaining a dialogue with each participant and ensuring that all media streams between those participants. You can install multiple Conference Manager components and create clusters for these components to achieve high availability and failover.
• SIP proxy/registerDirects attendees to the Conference Manager server and provides high availability and Failover functions. You can install multiple SIP proxy/register components and create clusters for these components to achieve high availability and failover.

Deploy instant messages to the external message passing Community

Use the Lotus Sametime Gateway to connect the Sametime client to other instant messaging clients. Multiple options are available for setting a single server or Lotus Sametime Gateway server cluster in network deployment. You can install the Lotus Sametime Gateway securely in the network DMZ. In some cases, Network Address Translation (NAT) is supported ).

Deploy Lotus Sametime Gateway in DMZ

Lotus Sametime Gateway is an enterprise solution that requires cluster deployment in the network DMZ. DMZ is a network term derived from the military term "non-protected area. DMZ refers to some areas of the network, usually between two firewalls. In this area, users on the Internet are granted limited access permissions, you can access a predefined server or host through a set of defined network ports. DMZ serves as the border between the Internet and the company's intranet. Network DMZ is the only place in the enterprise network that allows simultaneous access by Internet users and internal users.

Because Lotus Sametime Gateway does not contain data, there is no risk of data damage. There is no need to install reverse proxy or other servers, such as the IP sprayer or Server Load balancer at the front-end of Lotus Sametime Gateway. Lotus Sametime Gateway is safe because:

• Due to firewall restrictions, Internet users cannot directly access the Sametime community server on the enterprise intranet, but Internet users can access the Lotus Sametime Gateway in DMZ.
• The Sametime Community Server is protected by an internal firewall and can only be accessed through the encrypted VP protocol.
• DB2 is protected by an internal firewall and restricted by access to hosts and ports.
• LDAP is protected by an internal firewall and can be accessed through SSL, and is restricted by access from hosts and ports.
• Lotus Sametime Gateway exchange with other instant message providers through SSL-encrypted SIP.

When components are installed on their own machines, their performance is the best; when the internal firewall is protected, their security is the highest.

Topology of independent servers

The independent Sametime Gateway server has its own console. The independent server does not need a SIP or XMPP proxy server. In the following configuration, the Sametime Gateway server is deployed in DMZ without the protection of the internal firewall, while both the DB2 and LDAP servers have the protection of the firewall.

Topology of managed server groups

Each of the following deployments is composed of a server cluster that operates in one unit to provide high availability and Failover functions. There is a management console used to manage all servers. You may consider using the following cluster deployment:

• Solution: Install the Sametime Gateway server unit on two machines
  • Machine 1: DB2, Deployment Manager, master node
  • Machine 2: Secondary node and Proxy Server
• Solution: Install the Sametime Gateway server unit on three machines
  • Machine 1: DB2
  • Machine 2: Deployment Manager and master node
  • Machine 3: Secondary node and Proxy Server
• Solution: Install the Sametime Gateway server unit on four machines
  • Machine 1: DB2
  • Machine 2: Deployment Manager and master node
  • Machine 3: Secondary Node
  • Machine 4: Proxy Server
• Solution: Install the Sametime Gateway server unit on five machines
  • Machine 1: DB2
  • Machine 2: Deployment Manager and master node
  • Machine 3: Secondary Node
  • Machine 4: Secondary Node
  • Machine 5: Proxy Server

Displays the typical Sametime Gateway cluster and the ports that must be opened in the firewall for the following purposes: connect to DB2 and LDAP, exchange Instant messages and online notifications between the local Sametime community and the external instant messaging community.

 

WebSphere Application Server and DB2

IBM Lotus Sametime Gateway runs on WebSphere Application Server. WebSphere Application Server provides the following functions:

• High Availability manager for cluster support and powerful failover capabilities
• Basic Structure of the Session Initiation Protocol (SIP), including the stateless SIP proxy and sip ip sprayer provided by the Platform
• Open and scalable platform support. You can flexibly configure other plug-in services.
• It is used to manage the central location of system configuration, monitoring, and security policies. It is managed through the Integrated Solutions Console and wsadmin script commands.

DB2 is the storage of Lotus Sametime Gateway policies and records. DB2 can use cluster configuration for failover and load balancing. DB2 is part of the Lotus public storage policy. Lotus Domino can use DB2 as a backup repository, and Lotus Sametime Enterprise Meeting Server also uses DB2 to store and share configuration data between multiple servers. DB2 should be installed on a separate machine protected by the internal firewall.

Typical deployment when connecting to the instant messaging community

Lotus Sametime Gateway can connect to the following instant messaging community:

• AOL, Yahoo! Messenger, Google Talk, and XMPP communities
• Other Lotus Sametime communities
• Other Lotus Sametime companies using the AOL Exchange Office

You can set any or all configurations as needed. Lotus Sametime Gateway allows selected individual users in the company to send instant messages to users on one or more public networks so that they can directly access millions of users worldwide.

Note: When setting a connection to AOL, you can choose to connect only AOL users or to the AOL, ICQ, iChat, and AOL Enterprise Federation Partner communities (including external Sametime communities) the AOL exchange community of other users. IBM recommends that you do not configure these two communities because the users of the AOL exchange service belong to the extension set of the users served by the AOL community. If you only set AOL and later decide to connect to the AOL exchange community, first Delete the AOL community and then add the AOL exchange community to the Lotus Sametime Gateway.

When you connect to another Lotus Sametime company, you can connect business users of different companies. This deployment method is useful when the IT infrastructure is still scattered and you want to connect different vendors on the Internet. SSL Certificate exchange ensures connection security.

 

Recommended deployment

For small test configurations only, you can install the Lotus Sametime Gateway on the same machine where the Sametime server, DB2, or other applications are located. For the production environment, the Sametime Community Server and Lotus Sametime Gateway should be installed on different machines.

Use NAT and multiple NICs

You can deploy a network address translation program (NAT) between the local Lotus Sametime community server and the Lotus Sametime Gateway ). However, when you try to connect the Lotus Sametime Gateway to the external community of AOL, Yahoo, or SIP-based TLS encryption, you cannot deploy a NAT device between the Lotus Sametime Gateway and the Internet. Although there are NAT devices with SIP-aware capabilities, these are not enough because both the AOL and Yahoo communities require secure SIP (SSL/TLS) communication, however, the NAT device cannot decrypt or convert packets for normal operations. NAT does not affect the XMPP protocol. Therefore, you can always use the Lotus Sametime Gateway to enable NAT between Google Talk and the Internet.

 

Multiple network interface cards

To simulate NAT, you can use two network interface cards (NICS): one for internal IP addresses and the other for external IP addresses. If you use this configuration, you must use the Integrated Solutions Console to update the default host. See Help topics for configuring multiple NICs.