Lotus software
Lotus Sametime 3.1
Administrator's Guide
Disclaimer
THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS
PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS
WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF
THE INFORMATION CONTAINED IN THIS DOCUMENTATION, IT IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM'S
CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT
TO CHANGE BY IBM WITHOUT NOTICE. IBM SHALL NOT BE
RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR
OTHERWISE RELATED TO, THIS DOCUMENTATION OR ANY OTHER
DOCUMENTATION. NOTHING CONTAINED IN THIS
DOCUMENTATION IS INTENDED TO, NOR SHALL HAVE THE EFFECT
OF, CREATING ANY WARRANTIES OR REPRESENTATIONS FROM IBM
(OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS AND
CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT
GOVERNING THE USE OF IBM SOFTWARE.
Copyright
© Copyright IBM Corporation 1998, 2003
All rights reserved.
US Government Users Restricted Rights - Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
Lotus Software
IBM Software Group
One Rogers Street
Cambridge, MA 02142
List of Trademarks
IBM, the IBM logo, AIX, AS/400, DB2, IBM, iSeries, pSeries, zSeries,
MQSeries, Netfinity, OfficeVision, OS/2, OS/390, OS/400, S/390,
Secureway, Thinkpad, Tivoli, UltraPort, WebSphere, 1-2-3, Domino,
Domino Designer, Freelance Graphics, iNotes, LearningSpace, Lotus, Lotus
Discovery Server, Lotus Enterprise Integrator, Lotus Mobile Notes, Lotus
Notes, Lotus Organizer, LotusScript, Notes, QuickPlace, Sametime,
SmartSuite, and Word Pro are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other
countries, or both.
AOL Instant Messenger is a service mark and America Online and AOL are
registered service marks of America Online, Inc.
Intel, MMX, and Pentium are trademarks or registered trademarks of Intel
Corporation or its subsidiaries in the United States and other countries.
Latitude Communications and MeetingPlace are trademarks of Latitude
Communications, Inc.
ActiveX, Microsoft, MSN, NetMeeting, Outlook, PowerPoint, Windows,
and Windows NT are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
UNIX is a registered trademark of The Open Group in the United States
and other countries.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Sun Microsystems, Inc. in the United States, other countries,
or both.
Other company, product, or service names may be trademarks or service
marks of others.
Third Party Notices
For the XSL and XML Parser and Processor
The Apache Software License, Version 1.1
Copyright (c) 1999-2000 The Apache Software Foundation. All rights
reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
The end-user documentation included with the redistribution, if any, must
include the following acknowledgment: "This product includes software
developed by the Apache Software Foundation
(http://www.apache.org/)." Alternately, this acknowledgment may appear
in the software itself, if and wherever such third-party acknowledgments
normally appear.
The names "Xerces" and "Apache Software Foundation" must not be used to
endorse or promote products derived from this software without prior
written permission. For written permission, please contact
[email protected]
Products derived from this software may not be called "Apache," nor may
"Apache" appear in their name, without prior written permission of the
Apache Software Foundation.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many
individuals on behalf of the Apache Software Foundation and was
originally based on software copyright (c) 1999, International Business
Machines, Inc., http://www.ibm.com. For more information on the
Apache Software Foundation, please see http://www.apache.org/.
For DSIG base64
COPYRIGHT 1995 BY: MASSACHUSETTS INSTITUTE OF TECHNOLOGY
(MIT), INRIA
This W3C software is being provided by the copyright holders under the
following license. By obtaining, using and/or copying this software, you
agree that you have read, understood, and will comply with the following
terms and conditions:
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee or royalty is hereby
granted, provided that the full text of this NOTICE appears on ALL copies
of the software and documentation or portions thereof, including
modifications, that you make.
THIS SOFTWARE IS PROVIDED "AS IS," AND COPYRIGHT HOLDERS
MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR
IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, COPYRIGHT
HOLDERS MAKE NO REPRESENTATIONS OR WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE
OR THAT THE USE OF THE SOFTWARE OR DOCUMENTATION WILL
NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS,
TRADEMARKS OR OTHER RIGHTS. COPYRIGHT HOLDERS WILL
BEAR NO LIABILITY FOR ANY USE OF THIS SOFTWARE OR
DOCUMENTATION.
The name and trademarks of copyright holders may NOT be used in
advertising or publicity pertaining to the software without specific, written
prior permission. Title to copyright in this software and any associated
documentation will at all times remain with copyright holders.
For STLport
License Agreement
Boris Fomitchev grants Licensee a non-exclusive, non-transferable,
royalty-free license to use STLport and its documentation without fee.
By downloading, using, or copying STLport or any portion thereof,
Licensee agrees to abide by the intellectual property laws and all other
applicable laws of the United States of America, and to all of the terms and
conditions of this Agreement.
Licensee shall maintain the following copyright and permission notices on
STLport sources and its documentation unchanged:
Copyright 1999,2000 Boris Fomitchev
This material is provided "as is", with absolutely no warranty expressed or
implied. Any use is at your own risk.
Permission to use or copy this software for any purpose is hereby granted
without fee, provided the above notices are retained on all copies.
Permission to modify the code and to distribute modified code is granted,
provided the above notices are retained, and a notice that the code was
modified is included with the above copyright notice.
The Licensee may distribute binaries compiled with STLport (whether
original or modified) without any royalties or restrictions.
The Licensee may distribute original or modified STLport sources, provided
that:
The conditions indicated in the above permission notice are met; the
following copyright notices are retained when present, and conditions
provided in accompanying permission notices are met:
Copyright 1994 Hewlett-Packard Company
Copyright 1996,97 Silicon Graphics Computer Systems, Inc.
Copyright 1997 Moscow Center for SPARC Technology.
Permission to use, copy, modify, distribute and sell this software and its
documentation for any purpose is hereby granted without fee, provided
that the above copyright notice appear in all copies and that both that
copyright notice and this permission notice appear in supporting
documentation. Hewlett-Packard Company makes no representations about
the suitability of this software for any purpose. It is provided "as is" without
express or implied warranty.
Permission to use, copy, modify, distribute and sell this software and its
documentation for any purpose is hereby granted without fee, provided
that the above copyright notice appear in all copies and that both that
copyright notice and this permission notice appear in supporting
documentation. Silicon Graphics makes no representations about the
suitability of this software for any purpose. It is provided "as is" without
express or implied warranty.
Permission to use, copy, modify, distribute and sell this software and its
documentation for any purpose is hereby granted without fee, provided
that the above copyright notice appear in all copies and that both that
copyright notice and this permission notice appear in supporting
documentation. Moscow Center for SPARC Technology makes no
representations about the suitability of this software for any purpose. It is
provided "as is" without express or implied warranty.
Copyright 2001 by STLport
For MD5 hash
Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to
copy and use this software is granted provided that it is identified as the
"RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material
mentioning or referencing this software or this function.
License is also granted to make and use derivative works provided that
such works are identified as "derived from the RSA Data Security, Inc. MD5
Message-Digest Algorithm" in all material mentioning or referencing the
derived work.
RSA Data Security, Inc. makes no representations concerning either the
merchantability of this software or the suitability of this software for any
particular purpose. It is provided "as is" without express or implied
warranty of any kind.
These notices must be retained in any copies of any part of this
documentation and/or software.
For Log4J Logging
The Apache Software License, Version 1.1 at
http://www.apache.org/LICENSE, 24 May 2002
The Apache Software License, Version 1.1
Copyright (c) 2000 The Apache Software Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any,
must include the following acknowledgment: "This product includes
software developed by the Apache Software Foundation
(http://www.apache.org/)." Alternately, this acknowledgment may
appear in the software itself, if and wherever such third-party
acknowledgments normally appear.
4. The names "Apache" and "Apache Software Foundation" must not be
used to endorse or promote products derived from this software
without prior written permission. For written permission, please
contact [email protected]
5. Products derived from this software may not be called "Apache", nor
may "Apache" appear in their name, without prior written permission
of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many
individuals on behalf of the Apache Software Foundation. For more
information on the Apache Software Foundation, please see
<http://www.apache.org/>.
Portions of this software are based upon public domain software originally
written at the National Center for Supercomputing Applications, University
of Illinois, Urbana-Champaign.
Contents
1 Introduction to Sametime . . . . . . . . . . . . . . . . . . . . . . 25
    What is Sametime?
    Install Sametime on a Domino 6.02 server
    Sametime basics
        Collaborative activities and end-user features
        Sametime clients
        Sametime services
    Sametime administration terms and features
    The Sametime Enterprise Meeting Server (EMS)
    Starting and stopping the Sametime server
        Sametime on a Windows NT server
        Sametime on a Windows 2000 server
2 Using the Sametime Administration Tool . . . . . . . . . . . . . . 61
    Starting the Sametime Administration Tool
        Details: Starting the Sametime Administration Tool
        User name and password requirements
    Overview of the Sametime Administration Tool features
        Server Overview feature
        Message From Administrator feature
        Monitoring the Sametime server
        Logging Sametime activity
        Managing users and Domino Directories
        Managing users and LDAP directories
        Configuring ports and network connectivity
        Configuring Community Services
        Configuring Meeting Services
        Configuring Audio/Video Services
        Configuring Broadcast Services
        Deploying multiple Sametime servers
        Managing security
    Additional administrative tasks
        Working with Discussion and TeamRoom databases
    Maintaining the Sametime Meeting Center
        Archiving Meeting Details documents
        Enabling the PurgeMeetings agent (deleting Meeting Details documents)
        Compacting the Meeting Center database
    Adding a new Sametime administrator
        Create a Person document for the administrator
        Create an Administrators Group document
        Add the Administrators Group document to Sametime database ACLs
        Modifying the Server document of the Sametime server
        Adding and removing names from an Administrators Group document
        Ensuring the administrator can access database ACLs
    Roles in Sametime database ACLs
        Roles in the Sametime Configuration database (stconfig.nsf)
        Roles in the Domino Directory (names.nsf)
        Roles in the Sametime Meeting Center (stconf.nsf)
        Roles in the Domino Web Administration database (webadmin.nsf)
3 Using Domino Directories with Sametime . . . . . . . . . . . . . . 93
    Managing the Domino Directory
        Basic Domino Directory requirements
        Managing multiple Domino Directories with Sametime
        Directory security considerations
        Using an LDAP directory instead of a Domino Directory
    Managing users in the Domino Directory
        Adding users
        Using Sametime self-registration
        Managing Sametime users with the Sametime Administration Tool
    How Sametime uses Domino Directory information
        Person documents
        Group documents
        The Server document
        Directory views used by Sametime features
4 Using LDAP Directories with Sametime . . . . . . . . . . . . . . . 111
    Using LDAP with the Sametime server
        How LDAP is used with Sametime
        LDAP knowledge required to configure the LDAP Directory settings
        Selecting the appropriate LDAP options during the server installation
    Setting up an LDAP connection
        Configure the LDAP Directory settings
        Alter the Directory Assistance document for the LDAP directory
    LDAP directory settings
        Configuring LDAP Connectivity settings
        Configuring the LDAP Basics settings
        Configuring LDAP Authentication settings
        Configuring the LDAP Searching setting
        Configuring the LDAP Group Contents setting
    Using SSL to encrypt connections between the Sametime and LDAP servers
        Using SSL to encrypt all data transmitted between the Sametime and LDAP servers
        Using SSL to encrypt only user passwords passing between the Sametime and LDAP servers
        Allowing all data to pass unencrypted between the Sametime and LDAP servers
        Modifying the Directory Assistance document of the LDAP server to encrypt the connection between the Sametime server and the LDAP servers
        Ensuring that the Sametime server trusts the LDAP server certificate
    Adding a new administrator in the LDAP environment
    Setting up an LDAP connection after selecting the Domino directory during the server installation
        Copy and rename the .DLL files
        Configuring the LDAP directory settings
        Create a Directory Assistance document that enables the Sametime server to access the LDAP server
        Create an LDAP document in the Configuration database
        Set up a Directory Assistance database
        Identify the Directory Assistance database on the Sametime server
    Access Control Lists and LDAP User Names
5 Configuring Ports and Network Connectivity . . . . . . . . . . . . 171
    Ports used by the Sametime server
        HTTP Services, Domino Services, LDAP Services, and Sametime intraserver ports
        Community Services ports
        Meeting Services ports
        Broadcast Services ports
        Audio/Video Services ports
    Configuring Sametime "Networks and Ports" settings
        HTTP Services settings
        Community Services Network settings
            Address for server connections (Community Services)
            Address for client connections (Community Services)
            Address for HTTP-tunneled client connections (Community Services)
            Address for HTTPS-tunneled client connections (Community Services)
            Enable the Meeting Room client to try HTTP tunneling to the Community Server after trying other options
        Meeting Services Network settings
            Address for server connections (Meeting Services)
            Address for client connections (Meeting Services)
            Address for HTTP tunneled client connections (Meeting Services)
            Enable Meeting Room client to try HTTP tunneling to the Meeting Server after trying other options
            Event server port
            Token server port
        Broadcast Services Network settings
            Broadcast gateway address for client connections
            Broadcast gateway address for control connections
            Multimedia control address
            IP address of Small Group Multicast (SGM) router
            Enable broadcast client to try HTTP tunneling after trying other options (Broadcast Services)
            Use multicast
        Interactive Audio/Video Network settings
            Allow H.323 clients (such as NetMeeting) to join a Sametime meeting
            H.323 server communication address
            Register Sametime meetings with an H.323 gatekeeper
            TCP tunneling address for client connections
            Multimedia Processor (MMP) UDP port numbers start at/end at
    Proxy support for Sametime clients
    Overview of Sametime client connectivity
        Community Services connectivity and the home Sametime server
    Sametime Connect client connection processes
        Basic Sametime Connect client connection process
        Sametime Connect client connection processes using the Web browser or Java Plug-in connectivity settings
        Changing the default connectivity settings of the Sametime Connect for browsers client
        Specifying the default configuration settings of the Sametime Connect for browsers client
        Creating the Connectivity Method applet parameter
        Adding the Connectivity Method parameter to the STSrc.nsf database
        Example of custom HTML code required to launch the Sametime Connect for browsers client
    Meeting Room and Broadcast client connection processes
        Meeting Room and Broadcast client connection processes using the Microsoft VM
            Meeting Room client connection process using the Microsoft VM (Community Services and Meeting Services)
            Meeting Room client connection process using the Microsoft VM (Audio/Video Services)
            Broadcast client connection process using the Microsoft VM
        Meeting Room and Broadcast client connection processes using the Sun Microsystems JVM 1.4.1
            Accessing proxy connectivity settings in the Java Plug-in Control Panel
            Suggested Java Plug-in configurations for specific network environments
            Meeting Room client connection process using JVM 1.4.1 (Community Services and Meeting Services)
            Meeting Room client connection process using JVM 1.4.1 (Audio/Video Services)
            Broadcast client connection process using JVM 1.4.1
    NetMeeting/H.323 client connection process
    About HTTP tunneling
        What is HTTP tunneling on port 80?
        Sametime Connect client 2.5 and 3.1 compatibility issues with HTTP tunneling on port 80
        Configuring HTTP-tunneling settings on a server that uses a single IP address
        Configuring HTTP tunneling on a server that uses multiple IP addresses
        Assigning IP addresses to multiple Sametime servers installed on a single server machine
        Notes about client connection processes using HTTP tunneling on port 80
    TCP tunneling of interactive audio/video streams on port 80
        Issues associated with TCP tunneling of interactive audio/video streams
        Enabling TCP tunneling of interactive audio/video streams on port 80
    Connecting to other Sametime servers
        Using the Servers in this Community settings
        Connecting Meeting Servers
    Extending a Sametime server to the Internet
    Using reverse proxy or portal servers with the Sametime server
        What is a reverse proxy server?
        Requirements and limitations of Sametime 3.1 reverse proxy support
        Configuring mapping rules on a reverse proxy server to support Sametime
        Configuring a Sametime server to operate with a reverse proxy server
        Sametime client connectivity and reverse proxy servers
6 Configuring the Community Services . . . . . . . . . . . . . . . . 343
    About the Community Services
    Community Services configuration settings
        Number of entries on each page in dialog boxes that show names in the directory
        How often to poll for new names added to the Sametime Community directory
        How often to poll for new servers added to the Sametime Community
        Maximum user and server connections to the Community server
        Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)
        Display the "Download Sametime Connect for the desktop" link
        Allow users to transfer files to each other
        Allow users to send announcements
        Allow Connect users to save their user name, password, and proxy information (automatic login)
        Display the "Launch Sametime Connect for browsers" link
    Anonymous Access Settings for Community Services
        Anonymous users can participate in meetings or enter virtual places
        Users of Sametime applications can specify a display name so that they do not appear online as "anonymous."
        Directory Searching and Browsing options
    Allowing users to control the default screen location and size of chat windows
        One-to-one chat windows and n-way chat windows
        Enabling users to select the default location and size of chat windows
    Chat Logging
    Deploying a Community Services multiplexer on a separate machine
        Performance improvements with a separate multiplexer
        Installing and setting up a separate Community Services multiplexer
    Enabling Sametime Connect for browsers to function in kiosk mode
        Enabling the kiosk mode
7 Enabling the SIP Gateway . . . . . . . . . . . . . . . . . . . . . 379
    Using the SIP functionality with Sametime
        Using the SIP functionality in a Windows environment
        Using the SIP functionality in an IBM iSeries environment
    Overview of SIP components
        What are SIP and SIMPLE
        Sametime SIP Gateway overview
        Sametime SIP Connector overview
        SIP proxies and connections
    Setting up the SIP Gateway functionality
        Setting up the SIP Gateway functionality (Windows environment)
            Review the SIP Connector planning considerations (Windows environment)
            Install the SIP Connector (Windows environment)
            Configuring the SIP Gateway and SIP Connector parameters (Windows environment)
        Setting up the SIP Gateway functionality (iSeries environment)
            Review the SIP Connector planning considerations (iSeries environment)
            Installing or enabling the SIP Connector (iSeries environment)
            Configuring the SIP Gateway and SIP Connector parameters (iSeries environment)
    Disabling the SIP Gateway functionality
    Encrypting SIP traffic with Transport Layer Security (TLS)
        Specify the host name and port for TLS connections
        Set the TLS encryption mode
        Managing the certificates required for TLS connections (integrated SIP Connector on iSeries)
        Managing the certificates required for TLS connections (standalone SIP Connector on Windows)
            Ensure the SIP Connector can operate as a server in a TLS handshake
            Ensure the SIP Connector can operate as a client in a TLS handshake
        Enabling client certificate authentication for a standalone SIP Connector on a Windows machine (optional)
            Enabling a SIP Connector to require client certificate authentication
            Enabling a SIP Connector to operate as a client when client certificate authentication is required
    Audio/Video connectivity with SIP
    End user experience with the SIP Gateway
8 Configuring the Meeting Services . . . . . . . . . . . . . . . . . 431
    About the Meeting Services
    Meeting Services configuration settings
        Accessing the Meeting Services configuration settings
    General Settings for Meeting Services
        Automatically extending meetings beyond the scheduled end time
        Adding the names of participants to the meeting document
        Allowing or preventing use of the screen-sharing tool in meetings
        Allowing or preventing use of the whiteboard tool in meetings
        Allowing or preventing use of the Send Web Page tool in meetings
        Allowing or preventing the use of the Polling tool in meetings
        Allowing or preventing the use of NetMeeting for screen sharing and whiteboard
        Allow people to record meetings for later playback (scheduled meetings)
        Allowing or preventing broadcast meetings
        Requiring all scheduled meetings to have a password
        Encrypting all Sametime meetings
    Connection Speed Settings for Meeting Services
        How Connection Speed Settings are used
        Connection Speed Settings (Meeting Services)
    Managing recorded meetings (Record and Playback)
        Allowing or preventing recorded meetings on the Sametime server
        Managing recorded meeting files
        Deleting recorded meetings
        Replacing recorded meetings
        Importing recorded meetings
        Exporting recorded meetings
        Recorded meeting performance issues
    Telephone Options Settings for Meeting Services
        Verify the system requirements of the Latitude server
        Installing TPL files on the Latitude WebPublisher server
        Enabling the ability to schedule Latitude MeetingPlace telephone conferences
        End user authentication to the MeetingPlace server
        Connecting to the WebPublisher server through an HTTP proxy server
9 Configuring the Broadcast Services . . . . . . . . . . . . . . . . 471
    Broadcast Services components and clients
        Broadcast Services server components
        Broadcast Services client
    Using multicast
    Configuring the Broadcast Services settings
    Broadcast Services Connection Speed Settings and meeting performance
    Broadcast Services performance issues
10 Configuring the Audio/Video Services . . . . . . . . . . . . . . . 483
    About the Audio/Video Services
    Client system requirements for the Audio/Video
Services . . . . .
..............
483
...............
486
Supported sound
cards and cameras
IP audio/video
terminology and
concepts . . . . .
Audio/Video Services
components and
clients . . . . . .
xx
..............
...............
486
488
Audio/Video Services
configuration
settings . . . . . .
Accessing the
Audio/Video
Services
configuration
settings . . . .
...............
498
.................
499
Interactive
Audio/Video
Services settings
...............
500
Connection Speed
Settings for
Audio/Video
Services . . . .
................
505
Connection Speed
Settings and
bandwidth usage
Usage Limits and
Denied Entry
..............
516
.................
518
Prioritizing
audio/video UDP
data (TOS values)
..............
526
Connecting to the
Audio/Video
Services through
an H.323
gatekeeper . . .
...............
528
Using a 360-degree
video camera with
Sametime . . . . .
Tips for using
audio/video
..............
529
.................
531
11 Monitoring the
Sametime Server . . . . . . . . . . . . . . . 533
...............
492
Audio/Video Services
server components .
.............
492
Audio/Video Services
clients . . . . . . . .
.............
495
Accessing the
Monitoring charts
..............
General Server Status . . . . . . . . . . . . . .
Logins . . . . . . . . . . . . . . . . . . . . . . .
Meetings and
Participants
..................
533
533
538
538
................
..................
Tools in Meetings
539
Miscellaneous
540
12 Logging
Sametime Activity . . . . . . . . . . . . . . 543
Community
Logins/Logouts
...............
Community Statistics . . . . . . . . . . . . . .
Community Events . . . . . . . . . . . . . . .
Place Login Failures . . . . . . . . . . . . . .
Meeting Login
Failures .
...................
Meeting Connections . . . . . . . . . . . . . .
Server Connections . . . . . . . . . . . . . . .
Meeting Statistics . . . . . . . . . . . . . . . .
Meeting Events . . . . . . . . . . . . . . . . .
Capacity Warnings . . . . . . . . . . . . . . .
Usage Limits in the
log . . . . . . . . .
...............
Domino log . . . . . . . . . . . . . . . . . . . .
Sametime log settings . . . . . . . . . . . . . . .
General log settings . . . . . . . . . . . . . . .
Capacity Warnings
log settings . .
................
543
545
547
547
550
551
553
553
554
557
558
559
561
561
565
13 Managing
Security . . . . . . . . . . . . . . . . . . . . . . 567
Getting started with
Sametime security
The required fully
qualified server
name . . . . . .
................
Basic password
authentication and
authentication by
token . . . . . . . .
Basic password
authentication
..............
567
567
..............
568
................
568
Authentication by
token . . . . . .
................
User requirements for
basic password
authentication . .
Changing a user's
password . . .
568
..............
569
................
573
Anonymous access
and the Sametime
Meeting Center .
..............
574
Domino security and the
Web browser
connection . . . .
..............
576
Using database ACLs for
identification and
authentication . .
..............
578
..............
Database ACL settings . . . . . . . . . . . . . .
579
Adding a name to a
database Access
Control List (ACL)
Anonymous access
and database ACLs .
.............
586
..............
588
..............
591
................
593
Basic password
authentication and
database ACLs . .
Authentication by token
using LTPA and
Sametime tokens
Authentication by
token using the
Domino Single
Sign-On (SSO)
feature . . . . .
580
Altering the Domino
Web SSO
configuration
following the
Sametime server
installation . . .
...............
Manually enabling the
Domino SSO
feature . . . . . . . .
.............
594
598
xxi
Using the Sametime
custom logon form
for SSO . . . . . . .
Authentication by
token using Secrets
and Tokens
databases . . . . .
Authentication by
token with
Netegrity
SiteMinder and
DSAPI . . . . .
..............
..............
................
Security
recommendations
for self-registration
..............
601
603
607
608
Encryption and meeting
passwords . . . . .
..............
610
Modifying the
administrator ECL
for Lotus Notes R5
clients . . . . . . .
..............
611
...................
611
Using SSL with
Sametime
Encrypting Web
browser
connections .
.................
Ensuring access to
Sametime servlets
when Domino
requires SSL for all
connections . . . .
Encrypting
connections to an
LDAP server . .
..............
...............
Ensuring Sametime
servlet access when
Domino requires
SSL for all
connections . . . . .
Obtaining the
appropriate SSL
trusted root or SSL
server certificate .
xxii
.............
..............
611
612
612
612
613
Installing the IBM
KeyMan program
on the Sametime
server . . . . . . . .
..............
617
Using the IBM
KeyMan program
to create a key
store token on the
Sametime server .
..............
618
Import the SSL
certificate into the
key store token . .
..............
619
...............
620
Configure the
Sametime.ini file
on the Sametime
server . . . . . . .
14 Deploying
Multiple Sametime
Servers . . . . . . . . . . . . . . . . . . . . . . . 623
About Sametime server
clusters . . . . . .
...............
624
Advantages of using
multiple Sametime
servers . . . . . . .
..............
624
Integrating a Sametime
server into an
existing Sametime
community . . . .
..............
627
Installing a Sametime
server into an
existing Sametime
community . . . .
..............
627
Managing
administration
settings for
multiple Sametime
servers . . . . . . .
..............
627
................
632
Configuring ports for
server-to-server
connections . .
Ports required for
communication
between Sametime
servers . . . . . . .
About invited servers,
audio/video, and
client connectivity
Synchronizing the
Sametime server
with other
Sametime servers
Directory
management for
multiple Sametime
servers . . . . . . .
Assign users to the
new Sametime
server (setting the
home Sametime
server) . . . . . . .
Creating Connection
Records to connect
Sametime servers
Opening ports on the
external firewall .
..............
..............
633
..............
634
..............
634
..............
..............
Configuring the
"Meeting Servers
That Are
Connected" options .
Enhancing security for
multiple Sametime
servers . . . . . . .
Enabling the secrets
generation agent
632
.............
635
636
639
..............
644
...............
645
Replicating Secrets to
enhance security
for multiple
Sametime servers
..............
646
Extending Sametime to
Internet users . .
...............
648
Positioning a
Sametime server in
the network DMZ
Opening ports on the
internal firewall .
..............
..............
648
Screen-sharing
security and
Internet users
..............
653
.................
656
Extending a single
Sametime
community across
multiple Domino
domains . . . . . .
..............
658
Example of extending a
single Sametime
community across
two Domino
domains . . . . . .
..............
658
Setting up the
environment
.................
659
Connecting the
communities
.................
659
Sharing meetings
between
communities
.................
665
Alternate ways to
share Directory
information across
domains . . . . . .
..............
667
15 Using
Sametime Meeting
Scheduling for
Microsoft
Exchange . . . . . . . . . . . . . . . . . . . . . 671
Required hardware and
software . . . . . .
..............
671
Understanding Microsoft
Exchange
Conferencing
server
administration . .
..............
672
...............
674
Setting up Sametime to
work with the
Exchange server
649
xxiii
Enabling the
Exchange server to
create Sametime
meetings . . . . . .
Installing and setting up
Sametime Meeting
Scheduling for
Microsoft
Exchange . . . . .
Configuring Sametime
meetings . . . . .
..............
674
..............
676
...............
677
16 Managing
Discussion and
TeamRoom
Databases . . . . . . . . . . . . . . . . . . . . 681
Deploying Sametime
databases . . .
................
681
Differences between
the clustering and
single-server
approaches . . . .
..............
703
...............
706
Load balancing and
failover in
Community
Services clusters
Overview of the
Enterprise Meeting
Server and Meeting
Services clustering .
684
Scheduling and load
balancing in the
Meeting Services
cluster . . . . . .
...............
711
691
Booking meetings in
the Meeting
Services cluster .
...............
712
..............
...............
..............
692
694
17 Introduction to
Sametime server
clusters and the
Enterprise Meeting
Server . . . . . . . . . . . . . . . . . . . . . . . . 697
xxiv
702
708
Modifying the Notes
workstation ECL
Creating Sametime
server clusters
..............
..............
683
Replicating secrets to
enhance security
for Sametime
databases . . . . .
Overview of Community
Services clustering
What is the Enterprise
Meeting Server? .
...............
................
698
707
..............
Enabling the Secrets
generation agent
on one Sametime
server . . . . . . .
...............
.............
Deploying Sametime
databases
(step-by-step
procedures) . . . .
Enhancing security for
Sametime
databases . . . .
Clustering
Community
Services and
Meeting Services
698
Monitoring the health
of servers in the
cluster . . . . . . .
..............
713
Managing meeting
materials with the
EMS . . . . . . . . .
..............
714
User interaction with
the Enterprise
Meeting Server . .
..............
716
Client connectivity in
a Meeting Services
cluster . . . . . . .
..............
717
................
718
Enterprise Meeting
Server security
LDAP directory access
and the Enterprise
Meeting Server . . .
.............
719
18 Setting up a
Community
Services cluster
without clustering
the Meeting
Services . . . . . . . . . . . . . . . . . . . . . . 723
Community Services
cluster setup
procedures . .
................
724
Community Services
clustering
preparations . .
...............
725
Deploying an LDAP
directory server
...............
725
Installing the
Sametime servers
for the Community
Services cluster . .
Creating a Domino
server cluster .
..............
................
Setting up replication
of Sametime
databases . . . . .
Deploying separate
Community
Services
multiplexers
(optional) . . . .
Set up the
load-balancing
mechanism
(rotating DNS or
Network
Dispatcher) . . .
Creating a cluster
document in the
Configuration
database
(stconfig.nsf) . .
727
730
..............
732
...............
734
...............
...............
740
742
Creating a cluster
document on other
Sametime servers
in the community
..............
Configuring client
connectivity for the
Community
Services cluster . . .
744
.............
745
Adding another server to
the Community
Services cluster . .
..............
747
Creating multiple
Community
Services clusters in
a single Sametime
community . . . .
..............
748
Creating multiple
Community
Services clusters
...............
749
Rotating DNS
Limitations with
cached DNS
resolve requests
...............
750
Sametime Connect for
browsers . . . . . .
..............
752
19 Setting Up the
Enterprise Meeting
Server and a
Meeting Services
Cluster . . . . . . . . . . . . . . . . . . . . . . . 755
EMS deployment and
Meeting Services
cluster setup
procedures . . .
...............
756
EMS pre-deployment
requirements and
considerations .
...............
759
Ensuring the
hardware required
for an EMS
deployment is
available . . . . . .
..............
759
xxv
Deploying an LDAP
directory . . . . .
...............
Create or identify the
required LDAP
directory accounts
Installing the
Sametime 3.1
servers . . . .
763
..............
764
.................
766
Setting up a
connection
between a
Sametime server
and an LDAP
server . . . . . . .
...............
Installing the J2EE
infrastructure on
the EMS machine
..............
..............
Setting up the
required Windows
administrator
account . . . . . . .
..............
................
768
769
770
771
774
Installing the DB2
Server Fixpak 6
...............
776
Updating the JDBC
driver . . . . . . .
...............
777
Installing WebSphere
MQ V5.3.1 . . . .
..............
778
Installing MQSeries
Publish/Subscribe
SupportPac ma0c
..............
782
Installing the
WebSphere
Application Server
V4.0, Advanced
Edition
......
xxvi
..............
782
..............
Ensuring that the
WebSphere
administration
server service starts
automatically . . . .
Creating the JMS
system queues
Ensuring the software
required for EMS
deployment is
available . . . . . .
Installing the DB2
server . . . . .
Installing the
WebSphere
Application Server
4.0 Fixpak 3
...
784
.............
786
................
786
Ensuring WebSphere
MQ supports the
Double-Byte
Character Set
(DBCS) . . . . . . .
..............
790
Configuring WebSphere
server security and
LDAP directory
access . . . . . . . .
..............
791
Enabling WebSphere
security and Single
Sign-On (SSO) . .
..............
791
.................
795
Specifying a
WebSphere
administrator
Enabling LDAP
directory access
...............
Deploying the Enterprise
Meeting Server
(EMS) . . . . . . . .
..............
Creating an additional
WebSphere
Application Server
for the Sametime
EMS
Administration
Tool . . . . . . . . . .
.............
797
804
804
Enabling the
Automatic
Generation of
Plugin file for the
EMS application
server and
Sametime EMS
Administration
Tool application
server . . . . . . .
...............
Installing the
Enterprise Meeting
Server files . . . .
Creating the DB2
database
..
806
..............
807
.................
809
Creating the
WebSphere MQ
queues . . . . .
................
811
Editing the files
required to create
the JMS messaging
queues . . . . . . .
..............
812
Creating the JMS
messaging queues
..............
816
................
818
.................
819
Installing the JMS
Providers . . .
Creating the Data
Source . . . .
Creating the JMS
Connection Factory .
Creating the JMS
Destinations
.............
820
.................
821
Ensuring UTF-8
Unicode character
support for the
EMS . . . . . . . . .
..............
822
Deploying the
Sametime
Enterprise Archive
(EAR) file . . . . .
..............
823
Regenerating the
WebServer plugin
and starting the
Enterprise Meeting
Server . . . . . . .
..............
825
Adding Sametime
servers to the EMS
..............
826
Upgrade the EMS to
support Sametime
3.1 servers . . . . .
..............
827
Synchronizing the
Single Sign-On
(SSO) support for
the EMS and
Sametime servers
..............
833
Edit the Sametime.ini
file on the
Sametime servers
..............
837
Edit the
MeetingServices
document in the
Configuration
database on the
Sametime server
...............
838
Adding a Sametime
server using the
Sametime EMS
Administration
Tool . . . . . . . .
...............
840
Specifying Usage
Limits and Denied
Entry settings for
the Sametime
server . . . . . . . .
..............
842
20 Creating a
Community
Services cluster
with the Enterprise
Meeting Server . . . . . . . . . . . . . . . . . 851
Community Services
cluster setup
procedures (with
the EMS) . . . . .
...............
852
xxvii
Create a Domino
server cluster
Set up real-time
replication of
Sametime
databases . .
.................
.................
(Optional) Deploying
separate
Community
Services
multiplexers . . .
Set up a load
balancing
mechanism
853
854
..................
856
..............
857
..................
861
21 Setting Up
Security for the
Enterprise Meeting
Server . . . . . . . . . . . . . . . . . . . . . . . . 863
Securing user access to
the Enterprise
Meeting Server .
...............
Understanding the
Enterprise Meeting
Server security
roles . . . . . . . .
Sample security
configurations
864
................
869
Assigning security
roles to users in the
LDAP directory . .
Managing the SSL
certificates . . .
xxviii
863
..............
.............
871
..............
873
................
873
Encrypting Web browser
connections to the
EMS with SSL . .
Configuring the IBM
HTTP server to
support SSL . . . .
..............
880
Configuring the
WebSphere virtual
host alias for SSL
..............
888
................
888
Modifying the DB2
database . . . .
..............
Configure the
Community
Services clustering
parameters in the
DB2 database . . .
Configure client
connectivity
853
Enabling client certificate
authentication for
Web browser
connections to the
EMS . . . . . . . . .
..............
890
Manage the
certificates
required for client
certificate
authentication . .
..............
891
................
896
Configure the IBM
HTTP server to
support client
certificate
authentication
Encrypting HTTP traffic
between the EMS
and Sametime
servers with SSL .
..............
897
Configuring the EMS
to operate as the
server for an SSL
connection . . . .
..............
898
Configuring the
Sametime servers
to operate as clients
for an SSL
connection . . . . .
Configuring the
Sametime server to
operate as a server
for an SSL
connection . . . .
.............
899
..............
907
Configuring the EMS
to operate as the
client for an SSL
connection . . . .
Restarting the servers
..............
..............
909
920
22 Administering
Sametime servers
from the Enterprise
Meeting Server . . . . . . . . . . . . . . . . . 923
Using the Sametime EMS
Administration
Tool to administer
Sametime servers
..............
924
Sending a message from
the administrator
..............
926
Monitoring Sametime
servers added to
the EMS . . . . .
...............
926
Using the Sametime EMS
Administration
Tool logging
features . . . . . .
Managing the
Community
Statistics and
Meeting Statistics
logging views .
..............
929
Configuring the
Community
Services of
Sametime servers
added to the EMS
..............
941
Configuring the Meeting
Services of
Sametime servers
added to the EMS
..............
943
Configuring the
Audio/Video
Services of
Sametime servers
added to the EMS
..............
945
Working with the
Broadcast Services
of Sametime
servers added to
the EMS . . . . . .
..............
946
Appendix A:
Sametime Record
and Playback
(.RAP) file format . . . . . . . . . . . . . . . 947
......................
Data Types . . . . . . . . . . . . . . . . . . . .
File Header . . . . . . . . . . . . . . . . . . . .
Chunks
...............
Configuring LDAP
directory settings
from the Sametime
EMS
Administration
Tool . . . . . . . . .
Configuring connectivity
for Sametime
servers added to
the EMS . . . . . .
932
Session Content
Header . . .
..................
Session Properties
Header . . . . .
..............
..............
937
938
947
948
948
949
................
949
................
Data Record . . . . . . . . . . . . . . . . . . .
Data Packet . . . . . . . . . . . . . . . . . . . .
Index . . . . . . . . . . . . . . . . . . . . . . . . .
950
Stream Properties
Header . . . . .
950
950
951
xxix
Chapter 1
Introduction to Sametime
This chapter provides network administrators with an overview of the IBM®
Lotus® Sametime® 3.1 server. This chapter introduces Sametime collaborative
features, clients, services, applications, administrative features, and the
Sametime Enterprise Meeting Server (EMS) application.
What is Sametime?
Sametime consists of client and server applications that enable a community
of users to collaborate in real-time online meetings over an intranet or the
Internet. Members of the Sametime community use collaborative activities
such as presence, chat, screen sharing, a shared whiteboard, and real-time
audio/video capabilities to meet, converse, and work together in instant or
scheduled meetings.
Sametime “presence” technology enables members who have logged in to
the Sametime server to see all other members who are online (logged in). The
names of online users display in “presence lists” in Sametime applications.
From these presence lists, members of the community can converse through
instant messaging sessions or start instant meetings that include chat,
screen-sharing, whiteboard, question and answer polls, the ability to send
Web pages to other users, and audio/video collaborative activities.
While presence lists support instant awareness and instant collaboration
with other online users, the Sametime Meeting Center on the Sametime
server provides a central meeting place for members of the community. In
the Meeting Center, users can schedule meetings to start at a particular time.
Users access the Sametime Meeting Center with Web browsers at the
scheduled meeting time to attend the meeting.
The two primary Sametime client applications are the IBM Lotus Sametime
Connect client and the Sametime Meeting Room client. The Sametime
Connect client is a Windows® application that contains a presence list that
displays selected members of the community who are online. From
Sametime Connect, a user can collaborate by sending instant messages or by
starting an instant meeting with any other online member of the community.
The Sametime Meeting Room client is a Java™ applet that loads and runs in
a user's Web browser whenever the user attends an instant or scheduled
meeting. The Sametime Meeting Room client contains components that
support the full range of Sametime collaborative activities, including
interactive audio and video.
The Sametime server also supports connections from T.120 and
H.323-compliant clients such as Microsoft® NetMeeting®.
Sametime supports a broadcast technology that enables a large number of
view-only users (or audience members) to watch a small number of users (or
presenters) interact in a meeting. The broadcast technology is especially
useful for meetings in which one person, or a small group of people, make
presentations to a large audience. Audience members watch a broadcast
meeting using a separate receive-only Java client called the Sametime
Broadcast client.
Each Sametime server contains an IBM Lotus Domino™ Directory that
maintains information about all users and servers that comprise the
Sametime community. The Sametime server can also be configured to
operate as a client to a Lightweight Directory Access Protocol (LDAP) server
containing an LDAP directory.
Sametime works through the interaction of its client applications with
services on the Sametime server. The Sametime services include the
Community Services, Meeting Services, Broadcast Services, Domino/Web
Application Services, and Audio/Video Services (provided by the Sametime
Multimedia Services). Managing the directory, ensuring that Sametime
clients can connect to the Sametime server, configuring the Sametime
services, and monitoring the server are some of the primary administrative
tasks associated with the Sametime server.
Sametime administrators use the Web-based Sametime Administration Tool.
This tool runs in a Web browser and is available from the “Administer the
Server” link on the Sametime server home page.
The Sametime 3.1 server includes the concept of server clustering. Sametime
server clusters:
• Enhance server scalability and reliability to enable Sametime to meet the
demands of large user populations.
• Provide load balancing and failover capabilities for Sametime
Community Services and Meeting Services.
For more information about server clusters, see “Creating Sametime server
clusters” in Chapter 17.
2 Sametime 3.1 Administrator's Guide
Install Sametime on a Domino 6.02 server
A Sametime server must be installed on a Domino 6.02 server. Sametime can
be installed on a Domino 6.02 server running on a Windows NT®, Windows
2000, IBM iSeries™, or IBM pSeries™ server. This documentation uses the
term “Sametime server” to refer to the server that includes both Domino and
Sametime.
Note For detailed information about installing Sametime, see the Lotus
Sametime 3.1 Installation Guide (stinstall.nsf or stinstall.pdf) that is shipped
with the Sametime server. Separate installation guides are provided for each
platform.
Sametime uses the Directory, security, and replication features of Domino
servers. It is best if the Sametime server is dedicated to supporting the
real-time, interactive communication services of Sametime. A Sametime
server should not be used for other high-demand Domino services such as
mail storage and routing, application and database storage, or centralized
Directory and administration services.
Note An iSeries or pSeries server can run multiple partitioned servers on
the same Domino system. While it is possible to add Sametime to an existing
production Domino server, this configuration is not recommended. Instead,
consider creating a new Domino server for running Sametime. The new
Domino server can reside on the same system as your existing production
server.
Users must access the Sametime server with a Web browser. IBM Lotus
Notes® client access to the Sametime server home page (stcenter.nsf) or the
Sametime Meeting Center database (stconf.nsf) is not supported. All other
Sametime clients, including the Sametime Connect client, can be
downloaded by end users from the Sametime server home page.
Sametime includes Discussion (stdisc50.ntf) and IBM Lotus TeamRoom®
(stteam50.ntf) templates that integrate Sametime functionality into the
Domino Discussion and TeamRoom databases. Discussion and TeamRoom
databases created from these templates contain presence lists from which
users can initiate Sametime communications such as instant messages.
Discussion and TeamRoom databases can be easily created from the
Sametime server home page using a Web browser. You can also deploy these
databases to Domino servers in the domain. A Sametime Discussion or
TeamRoom database can be accessed with a Lotus Notes client. For more
information, see Chapter 16, Managing Discussion and TeamRoom
databases.
You can install more than one Sametime server in a Domino environment.
Installing multiple Sametime servers provides several advantages related to
load balancing and network usage and can enhance meeting and server
performance. For more information, see “Advantages of using multiple
Sametime servers” in Chapter 14.
If you install multiple Sametime servers, the administrator has the option of
clustering the Sametime servers. Clustering Sametime servers provides
server failover and can increase the reliability and scalability of Sametime.
For more information, see “Creating Sametime server clusters” in Chapter
17.
The Web-based Sametime Administration Tool is the recommended
administration tool for the Sametime components of the Sametime server.
The Sametime Administration Tool should be used for most administrative
tasks. See “Sametime Administration Tool” later in this chapter for more
information about tasks that are not performed with the Sametime
Administration Tool.
Sametime basics
This section introduces Sametime administrators to basic Sametime terms,
concepts, and features that appear throughout the Lotus Sametime 3.1
Administrator's Guide. The terms, concepts, and features are grouped into
four basic categories:
• Collaborative activities and end-user features
• Administration terms and features
• Sametime clients
• Sametime services
Collaborative activities and end-user features
This section provides brief descriptions of Sametime collaborative activities
and end-user features that are referred to throughout the Lotus Sametime 3.1
Administrator's Guide. Sametime administrators should be familiar with these
terms. To learn more about these collaborative activities and features, you
can experiment with the end-user features of Sametime. Online help for
many of these features is also available from the Documentation link of the
Sametime server home page.
The Sametime collaborative activities and end-user features include:
• Presence
• Chat
• Meetings
• Screen sharing
• Shared whiteboard
• Send Web Pages
• Polling
• Hand raise
• Transfer files
• Record and Playback
• IP audio
• IP video
• Sametime server home page
• Sametime Meeting Center
• Sametime Discussion and TeamRoom databases
• Breakout sessions
Presence
Presence refers to the ability of a user to detect when other users are online.
A user can view a presence list in a Sametime client or application that
displays the names of other online users. Presence is sometimes called
“awareness” or “online awareness.”
A presence list is a starting point for immediate or “instant” collaboration.
Presence lists in Sametime clients display the names of online users in green
text. Instant messaging sessions and instant meetings can be started
immediately from a presence list. A user simply double-clicks or right-clicks
an online user's name to send an instant message or start an instant meeting.
Presence lists are found in all Sametime clients. The Sametime Connect client
includes a contact list that can display the names of all users in the
community who are online. The Sametime Meeting Room client contains a
Participant List that displays the names of all users attending a particular
meeting. The Sametime Discussion and TeamRoom databases contain
presence lists that display all users active in the database, or all users
viewing a particular document in a database.
A user logs in to the Community Services on the Sametime server to become
present in the community or an online place (such as a Sametime meeting or
Web site enabled with Sametime technology). The Community Services on
the Sametime server support all presence functionality in Sametime.
Chat
Sametime supports text-based chat and instant messaging. A chat session
can consist of two (or more) users exchanging instant messages. Chat or
instant messaging sessions can be initiated from any presence list in a
Sametime client.
The Sametime Connect client includes a presence list (called the contact list)
from which instant messaging sessions can be started with any other
member in the community who is online. Sametime Discussion and
TeamRoom databases also include presence lists from which instant
messaging sessions can be started. Additional community members can be
invited into instant messaging sessions to form group chat conferences.
The Sametime Meeting Room client contains a public chat area (called the
“Meeting Room chat tool”) that enables all participants in a meeting to view
and enter messages. All messages entered in the public chat area can be
viewed by all participants in the meeting.
In addition to the Meeting Room chat tool, the Sametime Meeting Room
client also includes a Participant List. The Participant List is a presence list
from which one user can initiate a private chat session with another user in
the meeting. The messages exchanged in the private chat session are seen by
the users engaging in the chat session, but not by all participants in the
meeting. The Meeting Room chat tool is the public chat tool in a meeting.
The Participant List supports private chats in the meeting.
All instant messaging and chat activity is supported by Community Services
on the Sametime server.
Meetings
Sametime meetings are either “instant” or “scheduled.”
An instant meeting is started immediately from a presence list in any
Sametime client. Whiteboard files cannot be saved during instant meetings.
Instant meetings cannot be recorded.
A scheduled meeting is scheduled to start at a particular time and date.
Scheduled meetings are created in advance in the Sametime Meeting Center
application (stconf.nsf) on the Sametime server. Users access the Sametime
Meeting Center application on the Sametime server with a Web browser at
the scheduled meeting time to attend the meeting.
Note You can create a meeting in the Sametime Meeting Center and enable
the meeting to “Start immediately.” For clarity, such a meeting is considered
a scheduled meeting. Any meeting started in the Sametime Meeting Center
is a scheduled meeting. Any meeting started from a presence list is an instant
meeting.
A collaborative session is a meeting if the Sametime Meeting Room client is
launched. The Sametime Meeting Room client is launched for collaborative
sessions that include any of the following activities: screen sharing,
whiteboard, question and answer polling, send Web pages, Meeting Room
chat, audio, and video. However, the Sametime Meeting Room client is not
launched for chat-only sessions between users. A session that includes only
instant messaging or a group chat conference does not require the use of the
Sametime Meeting Room client.
The Meeting Services and the Community Services support the starting,
stopping, and creation of meetings on the Sametime server. Components of
the Sametime Meeting Room clients interact with the Meeting Services,
Community Services, and Audio/Video Services when participating in
Sametime meetings.
Breakout sessions
Users who are attending a meeting see a list of all meeting participants in the
Participant List component of the Meeting Room client. While the meeting is
in progress, a user can start a “breakout session” with any user displayed in
the Participant List.
A breakout session is an instant meeting that is started from the Participant
List of a meeting that is currently active. To start a breakout session, the user
selects the name of another meeting participant (or participants) from the
Participant List and starts an instant meeting with that user. Other users can
also be invited to this breakout session.
Breakout sessions have the following characteristics:
• If a breakout session will include any collaborative activities other than
chat (such as whiteboard or screen sharing), the user must have
permission to edit/share from the Meeting Moderator to start a breakout
session. If the breakout session will use chat only, no permissions are
necessary to start the breakout session.
• When the user starts a breakout session, the original meeting remains
open in a browser window, and the user is still a participant in the
original meeting. To return to the original meeting, the user leaves the
instant meeting and selects the browser window that contains the active
meeting.
• When a breakout session begins, it does not contain any information
(such as a chat transcript or whiteboard file) from the original meeting.
• If both the original meeting and the breakout session include IP audio,
the user's voice is heard in both meetings. Users should mute their
microphones in either the original meeting or the breakout session so
that their voices are heard in only one meeting at a time. Users should
also mute their speakers in one of the meetings if they do not want to
hear audio from both meetings at once.
• If the original meeting includes IP audio and the breakout session
includes IP video, the user's video image is not seen in the breakout
session until his or her microphone is muted in the original meeting. If a
user was the last person to speak in the original meeting, the user's video
image continues to appear in the original meeting until someone else in
the original meeting speaks.
Screen sharing
Screen sharing is a Sametime collaborative activity that enables multiple
users to work within a single application on one user's computer.
Geographically dispersed users in remote locations can collaborate within a
single application to produce a document, spreadsheet, blueprint, or any
other file generated from a Windows application. Screen sharing is
sometimes referred to as “application sharing.”
In a meeting that includes screen sharing, one end user uses the
screen-sharing tool in the Sametime Meeting Room client to share a screen or
application on the user's local computer with other meeting participants in
remote locations. The other meeting participants also use the screen-sharing
tools of the Sametime Meeting Room client on their local computers to view
and make changes to the shared screen or application. It is not necessary for
the remote users to have the application that is being shared installed on
their local systems. (The remote users share a single instance of the
application that is running on only one meeting participant's computer.)
Only one user at a time can be in control of the shared screen. Most users see
the initials of the user who controls the shared screen beside the cursor. The
person who is sharing the screen does not see the initials when someone else
controls the shared screen. The person who is sharing the screen must view
the Participant List details to confirm who controls the shared screen.
The administrator controls whether this collaborative activity is available for
meetings on the Sametime server from the Configuration - Meeting Services
- General tab of the Sametime Administration Tool.
Screen sharing is supported by T.120 components of the Meeting Services on
the Sametime server. For more information about using this collaborative
activity in a meeting, see the Sametime end-user online help.
Shared whiteboard
The shared whiteboard is a Sametime collaborative activity that supports
interactive presentations. A shared whiteboard presentation closely
resembles a slide show.
In a whiteboard presentation, one participant presents images in the
whiteboard tool of the Sametime Meeting Room client on the participant's
local computer. Remote meeting participants can also view the images and
annotate the images using the whiteboard tools in the Sametime Meeting
Room clients running on their local computers.
Before images can be presented on the whiteboard, a file containing the
images must be attached to the meeting. Users can attach files when creating
meetings, and the Moderator can attach files before or during meetings. Files
are automatically converted into the file type required for display on the
whiteboard.
In some cases, the format of a file that is added to the Attachments dialog
might not be properly preserved and the file might not display correctly
during a whiteboard meeting. In these cases, the IBM Lotus Sametime Print
Capture utility provides an alternate method of creating a whiteboard file.
The Sametime Print Capture operates much like a printer driver and enables
end users to print output from any Windows application to the file format
required by the whiteboard.
Note Sametime servers that run on operating systems other than Windows
NT or Windows 2000 only support whiteboard attachments created with the
Sametime Print Capture utility. For more information on how to use the
Sametime Print Capture utility, see the Sametime end-user help and the
Sametime Print Capture help.
The shared whiteboard is supported by T.120 components of the Meeting
Services on the Sametime server.
The administrator controls whether the shared whiteboard collaborative
activity is available for meetings on the Sametime server from the
Configuration - Meeting Services - General tab of the Sametime
Administration Tool. For more information about using the shared
whiteboard collaborative activity in a meeting, see the Sametime end-user
online help available from the Documentation link on the server home page.
Saving the whiteboard
During a meeting, the meeting Moderator can save a whiteboard file so that
others can view it when the meeting is over. For example, if someone has
presented a file on the whiteboard, and several participants have annotated
the file, the Moderator can save the changed file.
The whiteboard file is saved on the Sametime server as an attachment to the
Meeting Details document associated with the meeting. The whiteboard is
saved in two file formats: RTF and SWB (Sametime whiteboard). The RTF
file can be opened in most word processing or graphics applications for
printing or viewing after the meeting has ended. The SWB file can be
attached to future meetings and presented on the whiteboard during those
meetings.
If the whiteboard is saved more than once during a meeting, only the most
recently saved version is available from the Meeting Details document. The
most recently saved version is available in both the RTF and SWB formats.
The administrator controls whether the Meeting Moderator is allowed to
save the whiteboard from the Configuration - Meeting Services - General tab
of the Sametime Administration Tool.
Send Web Pages
Send Web Pages is a Sametime collaborative activity that enables a Meeting
Moderator to send a Web page URL to all participants in a meeting,
including audience members in broadcast meetings. When the Moderator
sends a Web page URL to the meeting participants, a browser window opens
on each participant's screen and displays the Web page. If the Moderator
sends an additional Web page URL to the meeting participants, the new Web
page displays in the same Web browser window as the previous Web page.
The Send Web Pages feature enables the Moderator to ensure that all
meeting participants are looking at the same Web page. However, if the
Meeting Moderator or any meeting participant clicks a link or scrolls the
Web page, the other meeting participants do not see this activity occurring in
the Web browser window on their local machines. Each participant can
explore the Web page, go to a different Web page, or close the window
without affecting what other participants see in their browser windows.
The administrator controls whether this collaborative activity is available for
meetings on the Sametime server from the Configuration - Meeting Services
- General settings of the Sametime Administration Tool.
For more information about using the Send Web Pages feature in a meeting,
see the Sametime end-user online help available from the Documentation
link on the Sametime server home page.
Polling
Polling is a Sametime collaborative activity that enables a Meeting
Moderator to use polls (or ask questions) to gather feedback from meeting
participants. For example, the Moderator might ask meeting participants to
vote to approve or reject a proposal. Only the Moderator can send polls.
Note During broadcast meetings, only presenters can respond to polls, but
both presenters and audience members can view poll responses shared by
the Moderator. During fully-interactive Sametime meetings, all meeting
participants can respond to polls and view responses shared by the
Moderator.
Participants' responses to poll questions are tallied in the Moderator's Poll
Tab. The Moderator can keep the poll responses private, or share them with
the other meeting participants.
When sending a poll, the Moderator can also:
• Share the tallied responses with other participants - Normally, the
Moderator is the only person who sees poll responses. The Moderator
can choose to share the tallied poll responses so that all participants see
the responses in the Poll Tab of the Sametime Meeting Room client.
• Allow anonymous responses - By default, the Moderator can see each
participant's response to poll questions. (These individual responses
cannot be shared with other meeting participants.) Because people often
answer more freely when they know their identity will not be revealed,
the Moderator can preserve participants' privacy by allowing
anonymous responses to poll questions. During Broadcast meetings,
only presenters can respond to polls.
• Mark correct answers - The Moderator can specify correct answers for
poll questions. When the Moderator shares the poll responses,
participants can see if they answered the question correctly.
The administrator controls whether this collaborative activity is available for
meetings on the Sametime server from the Configuration - Meeting Services
- General tab of the Sametime Administration Tool.
For more information about using this collaborative activity in a meeting, see
the Sametime end-user online help available from the Documentation link on
the Sametime server home page.
Hand raise
Hand raise is a collaborative activity that allows users to “raise a hand” at
any time during a meeting. When users raise their hands, a hand icon
appears next to their names in the Participant List.
A user might raise a hand to:
• Ask for permission to edit/share or permission to speak.
• Respond to a question or speak during the meeting.
• Attract the Moderator's attention.
The Moderator can lower raised hands at any time, or users can lower their
own hands. Users do not need permission to edit/share or permission to
speak to raise their hands.
Transfer files
Transferring files is a Sametime collaborative activity that enables users to
send a file to another user via a presence list in the Sametime Meeting Room
or the Sametime Connect client. Presence lists in Sametime Discussion and
TeamRoom databases do not support transferring files. Users must transfer
one file at a time to one person at a time. File transfers are automatically
encrypted.
The administrator can enable or disable this feature. When you enable this
feature, both authenticated and anonymous users can transfer files.
Caution To protect against viruses that might be spread through file
transfers, users should have current anti-virus software. The software's
real-time protection settings should be enabled and set to scan all files.
Users cannot use Sametime to transfer files to AOL Instant Messenger℠
users or to users in other SIP-enabled communities.
For more information about enabling, disabling, and setting size limits for
file transfers, see “Allow users to transfer files to each other” in Chapter 6.
Note The file transfer feature does not work with Sametime Links. For
more information about Sametime Links, refer to the Sametime Software
Development Kit (SDK) documentation.
Record and Playback
Sametime includes a Record and Playback feature that enables a user to
record meetings. When scheduling a meeting, the user selects a check box
labeled “Record this meeting so that others can replay it later” to record the
meeting.
When a user records a meeting, a Sametime Record and Playback (.RAP) file
that contains a recorded version of the meeting is automatically saved as an
attachment to the Meeting Details document when the meeting ends.
Anyone who has access to the meeting can click a “Replay the Meeting”
button on the Meeting Details document in the Sametime Meeting Center to
play the recorded version of the meeting.
When the user clicks “Replay the Meeting,” a modified version of the
Sametime Broadcast client Java applet starts in a Web browser window on
the user's machine and connects to the Broadcast Gateway component of the
Sametime server. The Broadcast client is modified to include controls that
enable the user to stop, pause, and resume the playback of recorded meeting
files.
The following restrictions apply to recorded meetings:
• Users cannot choose to record a meeting after the meeting begins; they
must select the “Record this meeting…” option when scheduling the
meeting.
• Users can only record a scheduled meeting; it is not possible to record an
instant meeting.
The administrator controls whether the Record and Playback feature is
available for meetings on the Sametime server from the Configuration -
Meeting Services - General tab of the Sametime Administration Tool.
If the administrator allows the Record and Playback feature to be available
on the server, there are administrative tasks associated with managing the
recorded meeting files. These tasks include:
• Exporting (or saving) a recorded meeting
• Deleting a recorded meeting
• Replacing a recorded meeting with another recorded meeting file
• Importing a recorded meeting file
See “Managing recorded meetings (Record and Playback)” in Chapter 8
for more information.
IP audio
Interactive IP Audio is a Sametime collaborative activity that enables
multiple (two or more) users to transmit and receive audio over an IP
network.
In a meeting that includes interactive IP audio, the audio can operate in
either the “automatic microphone” or the “request microphone” mode. The
request microphone mode is the more controlled mode. Only one user can
speak at a time and a user must request the microphone before speaking.
The automatic microphone mode enables two users to speak simultaneously.
In the automatic microphone mode, the person speaking is automatically
detected by the Audio/Video Services on the Sametime server (it is not
necessary to request the microphone before speaking). Automatic
microphone mode offers a more natural form of conversation but provides
less control.
The end user uses the audio tool of the Sametime Meeting Room client when
participating in a meeting that includes IP audio. This tool contains
microphone and speaker volume controls and mute features, and a button
that allows users to configure the audio and video preferences on their
computers. End users can also use H.323-compliant clients, such as
NetMeeting, to participate in IP audio meetings on the Sametime server. For
more information about the end-user aspects of the IP Audio collaborative
activity, see the Sametime end-user online help.
The term “interactive” IP audio refers to the technology that enables all
participants in a meeting to both transmit and receive IP audio packets on
the network. In an interactive IP audio meeting, one user transmits a stream
of audio packets to the server and the server disseminates this stream to all
other meeting participants. This “one-to-many” form of communication is
sometimes called “multipoint” audio.
The term “broadcast” IP audio refers to the streaming technology that
enables a large group of users (or audience members) to receive the audio
from a meeting but not transmit audio to other users in a meeting.
IP audio is supported by the Audio/Video Services on the Sametime server.
Broadcast IP audio is supported by the Audio/Video Services and the
Broadcast Services on the Sametime server.
IP video
Interactive IP Video is a Sametime collaborative activity that enables
multiple users to transmit and receive video packets over an IP network.
In a meeting that includes interactive IP video, the video follows the audio.
The video component of the Sametime Meeting Room client includes a
Remote and Local video window. The Remote window displays images from
the camera of the person who is speaking and the Local window displays the
image from a user's local camera.
Sametime does not support video-only meetings. A meeting that includes IP
video must also include IP audio. End users can also use H.323-compliant
clients, such as NetMeeting, to participate in IP audio/video meetings on the
Sametime server. For more information about the end-user aspects of this
collaborative activity, see the Sametime end-user online help.
The term “interactive” IP video refers to the technology that enables all
participants in a meeting to both transmit and receive IP video packets on
the network. In an interactive IP video meeting, one user transmits a stream
of video packets to the server and the server disseminates this stream to all
other meeting participants. This “one-to-many” form of communication is
sometimes called “multipoint” video.
The term “broadcast” IP video refers to the streaming technology that
enables a large group of users (or audience members) to receive video but
not transmit it.
Interactive IP video is supported by the Audio/Video Services on the
Sametime server. Broadcast IP video is supported by the Audio/Video
Services and the Broadcast Services on the Sametime server.
Sametime server home page (stcenter.nsf)
The Sametime server home page is an HTML page that exists in the
Sametime Center database (stcenter.nsf). The Sametime server home page
can only be accessed by a Web browser and is the end-user entry point to the
Sametime server.
After installing the Sametime server on the Domino server, you must set
stcenter.nsf as the Home URL for the server. To do this, open the Server
document for the Domino server that includes Sametime, select the Internet
Protocols tab, select the HTTP tab, and enter stcenter.nsf in the Home URL
field of the Mapping section of the Server document.
As the user entry point to the Sametime server, the Sametime server home
page contains links to the following important Sametime entities:
• Sametime Meeting Center
• Discussion and TeamRoom databases
• Sametime Connect client (includes clients that can be downloaded)
• Self-registration feature
• Sametime Administration Tool
• End-user documentation
• Sametime Software Development Kit (SDK)
• Sametime Developers Community Web site
• Lotus Sametime Web site
• IBM Web site
Sametime Meeting Center (stconf.nsf)
The Sametime Meeting Center is an application (a Lotus Notes database
named stconf.nsf) on the Sametime server that is accessed by a Web browser.
This application is a central meeting place for members of the Sametime
community. From the Sametime Meeting Center, you can schedule a
meeting, start a meeting immediately, attend a meeting, and view
information about scheduled and finished meetings.
Users access the Sametime Meeting Center database by clicking “Attend a
Meeting” or “Schedule a Meeting” on the Sametime Server home page.
Note All scheduled meetings in Sametime are created in the Sametime
Meeting Center. A user who starts an instant meeting from a presence list
does not access the Sametime Meeting Center.
Anonymous access is allowed to the Sametime Meeting Center database by
default. With anonymous access, users are not required to authenticate when
accessing the Sametime Meeting Center. For more information about the
implications of anonymous access to the Sametime Meeting Center, see
“Anonymous Access Settings for Community Services” in Chapter 6.
Sametime Discussion and TeamRoom databases
Sametime includes Discussion (stdisc50.ntf) and TeamRoom (stteam50.ntf)
templates from which end users can create Discussion and TeamRoom
databases enabled with Sametime technology.
Sametime Discussion and TeamRoom databases can be deployed on
Sametime servers or on Domino servers in the domain that do not include
Sametime.
These Sametime databases contain presence lists that add real-time
collaborative capabilities to the existing document-based collaboration
features of the popular Domino Discussion and TeamRoom databases.
A specially-designed user interface enables a Web browser user to quickly
and easily create a new Discussion or TeamRoom database by accessing the
“Use Discussions and TeamRooms” link from the Sametime Server home
page. Users also select the “Use Discussions and TeamRooms” link to access
and contribute to Discussion and TeamRoom databases that are already
created on the server.
The Sametime Discussion and TeamRoom databases created from the
database templates on the Sametime server do not allow anonymous access
by default. The administrator can modify the Access Control List (ACL) of
an individual Discussion or TeamRoom database as needed to allow
unauthenticated (anonymous) access to that database.
Sametime administration terms and features
This section provides brief descriptions of general Sametime administration
terms that appear throughout the Lotus Sametime 3.1 Administrator's Guide.
Sametime administrators should be familiar with these terms and features.
Issues and administrative procedures associated with these terms are
discussed in greater detail in subsequent chapters and topics of the Lotus
Sametime 3.1 Administrator's Guide.
Some basic Sametime administration terms and features include:
• Sametime server
• Sametime Administration Tool
• Community
• Domino Directory
• LDAP directory
• Self-registration
• Connectivity (firewall and proxy support)
• Broadcast
• Monitoring and logging
• Security
• SIP Gateway and SIP Connector
• Reverse proxy and portal server support
• Chat logging
• Sametime server clusters
Sametime server
The term “Sametime server” is used throughout the documentation to refer
to a server that has both Sametime and Domino installed.
Sametime Administration Tool
The Sametime Administration Tool is an HTML- and XML-based application
that runs in a Web browser. You open the Sametime Administration Tool by
clicking “Administer the Server” on the Sametime server home page. The
Sametime Administration Tool is the primary administration tool for the
Sametime server. For more information about the Sametime Administration
Tool, see “Overview of the Sametime Administration Tool features” in
Chapter 2.
During the Sametime installation, one user is specified as the administrator
of the Sametime server. This administrator has access to the Sametime
Administration Tool and all of its administrative features. The administrator
specified during the installation can provide other administrators with
access to the Sametime Administration Tool as needed.
The Sametime Administration Tool should be used to perform all
administrative procedures on the Sametime server with the following
exceptions:
• Replication and creation of new Lotus Notes databases - If a Sametime
procedure requires you to replicate a database or create a new database,
you must use a Lotus Notes or Domino Administrator client. The
Sametime Administration Tool does not provide the functionality
required to create one-time replicas (replica stubs) or other new
databases, or set up replication schedules.
• Managing LDAP users - If you have configured Sametime to operate as
a client to an LDAP server, you cannot use the Sametime Administration
Tool to add or delete users in the LDAP directory on the LDAP server.
Use the software provided with the LDAP server for management of the
LDAP directory.
Note Although you cannot use the Sametime Administration Tool to
manage users in an LDAP directory on a third-party server, you must
use the Sametime Administration Tool to configure the Sametime server
to access the LDAP directory on the third-party LDAP server.
• Setting up Secure Sockets Layer (SSL) on the Sametime server - If you
want to configure the Sametime server so that all Web browser clients
use the SSL protocol when connecting to the Sametime server, you must
use a Lotus Notes client or the Domino Administrator client to set up
SSL on the server.
• Enabling a SIP gateway and deploying a SIP Connector - If you want
to allow users in your Sametime community to communicate with users
in other instant messaging communities that support the SIP/SIMPLE
protocol, you must use a Lotus Notes client to enable the Session
Initiation Protocol (SIP) Gateway.
• Implementing chat logging - The chat logging feature can capture all
chat conversations that occur on the Sametime server, including instant
messages, chat conferences (chats involving more than two people), and
Meeting Room chats. For more information about chat logging, see the
Sametime Software Development Kit documentation available from the
SDK link at the bottom of the Sametime server home page.
• Creating Community Services clusters - A Community Services cluster
consists of multiple Sametime servers configured to operate together,
providing failover and load balancing for the Sametime instant
messaging and presence functionality. For more information see
“Overview of Community Services clustering” in Chapter 17.
• Starting or stopping Sametime services - You must use the Services
settings in the Windows NT Control Panel or Windows 2000
Administrative Tools to start or stop a Sametime service.
Community
The Sametime community refers to all users that have Web browser access to
a Sametime server (or servers) and all Sametime servers that support those
users. The Sametime community can be maintained in the Domino Directory
on the Sametime Server or in an LDAP Directory on a third-party
LDAP-compliant server.
Specifically, the Sametime community can be described as follows:
• A shared directory, or set of directories, that lists the people and groups
of the community
• One or more Sametime servers that each have access to the shared
directory or set of directories
For information on integrating multiple Sametime servers into a single
community, see Chapter 14, Deploying multiple Sametime servers.
Domino Directory
The Sametime server uses the Domino Directory of the Domino server on
which Sametime is installed.
The Domino Directory is a database that serves as a central repository for
information about Sametime users (or members of the Sametime
community). The Domino Directory contains a separate Person document for
each Sametime user. The Person document contains the User Name and
Internet password required for authentication with the Sametime server. The
Person document also contains a “Sametime server” field that is used to
specify a user's home Sametime server. The home “Sametime server” is the
Sametime server a user connects to when logging in to the Community
Services for presence and chat activity.
The Domino Directory also contains Group documents that hold lists of
users that perform similar tasks. Group documents also define the Public
Groups that end users can add to the Sametime Connect client presence list.
Other information stored in the Domino Directory includes server
configuration information in the Server document, database configuration
settings, and Access Control Lists (ACLs).
Person and Group documents, and ACLs within the Domino Directory, can
be accessed from the Sametime Administration Tool.
Sametime administrators have the option of using the Domino Directory for
user management or configuring Sametime to connect to an LDAP directory
on an LDAP server for user management.
To maintain current information about users, groups, and servers in the
Sametime community, the Community Services must receive periodic
updates from the Domino Directory.
For more information about the Domino Directory, see “Managing the
Domino Directory” in Chapter 3.
LDAP directory
The administrator can configure the Sametime server to connect to a
Lightweight Directory Access Protocol (LDAP) server. This capability
enables an administrator to integrate Sametime into an environment in
which LDAP servers and LDAP directories are already deployed.
When Sametime is configured to connect to an LDAP server, the Sametime
server searches and authenticates user names against entries in the LDAP
directory on the third-party LDAP server. The LDAP directory replaces the
Domino Directory as the primary tool for user management in the
community. The community is defined by the users in the LDAP directory.
Accessing an LDAP directory that is already deployed allows the
administrator to use existing LDAP directories with the Sametime server. It
is not necessary for the administrator to populate and maintain a separate
directory of users in the Domino Directory on the Sametime server.
Sametime can access LDAP directories on multiple LDAP servers.
For more information, see “Using LDAP with the Sametime server” in
Chapter 4.
Self-registration
The Sametime server includes a self-registration feature. This feature allows
an end user to create a Person document that contains a User Name and
Internet password in the Domino Directory on the Sametime server.
The self-registration feature is available to end users from the Register link of
the Sametime server home page.
The administrator has the option of allowing or not allowing
self-registration. Self-registration can reduce the workload for the
administrator because it enables users to add themselves to the Domino
Directory (create a Person document in the directory containing a User
Name and Internet password). Allowing self-registration can involve
security risks because it enables anonymous users to create records in the
Domino Directory. These records permit anonymous users to authenticate
with databases on the server.
Self-registration is not allowed by default. Also, self-registration cannot be
used if Sametime is configured to operate as a client to an LDAP server.
For more information, see “Using Sametime self-registration” in Chapter 3.
Connectivity (firewall and proxy support)
To engage in collaborative activities, the Sametime clients must connect to
various services on the Sametime server, as described below:
• Web browsers connect to the HTTP Services on the Sametime server.
• The Sametime Connect client connects to the Community Services on the Sametime server.
• The Sametime Meeting Room client contains components that connect to the Meeting Services, Community Services, and Audio/Video Services.
• The Sametime Broadcast client connects to the Broadcast Services on the Sametime server.
• H.323-compliant clients (such as NetMeeting) connect to the Sametime server using the H.323 connection process.
The HTTP Services, Community Services, Meeting Services, Broadcast
Services, and Audio/Video Services on the Sametime server listen for
connections from clients on different TCP/IP ports. Because of the number
of ports required to support the full range of collaborative activities,
Sametime includes specially-designed connectivity features that enable
Sametime clients to establish connections through firewalls and proxy
servers.
Generally, the Sametime connectivity features enable Sametime clients to
establish connections through HTTP and SOCKS proxy servers, or by using
the HTTP connection method. If necessary, Sametime can be configured to
listen for HTTP connections from all clients on port 80 to enable Sametime
clients behind very restrictive firewalls to connect to the Sametime server.
Note The Sametime Connect client can also establish connections to the
Community Services through an HTTPS proxy server.
For more information about enabling Sametime clients to connect through
firewalls and proxy servers, see Chapter 5, Configuring Ports and Network
Connectivity.
For information about enabling Sametime servers to operate behind a
reverse proxy server, see “Using reverse proxy or portal servers with the
Sametime server” in Chapter 5.
Broadcast
Sametime includes streaming technology that enables the server to broadcast
meetings on the Internet or corporate intranet. Broadcast meetings can scale
to extremely large audiences.
A Sametime Broadcast meeting includes two types of users: presenters and
audience members. Presenters use the Sametime Meeting Room client to
engage in interactive collaborative activities in a meeting. “Audience
members” watch the actions of the presenters in a special view-only
Sametime Broadcast client. The audience members can watch the meeting,
but do not interact in the collaborative activities. The meeting experience for
audience members in a Broadcast meeting is similar to watching television.
Broadcast Services on the Sametime server transmit screen-sharing and
whiteboard Real-Time Protocol (RTP) data streams to the special view-only
Sametime Broadcast clients. Audio and video RTP data streams can also be
broadcast on the network and received by the Broadcast clients. Audience
members can watch the screen-sharing or whiteboard activity of the
presenters, view poll responses shared by the Moderator, view Web pages
sent by the Moderator, view Meeting Room chat entered by the presenters,
hear audio discussions, and see video images from the camera of the person
currently speaking. However, Audience Members cannot interact with the
Presenters. The Broadcast client used by the audience members contains no
interactive capabilities.
The Broadcast media streams travel in only one direction, from the server to
the Broadcast clients. Scalability is enhanced primarily because the Sametime
server is not required to handle any incoming data from Audience Members.
Broadcast meetings are very effective for company-wide presentations or
any type of meeting where one person, or a small number of people, lecture
or make presentations to a large audience.
For more information, see Chapter 9, Configuring the Broadcast Services.
Monitoring and logging
The Sametime server provides monitoring and logging features that enable
you to monitor the current status of the server and record (or log)
information about server events and activities.
Monitoring
The Sametime server includes charts that allow you to monitor current
Sametime server statistics. The monitoring charts, which are presented as
tables, provide up-to-the-second information about Community Services,
Meeting Services, Broadcast Services, Audio/Video Services, Web statistics,
and free disk space on the server.
For more information, see Chapter 11, Monitoring the Sametime server.
Logging
The Sametime server logging tools include the Sametime log and the
Domino log. The Sametime log records events in the Sametime log database
(stlog.nsf). The Sametime Administration Tool includes logging settings that
enable you to control whether activities are logged to a database or to text
files and to determine which activities are logged. If you log Sametime
information to a database, you can view the Sametime log from the
Sametime Administration Tool.
The Sametime Administration Tool also allows an administrator to launch
the Domino Web Administration Tool to view the Domino log. The Domino
log includes information about available memory and disk space, server
performance, and databases that need maintenance.
For more information, see Chapter 12, Logging Sametime Activity.
Security
The Sametime server uses the Internet and intranet security features that are
available on the Domino server on which it is installed. Generally, you use
the Access Control Lists (ACLs) of databases on the Sametime server to
provide users with anonymous access or basic password authentication to
individual databases on the server. For example, you might want to set the
ACL of the Sametime Meeting Center database (stconf.nsf) to require basic
password authentication so that only authenticated users can create and
attend meetings on the Sametime server. You might want to allow
anonymous access to a TeamRoom or Discussion database on the server.
To authenticate with the Sametime server, users must have a Person
document that contains a User Name and Internet password in the Domino
Directory on the Sametime server. The user is prompted for these credentials
when logging in to the Sametime Connect client or accessing a Sametime
server database that requires basic password authentication.
Note If you have configured Sametime to connect to an LDAP server, users
are authenticated using names and passwords stored in LDAP directory
entries.
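The ACL and authentication points above, together with the self-registration risk described earlier in this chapter, can be made concrete with a small model of how a Domino ACL resolves a Web user's access level. This is an added example, not code from the guide or from Lotus; the group names, user names and access levels are constructed, and the three ACL variants are illustrative rather than the ACL that ships with stconf.nsf. The model applies the resolution rules a Domino administrator relies on: an Anonymous entry governs unauthenticated users (falling back to -Default-), an explicit person entry takes precedence over group membership, and a user in several listed groups receives the highest of their levels.

```python
from enum import IntEnum


class Access(IntEnum):
    """Domino database access levels, ordered from lowest to highest."""
    NO_ACCESS = 0
    DEPOSITOR = 1
    READER = 2
    AUTHOR = 3
    EDITOR = 4
    DESIGNER = 5
    MANAGER = 6


class DominoAcl:
    """Model of how a Domino ACL resolves the access level of a Web (HTTP) user.

    entries: ACL entry name -> Access. "-Default-" covers anyone not otherwise
             listed; "Anonymous", when present, covers unauthenticated users.
    groups:  group name -> set of member names (Domino Directory Group documents).
    """

    def __init__(self, entries, groups=None):
        self.entries = dict(entries)
        self.groups = dict(groups or {})

    def effective_access(self, user=None):
        """Access level for `user`; user=None means an unauthenticated (anonymous) user."""
        default = self.entries.get("-Default-", Access.NO_ACCESS)
        if user is None:
            # Anonymous users get the Anonymous entry if the ACL has one, else -Default-.
            return self.entries.get("Anonymous", default)
        # An explicit person entry always wins over group membership.
        if user in self.entries:
            return self.entries[user]
        # Otherwise the highest level among listed groups the user belongs to applies.
        group_levels = [
            self.entries[name]
            for name, members in self.groups.items()
            if name in self.entries and user in members
        ]
        if group_levels:
            return max(group_levels)
        return default

    def can_attend(self, user=None):
        """Opening existing meeting documents needs Reader access or better."""
        return self.effective_access(user) >= Access.READER

    def can_create_meetings(self, user=None):
        """Creating a meeting creates a document, so Author access or better is required."""
        return self.effective_access(user) >= Access.AUTHOR


# Constructed group and ACL variants for the Meeting Center database (stconf.nsf);
# the names and levels below are illustrative, not the values shipped with Sametime.
GROUPS = {"SametimeUsers": {"Ann Example/Acme", "Bob Example/Acme"}}

# Anonymous browser users may create and attend meetings.
ANONYMOUS_OPEN = DominoAcl(
    {"-Default-": Access.AUTHOR, "Anonymous": Access.AUTHOR}, GROUPS)

# Anonymous access removed; every name-and-password user falls through to -Default-,
# so a self-registered Person document is enough to obtain Author access here.
PASSWORD_REQUIRED = DominoAcl(
    {"-Default-": Access.AUTHOR, "Anonymous": Access.NO_ACCESS}, GROUPS)

# Only members of an administrator-maintained group may create meetings, so a
# self-registered account that is not in the group gains nothing.
GROUP_RESTRICTED = DominoAcl(
    {"-Default-": Access.NO_ACCESS, "Anonymous": Access.NO_ACCESS,
     "SametimeUsers": Access.AUTHOR}, GROUPS)


def compare_acls(user=None):
    """Return {variant name: can_create_meetings} for one user across the three ACLs."""
    return {
        "anonymous_open": ANONYMOUS_OPEN.can_create_meetings(user),
        "password_required": PASSWORD_REQUIRED.can_create_meetings(user),
        "group_restricted": GROUP_RESTRICTED.can_create_meetings(user),
    }


if __name__ == "__main__":
    for who in (None, "Ann Example/Acme", "Self Registered/Acme"):
        print(who or "<anonymous>", compare_acls(who))
```

The third variant is the one to keep in mind alongside self-registration: removing Anonymous access only forces a name and password, and if -Default- still grants Author, any self-registered Person document is enough to create meetings. Granting the access through a group that the administrator maintains closes that gap.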
In addition to the Domino Internet and intranet security features, the
Sametime server requires “authentication by token” security mechanisms to
ensure that Sametime clients that establish connections to the Sametime
services are authenticated. These security mechanisms include the Sametime
Secrets and Tokens authentication databases and the Domino Single Sign-On
(SSO) authentication feature.
For more information, see Chapter 13, Managing security.
SIP gateway and SIP connector
Enabling the Session Initiation Protocol (SIP) Gateway and deploying a SIP
Connector are optional procedures that you can perform if you want users in
your Sametime community to share presence and instant messaging
capabilities with users in other SIP-enabled communities.
You can enable this functionality to allow users in your community to
communicate with users in another Sametime community that contains a
Sametime server with the SIP Gateway functionality enabled.
Enabling the SIP Gateway functionality requires the installation of a separate
component, the SIP Connector. For more information see Chapter 7,
Enabling the Session Initiation Protocol (SIP) Gateway.
Reverse proxy and portal server support
A Sametime 3.1 server can be deployed behind a reverse proxy server or a
portal server. When a Sametime 3.1 server is deployed on an internal
network behind a reverse proxy server, the reverse proxy server operates as
an intermediary between the Sametime server and the Sametime clients. All
Sametime data flowing between the Sametime server and its clients passes
through the reverse proxy server.
To accomplish its security objectives, a reverse proxy server manipulates the
data that passes through it. The manipulation of Sametime data by the
reverse proxy server imposes specific requirements and limitations on the
use of reverse proxy servers with the Sametime server.
These limitations and requirements are discussed in detail in "Using reverse
proxy or portal servers with the Sametime server" in Chapter 5.
Sametime server clusters
The Sametime 3.1 server supports Sametime server clustering. Sametime
server clusters:
• Enhance server scalability and reliability to enable Sametime to meet the demands of large user populations.
• Provide load balancing and failover capabilities for Sametime Community Services and Meeting Services.
Sametime server clustering enables you to cluster the Community Services
separately from the Meeting Services. For example, if you have three
Sametime servers, you can have two separate clusters: a Community
Services cluster and a Meeting Services cluster.
The two cluster types operate independently. The Community Services
cluster provides load balancing and failover for the instant messaging and
presence functionality. The Meeting Services cluster provides load balancing
and failover for the Meeting Services functionality.
Clustering each of the services separately provides the flexibility to manage
the Sametime functionality according to the needs of your company. For
example, some companies might have a greater need for Community
Services functionality than Meeting Services functionality while other
companies have more need for the Meeting Services functionality than the
Community Services.
To support flexibility in the deployment of your Sametime servers, you have
three options when creating Sametime server clusters:
• You can cluster the Community Services without clustering the Meeting Services
• You can cluster the Meeting Services without clustering the Community Services
• You can cluster both the Community Services and the Meeting Services
For more information about server clusters, including detailed information
about each option for clustering the servers, see Chapter 17, Introduction to
Sametime Server Clusters and the Enterprise Meeting Server.
Sametime clients
The collaborative activities in Sametime are accomplished through the
interactions of client applications installed on users' local machines with
services on the Sametime server.
Administrators should be familiar with the following Sametime client
applications:
• Web browsers
• Lotus Notes clients
• Sametime Connect client
• Sametime Meeting Room client
• Sametime Broadcast client
• NetMeeting (H.323-compliant clients)
Web browsers
Sametime supports Web browser access to the Sametime server. Supported
browsers for Sametime by operating system include:
• Windows 2000 Pro (with Service Pack 2)
  • Internet Explorer 5.5 running its native Virtual Machine (VM)
  • Internet Explorer 6.0 running its native Virtual Machine (VM) or the Sun Microsystems Java VM 1.4 and Java Plug-in 1.4.
  • Netscape 7 running the Sun Microsystems Java VM 1.4.1 and Java Plug-in 1.4.1.
• Windows XP
  • Internet Explorer 6.0 running its native Virtual Machine (VM) or the Sun Microsystems Java VM 1.4 and Java Plug-in 1.4.
  • Netscape 7 running the Sun Microsystems Java VM 1.4.1 and Java Plug-in 1.4.1.
Note By default, some Netscape 7 browsers use the Sun Microsystems JVM
1.4. Netscape 7 users must manually install the Sun Microsystems JVM 1.4.1
to use Netscape 7 browsers with Sametime.
For information about browser support on operating systems other than
Windows, refer to the installation guide that shipped with the Sametime
server.
Accessing the Sametime server with a Web browser
A user can enter the Sametime server DNS name or IP address in the Web
browser URL locator to access the Sametime server. The Sametime server
home page (stcenter.nsf) serves as the Web browser entry point to the
Sametime server and contains links to the Sametime Meeting Center and
other Sametime entities, including the Sametime Administration Tool.
Specifying a Windows default browser
Sametime includes Java applets that are automatically downloaded from the
Sametime server and run in the Java VM of the user's local Web browser
when a user attends a meeting. The end user does not need to perform a
separate installation for these Java clients. However, a user must have a
particular Web browser specified as the Windows default browser or the
browser cannot be launched automatically when a user joins an instant
meeting.
When a Netscape browser is installed, it automatically sets itself as the
Windows default browser.
Each time Microsoft Internet Explorer starts, it checks whether it is the
default browser and displays a dialog box that allows the user to select
Microsoft Internet Explorer as the default browser. If the user has disabled
this dialog box, the user can do the following to make the dialog box display
when Microsoft Internet Explorer launches:
1. Choose View - Tools - Internet Options.
2. Click the Programs tab.
3. Select “Internet Explorer should check to see whether it is the default
browser.”
4. Restart Microsoft Internet Explorer. The dialog box that enables the user
to select Microsoft Internet Explorer as the Windows default browser
appears.
Lotus Notes clients
Users cannot access the Sametime server home page (stcenter.nsf) or the
Sametime Meeting Center (stconf.nsf) with a Lotus Notes client. These
databases are designed for Web browser access only. These databases can be
accessed by a Microsoft Internet Explorer or Netscape Navigator Web
browser launched from within Notes.
Users can access a Sametime Discussion or TeamRoom database with a
Lotus Notes client. For more information, see Chapter 16, Managing
Discussion and TeamRoom databases.
Sametime Connect client
Sametime includes two versions of the Sametime Connect client: a
standalone Windows application and a signed Java applet.
The Sametime Connect Windows client (Sametime Connect for the desktop)
is downloaded and installed on the user's machine from a link on the
Sametime server Download page. The Java version of Sametime Connect
(Sametime Connect for browsers) is launched from a link on the Sametime
server home page and runs in the user's Web browser instead of on the
Windows operating system.
Both versions of the Sametime Connect client contain a presence list (or
contact list) that provides an entry point to all collaborative activities in
Sametime. This contact list can display the name of any user that is online in
the Sametime community. From the presence list, a user can select another
user's name to initiate an instant messaging session, a file transfer, or an
instant meeting. Other users can be invited to join the chat or instant
meeting.
Initiating an instant meeting from the contact list launches the Sametime
Meeting Room client on a user's machine. The Sametime Meeting Room
client contains collaborative components that support screen-sharing,
whiteboard, send Web page, polling, chat, and audio/video collaborative
activities.
The Sametime Connect client contains features that enable a user to browse
or search the Domino Directory on the Sametime server to add users or
groups of users to the presence list.
Sametime Connect also includes privacy features that can prevent selected
users from seeing you or contacting you when you are online. Records for
the Sametime Connect privacy features are maintained in the Privacy
(vpuserinfo.nsf) database on the Sametime server.
The Sametime Connect client includes its own Sametime Connectivity
settings. Sametime Connect connects to the Community Services using
TCP/IP on the default port 1533. Sametime Connect can also establish
connections with the Community Services through HTTP, HTTPS, or SOCKS
proxy servers. Sametime Connect clients can also use connectivity settings
defined in a user's web browser to establish connections to the Community
Services on the Sametime server.
To log in to Sametime Connect, a user must enter the User Name and
Internet password that has been specified in the user's Person document in
the Domino Directory. A Sametime Connect user is always logged into the
server specified as the “home” Sametime server.
The Sametime Connect presence, instant messaging, privacy, directory
browsing, and connectivity features are supported by the Community
Services on the Sametime server.
Sametime Meeting Room client
The Sametime Meeting Room client contains the collaborative components
required to interact in Sametime instant or scheduled meetings. This client is
downloaded to a user's local machine the first time a user attends a
Sametime meeting. The user should respond Yes when prompted to trust
Lotus during this initial download. The Meeting Room client is cached on
the user's machine to improve response times when attending subsequent
meetings.
The Sametime Meeting Room client is a Java applet that contains several
Java collaborative components used in meetings. These collaborative
components include:
• Participant List
• Public chat
• Screen sharing
• Shared whiteboard
• Send Web Pages
• Polling
• Hand raise
• IP audio
• IP video
The Meeting Room client loads in a user's Web browser when the user
attends an instant or scheduled meeting. The Meeting Room client must
establish connections with the Meeting Services on the Sametime server (on
default port 8081) and the Community Services on the Sametime server (on
default port 1533).
Generally, the Meeting Room client first attempts to establish a direct
TCP/IP connection with a Sametime service on the Sametime server. If the
direct TCP/IP connection attempt fails, the Meeting Room client attempts to
establish connections using information in the Web browser proxy (or
connectivity) settings, or uses a direct HTTP connection to connect to the
Sametime services. For more information, see Chapter 5, Configuring Ports
and Network Connectivity.
Sametime Broadcast client
The Sametime Broadcast client is a Java applet that receives Real-Time
Protocol (RTP) data streams from Broadcast Services on the Sametime
server. The Sametime Broadcast client is a receive-only client with no
interactive capabilities. This client enables users to watch and listen to
activity occurring in a broadcast meeting, but not to interact in the meeting.
The Broadcast client is downloaded to a user's local machine the first time a
user attends a Sametime broadcast meeting. The user should respond Yes
when prompted to trust Lotus during this initial download. The Broadcast
client is cached on the user's machine and launched from the cache when the
user joins subsequent broadcast meetings.
Initially, the Broadcast client attempts a direct RTSP TCP/IP connection to
the Broadcast Services on the Sametime server on default port 554. Over this
connection, the Broadcast client negotiates with the server to receive the
Broadcast streams. The Broadcast client can also connect to the Broadcast
Services through an HTTP or SOCKS proxy server, or by using a direct
HTTP connection.
The Broadcast client can receive broadcast meeting streams through unicast
UDP or multicast UDP. If UDP is not available on the network, the broadcast
UDP streams can be tunneled using the direct TCP/IP connection, tunneled
through an HTTP or SOCKS proxy server, or tunneled through a direct
HTTP connection.
For more information, see Chapter 8, Configuring the Broadcast Services.
NetMeeting (H.323-compliant clients)
NetMeeting and other H.323-compliant clients can be used to attend
meetings on the Sametime server.
NetMeeting and Sametime Meeting Room audio/video components can
collaborate in the audio and video portions of a Sametime meeting.
However, the screen-sharing and whiteboard components of NetMeeting
cannot be used with the screen-sharing and whiteboard components of the
Sametime Meeting Room client in a Sametime meeting.
If a meeting includes only NetMeeting clients, the NetMeeting clients can
use their screen-sharing and whiteboard components to collaborate in the
Sametime meeting.
The administrator controls whether the NetMeeting clients can participate in
screen-sharing, whiteboard, and audio/video activities on the Sametime
server.
For more information, see “H.323-compliant clients (NetMeeting)” in
Chapter 5.
Sametime services
End users can engage in real-time collaborative activities through the
interactions of Sametime client applications with various services on the
Sametime server. This section briefly describes the Domino and Sametime
services that support the real-time collaborative activities.
The services include:
• Domino Services
• Community Services
• Meeting Services
• Broadcast Services
• Audio/Video Services
Domino Services
Sametime uses the infrastructure and services of the Domino server on
which it is installed. The following are the primary Domino services used by
a Sametime server:
• Web server
• Directory
• Security
• Replication
• Database storage
Note For information about the version of Domino on which Sametime
must be installed, see the Lotus Sametime 3.1 Installation Guide.
It is best if the Domino server on which Sametime is installed is not used as a
Domino mail or application server. If Sametime is installed on its own
Domino server, the real-time, interactive communication services of
Sametime will not compete for resources with other high-demand Domino
services.
In this documentation, the term “Sametime server” refers to the server that
includes both Domino and Sametime.
Community Services
The Sametime Community Services support all presence (or awareness), text
chat, and file transfer activity in a Sametime community. Any Sametime
client that contains a presence list must connect to the Community Services.
The Community Services clients include the Sametime Connect client,
Participant List and public chat components of the Sametime Meeting Room
client, and presence lists in Sametime Discussion or TeamRoom databases or
applications developed from the Sametime Software Development Kit.
Basic functionality supported by the Community Services includes:
• Handling client login requests.
• Handling connections from clients that access the Sametime server through a direct TCP/IP connection, or through HTTP, HTTPS, or SOCKS proxy servers.
• Providing directory access for user name search and display purposes.
• Providing directory access to compile lists of all Sametime servers and users in the community.
• Dissemination of presence, chat, and file transfer data to all users connected to Community Services.
• Maintenance and storage of privacy information, user preference settings, and presence lists for online users.
• Interacting with the Meeting Services to create meetings in which collaborative activities supported by the Community Services, Meeting Services, and Audio/Video Services are simultaneously available.
• Handling connections from the Community Services on other Sametime servers when multiple servers are installed. Server-to-server connections for the Community Services occur on default TCP/IP port 1516.
  Note Port 1516 is also used by the Meeting Services. In a multiple server environment, port 1516 must be open between two Sametime servers to enable a single Sametime meeting to be simultaneously active on both Sametime servers. This functionality is sometimes called “invited servers.” For more information, see “Advantages of a single meeting on multiple servers” in Chapter 14.
• Logging of Community Services events to the Sametime log (stlog.nsf).
• Enabling a name entry prompt to appear when the ACL settings of the Sametime Meeting Center database (or any other database that includes Sametime technology) allow anonymous access. This name entry prompt ensures that the presence list in the Sametime database can display a name for the user.
• Capturing chat conversations that occur on the Sametime server for later retrieval. Developers must implement a chat logging feature to capture and retrieve chat conversations.
Meeting Services
The Meeting Services include the T.120 multipoint communications software
that supports screen sharing and the shared whiteboard, and the starting,
stopping, and deletion of meetings. Meeting Services also support
connections for the interactive audio/video components of the Sametime
Meeting Room client.
Basic functionality supported by the Meeting Services includes:
• Creating and destroying meeting objects.
• Handling connections from clients that access the Sametime server through a direct TCP/IP connection, or through HTTP or SOCKS proxy servers.
• Dissemination of T.120 screen-sharing and whiteboard data among multiple users in a meeting.
• Maintaining lists of active, scheduled, and completed meetings.
• Starting and stopping instant and scheduled meetings at the appropriate times.
• Interacting with the Community Services to create meetings in which collaborative activities supported by the Community Services, Meeting Services, and Audio/Video Services are simultaneously available.
• Allowing the administrator to control which collaborative activities are available to end users of the Sametime server.
• Handling connections from the Meeting Services of other Sametime servers when a community includes multiple Sametime servers. Meeting Services server-to-server connections occur on TCP/IP ports 1503 and 1516.
  Note In a multiple server environment, port 1516 must be open between two Sametime servers to enable a single Sametime meeting to be simultaneously active on both Sametime servers. This functionality is sometimes called “invited servers.” For more information, see “Advantages of a single meeting on multiple servers” in Chapter 14.
• Logging Meeting Services events to the Sametime log (stlog.nsf).
• Providing the ability to record Sametime meetings in Sametime Record and Playback (RAP) files so that users can replay meetings after the meetings have ended.
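The default ports cited in this chapter are spread across the client and service descriptions: 1533 for the Community Services, 8081 for the Meeting Services, 554 for the Broadcast Services RTSP connection, 1516 and 1503 for server-to-server connections, and 80 for HTTP. As an added example that is not part of the guide or of the Sametime product, the following script gathers those defaults into one table and checks a Windows `netstat -an` listing against it, so an administrator can confirm that the expected services are listening and that nothing else is exposed before opening firewall rules. The netstat sample is constructed, the table assumes the default ports (edit it if ports were changed in the Sametime Administration Tool), and port 1352, the Notes client port of the underlying Domino server, appears as an example of a listener that is not a Sametime service.

```python
import re

# Default TCP ports named in this chapter, port -> service (assumed defaults; a site
# that changed ports in the Sametime Administration Tool must edit this table).
SAMETIME_TCP_PORTS = {
    80: "HTTP Services (Web browsers; HTTP connection method when enabled)",
    1533: "Community Services (Sametime Connect, Meeting Room client)",
    8081: "Meeting Services (Meeting Room client)",
    554: "Broadcast Services (RTSP, Broadcast client)",
    1516: "Community Services and Meeting Services, server-to-server",
    1503: "Meeting Services, server-to-server",
}
SERVER_TO_SERVER_PORTS = {1503, 1516}

# One `netstat -an` line on Windows: proto, local addr:port, foreign addr, optional state.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def parse_listening_tcp_ports(netstat_output):
    """Return {port: local_address} for every TCP socket in LISTENING state."""
    listening = {}
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m is None:
            continue  # header, blank line, or anything else that is not a socket line
        proto, local_addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state == "LISTENING":
            listening[int(port)] = local_addr
    return listening


def audit_listeners(listening, multi_server=False, expected=SAMETIME_TCP_PORTS):
    """Compare listening TCP ports with the expected Sametime set.

    Returns (missing, unexpected):
      missing    - expected Sametime ports that are not listening (service down or
                   reconfigured); server-to-server ports only count with multi_server=True
      unexpected - listening ports that belong to no Sametime service and should be
                   accounted for before the host is exposed through a firewall
    """
    wanted = {p: s for p, s in expected.items()
              if multi_server or p not in SERVER_TO_SERVER_PORTS}
    missing = {p: s for p, s in wanted.items() if p not in listening}
    unexpected = {p: a for p, a in listening.items() if p not in expected}
    return missing, unexpected


# Constructed sample in Windows `netstat -an` format; not captured from a real server.
# Port 1352 is the Notes client (NRPC) port of the Domino server, not a Sametime service.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:554            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1352           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1533           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1533          10.0.0.77:4021         ESTABLISHED
  UDP    0.0.0.0:554            *:*
"""


if __name__ == "__main__":
    ports = parse_listening_tcp_ports(SAMPLE_NETSTAT)
    for multi in (False, True):
        missing, unexpected = audit_listeners(ports, multi_server=multi)
        print(f"multi_server={multi} missing={sorted(missing)} "
              f"unexpected={sorted(unexpected)}")
```

Established connections are deliberately ignored: the audit is about what the server offers, not who is currently connected. On a single server the server-to-server ports are neither required nor flagged, since the chapter only requires them to be open between Sametime servers in a multiple-server community.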
Broadcast Services
The Broadcast Services support the conversion of the following data into
individual RTP streams for transmission on the network:
• Screen-sharing
• Whiteboard
• Meeting Room chat
• Polling
• Send Web Pages
• Audio and video
The Sametime Broadcast client is the only client of the Broadcast Services.
Basic functionality supported by the Broadcast Services includes:
• Handling connections from the Sametime Broadcast clients using the Real Time Streaming Protocol (RTSP)
• Handling connections from clients that access the Sametime server through a direct TCP/IP connection, or through HTTP or SOCKS proxy servers
• Negotiations with the Broadcast clients to ensure the clients can receive the meeting streams
• Identifying and attaching to broadcast meetings on the Sametime server
• Transcoding screen-sharing/whiteboard data, Meeting Room chat/poll/send Web page data, audio data, and video data into RTP streams
• Transmission of RTP streams using User Datagram Protocol (UDP), or tunneling UDP data within TCP or HTTP packets to ensure clients operating in a variety of different network environments can receive the streams
• Multicasting of data streams when transmitting on multicast-enabled networks
• Simultaneous broadcast of multiple meetings
• Handling the playback of recorded meetings
Audio/Video Services
The Audio/Video Services of Sametime support all IP audio/video
capabilities of Sametime.
The Audio/Video Services clients include the IP audio and video
components of the Sametime Meeting Room client and H.323-compliant
programs (such as NetMeeting).
Interactive audio/video meetings can be bandwidth intensive. Also, too
many interactive audio/video users can tax the system resources of the
server and degrade the audio/video quality. Sametime allows the
administrator to set limits on audio/video usage to ensure a good quality of
service.
Connection Speed Settings are also available for the Audio/Video Services
to ensure audio and video data can be transmitted at speeds that are
acceptable for users with modem connections and users with LAN/WAN
connections.
Basic functionality supported by the Audio/Video Services includes:
• Handling connections from Sametime Meeting Room clients or H.323-compliant clients (such as NetMeeting)
• Negotiation of audio/video capabilities with clients
• Detecting the person currently speaking (or detecting the source of an audio stream)
• Performing audio and video switching operations as different people speak in meetings
• Sequencing and transmission of audio and video data streams to multiple clients
• Transmission of audio and video data streams using the UDP transport
• Multicasting of audio and video data streams when transmitting on multicast-enabled networks
• Tunneling of UDP streams through TCP when UDP is unavailable on a network
• Interoperability with H.323 gateways and gatekeepers
• Full-duplex operation (includes two-way mixing of audio that allows two participants to speak simultaneously and be heard by all meeting participants)
The Sametime Enterprise Meeting Server (EMS)
This release of Sametime includes the Sametime Enterprise Meeting Server,
or EMS. The EMS is a new software application that supports a Meeting
Services cluster. A Meeting Services cluster consists of a group of Sametime
servers that work together to increase Meeting Services reliability by
providing load balancing and server failover for Sametime meetings.
The EMS is the central component of a Sametime Meeting Services cluster.
The EMS provides the end user interface, administration tool, and meeting
management functionality for all Sametime servers in the Meeting Services
cluster.
The EMS is built using Java 2 Platform, Enterprise Edition (J2EE)
technologies. These technologies include Java servlets, JavaServer Pages
(JSPs), Java applications, and a relational database. The J2EE infrastructure
must be in place before you can deploy the Sametime EMS. Specifically, this
release of the EMS requires the following J2EE infrastructure:
• IBM Universal Database V7.2 with FixPak 6.
• WebSphere MQ 5.3.1.
• IBM WebSphere Application Server V4.0 with FixPak 3.
For more information about the EMS, see Chapter 17, Introduction to
Sametime Server Clusters and the Enterprise Meeting Server.
Starting and stopping the Sametime server
The Sametime server is configured as a set of Windows services that stop
and start automatically when the Domino server is stopped or started.
The procedure for starting and stopping a Sametime server is slightly
different depending on whether Sametime is running on a Windows NT or
Windows 2000 server.
Note For information about starting and stopping a Sametime server that is
installed on an IBM iSeries or pSeries server, see the installation guide
(stinstall.nsf or stinstall.pdf) that shipped with the Sametime server.
Sametime on a Windows NT server
Follow the instructions below to start and stop a Sametime server that is
running on a Windows NT server.
Starting the Sametime server
To manually start the Sametime server from the Windows NT desktop:
Chapter 1: Introduction to Sametime 35
1. Select Start - Settings - Control Panel - Services.
2. In the Services dialog box, select Sametime Server and click Start.
Stopping the Sametime server
To manually stop the Sametime server from the Windows NT desktop:
1. Select Start - Settings - Control Panel - Services.
2. In the Services dialog box, select Sametime Server and click Stop.
Sametime on a Windows 2000 server
Follow the instructions below to start and stop a Sametime server that is
running on a Windows 2000 server.
Starting the Sametime server
To manually start the Sametime server from the Windows 2000 desktop:
1. Select Start - Administrative Tools - Component Services.
2. In the Services dialog box, select Services (Local).
3. Right-click “Sametime server” and select Start.
Stopping the Sametime server
To manually stop the Sametime server from the Windows 2000 desktop:
1. Select Start - Administrative Tools - Component Services.
2. In the Services dialog box, select Services (Local).
3. Right-click “Sametime server” and select Stop.
Chapter 2
Using the Sametime Administration Tool
This chapter describes the administrative features available from the
Sametime Administration Tool and provides step-by-step instructions for
giving others access to the Administration Tool.
Starting the Sametime Administration Tool
The Sametime Administration Tool is an HTML- and XML-based application
that enables you to administer the Sametime server using a Web browser.
Start the Sametime Administration Tool from the “Administer the Server”
link of the Sametime server home page. You must enable Java applets and
JavaScript™ or ActiveX® controls in your browser to use the Sametime
Administration Tool.
To start the Sametime Administration Tool from the Sametime server home
page:
1. Start your browser.
2. Enter the URL for the Sametime server:
http://hostname
where hostname is the fully qualified Domain Name Service (DNS) name
or the IP address of the Sametime server you want to administer.
3. From the Sametime server home page (Sametime Welcome page), click
“Administer the Server.”
4. Enter the administrator name and password specified during the
Sametime setup program. The Sametime Administration Tool opens in
its own Web browser window.
User name and password requirements
To access the Sametime Administration Tool, an administrator enters the
user name and the Internet password specified on the administrator's Person
document in the Domino Directory on the Sametime server. The installation
automatically creates a Person document containing a user name and
Internet password for the person specified as the administrator.
The administrator specified during the installation can provide other
administrators with access to the Sametime Administration Tool. To allow
other users to access the Sametime Administration Tool, see “Adding a new
Sametime administrator” later in this chapter.
Details: Starting the Sametime Administration Tool
To run the Sametime Administration Tool in Microsoft Internet Explorer,
make the following changes in your browser. You must make these changes
regardless of whether Microsoft Internet Explorer is installed on a client or
server computer.
1. Select Tools - Internet Options.
2. Select the Advanced tab.
3. Clear the check mark from the “Use HTTP 1.1” option.
Set the default font in your browser to a small font size to ensure that all
Command Group and Command names display in the space provided in the
Sametime Administration Tool.
To view multiple versions of the Sametime Administration Tool at the same
time (for example, to simultaneously monitor Community Services and
Meeting Services connections), start additional copies of the browser and
open the Sametime Administration Tool in each copy of the browser.
Arrange the windows so all copies display on the screen.
Overview of the Sametime Administration Tool features
The Sametime Administration Tool includes six command groups: Server
Overview, Message From Administrator, Monitoring, Logging, Directory,
and Configuration. You can use the command groups to perform a variety of
administrative tasks. The basic command groups and their features are
briefly described below.
Server Overview
Use the Server Overview feature to ensure that the Sametime services are
functioning as expected. For more information, see “Server Overview
feature” later in this chapter.
Message From Administrator
The Message From Administrator command group enables the Sametime
administrator to send a message to all users who are currently logged in to
the Community Services from the Sametime Connect client, the Sametime
Meeting Room client, or a presence list in a Sametime Discussion or
TeamRoom database. For more information, see “Message From
Administrator feature” later in this chapter.
Monitoring
The Sametime server includes charts that allow you to monitor current
Sametime server statistics. The monitoring charts provide up-to-the-second
information about Community Services, Meeting Services, Broadcast
Services, Audio/Video Services, Web statistics, and free disk space on the
server. For more information, see “Monitoring the Sametime server” later in
this chapter.
Logging
The Sametime logging command group enables the Sametime administrator
to log information about Sametime activity to a database on the server or to a
text file. The administrator can also configure logging parameters to
determine the types of events and activities that are recorded in the
Sametime log. For more information, see “Logging Sametime activity” later
in this chapter.
Directory
The available Directory group features depend on whether the Sametime
server uses a Domino Directory or an LDAP directory on an LDAP server.
If the Sametime server is using a Domino Directory, the Directory features
enable the administrator to manage users by creating, editing, and deleting
Person and Group documents in the Domino Directory on the Sametime
server. The administrator can also open the Access Control Lists (ACLs) of
databases on the Sametime server from the Domino Directory settings of the
Sametime Administration Tool. The ACLs are used to manage security for
databases on the Sametime server. For more information about using the
Domino Directory, see “Managing Users and Domino Directories” later in
this chapter. For more information about ACLs and Sametime security, see
Chapter 13, Managing Security.
If the Sametime server is operating in an LDAP environment, the
administrator can use the LDAP Directory settings of the Sametime
Administration Tool to configure the Sametime server to operate as a client
to an LDAP server. In this environment, the Sametime users are managed in
an LDAP directory on an LDAP server. The Sametime server establishes a
connection to the LDAP server and accesses LDAP directory entries to
perform search and authentication operations on behalf of Sametime clients.
The administrator can also open the Access Control Lists (ACLs) of
databases on the Sametime server from the LDAP Directory settings of the
Sametime Administration Tool. For more information, see “Managing Users
and LDAP Directories” later in this chapter.
Configuration
The Configuration command group allows the Sametime administrator to
control the operation of the Sametime services and the connection ports and
processes of Sametime clients. The Configuration features include:
• Connectivity - The Connectivity configuration settings control the ports
on which the Sametime services listen for connections from clients. The
Connectivity settings also provide features that enable Sametime clients
to connect to the Sametime server through restrictive firewalls and proxy
servers. For more information, see Chapter 5, Configuring Ports and
Network Connectivity.
The Connectivity configuration settings also include “Servers in this
Community” settings. These settings are used when you install multiple
Sametime servers. For more information, see “Advantages of using
multiple Sametime servers” in Chapter 14.
• Community Services - The Community Services configuration settings
enable the administrator to ensure that the Community Services receive
timely updates from the Directory. These updates are necessary to
ensure that Community Services have recent information concerning
new users and servers that have been added to the Directory. The
administrator can specify the time intervals in which the Community
Services receive updates from the Directory.
The Community Services settings also enable the administrator to
control whether the Windows or Web browser version of Sametime
Connect is available to end users and whether end users are allowed to
use the automatic login feature of Sametime Connect.
The administrator also uses the Community Services configuration
settings to set the maximum number of connections to Community
Services, to allow or prevent end users from using Sametime to transfer
files to one another, to set the maximum size allowed for file transfers,
and to allow or prevent users from sending announcements (one-way
unencrypted instant messages).
The Community Services Anonymous Access settings force a name entry
dialog box to appear when anonymous access is allowed to a Sametime
database by the database ACL. This name entry dialog box enables the
user to enter a name so that the user can be individually identified in
presence lists. (Normally, a name entry dialog box does not appear when
the ACL settings of a database allow anonymous access.) The
Community Services Anonymous Access settings also determine
whether anonymous users can search and browse the Directory. For
more information, see "Anonymous Access Settings for Community
Services" in Chapter 6.
• Meeting Services - The Meeting Services configuration settings allow
the administrator to enable meetings to extend past scheduled end times,
record lists of meeting attendees on the Meeting Details document in the
Sametime Meeting Center, and control the collaborative activities and
end-user security features that are available for all meetings on the
Sametime server.
The Meeting Services Telephone Options settings enable the Sametime
server to operate with a MeetingPlace™ server from Latitude
Communications™ so that end users can use Sametime to schedule a
telephone conference call.
Connection Speed Settings control the rates at which broadcast meeting
streams and interactive audio/video streams are transmitted on the
network for modem and LAN/WAN users.
• Audio/Video - The Audio/Video configuration settings enable the
administrator to turn the audio/video features on and off, set the
switching time for audio and video, set the buffer time for broadcast
meetings, set Connection Speed Settings for Audio/Video clients, and
limit the number of audio and video users. You might want to limit the
number of audio and video users if consistently high numbers of audio
and video users degrade server performance or consume too much
network bandwidth. For more information, see Chapter 10, Configuring
the Audio/Video Services.
Server Overview feature
Use the Server Overview feature to ensure that the Sametime services are
functioning as expected.
Services Status
The Services Status list includes all Sametime services and their current
status: Running or Not Running. You cannot start or stop any Sametime
service from the Sametime Administration Tool. Use the Services settings in
the Windows NT Control Panel or Windows 2000 Administrative Tools to
start or stop a Sametime service. The names of the services in the Control
Panel or Administrative Tools are identical to the names of the services in
the Sametime Administration Tool.
Refresh your browser to get current statistics. The Overview lists do not
update until you click Refresh. The date and time of the last update are listed
above the Services Status table.
To access the Server Overview feature, click Server Overview in the
Sametime Administration Tool.
Message From Administrator feature
Use the Sametime Administration Tool to simultaneously send a single
message to all users currently logged in to Community Services from the
Sametime Connect client, the Participant List of a Sametime meeting, or a
presence list in a Sametime Discussion or TeamRoom database.
To send a message to all users currently logged in to Community Services:
1. From the Sametime server home page, click "Administer the Server."
2. Select Message From Administrator.
3. Enter the message in the text box provided.
4. Click Send. You receive a confirmation that your message was sent.
Monitoring the Sametime server
Sametime includes a variety of monitoring tools that provide
up-to-the-second information about server activity and statistics. The
Sametime monitoring tools display information about:
• General Server Status
• Logins
• Meetings and Participants
• Tools in Meetings
For more information on the Sametime Monitoring tools, see Chapter 11,
Monitoring the Sametime Server.
Logging Sametime activity
Sametime provides a variety of logging capabilities that enable the
administrator to record information about Sametime server activity and
statistics. You can record the following information in the Sametime log:
• Community Logins/Logouts
• Community Statistics
• Community Events
• Place Login Failures
• Meeting Login Failures
• Meeting Connections
• Server Connections
• Meeting Statistics
• Meeting Events
• Capacity Warnings
• Usage Limits
You can also view the Domino log from the Sametime Administration Tool.
Use the Domino log to monitor:
• Available server disk space
• Available server memory
• Server load
• Server performance
• Databases that need maintenance
You can determine the format for the Sametime log and the content of the
log in the logging settings. For more information about the Sametime log, see
Chapter 12, Logging Sametime Activity.
Managing users and Domino Directories
Sametime uses the Domino Directory of the Domino server on which it is
installed. Sametime can also use Domino Directory Assistance or the Domino
Extended Server Directory Catalog feature to access secondary Domino
Directories in the Domino environment.
To ensure that Sametime can successfully access the Domino Directory or
Directories and interoperate in the Domino domain, review the following
topics:
• Managing the Domino Directory
• Managing users in the Domino Directory
• How Sametime uses Domino Directory information
Managing users and LDAP directories
Sametime can be configured to connect to a third-party LDAP server and
access an LDAP directory on the LDAP server. This capability enables
Sametime to be integrated into an environment in which LDAP servers are
already operating.
The Sametime LDAP Directory Settings ensure that the Sametime server can
access the LDAP directory (or directories) on behalf of Sametime clients.
For detailed information on the procedures required to configure Sametime
to operate as a client to an LDAP server, see the following topics in Chapter
4:
• "Using LDAP with the Sametime server"
• "Setting up an LDAP connection"
Note For information on using LDAP with a Sametime server that operates
on a platform other than Windows (such as the IBM iSeries or pSeries
servers), see the installation guide (stinstall.nsf or stinstall.pdf) that shipped
with the Sametime server.
Sametime Administration Tool and LDAP environments
If the Sametime server is configured to operate as a client to an LDAP server,
Sametime administrators are authenticated using Person documents in the
Domino Directory.
Note In the LDAP environment, only Sametime administrators (or users
that access the Sametime Administration Tool) are authenticated against the
Domino Directory. All other users are authenticated against an LDAP
directory on a third-party server.
If you have configured Sametime to operate in an LDAP environment, you
must maintain Person documents in the Domino Directory on the Sametime
server for the administrators. When accessing the Sametime Administration
Tool, the administrator must enter the last name or user name and the
Internet password from the administrator's Person document in the Domino
Directory. For information on adding administrators in the LDAP
environment, see "Adding a new Sametime administrator" later in this
chapter.
When operating in an LDAP environment, administrators cannot use the
Sametime Administration Tool to add or modify users and groups in the
LDAP directory on the third-party server. User accounts must be added and
modified using the software and procedures required by the LDAP directory
on the third-party server.
Configuring ports and network connectivity
If you have installed the Sametime server behind a firewall and all clients
that will access the server are also behind the firewall, configuring network
ports and connectivity might not be an issue.
However, if clients are required to cross firewalls or access the Sametime
server through proxy servers, you might need to make adjustments to the
Sametime Networks and Ports settings available from the Configuration -
Connectivity options of the Sametime Administration Tool.
Sametime provides a variety of features that enable clients to connect
through restrictive firewalls and proxy servers. Some of these features
include:
• HTTP tunneling of Community Services, Meeting Services, and Broadcast Services data on port 80
• TCP tunneling of audio and video streams on port 80
• HTTP, HTTPS, and SOCKS proxy support for Sametime Connect client connections
• HTTP and SOCKS proxy support for Sametime Meeting Room client connections and Broadcast client connections
• Setting the ports on which Community Services, Meeting Services, Broadcast Services, and Interactive Audio/Video Services listen for connections from clients
• Controlling whether NetMeeting clients (or other H.323-compliant clients) are allowed to use the audio/video capabilities of the Sametime server
• Reverse HTTP proxy support for the Sametime server
For detailed information about the ports used by the Sametime server and
how Sametime clients connect through firewalls and proxy servers, review
the list of topics in About Sametime Connectivity.
For additional information about connectivity, see "Extending Sametime to
Internet users" in Chapter 14.
Configuring Community Services
The Sametime Administration Tool includes several features that enable the
administrator to control the behavior of the Community Services.
The Community Services administration features enable the administrator
to:
• Configure the number of user names that appear on a page when users search or browse the Directory.
• Configure the time intervals at which the Community Services receive updates from a Domino or LDAP Directory. The Community Services must receive updates from the Directory at periodic intervals to ensure that users recently added to the directory can be displayed in presence lists. The Community Services must also maintain an updated list of all Sametime servers operating in the community.
• Configure the maximum number of client and server connections to Community Services.
• Allow users to authenticate using either Lightweight Third Party Authentication (LTPA) or Sametime tokens.
• Determine whether the links that enable users to access the Java version of Sametime Connect (Sametime Connect for browsers) and the Windows version of Sametime Connect (Sametime Connect for the desktop) are available.
• Allow users to transfer files to each other and set a maximum file size for transfers.
• Allow users to send announcements (unencrypted one-way instant messages).
• Determine whether end users can use the automatic login feature of Sametime Connect.
• Configure Anonymous Access:
  • Allow anonymous users to participate in meetings and enter virtual places.
  • Force a name entry dialog box to appear when anonymous access is allowed to a Sametime database by the database ACL. This name entry dialog box enables the user to enter a name so that the user can be individually identified in presence lists.
  • Set the default name that appears for anonymous users who do not use the name entry dialog box.
  • Determine the level of access that anonymous users have to the Directory.
For more information about the Community Services configuration settings,
see "Community Services configuration settings" in Chapter 6.
For information about connecting to the Community Services, see
"Community Services Network settings" in Chapter 5.
Configuring Meeting Services
The Sametime Administration Tool includes features that enable the
administrator to control the behavior of the Meeting Services.
The Meeting Services administration features enable the administrator to:
• Automatically extend meetings past their scheduled end times to ensure a meeting does not end before the meeting is concluded.
• Add the names of meeting participants to the meeting details document after a meeting ends.
• Specify the collaborative activities and security features that are available for all meetings on the Sametime server.
• Control whether users can record meetings, specify a location for storing the recordings, and specify that Sametime stop recording meetings when a certain amount of disk space is left.
• Control whether NetMeeting clients (or other T.120-compliant clients) are allowed to use the screen-sharing and whiteboard capabilities of the Sametime server.
• Automatically encrypt all Sametime meetings (not available with NetMeeting).
• Require that all scheduled meetings use a meeting password.
• Enable the Sametime Meeting Services to operate with a Latitude MeetingPlace server so that end users can use Sametime to schedule a telephone conference call.
• Specify the default Connection Speed Settings for scheduled and instant meetings.
• Specify the Connection Speed Settings for the screen-sharing and whiteboard data stream that is transmitted on the network during a broadcast meeting. These settings control the speed (or bit rate) at which screen-sharing and whiteboard data is transmitted on the network. The administrator can specify different rates for users with modem connections and users with LAN/WAN connections.
• Capture chat conversations that occur on the Sametime server. The chat-logging feature can capture all chat conversations that occur on the Sametime server, including instant messages, chat conferences (chats involving more than two people), and Meeting Room chats. Administrators must use the Sametime Software Development Kit to implement chat logging. For more information on chat logging, see the Sametime Software Development Kit documentation available from the SDK link at the bottom of the Sametime server home page.
For more information about the Meeting Services configuration settings, see
"Meeting Services configuration settings" in Chapter 8.
For information about connecting to the Meeting Services, see "Meeting
Services Network settings" in Chapter 5.
Configuring Audio/Video Services
The Audio/Video Services administration features enable the administrator
to:
• Specify whether IP audio and video is available for all meetings on the server.
• Control switching intervals for audio and video.
• Specify a time to buffer data, audio, and video during broadcast meetings.
• Specify the Connection Speed Settings for interactive audio/video and broadcast meetings. These settings control the speed (or bit rate) at which audio and video streams are transmitted on the network. The administrator can specify different rates for users with modem connections and users with LAN/WAN connections.
• Set the bit rate for screen-sharing and whiteboard data during broadcast meetings.
• Set the audio/video jitter buffer.
• Set the number of audio frames per packet.
• Set audio/video usage limits that limit the number of users simultaneously using audio/video. Too many audio/video users can adversely affect the performance of the server and significantly increase network bandwidth usage. Limiting the number of users enables the administrator to control network bandwidth usage and ensure an acceptable level of server performance.
For more information about configuring the Audio/Video Services, see
"Audio/Video Services configuration settings" in Chapter 10.
For information about connecting to the Audio/Video Services, see
"Interactive Audio/Video Network settings" in Chapter 5.
Additional administrative tasks
The following administrative tasks require you to use a combination of
command groups in the Sametime Administration Tool or to use tools other
than the Sametime Administration Tool.
• Configuring Broadcast Services
• Deploying multiple Sametime servers
• Managing users and LDAP Directories
• Managing Security
• Working with Sametime Discussion and TeamRoom databases
• Enabling the Session Initiation Protocol (SIP) Gateway
• Chat logging
Note If a Sametime procedure requires you to replicate a database or create
a new database, you must use a Lotus Notes or Domino Administrator
client. The Sametime Administration Tool does not provide the functionality
required to create one-time replicas (replica stubs) or other new databases or
set up replication schedules.
Configuring Broadcast Services
The Sametime Administration Tool includes features that enable the
administrator to control the behavior of the Broadcast Services.
The Broadcast Services administration features enable the administrator to:
• Specify the time to buffer broadcast data. Broadcast data can be held in a Sametime Broadcast client buffer for a brief period of time. Buffering data ensures that network congestion does not affect the playout of broadcast meeting streams in the Broadcast client.
• Enable the Broadcast Services to operate on a multicast-enabled network.
• Set Connection Speed Settings that control the amount and speed (or bit rate) of the data that the Broadcast Services transmit on the network. The administrator can specify different rates for users with modem connections and users with LAN/WAN connections.
For more information on the Broadcast Services configuration settings, see
"Configuring the Broadcast Services settings" in Chapter 9.
For information on connecting to the Broadcast Services, see "Broadcast
Services Network settings" in Chapter 5.
Deploying multiple Sametime servers
A Sametime community can include more than one Sametime server. If you
have a large number of Sametime users, you can install multiple Sametime
servers for load balancing and to reduce network bandwidth usage. You can
also install multiple Sametime servers to securely allow Internet clients to
attend meetings conducted on servers inside your firewall.
Before adding another Sametime server to your Sametime community, you
should review the information in the Deploying multiple Sametime servers
section of this documentation. This documentation contains information
about:
• Installing multiple Sametime servers
• Synchronizing multiple Sametime servers to operate as a single community
• Enabling Internet clients to participate in meetings conducted on internal Sametime servers
• Techniques that can be used to extend a single Sametime community across multiple Domino domains
For more information, see "Advantages of using multiple Sametime servers"
in Chapter 14.
Managing security
After you have installed and set up the Sametime server, you might want to
review the available security features and default security settings of the
Sametime server.
Sametime offers several features to enhance security. Some of the
administrative tasks associated with enhancing security include:
•
Turning off anonymous access to the Sametime Meeting Center - By
default, the Sametime server allows anonymous access to the Sametime
Meeting Center database (stconf.nsf). Anonymous access allows any
unauthenticated user to create meetings in the Sametime Meeting
Center. You can turn off anonymous access to the Sametime Meeting
Center so that only authenticated users can create and attend meetings
in the Sametime Meeting Center.
For information about anonymous access to the Meeting Center, see
"Anonymous access and the Sametime Meeting Center" in Chapter 13.
•
Deciding whether to encrypt all meetings - Data that passes between
Sametime Meeting Room clients can be encrypted using 128-bit RC2
encryption. For more information, see "Encryption and meeting
passwords" in Chapter 13.
50 Sametime 3.1 Administrator's Guide
•
Requiring all Sametime meetings to have a password - The
administrator can force users to specify a meeting-specific password for
every new meeting that is created in the Sametime Meeting Center. For
more information, see "Requiring all scheduled meetings to have a
password" in Chapter 8.
•
Administering the Domino Single Sign-On (SSO) feature - The
Domino SSO feature is enabled by default during a Sametime
installation. The authentication tokens created by this feature are
required to authenticate client connections to the Sametime services. In
some cases, it may be necessary for the administrator to perform
additional configurations following the Sametime server installation to
ensure the Domino SSO feature is configured correctly. For more
information, see "Authentication by token using LTPA and Sametime
tokens" in Chapter 13.
•
Enabling the SametimeSecretsGenerator Agent - For added protection
against hackers or other outside attacks, the administrator can enable the
SametimeSecretsGenerator in the Secrets database. Before taking this
step, the administrator should review Authentication by token using
LTPA and Sametime tokens.
• Setting up SSL - The Secure Sockets Layer (SSL) can be used to encrypt
information passing over the initial connection between the Web
browser and the Sametime server. This information includes the user
names and Internet passwords that members of the Sametime
community use to access Sametime Connect and protected databases on
the server. A Lotus Notes client is required to set up SSL for the initial
Web browser connection. For more information, see "Using SSL with
Sametime" in Chapter 13.
• Ensuring the administrator can access database ACLs - It might be
necessary to add the Sametime administrator's name to a File Protection
Document in the Domino Directory on the Sametime server to ensure
that the administrator can access database ACLs from the Sametime
Administration Tool. For more information, see "Ensuring the
administrator can access database ACLs" later in this chapter.
Working with Discussion and TeamRoom databases
End users can quickly and easily create Sametime Discussion and
TeamRoom databases on the Sametime server from a link on the Sametime
server home page.
Discussion and TeamRoom databases are Domino databases that enable
teams to collaborate on projects and participate in discussions by posting
and managing documents and other project information in a database. With
Sametime, the traditional collaborative features of these databases are
Chapter 2: Using the Sametime Administration Tool 51
enhanced with the addition of presence lists. From these presence lists, users
can initiate Sametime communications concerning project information stored
in a Discussion or TeamRoom database.
You can deploy a Sametime Discussion or TeamRoom database on a Domino
server that does not include Sametime. When deployed on a Domino-only
server, these databases can be accessed with a Lotus Notes client or a Web
browser.
For more information, see Chapter 16, Managing Discussion and TeamRoom
Databases.
Maintaining the Sametime Meeting Center
To ensure the Meeting Center operates efficiently, the administrator should
prevent the number of Meeting Details documents in the Sametime Meeting
Center database from growing too large.
The Sametime Meeting Center database (stconf.nsf) provides several
different views (such as "Scheduled," "Finished," "Today," and "All
Meetings") that enable an end user to quickly locate meetings in the Meeting
Center. The user selects a specific view in the Meeting Center and then clicks
on a meeting name to view the Meeting Details document for that meeting.
When a user selects a view in the Meeting Center, Sametime builds the view
by parsing through the Meeting Details documents of active meetings,
scheduled meetings, and finished meetings. If there is a large number of
Meeting Details documents, the parsing process takes longer, and end users
experience slower performance when using the Sametime Meeting Center.
To prevent this problem, the Sametime Meeting Center database includes a
"PurgeMeetings" agent that automatically deletes Meeting Details
documents from the Sametime Meeting Center when the documents reach a
certain age. This agent is disabled by default.
To enable this agent and optimize Meeting Center performance, the
administrator should:
• Archive the current Meeting Center database or Meeting Details
documents (optional).
• Enable the PurgeMeetings agent in the Meeting Center database.
• Periodically compact the Meeting Center database.
Note The size of the Sametime Meeting Center database is limited to 1GB,
but you should keep it below 800 MB for optimal performance. For
additional information on performance issues, visit the Web site
www.lotus.com/sametime and click the About Sametime link. Lotus
publishes white papers about performance issues on this Web site.
Archiving Meeting Details documents
Before enabling the PurgeMeetings agent, decide how to archive the Meeting
Details documents so that back up copies are available after the documents
are deleted from the Meeting Center. To archive Meeting Details documents:
• Lotus software recommends setting up a one-way replication of the
Meeting Center database (stconf.nsf) from the Sametime server to a
Domino server (preferably a Domino server that is reserved for database
storage).
Setting up a one-way replication ensures that a backup replica of the
Meeting Center database exists in case you need to get a copy of a
Meeting Details document after the document has been deleted by the
agent.
• You can also create an agent that moves the Meeting Details documents
from the Sametime Meeting Center to a database on a different server
after the documents reach a certain age. The standard IBM Lotus Notes
Mail templates have archiving agents that provide examples for creating
your own custom archiving agents.
Enabling the PurgeMeetings agent (deleting Meeting Details
documents)
Enabling the PurgeMeetings agent to delete Meeting Details documents
involves two tasks:
• Enabling the PurgeMeetings agent from the Notes client
• Setting the STPurgeMeetingPastDays Notes.ini parameter - This
parameter specifies the age of documents the agent will delete
Enabling the PurgeMeetings agent from a Notes client
Perform the following procedure to enable the PurgeMeetings agent.
1. From a Lotus Notes client connected to the Sametime server, choose File
- Database - Open:
a. In the Server drop-down list, select the Sametime server.
b. In the Filename text box, type stconf.nsf.
c. Click Open.
2. From the Sametime Meeting Center database, select the View - Agents
menu option.
3. Right click on the PurgeMeetings agent and select Run.
4. Close the Sametime Meeting Center database.
5. Set the STPurgeMeetingPastDays Notes.ini parameter, as described
below.
The agent runs once each day. The agent deletes all Meeting Details
documents that have a meeting state of "finished" or "failed" and have
reached the age specified in the STPurgeMeetingPastDays parameter in the
Notes.ini file.
Setting the STPurgeMeetingPastDays Notes.ini parameter
The STPurgeMeetingPastDays= parameter in the Notes.ini file on the
Sametime server specifies the age (in days) of Meeting Details documents
that are deleted from the Sametime Meeting Center by the PurgeMeetings
agent.
Note The PurgeMeetings agent does not run if you specify a setting of 0
(zero) for the STPurgeMeetingPastDays= Notes.ini setting.
To set the STPurgeMeetingPastDays parameter in the Notes.ini file:
1. Use a text editor to open the Notes.ini file in the C:\Lotus\Domino
directory on the Sametime server.
2. In the Notes.ini file, locate the STPurgeMeetingPastDays= setting.
If the STPurgeMeetingPastDays= setting does not exist in the Notes.ini
file, you must use a text editor to manually type the setting into the
Notes.ini file.
3. For the STPurgeMeetingPastDays setting, specify the age in days of
documents that you want the PurgeMeetings agent to delete from the
Sametime Meeting Center.
For example, a setting of STPurgeMeetingPastDays=30 indicates that
Meeting Details documents that are 30 days old are deleted from the
Sametime Meeting Center.
4. Save and close the Notes.ini file.
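The agent behaviour and Notes.ini setting described above, modelled as an added Python example that is not part of the Sametime product or this guide. It reads STPurgeMeetingPastDays from Notes.ini text (adding the line when it is absent, as step 2 requires) and applies the agent's selection rule: only "finished" or "failed" Meeting Details documents that have reached the configured age are selected, and a setting of 0 selects nothing. The Notes.ini contents, meeting records and dates are constructed, and treating a missing setting the same as 0 is this example's assumption, not a statement about the product.

```python
from datetime import date, timedelta

# Constructed sample Notes.ini contents (not copied from a real server).
SAMPLE_NOTES_INI = """[Notes]
Directory=C:\\Lotus\\Domino\\Data
ServerTasks=Update,Replica,Router,AMgr,Adminp
STPurgeMeetingPastDays=30
"""

# Constructed Meeting Details records; "end_date" is the day the meeting ended.
SAMPLE_MEETINGS = [
    {"name": "Q1 planning", "state": "finished", "end_date": date(2003, 1, 10)},
    {"name": "Broken dial-in", "state": "failed", "end_date": date(2003, 1, 5)},
    {"name": "Weekly sync", "state": "finished", "end_date": date(2003, 2, 20)},
    {"name": "Board review", "state": "scheduled", "end_date": date(2003, 1, 2)},
    {"name": "Live demo", "state": "active", "end_date": date(2002, 12, 1)},
]
TODAY = date(2003, 3, 1)  # constructed "current" date for the run


def _is_purge_key(line):
    """True when a Notes.ini line sets STPurgeMeetingPastDays (keys are
    compared case-insensitively; comment lines starting with ';' are skipped)."""
    if line.lstrip().startswith(";") or "=" not in line:
        return False
    key = line.partition("=")[0]
    return key.strip().lower() == "stpurgemeetingpastdays"


def read_purge_days(ini_text):
    """Return the STPurgeMeetingPastDays value as an int, or None if the
    setting is not present in the file at all."""
    for line in ini_text.splitlines():
        if _is_purge_key(line):
            value = line.partition("=")[2].strip()
            return int(value or 0)
    return None


def set_purge_days(ini_text, days):
    """Return new Notes.ini text with STPurgeMeetingPastDays=<days>.
    An existing line is replaced in place; otherwise the line is appended,
    which is what the manual procedure tells the administrator to do."""
    lines = ini_text.splitlines()
    new_line = "STPurgeMeetingPastDays=%d" % days
    for i, line in enumerate(lines):
        if _is_purge_key(line):
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def select_meetings_to_purge(meetings, purge_days, today):
    """Model of the PurgeMeetings agent's selection rule.

    Documents are selected only when their state is "finished" or "failed"
    and they are at least purge_days old. A setting of 0 disables the agent,
    so nothing is selected; a missing setting (None) is treated the same
    way here, which is an assumption of this example."""
    if not purge_days:
        return []
    cutoff = today - timedelta(days=purge_days)
    return [
        m["name"]
        for m in meetings
        if m["state"] in ("finished", "failed") and m["end_date"] <= cutoff
    ]


def main():
    days = read_purge_days(SAMPLE_NOTES_INI)
    print("STPurgeMeetingPastDays =", days)
    print("Would purge:", select_meetings_to_purge(SAMPLE_MEETINGS, days, TODAY))
    disabled = set_purge_days(SAMPLE_NOTES_INI, 0)
    print("With the setting at 0:",
          select_meetings_to_purge(SAMPLE_MEETINGS, read_purge_days(disabled), TODAY))


if __name__ == "__main__":
    main()
```

Running it with the sample data selects the two finished or failed meetings that ended more than 30 days before the constructed "today", leaves the recent finished meeting and the scheduled and active ones alone, and selects nothing once the setting is changed to 0.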
Compacting the Meeting Center database
You should also compact the Sametime Meeting Center database
periodically. Compacting a database ensures that space in the database is
reused efficiently after documents are deleted from it.
Use the -B compact option when compacting the database. This option
ensures that the space in the database is reused most efficiently and that the
database is reduced in size.
It is not necessary to stop the Sametime server when compacting the Meeting
Center database. However, users cannot access the Meeting Center database
while it is compacting. You should compact the Meeting Center database
when server usage is at its lowest.
Note Avoid using the -D (Discard any built view indexes) and -R (Keep or
revert database back to Release 4 format) options when compacting the
Sametime Meeting Center. Also avoid using any of the Advanced
compacting options.
For more information on compacting databases, see Managing Domino
Databases available from the Documentation Library at the Lotus Developer
Domain Web site www-10.lotus.com/ldd. Information is also available in
the Domino Administration Help database in the help directory on a Domino
server.
Adding a new Sametime administrator
A Sametime administrator name and password is specified during the
Sametime installation and setup process. The administrator specified during
the Sametime server installation and setup can access all features of the
Sametime Administration Tool and can provide other administrators with
access to the Sametime Administration Tool.
The recommended method for adding new administrators is to create an
Administrators Group document. Add this Administrators Group to the
ACLs of the appropriate Sametime databases and to the appropriate fields in
the Server document of the Sametime server.
After you have added the Administrators Group document to the
appropriate database ACLs and the appropriate fields on the Server
document, you can add or remove an administrator by adding or removing
a name from the Administrators Group document.
Allowing others to access the Sametime Administration Tool
To allow others to access the Sametime Administration Tool, perform the
following tasks:
1. Create a Person document for the administrator (if necessary).
2. Create an Administrators Group document.
3. Add the Administrators Group document to Sametime database ACLs.
Generally, you provide the Administrators Group with the Manager
access level in the ACL of all Sametime databases, and provide the
Administrators Group with all roles available in the database ACL.
4. Modify the Server document of the Sametime server. You must add the
Administrators Group to the "Administer the server from a browser"
and "Run unrestricted LotusScript/Java agents" fields in the Server
document of the Sametime server.
5. Edit the Administrators Group document to allow or revoke access to
the Sametime Administration Tool.
Note If the new administrator uses Microsoft Internet Explorer to access the
Sametime Administration Tool, the administrator must disable the "Use
HTTP 1.1" setting in the Tools - Internet Options - Advanced tab of the Web
browser. Also, to ensure the new administrator can access ACL settings from
the Sametime Administration Tool, see "Ensuring the administrator can
access database ACLs" later in this chapter.
Using individual names instead of an Administrators Group
You can also use the instructions in steps 1, 3 and 4 above to add individual
user names to the database ACLs and the fields of the Server document.
Note If the Sametime server is configured to use SSL for Web browser
connections to the HTTP server, you must use the individual names of
administrators in the database ACLs. If SSL is enabled, and the
administrator is listed only as a member of a group in database ACLs, the
administrator will be unable to log in to the Sametime Administration Tool.
If you use individual names instead of a Group document, you must repeat
steps 1, 3, and 4 for each user. This is a more cumbersome method of
providing access for administrators, but it allows you to use database roles
to control the types of administrative tasks that each administrator can
perform. If you use a Group document, every administrator entered in the
Administrators Group document will have the same level of access to the
Sametime Administration Tool.
Create a Person document for the administrator
This procedure is the first of five required when adding a new Sametime
administrator. In this procedure, you create a Person document in the
Domino Directory for the Sametime administrator. If the administrator
whom you are adding already has a Person document that contains a last
name, user name, and Internet password, skip this procedure.
To create a Person document from the Sametime Administration Tool:
1. From the Sametime server home page, click "Administer the Server."
2. From the Sametime Administration Tool:
• If you are using a Domino Directory with the Sametime server, select
Domino Directory - Domino.
• If you are using an LDAP directory with the Sametime server, select
LDAP Directory.
3. Choose "Add Sametime Administrators - Create a record for each person
who will be an administrator."
4. Choose Add Person.
5. In the Person document, select the Basics tab.
6. Enter the user's first, middle, and last name in the appropriate fields.
Only the last name is required.
7. Enter a name for the user in the User Name field. An entry in this field is
required for the user to authenticate with the Sametime server.
You can use any of the following characters in a user name: A - Z, 0 - 9,
ampersand (&), dash (-), period (.), underscore (_), apostrophe (’), and
space. Using other characters can cause unexpected results.
8. Enter an Internet password for the person in the "Internet password"
field. An entry in this field is required for the user to authenticate when
accessing the Sametime Administration Tool. There are no restrictions on
the number of characters used in the Internet password.
9. Click "Save & Close." The Person document is added to the Directory.
Next step
After creating the Person document for the administrator, create an
Administrators Group document.
Create an Administrators Group document
This procedure is the second of five required when adding a new Sametime
administrator. In this procedure, you create a group document to hold the
names of Sametime administrators.
To create an Administrators Group document:
1. From the Sametime server home page, click "Administer the Server."
2. From the Sametime Administration Tool:
• If you are using a Domino Directory with the Sametime server, select
Domino Directory - Domino.
• If you are using an LDAP directory with the Sametime server, select
LDAP Directory.
3. Choose "Add Sametime Administrators - Create a group for the
administrators."
4. Click Add Group.
5. Enter a name for the group in the "Group name" field (for example,
"Administrators" or "Sametime Administrators").
6. For group type, select Multipurpose.
7. (Optional) Enter a description of the group in the Description field.
8. In the Members field, list the names of users you want to access the
Sametime Administration Tool.
Make sure to enter the name exactly as it is entered in the topmost entry
of the "User name" field of a user's Person document.
9. Select Administration at the top of the Group document.
10. Enter the names of the group owners in the Owners field. Generally, the
group owner is the administrator creating the group. Only the
administrator listed in the Owners field can modify this Group
document. If the Owners field is blank, any administrator can modify
this Group document.
11. Click "Save & Close."
Next step
After creating the Administrators Group document, add the Administrators
Group document to the ACLs of the appropriate Sametime databases.
Add the Administrators Group document to Sametime database ACLs
This procedure is the third of five required when adding a new Sametime
administrator. In this procedure, you add the Administrators Group
document (or the name of an individual user) to Sametime database Access
Control Lists (ACLs) and provide the Manager access level to the Group (or
individual user).
In addition to ACL access levels, you must also specify the ACL privileges
and roles that the Administrators Group (or an individual user) has in each
database. Generally, for an Administrators Group, select all ACL privileges
and roles available when adding the Group to a Sametime database ACL.
Selecting all ACL privileges and roles provides any administrator listed in
the Administrators Group document with access to the full range of
administrative features available from the Sametime Administration Tool.
Note If you are adding individual user names to Sametime database ACLs
instead of a group name, database roles can be used to prevent or allow
access to specific features of the Sametime Administration Tool. For more
information, see "Roles in Sametime database ACLs" later in this chapter.
Add the Administrators Group to the ACLs of the following Sametime
databases.
• Sametime Configuration (stconfig.nsf) - Stores the configuration
parameters that are set from the Sametime Administration Tool.
• Domino Directory or Address Book (names.nsf) - Stores Person and
Group documents, ACL settings, and other configuration information
for the Domino/Web Application Services.
• Sametime Online Meeting Center (stconf.nsf) - Provides a central
meeting place on the Sametime server.
• Sametime Log (stlog.nsf) - Stores logging information.
• Sametime Self Registration (streg.nsf) - Enables end users to add
Person documents to the Domino Directory. These Person documents
contain the credentials required to authenticate with the Sametime
server.
• Domino Web Administration (webadmin.nsf) - Contains the Domino
Web Administration client, which includes monitoring features for the
HTTP Services and free disk space. This is the full Domino Web
Administration client that is included with Domino servers.
• Sametime Discussion or TeamRoom databases (optional) - You might
also want to include the Administrators Group in any Discussion or
TeamRoom databases created by end users on the Sametime server.
Adding the Administrators Group to these databases enables an
administrator to control access to these databases by altering the
database ACLs.
Follow the instructions below to add the Administrators Group document
(or an individual user's name) to the ACLs of the Sametime databases and
make the appropriate ACL settings in each database.
1. From the Sametime Administration Tool:
• If you are using the Domino Directory with the Sametime server,
choose Domino Directory - Domino.
• If you are using an LDAP Directory with the Sametime server, choose
LDAP Directory.
2. Choose "Add Sametime Administrators - Give the administrator group
Manager access for all appropriate databases, such as stconf.nsf and
stcenter.nsf." The Access Control options appear.
Note If the Access Control options do not appear, see "Ensuring the
administrator can access database ACLs" later in this chapter.
3. From the Databases list, select Sametime Configuration (stconfig.nsf).
Note The database filename appears below the Databases list.
4. Click the Access button.
5. Click the Add button. Enter the Administrators Group document name
in the dialog box (for example, "Administrators" or "Sametime
Administrators").
If you are adding individual user names, enter the person's user name in
the dialog box. Enter the name as it is entered in the top entry of the
"User name" field on the user's Person document.
6. Click OK.
7. Select the Administrators Group name (or individual person's name)
from the list in the Database Security window.
8. In the User Type drop-down list, select Group (or Person if you are
adding an individual user's name).
9. In the Access drop-down list, select Manager.
10. Make sure that all ACL privileges, such as "Create documents" and
"Delete documents," are selected.
11. Click the Roles button.
12. If you want the Administrators Group to have access to the full range of
administrative functions, select all roles. Click OK.
The roles determine which administration tasks the members of the
group can perform. If you are adding individual user names to the
ACLs, you can use the roles to control the administrative features that
are available to individual administrators. For more information, see
"Roles in Sametime databases ACLs" later in this chapter.
13. Click Submit.
14. After adding the Administrators Group to the ACL of the Sametime
Configuration database (stconfig.nsf), repeat steps 4 through 14 to add
the Administrators Group to the ACL of each of the Sametime databases
listed below:
• Domino Address Book or Domino Directory (names.nsf)
• Sametime Online Meeting Center (stconf.nsf)
• Sametime Log (stlog.nsf)
• Sametime Self Registration (streg.nsf)
• Domino Web Administration (webadmin.nsf)
• (Optional) Sametime Discussion or TeamRoom databases created by
end users. Individual file names are specified by end users when
creating the databases.
If you are adding an Administrators Group document, for each of the
databases above, be sure to select the Manager access level and all ACL
privileges and roles as described in steps 9 through 12.
If you are adding individual user names, you can specify different roles
for each user.
Next step
After adding the Administrators Group document (or individual user
names) to the database ACLs, you must modify the Server document of the
Sametime server.
Modifying the Server document of the Sametime server
This procedure is the fourth of five required when adding a new Sametime
administrator. In this procedure, you add the Administrators Group
document (or the name of an individual user) to two fields on the Server
document. The two fields are the "Administer the server from a browser"
field and the "Run unrestricted LotusScript/Java agents" field in the Security
section of the Server document.
To add users to the fields on the Server document of the Sametime server:
1. From the Sametime Administration Tool:
• If you are using the Domino Directory with the Sametime server,
choose Domino Directory - Domino.
• If you are using an LDAP Directory with the Sametime server, choose
LDAP Directory.
2. Choose "Add Sametime Administrators - Edit the Server document."
3. Click Security.
4. In the "Administer the server from a browser" field of the Server Access
section, type the name of the Administrators Group (or enter the name
of an individual user).
Note Type a group name exactly as it appears in the Group document.
If you are entering an individual user name in this field, type the user
name exactly as it is entered in the topmost entry of the "User name"
field on the Person document. Be sure to separate multiple entries in the
"Administer the server from a browser" field with commas.
5. In the "Run unrestricted LotusScript/Java agents" field of the Agent
Restrictions section, type the Administrators Group name (or an
individual user's name). Be sure to separate multiple entries in this field
with commas.
6. Click "Save & Close."
Next step
The fifth procedure explains how to edit the Administrators Group
document (add or remove a user's name from the Group document) to allow
or revoke access to the Sametime Administration Tool.
Adding and removing names from an Administrators Group document
This procedure is the last of five required when adding a new Sametime
administrator. If you created an Administrators Group document to provide
others with access to the Sametime Administration Tool, you can control
access to the Sametime Administration Tool by editing the Group document.
Adding a user's name to the Administrators Group document provides the
user with access to the Sametime Administration Tool. Removing a user's
name from the Group document revokes the user's access to the Sametime
Administration Tool.
To add or remove a user's name from the Administrators Group document:
1. From the Sametime server home page, click "Administer the Server."
2. From the Sametime Administration Tool:
• If you are using the Domino Directory with the Sametime server,
choose Domino Directory - Domino.
• If you are using an LDAP Directory with the Sametime server, choose
LDAP Directory.
3. Choose "Add Sametime Administrators - Create a group for the
administrators."
4. Double-click a group name.
5. Select Edit Group.
6. In the Members field, add or remove a user's name from the Group
document. If you add a user's name, the user must have a Person
document in the Domino Directory that contains a last name, user name,
and Internet password. Make sure to enter the name exactly as it is
entered in the top entry of the "User name" field of a user's Person
document.
The user must enter a last name or user name and the Internet password
from the Person document to access the Sametime Administration Tool.
7. Click "Save & Close."
Ensuring the administrator can access database ACLs
Sametime administrators can use the Sametime Administration Tool to
access the Access Control Lists (ACLs) of databases on the Sametime server.
To access the ACLs, the administrator chooses one of the following options
from the Sametime Administration Tool:
• Domino Directory - Access Control
• LDAP Directory - Access Control
If the ACLs cannot be accessed from these options in the Sametime
Administration Tool, it might be necessary to add the administrator's name
(or administrator's group name) to a File Protection Document in the
Domino Directory.
CGI scripts for the Sametime Administration Tool ACL access applet are
stored in the "adm-bin" directory on the Sametime server. The adm-bin
directory is protected by a File Protection Document that controls who can
read, write, or execute programs that are stored in the adm-bin directory. To
enable a Sametime administrator to use the ACL access applet in the
Sametime Administration Tool, you must ensure that the administrator's
name (or administrator's group name) appears in the File Protection
Document.
To add an administrator's name (or administrator's group name) to the File
Protection Document:
1. Open the Lotus Notes client on the Sametime server. To open the Lotus
Notes client from the Windows desktop, choose Start - Run and browse
to the file C:\Lotus\Domino\nlnotes.exe and click OK.
2. From the Lotus Notes client, open the Domino Directory on the
Sametime server.
• Choose File - Database - Open.
• For Server, select Local.
• For Database, select the Address Book icon that includes the
community name. For example, if the community name is Acme,
select Acme Address Book. The filename for the Directory or Address
Book is names.nsf.
• Click Open.
• If necessary, close the "About this database" window.
3. In the left-hand panel of the Domino Directory, select Server - Web
Configurations.
4. In the right-hand panel of the Domino Directory, click the twistie to the
left of the Sametime server name.
5. Click the twistie to the left of Domino Server.
6. Double-click the document named "Access to
C:\Lotus\Domino\Data\domino\adm-bin" to open the File Protection
Document.
7. Click Edit File Protection.
8. Click the Access Control tab.
9. Click the "Set/Modify Access Control List" button. The Access Control
List dialog box appears.
10. Select the arrow to the right of the Name box to browse the list of user
names and groups in the Directory. The Names box appears.
11. From the list at the top of the Names box, select the Directory (or
Address Book) for the Sametime community.
12. Select the administrator's name (or administrator's group name) from
the list of Directory entries and click OK.
13. In the "Access: radio buttons" field, select the "Write/Read/Execute
access (POST and GET method)" option.
14. Click Next.
15. Click OK.
16. Click "Save & Close" at the top of the File Protection Document.
17. Close the Lotus Notes client.
18. Restart the server for the change to take effect.
Note If you are using Microsoft Internet Explorer, the names of databases
might not appear in the ACL access applet of the Sametime Administration
Tool after you have modified the File Protection Document.
To correct this problem, perform the following procedure:
19. Start Microsoft Internet Explorer and browse to the Sametime server
home page.
20. Click "Administer the Server."
21. Select either Domino Directory - Access Control or LDAP Directory -
Access Control.
22. Type a valid Sametime filename in the Filename box of the ACL access
applet. For example, type stconf.nsf in the Filename box.
23. Click the Access button.
24. If the list of databases still does not appear, restart Microsoft Internet
Explorer and open the Sametime Administration Tool ACL access applet
again. The filenames should appear in the ACL access applet.
Roles in Sametime database ACLs
Roles provide a way to define the access an administrator has to the features
and settings of the Sametime Administration Tool. For example, the
Sametime Configuration database (stconfig.nsf) ACL contains three roles:
ServerMonitor, ServerAdmin, or DatabaseAdmin. If you assign only the
ServerMonitor role to an administrator, the administrator can monitor server
memory, disk space, and other server statistics but cannot perform any other
administrative functions. Assign all roles to an administrator if you want the
administrator to have full access to all administrative functions.
Access Control List (ACL) roles are defined in the following Sametime
databases:
• Sametime Configuration database (stconfig.nsf)
• Domino Directory or Address Book (names.nsf)
• Sametime Meeting Center (stconf.nsf)
• Domino Web Administration (webadmin.nsf)
Roles in the Sametime Configuration database (stconfig.nsf)
The Sametime Configuration database (stconfig.nsf) stores the values for
parameters that are available from the Sametime Administration Tool. The
roles in this database affect the administrative tasks that an administrator
can perform from the Sametime Administration Tool.
The following table lists the commands and features available with the
Sametime Administration Tool and the roles that an administrator must be
assigned in the stconfig.nsf database to use the Sametime Administration
Tool commands and features. If an administrator does not have the
appropriate roles, the Sametime Administration Tool does not display the
command.
Note The SametimeAdmin role allows the administrator to perform all
tasks in the Sametime Administration Tool.
Command Group | Command or feature | Role required
Message From Administrator | Sends message to all users logged into Community Services | None
Monitoring | All monitoring features | [ServerMonitor] or [SametimeAdmin]
Logging | All logging features | [ServerMonitor] or [SametimeAdmin]
Directory | Add Users, People, Groups | [SametimeAdmin] or [DatabaseAdmin]
Directory | Access Control Lists (ACL) | [DatabaseAdmin] or [SametimeAdmin]
Configuration | Connectivity, Community Services, Meeting Services, Audio/Video Services | [SametimeAdmin] or [ServerMonitor]. A user with the ServerMonitor role can view settings available from these commands but cannot change the settings.
Help | Online help for administrators | No roles required
Roles in the Domino Directory (names.nsf)
The Domino Directory (or Address Book) contains the Person and Group
documents that you create and edit when you use the Sametime
Administration Tool. The roles in the Domino Directory determine who can
create or edit a particular type of document in the Directory.
The Domino Directory also contains the Server document that you access to
provide another user with administrative privileges to the Sametime
Administration Tool.
Note If you use Sametime in a Domino environment, the Domino Directory
roles function the same as they do on Domino servers.
The Domino Directory contains eight roles. The privileges for each role are
listed in this table:
Role             Description
UserCreator      Allows an administrator to create Person documents in the Domino Directory
UserModifier     Allows an administrator to edit all Person documents in the Domino Directory
GroupCreator     Allows an administrator to create Group documents in the Domino Directory
GroupModifier    Allows an administrator to edit all Group documents in the Domino Directory
ServerCreator    Allows an administrator to create Server documents in the Domino Directory
ServerModifier   Allows an administrator to edit all Server documents in the Domino Directory
NetCreator       Not used by Sametime
NetModifier      Not used by Sametime
Roles in the Sametime Meeting Center (stconf.nsf)
The Sametime Meeting Center database contains only the Sametime Admin
role.
Role             Description
Sametime Admin   Allows an administrator to see hidden meetings displayed in the All Meetings
                 view of the Meeting Center.
                 Allows an administrator to see the Hidden Meetings view in the Meeting
                 Center. This view displays only hidden meetings.
                 Allows the administrator to alter the meeting details of any meeting. For
                 example, the administrator can delete or change the end time of a meeting
                 that the administrator did not create.
                 Allows an administrator to see and use the “Delete the Recording,” “Export
                 the Recording,” “Replace the Recording,” and “Import Recording” options in
                 the Meeting Center forms. These features enable the administrator to manage
                 the recorded meeting files if the administrator makes the Record and
                 Playback feature available on the Sametime server.
Roles in the Domino Web Administration database (webadmin.nsf)
The Domino Web Administration database is available on the Sametime
server to enable administrators to monitor the HTTP server and access
logging information about the Domino Application Services.
The following table defines the roles in the Domino Web Administration
database:
Role             Description
ServerAdmin      A Sametime administrator requires this role to access the Server document
                 when providing other users with access to the Sametime Administration Tool.
ServerMonitor    A Sametime administrator requires this role to access the Monitoring -
                 Miscellaneous functions of the Sametime Administration Tool. These
                 monitoring functions enable the administrator to monitor HTTP commands and
                 requests, server memory usage, and free disk space. The Sametime
                 administrator also requires this role to access the Logging - Domino Log
                 functions of the Sametime Administration Tool, which report information
                 about the Domino Application Services.
DatabaseAdmin    A Sametime administrator requires this role to change database ACLs from
                 the Sametime Administration Tool.
FileRead         This role provides access to the Configuration - System Files (read-only)
                 command of the Domino Web Administration Tool. This role is usually not
                 used with Sametime.
FileModify       This role provides access to the Configuration - System Files (read/write)
                 command. This role is usually not used with Sametime.
Chapter 3
Using Domino Directories with Sametime
This chapter discusses issues pertaining to using Domino Directories with
Sametime.
If you have configured the Sametime server to operate as a client to an
LDAP server, the Domino Directory is not used for user management. For
information about using Sametime in an LDAP environment, see Chapter 4,
Using LDAP Directories with Sametime.
Managing the Domino Directory
The Sametime community consists of users and Sametime servers that are
registered in the Domino Directory (or Directories) in use in the Domino
domain in which Sametime is installed.
This section includes the following information concerning Domino
Directory management:
• Basic Domino Directory requirements
• Managing multiple Directories with Sametime
• Directory security considerations
• Using an LDAP directory instead of a Domino Directory
Basic Domino Directory requirements
Every Domino server has a primary Directory in which the server is
registered. When you install Sametime on a Domino server, Sametime uses
the primary Directory of that Domino server. The primary Directory must
always exist on the Sametime server.
Note The primary Directory must exist on the Sametime server even if you
set up Directory Assistance or an Extended Server Directory Catalog to
access secondary Directories in the environment.
Sametime administrators should be aware of the following basic issues
concerning Directory management:
• The Person document for each user in the Directory must contain entries
in the “User name,” “Internet password,” and “Sametime server” fields.
For more information, see “Person documents” later in this chapter.
• Group documents in the Directory can be used to simplify the process of
adding users to the contact list in the Sametime Connect client. For more
information, see “Group documents” later in this chapter.
• The Server document for the Sametime server requires specific values
for the “Server name,” “Is this a Sametime server,” “Port,” and “Net
Address” fields to support online presence. For more information, see
“The Server document” later in this chapter.
• You must ensure that Sametime agents can access the Domino Directory
and run unrestricted LotusScript/Java agents on the Sametime server.
For more information, see “Directory security considerations” later in
this chapter.
For more information, see “How Sametime uses Domino Directory
information” later in this chapter.
Managing multiple Domino Directories with Sametime
Every Domino server has a primary Directory in which the server is
registered. When you install Sametime on a Domino server, Sametime uses
the primary Directory of that Domino server. The primary Directory must
always exist on the Sametime server.
If the Sametime server is installed into a Domino environment that uses
multiple Directories, the administrator should replicate the primary
Directory to the Sametime server.
To access additional Domino Directories of interest in the environment, use
either Directory Assistance or an Extended Directory Catalog. For more
information, see either of the following topics later in this chapter:
• “Using Directory Assistance with the Sametime server”
• “Using Extended Server Directory Catalogs with the Sametime server”
Note Multiple Directory environments generally indicate a large or
geographically distributed user population. It might be necessary to install
multiple Sametime servers to adequately support a large or distributed user
population. For more information, see “Advantages of using multiple
Sametime servers” in Chapter 14.
Using Directory Assistance with the Sametime server
To access other Directories of interest in the Domino environment, the
administrator can set up Directory Assistance on the Sametime server. The
Sametime server can use Directory Assistance to obtain all needed Directory
information in environments that include multiple Directories. Ideally, the
Directory Assistance database should point to a Directory server that is
dedicated to providing Directory services. However, a Directory server is
not required in a Sametime community that includes multiple Sametime
servers.
For information about setting up Directory Assistance, see your Domino
server administration documentation, available in the following locations:
• The C:\Lotus\Domino\help directory of the Domino server on which
Sametime is installed
• Http://www-10.lotus.com/ldd/doc (the IBM Lotus documentation
library)
Using an Extended Server Directory Catalog on the Sametime server
You can use an Extended Server Directory Catalog to share Directory
information when the Sametime server operates in an environment that
includes multiple Directories.
Follow the procedures in the Lotus Domino Release 6 Administration Help to
set up an Extended Server Directory Catalog on the Sametime server. This
documentation is available at http://notes.net/notesua.nsf and in the
C:\Lotus\Domino\Data\help directory of any Domino Release 6 server.
When setting up the Extended Server Directory Catalog to use with
Sametime, note the following:
• You must include specific fields in the “Additional fields to include” list
on the Configuration document for the Extended Server Directory
Catalog.
• If you only want to use the Directory documents that Sametime requires,
you can include a selection formula in the Configuration document for
the Extended Server Directory Catalog.
“Additional fields to include” list requirements
The Configuration document includes an “Additional fields to include” list
in the Basics tab. The following field name entries must exist in the
“Additional fields to include” list to ensure all information needed by
Sametime is available in the Extended Server Directory Catalog:
Field Name              Description
ServerName              “Server name” field in the Basics section of the Server document.
ServerTitle             “Server title” field in the Basics section of the Server document.
Domain                  “Domain name” field in the Basics section of the Server document.
ServerBuildNumber       “Server build” number field in the Basics section of the Server
                        document.
Administrator           “Administrator” field in the Basics section of the Server document.
ServerPlatformDisplay   “Operating system” field in the Basics section of the Server document.
Sametime                “Is this a Sametime server?” field in the Basics section of the Server
                        document.
Port_0 - Port_7         Ports fields in the Ports - Notes Network Ports section of the Server
                        document. The Port_0 field is required. For completeness it is
                        recommended that you list seven port fields (for example Port_0,
                        Port_1, Port_2, and so on).
Protocol_0 - Protocol_7 Protocol fields in the Ports - Notes Network Ports section of the Server
                        document. For completeness, it is recommended that you list seven
                        protocol fields (for example, Protocol_0, Protocol_1, Protocol_2, and
                        so on).
NetName_0 - NetName_7   Notes Network fields in the Ports - Notes Network Ports section of the
                        Server document. For completeness, it is recommended that you list seven
                        Notes Network fields (for example, NetName_0, NetName_1, NetName_2, and
                        so on).
NetAddr_0 - NetAddr_7   Net Address fields in the Ports - Notes Network Ports section of the
                        Server document. The NetAddr_0 field is required. For completeness, it
                        is recommended that you list seven Net Address fields.
Enabled_0 - Enabled_7   Enabled fields in the Ports - Notes Network Ports section of the Server
                        document. The Enabled_0 field is required. For completeness, it is
                        recommended that you list seven Enabled fields.
Sametime Server         “Sametime server” field in the Administration section of the Person
                        document.
Selection formula
The Advanced tab of the Configuration document provides a “Selection
formula (do not include form)” setting that enables you to specify a selection
formula that ensures only the Directory documents required by Sametime
are used when the Dircat task creates the Directory Catalog. The selection
formula for selecting only the documents required by Sametime is:
(Type = "Person") | (Type = "Group") | (Type = "Server" & Sametime = "1")
Note The (Type = "Server" & Sametime = "1") selection criteria select
Server documents that have the “Is this a Sametime server?” field set to Yes.
Server documents for Domino servers that are not Sametime servers are
left out of the catalog.
Directory security considerations
Some Sametime databases contain agents that must access the Domino
Directory to perform functions such as creating a new meeting. The
signature of these agents must be allowed to:
• Access the primary Domino Directory. (Reader Access level is required.)
• Run unrestricted LotusScript/Java agents on the Sametime server.
If the Default ACL setting of the Domino Directory is No Access, the
Sametime agents cannot access the Domino Directory, and Sametime cannot
function properly. Adjust the Domino Directory ACL and the “Run
unrestricted LotusScript/Java agents” setting in the Server document for the
Sametime server as described below.
Agent access to the Domino Directory
The default Sametime agent signer is “Sametime Development/Lotus Notes
Companion Products.” If the Default entry in the Domino Directory ACL is
set to No Access, you must:
1. Enter “Sametime Development/Lotus Notes Companion Products” in
the Directory (names.nsf) ACL.
2. Provide the Sametime Development/Lotus Notes Companion Products
ID with the Reader access level in the Directory ACL.
Note If your organization re-signs databases with a different signer, such as
an administrator or server signature, enter that signer in the Directory ACL
and provide it with the Reader access level.
Run unrestricted LotusScript/Java agents
The signature that is used to sign the Sametime agents must be allowed to
run unrestricted IBM LotusScript® and Java agents on the Sametime server.
To ensure that the Sametime agent signer can run unrestricted LotusScript
and Java agents on the Sametime server:
1. Open the Server document for the Sametime server.
2. Select the Security tab.
3. Enter the Sametime agent signer (for example, Sametime
Development/Lotus Notes Companion Products) in the “Run
unrestricted LotusScript/Java agents” field.
4. Save the changes to the Server document.
Using an LDAP directory instead of a Domino Directory
Sametime can be configured to connect to an LDAP directory on a
third-party server. When Sametime is configured to connect to an LDAP
directory, Sametime users are managed in an LDAP directory on another
server.
The Domino Directory must exist on the Sametime server to store Domino
server configuration information. The Sametime administrator must also
have a Person document in the Domino Directory to authenticate when
accessing the Sametime Administration Tool. All other users are maintained
in the LDAP Directory. For information about using Sametime in an LDAP
environment, see “Using LDAP with the Sametime server” in Chapter 4.
Managing users in the Domino Directory
This section discusses managing Sametime users in the Domino Directory.
The topics discussed include:
• Adding users
• Using Sametime self-registration
• Managing Sametime users with the Sametime Administration Tool
  • Adding users (from the Sametime Administration Tool)
  • Deleting users
  • Changing a user's password or editing a Person document
  • Creating a group
  • Deleting a group
  • Editing a group
Adding users
You can add users to the Domino Directory in any of three ways. You can:
• Add users with a Domino Administrator client - Follow the standard
procedure for registering a new Lotus Notes user into a Domino
Directory. Ensure that each user has an entry in the “User name” and
“Internet password” fields on a Person document. For more information,
see “Adding users with a Domino Administrator client” later in this
chapter.
• Add users from the Sametime Administration Tool - This method
enables you to create a Person document containing the credentials that
provide Web browser and Sametime Connect client access to the
Sametime server. This method does not create a Lotus Notes ID. Web
browser access to Domino servers in the domain is also provided if the
Domino Directory is replicated from the Sametime server to the Domino
servers. For more information, see “Adding users (from the Sametime
Administration Tool)” later in this chapter.
• Use the Sametime server self-registration feature - If you enable the
Sametime self-registration feature, anonymous users can create Person
documents in the Domino Directory. The Person documents contain the
credentials required for Web browser access to the Sametime server.
Lotus Notes IDs are not created by the Sametime self-registration
feature.
If the directory is replicated from the Sametime server to Domino servers
in the domain, the self-registered user also has Web browser access to
the Domino servers. For more information, see “Using Sametime
self-registration” later in this chapter.
Adding users with a Domino Administrator client
To add a Sametime user from the Domino Administrator client, follow the
normal Domino procedure for adding a new user. Use a Domino
Administrator client to register the user into the Directory. The Directory
replication schedule should ensure that the user eventually appears in the
Directory on each server (including the Sametime server) in the domain.
When you register a new user into the Domino Directory, you should ensure
that the Person document for each user includes the information required to
authenticate with and connect to a Sametime server. This information
includes:
• A user name entered in the “User name” field in the Basics tab of the
Person document.
• An Internet password entered in the “Internet password” field in the
Basics tab of the Person document.
• A home Sametime server specified in the “Sametime server” field in the
Administration tab of the Person document. This field is required when
you have installed multiple Sametime servers in the Domino domain or
deployed a database enabled with Sametime technology to a Domino
server in the domain.
The “User name” and “Internet password” fields in a Person document are
required to authenticate with the Sametime server with a Web browser and
to log in to the Sametime Connect client. The Sametime server uses the same
Internet and intranet authentication scheme provided by the Domino server
on which it is installed. The Community Services also use this information to
authenticate Sametime Connect users. The home Sametime server ensures
that a client is connected to a specific Sametime server for presence and chat
functionality. For more information, see “Community Services connectivity
and the home Sametime server” in Chapter 5.
Using Sametime self-registration
The Sametime server includes a self-registration feature. This feature allows
any anonymous user who can access the server with a Web browser to create
their own Person document containing a last name, user name, and Internet
password in the Domino Directory on the Sametime server.
A self-registered user can use the Sametime Connect client and access
protected databases on the Sametime server with a Web browser. If the
Domino Directory is replicated from the Sametime server to Domino servers
in the domain, the self-registered user might also be able to access the
protected areas of the Domino servers in the domain with a Web browser.
Note Generally, the Sametime self-registration feature provides an easy
way to populate a Domino Directory with Sametime users. Because an
existing Domino domain usually has a Directory populated with users,
self-registration is disabled by default when Sametime is installed on the
Domino server. Administrators should also consider the security
implications of allowing anonymous users to create Person documents in the
Domino Directory before allowing self-registration on the Sametime server.
To enable the self-registration feature on a Sametime server, perform the
following three procedures. Each of these procedures is described in a
separate topic.
1. Enable self-registration from the Sametime Administration Tool.
2. Add the Sametime signer ID to the Domino Directory (names.nsf) ACL.
3. Review the security recommendations for the self-registration feature.
Note If you have integrated multiple Sametime servers into a single
community, and you are using the self-registration feature, self-registration
should be enabled on only one of the Sametime servers. In multiple
Sametime server environments, the Domino Directory is replicated among
the Sametime servers. If self-registration is enabled on multiple Sametime
servers, multiple groups named “Sametime Web Users” will be created in
the Directory. For more information on multiple server environments, see
“Advantages of using multiple Sametime servers” in Chapter 14.
Enable self-registration from the Sametime Administration Tool
This procedure is the first of three required to use the Sametime
self-registration feature. To enable self-registration from the Sametime
Administration Tool:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Select Domino Directory - Domino.
3. In the User Registration settings, place a check mark in the “Allow users
to register themselves in the Domino Directory” check box.
4. You must click the Update button and restart the Sametime server for
this change to take effect.
Next, ensure that the Sametime agent signer is added to the Domino
Directory ACL and has the appropriate access level in the ACL.
Add the Sametime signer ID to the Domino Directory ACL
This procedure is the second of three required to use the Sametime
self-registration feature. In this procedure you must add a signer ID to the
Domino Directory ACL.
The Sametime self-registration feature is supported by a self-registration
database (streg.nsf) on the Sametime server. Agents within the
self-registration database must access the Domino Directory on the
Sametime server to create and modify Person documents in the Directory.
The default signature on these agents is “Sametime Development/Lotus
Notes Companion Products.” To ensure that the agents in the
self-registration database can operate in the Domino Directory, do the
following:
1. Add the “Sametime Development/Lotus Notes Companion Products”
signer to the ACL of the Domino Directory.
2. Provide the Sametime Development/Lotus Notes Companion Products
signer with the following Access level and Roles in the Domino
Directory ACL:
• Access level: Author
• Roles: [Group Creator], [Group Modifier], [User Creator], [User
Modifier]
Note Administrators can also sign the self-registration database with
another signer. Normally, an administrator uses the administrator signature
or server signature for this purpose. If you use a different signer, you must
add that signer to the Directory ACL and provide it with the Access level
and Roles specified above.
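The two ACL requirements this chapter places on the Sametime agent signer (Reader access to names.nsf, described under “Agent access to the Domino Directory,” and Author access plus the four creator/modifier roles for the self-registration agents above) can be checked mechanically. The following Python script is an added example, not part of this guide or of the Sametime product; it models the names.nsf ACL as a dictionary and takes the signer and role names from this chapter.

```python
"""Check a Domino Directory (names.nsf) ACL for the access the Sametime agent
signer needs: Reader access for the agents that read the Directory, and Author
access plus the creator/modifier roles for the self-registration (streg.nsf)
agents. Added example, not part of the guide or the Sametime product; the ACL
is modelled as a dict, ACL entry name -> (access level, set of role names).
"""

# Domino access levels, least to most privileged.
ACCESS_LEVELS = ["No Access", "Depositor", "Reader", "Author",
                 "Editor", "Designer", "Manager"]

# Default signer of the Sametime agents, as given in this chapter.
DEFAULT_SIGNER = "Sametime Development/Lotus Notes Companion Products"

# Roles the self-registration agents need in the Directory ACL.
SELF_REG_ROLES = ["[UserCreator]", "[UserModifier]",
                  "[GroupCreator]", "[GroupModifier]"]


def _norm_role(role):
    """Compare role names loosely: '[User Creator]' and 'UserCreator' are the same role."""
    return role.strip().strip("[]").replace(" ", "").lower()


def effective_access(acl, name):
    """Access a name receives: its own ACL entry, else the -Default- entry.

    Returns (level, roles, from_default)."""
    if name in acl:
        level, roles = acl[name]
        return level, set(roles), False
    level, roles = acl.get("-Default-", ("No Access", set()))
    return level, set(roles), True


def check_signer_access(acl, signer=DEFAULT_SIGNER, self_registration=False):
    """Return a list of problems; an empty list means the signer meets the requirements."""
    problems = []
    level, roles, from_default = effective_access(acl, signer)
    source = "the -Default- entry" if from_default else "its own ACL entry"
    required = "Author" if self_registration else "Reader"
    if ACCESS_LEVELS.index(level) < ACCESS_LEVELS.index(required):
        problems.append(f"{signer} gets {level} from {source}; "
                        f"needs at least {required} (add an explicit entry)")
    if self_registration:
        have = {_norm_role(r) for r in roles}
        missing = [r for r in SELF_REG_ROLES if _norm_role(r) not in have]
        if missing:
            problems.append("missing roles: " + ", ".join(missing))
    return problems


# Constructed sample ACLs (not taken from a real server).
ACL_LOCKED_DOWN = {           # Default = No Access, signer never added
    "-Default-": ("No Access", set()),
    "LocalDomainServers": ("Manager", set()),
}
ACL_SELF_REG_READY = {        # signer added as this chapter instructs
    "-Default-": ("No Access", set()),
    DEFAULT_SIGNER: ("Author", {"[User Creator]", "[User Modifier]",
                                "[Group Creator]", "[Group Modifier]"}),
}

if __name__ == "__main__":
    for label, acl in [("locked down", ACL_LOCKED_DOWN),
                       ("self-registration", ACL_SELF_REG_READY)]:
        for self_reg in (False, True):
            issues = check_signer_access(acl, self_registration=self_reg)
            print(f"{label}, self-registration={self_reg}: {issues or 'OK'}")
```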
Next, review the security recommendations for self-registration.
Review the security recommendations for self-registration
This procedure is the last of three required to use the Sametime
self-registration feature. If you are using the self-registration feature, you
should review the security recommendations for self-registration.
The specific recommendations for securing your server when using
self-registration are described in the Security recommendations for
self-registration topic in the Security section of this documentation.
Managing Sametime users with the Sametime Administration Tool
The Sametime Administration Tool provides access to Person and Group
documents in the Domino Directory on the Sametime server. You can use the
Sametime Administration Tool or a Lotus Notes client to delete and edit
Person and Group documents in the Domino Directory on the Sametime
server.
For information about using a Lotus Notes client to manage users in a
Domino Directory, see your existing Domino documentation. If you use a
Lotus Notes client or the Domino Administrator to manage Sametime users,
you should review the topics in How Sametime uses Domino Directory
information.
For information about using the Sametime Administration Tool to manage
users in the Domino Directory on the Sametime server, see the following
topics later in this chapter.
• “Adding users (from the Sametime Administration Tool)”
• “Deleting users”
• “Changing a user's password or editing a Person document”
• “Creating a group”
• “Deleting a group”
• “Editing a group”
Adding users (from the Sametime Administration Tool)
You can add users to the Directory using the Sametime Administration Tool.
To add a user, you create a Person document for the user in the Directory
and specify a last name, user name, and Internet password. A Lotus Notes
user ID is not created by this process. The Sametime server is designed for
Web browser access only.
When adding users with the Sametime Administration Tool, the new user
might not be immediately visible in the Directory. A small refresh interval
must pass before the user's name is visible in the Directory. Also, a recently
added user cannot appear in a Sametime presence list until the Community
Services receive an updated list of users from the Domino Directory. For
more information, see “How often to poll for new names added to the
Sametime Community directory” in Chapter 6.
To add a user from the Sametime Administration Tool:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Domino Directory - Domino.
3. Choose Manage People.
4. Select Add Person. The Person document appears. If necessary, select
the Basics section.
5. In the Basics section of the Person document, enter the user's first,
middle, and last name in the appropriate fields. Only the last name is
required.
6. Enter a name for the user in the “User name” field. An entry in this field
is required for the user to authenticate with the Sametime server.
A user can enter this name when logging in to Sametime Connect or
accessing a database on the Sametime server that requires basic
password authentication. User names are case-sensitive.
You can also enter multiple names in the “User name” field. If you enter
multiple names, ensure that each name is separated by a carriage return.
(Press the Enter key after entering each name.)
Note The name that appears in the top line in the “User name” field is
the name that displays in presence lists in Sametime clients.
7. Enter an Internet password for the person in the “Internet password”
field. An entry in this field is required for the user to authenticate with
the Sametime server. The user is prompted for this password when
logging in to Sametime Connect or accessing any database on the
Sametime server that requires basic password authentication. Internet
passwords are case-sensitive.
Write down the Internet passwords as you assign them. After it is
entered the first time, the Internet password is encrypted on the Person
document and cannot be viewed.
8. Click “Save and Close.” The Person document is added to the Directory.
Deleting users
You can use the Sametime Administration Tool to delete a user from the
Domino Directory on the Sametime server. Deleting a user's Person
document removes the user from the Sametime community and prevents the
user from accessing Sametime Connect or databases on the server that
require basic password authentication.
To delete a user:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Domino Directory - Domino.
3. Choose Manage People.
4. Double-click the name of the user you want to delete. The user's Person
document opens.
5. Select Delete Person. The Person document is deleted from the Domino
Directory.
Changing a user's password or editing a Person document
You can use the Sametime Administration Tool to change a user's Internet
password. To change a user's Internet password, you must edit the user's
Person document.
To change a password or edit the Person document:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Domino Directory - Domino.
3. Choose Manage People.
4. Double-click the name of a user.
5. Select Edit Person. The Person document changes to edit mode.
6. If necessary, select the Basics tab.
7. In the “Internet password” field, delete the existing Internet password
and enter the new Internet password.
8. While the Person document is in edit mode, you can edit any other field
of the Person document.
9. Click “Save and Close.”
Creating a group
You can use the Sametime Administration Tool to create a group document.
Each user that you add to a group document must have a Person document
that contains information in the “Last name,” “User name,” and “Internet
password” fields in the Domino Directory on the Sametime server.
Note Groups larger than 400 members might not display correctly in
Sametime presence lists. If you are creating a group that Sametime Connect
users will add to Sametime Connect contact lists, do not include more than
400 names in the group. For more information on how Sametime uses
groups, see “Group documents” later in this chapter.
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Domino Directory - Domino.
3. Choose Manage Groups.
4. Click Add Group.
5. Enter a name for the group in the “Group name” field (for example,
Administrators or Meeting Creators).
6. Select a group type (Multipurpose, Access Control List, Deny List, Mail
Only, and Servers Only). Select Multipurpose if you are creating a Public
Group that users will add to the Sametime Connect client presence list or
a group that will serve more than one purpose.
Note You can also select the Mail Only group type when creating
Public Groups that users will add to the Sametime Connect client
presence list. Select Access Control List if the purpose of the group is to
allow or deny access to databases on the Sametime server. Do not select
the Access Control List, Deny List, or Servers Only group types when
creating Public Groups for Sametime Connect users. The Sametime
Connect client does not display the contents of groups that have a group
type of Access Control List, Deny List, or Servers Only. Deny List groups
are usually used only when you have integrated Sametime into a
Domino environment.
7. (Optional) Enter a description of the group in the Description field.
8. List the members of the group in the Members field. Make sure to enter
a name exactly as it is entered in the top line of the “User name” field of
the user's Person document.
For example, assume a person's name is listed in the “User name” field
of the Person document as:
Tom Smith/West/Acme
Tom Smith
When adding the person's name to the Members field of the Group
document, you should enter the name as Tom Smith/West/Acme
because this name appears in the top line in the “User name” field of the
Person document. If the name entered in the Members field of the Group
document is not identical to the name in the top line in the “User name”
field of the Person document, the user will always appear to be off line
when the Group document is opened in a Sametime client presence list.
For example, the user will always appear off line in the group if you
enter Tom Smith instead of Tom Smith/West/Acme.
9. Select the Administration link at the top of the Group document.
10. Enter the names of the group owners in the Owners field. Generally, the
group owner is the administrator creating the group.
11. Click “Save and Close.”
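To see why a member entered as Tom Smith rather than Tom Smith/West/Acme always appears offline, the following Python script checks a Group document against the Person documents in the way steps 6 and 8 describe, and also applies the group type and 400-member limits given above. It is an added example, not part of this guide or of the Sametime product; Directory documents are modelled as dictionaries keyed by the field labels used in this chapter, with constructed sample data.

```python
"""Validate a Group document for use in Sametime Connect contact lists, as this
chapter describes: a usable group type, no more than 400 members, and every
member entered exactly as the top line of a Person document's 'User name'
field (case-sensitive). Added example, not part of the guide or the product;
documents are modelled as dicts with the field labels used in this chapter,
and 'User name' is a list in the order the names appear in the document.
"""

# Group types whose contents the Sametime Connect client does not display.
HIDDEN_GROUP_TYPES = {"Access Control List", "Deny List", "Servers Only"}
MAX_PRESENCE_GROUP = 400

# Person document fields a group member must have in the Directory.
REQUIRED_PERSON_FIELDS = ("Last name", "User name", "Internet password")


def top_line_name(person):
    """Name shown in presence lists: the first entry of the 'User name' field."""
    names = person.get("User name") or []
    return names[0] if names else None


def missing_person_fields(person):
    """Required Person document fields that are absent or empty."""
    return [f for f in REQUIRED_PERSON_FIELDS if not person.get(f)]


def check_members(group, people):
    """Map each member that will not resolve to presence to a diagnosis."""
    by_top = {}        # top-line name -> Person document
    alias_to_top = {}  # any 'User name' entry -> that document's top-line name
    for person in people:
        top = top_line_name(person)
        if top is None:
            continue
        by_top[top] = person
        for alias in person["User name"]:
            alias_to_top.setdefault(alias, top)
    by_fold = {name.lower(): name for name in by_top}

    problems = {}
    for member in group.get("Members", []):
        if member in by_top:
            incomplete = missing_person_fields(by_top[member])
            if incomplete:
                problems[member] = "Person document lacks " + ", ".join(incomplete)
        elif member in alias_to_top:
            problems[member] = ("matches a lower line of 'User name'; "
                                f"enter {alias_to_top[member]} instead")
        elif member.lower() in by_fold:
            problems[member] = f"case differs; enter {by_fold[member.lower()]} instead"
        else:
            problems[member] = "no Person document lists this name in 'User name'"
    return problems


def check_group(group, people):
    """Return warnings for a group destined for Sametime Connect contact lists."""
    warnings = []
    if group.get("Group type") in HIDDEN_GROUP_TYPES:
        warnings.append(f"group type {group['Group type']!r} is not displayed "
                        "by Sametime Connect; use Multipurpose or Mail Only")
    members = group.get("Members", [])
    if len(members) > MAX_PRESENCE_GROUP:
        warnings.append(f"{len(members)} members exceeds {MAX_PRESENCE_GROUP}; "
                        "the group might not display correctly in presence lists")
    for member, why in check_members(group, people).items():
        warnings.append(f"member {member!r} will always appear offline: {why}")
    return warnings


# Constructed sample documents (not from a real Directory); the Internet
# password value is a placeholder, since the stored value cannot be viewed.
PEOPLE = [
    {"Last name": "Smith", "User name": ["Tom Smith/West/Acme", "Tom Smith"],
     "Internet password": "(placeholder)"},
    {"Last name": "Jones", "User name": ["Ann Jones/East/Acme"],
     "Internet password": "(placeholder)"},
    {"Last name": "Lee", "User name": ["Bob Lee/Acme"]},  # no Internet password
]
GROUP = {"Group name": "Meeting Creators", "Group type": "Multipurpose",
         "Members": ["Tom Smith/West/Acme", "Tom Smith",
                     "ann jones/East/Acme", "Bob Lee/Acme", "Eve Adams/Acme"]}

if __name__ == "__main__":
    for line in check_group(GROUP, PEOPLE):
        print(line)
```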
Deleting a group
You can use the Sametime Administration Tool to delete a group from the
Domino Directory on the Sametime server.
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Domino Directory - Domino.
3. Choose Manage Groups.
4. Double-click the name of the group you want to delete.
5. When the Group document opens, select Delete Group. The Group
document is deleted from the Domino Directory.
Editing a group
To add or delete users from a group or change any other fields in a Group
document, you must use the Sametime Administration Tool to edit the
Group document. To edit a Group document:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Domino Directory - Domino.
3. Choose Manage Groups.
4. Double-click the name of a group.
5. Select Edit Group and make the appropriate changes.
6. Click “Save and Close.”
How Sametime uses Domino Directory information
This section discusses the Domino Directory information that is used by
Sametime. The topics in this section include:
• Person documents
• Group documents
• The Server document
• Directory views used by Sametime features
Person documents
The Domino Directory maintains a Person document for each user in the
Sametime community (or Domino domain). Each member of the Sametime
community must have a Person document in the Directory to log into the
Sametime Connect client or authenticate with the Sametime server.
A Person document includes many different fields that contain descriptive
information about a user. Most of the fields are optional for Sametime users.
The four most important fields on a Person document for a Sametime user
are the “Last name,” “User name,” “Internet password,” and “Sametime
server” fields.
The “Last name,” “User name,” and “Internet password” fields in the Basics
section of a Person document are required for authentication. For more
information about how these fields are used by the authentication process,
see “Person document, User names, and Internet passwords in the Domino
Directory” in Chapter 13.
Chapter 3: Using Domino Directories with Sametime 83
"Sametime server" field (home Sametime server)
The “Sametime server” field in the Administration tab of a user's Person
document specifies a user's “home” Sametime server. Generally, you must
enter the name of a Sametime server in this field for every Sametime user if
either of the following is true:
• Multiple Sametime servers are installed and integrated into a single
community.
• Sametime is installed in a Domino environment and databases
containing Sametime presence lists, such as Sametime TeamRoom or
Discussion databases, have been deployed on Domino servers in the
domain.
The home Sametime server stores a user's Community Services preferences
and other data. When a Sametime server is specified in the “Sametime
server” field of a user's Person document, Sametime ensures that the user
always logs in to that Sametime server to receive the Community Services
presence and chat functionality. For more information, see “Community
Services connectivity and the home Sametime server” in Chapter 5 and
“Integrating a Sametime server into an existing Sametime community” in
Chapter 14.
In an environment that includes only one Sametime server, you must enter
the Sametime server name in the “Sametime server” field if you have
deployed a Sametime database on a Domino server. For more information,
see “Deploying Sametime databases” in Chapter 16.
Group documents
The Domino Directory stores Group documents. A Group document
contains a list of multiple users and appears as a single entry in the Domino
Directory. Group documents can simplify administrative tasks and the
process of adding users to the Sametime Connect client.
Generally, a Group document contains a list of users who perform similar
tasks. For example, all employees in the Marketing department might be
listed in a “Marketing” Group document. All employees in the Engineering
department might be listed in an “Engineering” Group document.
In the Sametime Connect client, groups that are defined by Group
documents in the Directory are referred to as “Public Groups.” Any
Sametime Connect user can browse the Domino Directory to add these
Public Groups to the Sametime Connect contact list. Public groups can
greatly simplify the process of adding users to the Sametime Connect contact
list. For example, the administrator can create a Group document called
“Technical Support” that lists all 40 employees in the Technical Support
department.
With a single mouse click, a Sametime Connect user can add the Technical
Support Public group to the Sametime Connect contact list to have presence
(or online awareness) and chat capabilities with all 40 employees in the
Technical Support Group document. Without the Group document, the user
must add the 40 employees to the Sametime Connect contact list one at a
time.
Note Generally, Sametime Connect cannot use a Group document that
contains more than 400 members. For a group that is larger than 400
members, create a Group document that contains other Group documents
and add up to 400 members to each of the subgroups.
Using groups can also simplify administrative tasks. For example, if you
create a group called “Administrators” that lists all users who can perform
administrative tasks, you can add this group to the appropriate database
Access Control Lists (ACLs) and fields on the Server document. If you want
to add an administrator, you can edit the Administrators Group document.
For more information about using Group documents to control access for
administrators, see “Allowing others to access the Sametime Administration
Tool” in Chapter 2.
If you modify the ACL of the Sametime Meeting Center (stconf.nsf) to
require basic password authentication, you can create group documents to
control access for meeting creators and attendees. For example:
1. Turn off anonymous access in the Sametime Meeting Center ACL. Set
the Anonymous and -Default- entries in the ACL to No Access.
2. Create a Group document called “Meeting Creators” that lists all users
who can create new meetings in the Sametime Meeting Center.
3. Add the Meeting Creators group to the ACL of the Meeting Center
database (stconf.nsf).
4. Assign the Author access level to the Meeting Creators group and
select the “Write public documents” check box. Users listed in the
Meeting Creators group can create and attend meetings in the Meeting
Center.
5. Create another group called “Attendees” that lists all users that you
want to attend meetings but not create them.
6. Add the Attendees group to the ACL of the Sametime Meeting Center
database and assign the Attendees group Reader access in the Sametime
Meeting Center. Users listed in the Attendees group can attend meetings
in the Sametime Meeting Center but cannot create them.
After setting up the Meeting Creators and Attendees groups as described
above, you can add or remove user names from the Group documents to
assign or revoke meeting creator and attendee privileges in the Sametime
Meeting Center.
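The following Python model is an added example, not code from the Sametime guide or from IBM. It ties together three points made in this chapter: a Members entry only resolves when it equals the top line of the Person document's “User name” field (otherwise the member shows as offline), a group larger than 400 members should be split into subgroups, and the Meeting Creators/Attendees ACL setup above grants access through group membership. All Person and Group documents, the ACL, and the names are constructed; the ACL evaluation rule (an explicit user entry wins, otherwise the highest level among the user's groups, otherwise -Default-) is this example's simplified assumption about Domino, not a statement from the guide.

```python
"""Added example (not from the Sametime guide): an in-memory model of Domino
Person and Group documents showing (1) why a Members entry must match the
top line of the "User name" field exactly, (2) nested-group expansion and the
400-member note, and (3) a simplified ACL check for the Meeting Center setup.
All documents and names below are constructed."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed Person documents: the list is the "User name" field, top line first.
PERSON_DOCS: Dict[str, List[str]] = {
    "Tom Smith/West/Acme": ["Tom Smith/West/Acme", "Tom Smith"],
    "Ann Jones/East/Acme": ["Ann Jones/East/Acme", "Ann Jones"],
    "Bob Lee/West/Acme": ["Bob Lee/West/Acme"],
}

# Constructed Group documents: group name -> entries in the Members field.
GROUP_DOCS: Dict[str, List[str]] = {
    "Technical Support": ["Tom Smith/West/Acme", "Ann Jones"],  # alias, not top line
    "Meeting Creators": ["Tom Smith/West/Acme"],
    "Attendees": ["Technical Support", "Bob Lee/West/Acme"],     # nested group
}

MAX_GROUP_MEMBERS = 400  # per-Group-document limit stated in the guide's note

# Access levels, lowest to highest (subset used by this example).
ACCESS_LEVELS = ["No Access", "Reader", "Author", "Editor", "Manager"]

# Constructed stconf.nsf ACL as it looks after the six steps in the text.
MEETING_CENTER_ACL: Dict[str, str] = {
    "-Default-": "No Access",
    "Anonymous": "No Access",
    "Meeting Creators": "Author",
    "Attendees": "Reader",
}


def resolves_to_person(entry: str) -> bool:
    """True only when `entry` equals the top line of some Person document's
    "User name" field; an alias from a lower line leaves the member offline."""
    return any(aliases[0] == entry for aliases in PERSON_DOCS.values())


def expand_group(group: str, seen: Optional[Set[str]] = None) -> Tuple[List[str], List[str]]:
    """Expand a group, following nested Group documents, into unique entries
    that resolve to a Person document and entries that will appear offline."""
    seen = set() if seen is None else seen
    online: List[str] = []
    offline: List[str] = []
    if group in seen:  # a group that directly or indirectly lists itself
        return online, offline
    seen.add(group)
    for entry in GROUP_DOCS.get(group, []):
        if entry in GROUP_DOCS:
            sub_on, sub_off = expand_group(entry, seen)
            online += [m for m in sub_on if m not in online]
            offline += [m for m in sub_off if m not in offline]
        elif resolves_to_person(entry):
            if entry not in online:
                online.append(entry)
        elif entry not in offline:
            offline.append(entry)
    return online, offline


def split_large_group(name: str, members: List[str]) -> Dict[str, List[str]]:
    """Return a parent Group document listing subgroups of at most
    MAX_GROUP_MEMBERS members each, as the guide's note recommends."""
    chunks = [members[i:i + MAX_GROUP_MEMBERS]
              for i in range(0, len(members), MAX_GROUP_MEMBERS)]
    subgroups = {f"{name} {n}": chunk for n, chunk in enumerate(chunks, start=1)}
    return {name: list(subgroups), **subgroups}


def groups_containing(user: str) -> Set[str]:
    """Groups whose expansion includes `user` (the question the
    "which groups is a user a member of" directory lookup answers)."""
    return {g for g in GROUP_DOCS if user in expand_group(g)[0]}


def effective_access(user: str, acl: Dict[str, str]) -> str:
    """Simplified ACL evaluation (an assumption of this example): an explicit
    entry for the user wins; otherwise the highest level among the user's
    groups applies; otherwise the -Default- entry."""
    if user in acl:
        return acl[user]
    levels = [acl[g] for g in groups_containing(user) if g in acl]
    if not levels:
        return acl["-Default-"]
    return max(levels, key=ACCESS_LEVELS.index)
```

Running `expand_group("Technical Support")` shows “Ann Jones” in the offline list because the Members entry used the alias rather than the top-line name, which is exactly the symptom described in the group-creation steps; `effective_access` then shows that the same mistake silently denies Ann access to stconf.nsf, since she is not resolved as a member of Attendees.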
For more information about working with Group documents, see “Creating
a group,” “Deleting a group,” or “Editing a group” earlier in this chapter.
The Server document
The following fields in the Server document are needed for each Sametime
server to support online presence:
• Server name - This field in the Basics tab of the Server document must
contain the name of the Sametime server.
• Is this a Sametime server? - This field in the Basics tab of the Server
document must be set to Yes to indicate the Server document describes a
Sametime server.
• Port - This field in the Ports-Notes Network Ports tab of the Server
document must be set to TCPIP.
• Net Address - This field in the Ports-Notes Network Ports tab must
contain the TCP/IP address of the Sametime server.
Note The settings in the “Sametime” tab of the Server document are not
used by Sametime. Configuration values for the settings available from the
Sametime Administration Tool are stored in the Configuration database
(stconfig.nsf) and the Sametime.ini file on the Sametime server. Changing
settings in the Sametime tab of the Server document has no effect on the
Sametime server.
Directory views used by Sametime features
Online presence for individual users and users listed in groups requires the
use of specific views in the Domino Directory. Each Directory in the
Sametime community must contain the views listed here according to
Sametime feature:
Sametime Feature                                     Views used
Expand a group to list all the unique members        $People
in the group                                         $VIMGroups
Determine which groups a user is a member of         $MailGroups
                                                     $People
                                                     $ServerAccess
Determine which servers are Sametime servers         $Servers
Authenticate a user                                  $Users
Browse the Directory for users and groups            $PeopleGroupsFlat
Chapter 4
Using LDAP Directories with Sametime
This chapter explains how the Sametime server can be configured to access a
Lightweight Directory Access Protocol (LDAP) directory on an LDAP server.
Using LDAP in this manner enables you to integrate Sametime into an
environment in which LDAP-compliant servers and directories are already
deployed. This chapter discusses the following topics:
• Using LDAP with the Sametime server
• Setting up an LDAP connection
• LDAP Connectivity settings
• LDAP Basics settings
• LDAP Authentication settings
• LDAP Searching settings
• LDAP Group Contents settings
• Using SSL to encrypt connections between a Sametime and LDAP server
• Adding new administrators in the LDAP environment
• Access Control Lists and LDAP user names
Using LDAP with the Sametime server
Using LDAP with the Sametime server allows you to integrate Sametime
into an environment in which other LDAP-compliant servers and directories
are already deployed. Sametime can be used with LDAPv2 and LDAPv3.
Note For information on using LDAP with a Sametime server that operates
on a platform other than Windows (such as the iSeries and pSeries servers),
see the installation guide (stinstall.nsf or stinstall.pdf) that shipped with the
Sametime server.
Sametime users and groups can be maintained in an existing LDAP directory
on an LDAP server. When Sametime users and groups are maintained in an
existing LDAP directory, it is not necessary to populate the Domino
Directory on the Sametime server with every user and group in the
organization.
To use Sametime in an LDAP environment, you must configure the
Sametime server to connect to an LDAP server. When connected to an LDAP
server, Sametime can search and authenticate against the LDAP directory on
the LDAP server on behalf of Sametime clients.
This section includes the following topics related to using Sametime with
LDAP:
• How LDAP is used with Sametime - Provides basic information about
the purpose of using Sametime with LDAP and the manner in which
Sametime is used with LDAP.
• Setting up an LDAP connection - Describes the procedures required to
set up an LDAP connection between a Sametime and LDAP server.
• LDAP Directory Settings - Provides an overview of the LDAP
configuration settings available in the Sametime Administration Tool
and describes the level of LDAP knowledge required to configure the
Sametime LDAP Directory settings. The administrator must configure
the LDAP Connectivity, Basics, Authentication, Searching, and Group
contents settings located within the LDAP Directory settings of the
Sametime Administration Tool.
• Configuring LDAP Connectivity settings - Provides detailed information
about the configuration settings that enable the Sametime server to
connect to an LDAP server, including information on using SSL for
authentication and encryption of the connection between the Sametime
and LDAP server. This section also explains the configuration settings
that enable a Sametime server to access multiple LDAP servers when
searching for and authenticating users.
• Configuring LDAP Basics settings - Provides detailed information about
the basic LDAP settings that support searching person and group entries
in an LDAP directory. These settings ensure that user and group names
maintained in an LDAP directory can be displayed in Sametime user
interfaces.
• Configuring LDAP Authentication settings - Provides detailed
information about the LDAP search filter required to enable users to
authenticate against entries in an LDAP directory. Also explains how to
specify a home Sametime server when Sametime is functioning in an
LDAP environment.
• Configuring LDAP Searching settings - Provides detailed information on
the LDAP search filters required to conduct searches for people and
groups in an LDAP directory.
• Configuring LDAP Group Contents settings - Provides detailed
information about the LDAP Group Contents setting required to enable
Sametime to examine groups in an LDAP directory. Sametime uses these
settings to resolve the names within a group entry to person or group
entries in an LDAP directory.
• Using SSL to encrypt connections between the Sametime and LDAP
servers - Provides information on how to encrypt the connections
between the Sametime and LDAP servers using SSL. The administrator
can encrypt all data transmitted between the servers or encrypt only the
passwords that are transmitted between the servers.
• Access Control Lists and LDAP User Names - Briefly describes rules for
entering LDAP user names in database Access Control Lists (ACLs).
• Adding new administrators in the LDAP environment - Discusses
adding new Sametime administrators when Sametime is configured to
connect to an LDAP server.
• Setting up an LDAP connection after selecting the Domino directory
during the server installation - Discusses how to set up a connection to
an LDAP server if you did not choose the LDAP Directory option during
the Sametime server installation.
How LDAP is used with Sametime
The administrator can configure the Sametime server to connect to one or
more LDAP servers. For more information on the LDAP connection setup
procedures, see “Setting up an LDAP connection” later in this chapter.
When Sametime connects to an LDAP server, the following support is
provided for Authentication, Searches, Connectivity, Administration, and
User Management.
Authentication
Sametime supports authentication against an LDAP directory in the
following ways:
• Sametime Connect, Sametime Meeting Room, and Sametime Broadcast
clients can authenticate using user names and passwords stored in an
LDAP directory on an LDAP server.
• Only users that are entered in the LDAP directory on the LDAP server
can authenticate with the Sametime server.
The Sametime administrator is an exception. A Sametime administrator
is always authenticated against the Domino Directory when accessing
the Sametime Administration Tool. A Sametime administrator must
have a Person document in the Domino Directory on the Sametime
server to access the Sametime Administration Tool.
• End users use existing Sametime client interfaces when entering user
names and passwords for authentication purposes. The end user does
not know whether they are authenticating against an LDAP directory or
a Domino directory.
• Authentication to individual databases on the Sametime server is still
controlled by database ACLs. For information on entering names from
an LDAP directory in a database ACL, see “Access Control Lists and
LDAP User Names” later in this chapter.
• The Sametime server connects to the LDAP server to perform search and
authentication procedures on behalf of Sametime clients. The Sametime
administrator can specify whether the Sametime server binds to the
LDAP server as an anonymous or authenticated user when making this
connection. For more information, see “Administrator distinguished
name and password for authenticated binding” later in this chapter.
• The Sametime server can be configured to use SSL for authentication
and encryption when connecting to the LDAP server. For more
information, see “Use SSL to authenticate and encrypt the connection
between the Sametime server and the LDAP server” later in this chapter.
Searches
Sametime supports searches of the LDAP directory in the following ways:
• Users can search the LDAP directory on an LDAP server to add people
and groups to the Sametime Connect client presence list or privacy list.
Users can also search the LDAP directory when adding users to the
“Restrict To” list available from the New Meeting form in the Sametime
Meeting Center.
• End users use existing Sametime client interfaces when searching for
other users.
• Searches of the LDAP directory are conducted according to parameters
specified in the Sametime LDAP Directory Settings in the Sametime
Administration Tool. The administrator must configure the LDAP
Directory Settings to ensure the searches are conducted using search
filter and schema settings consistent with the schema of the LDAP
directory to be searched.
Connectivity
Sametime supports connectivity with the LDAP server in the following
ways:
• Sametime clients connect to the Sametime server. The Sametime server
establishes a network connection to the LDAP server and performs
searches and authentication on behalf of the Sametime clients. Sametime
clients do not connect directly to the LDAP server.
The Sametime server connects to the LDAP server using the LDAP
protocol. By default, this connection occurs on TCP/IP port 389.
• The Sametime Administrator specifies whether the Sametime server
binds to the LDAP server as an anonymous or authenticated user when
connecting to the LDAP server. For more information, see
“Administrator distinguished name and password for authenticated
binding” later in this chapter.
• The Sametime server can be configured to access multiple LDAP servers
when searching for and authenticating Sametime users. The Sametime
server can access one LDAP directory per LDAP server.
• The Sametime server can be configured to use SSL when accessing the
LDAP server.
Administration and user management
Sametime supports administration and user management with LDAP in the
following ways:
• When using LDAP, Sametime server administrators are authenticated
against the Domino Directory on the Sametime server when accessing
the Sametime Administration Tool. All other users are authenticated
against the LDAP directory on the LDAP server. For more information,
see “Sametime Administration Tool and LDAP environments” in
Chapter 2.
• The person entries in the LDAP directory must contain a field to hold the
name of a user's home Sametime server. This field does not exist in the
LDAP directory, so the administrator can either add a new field to the
person entries in the LDAP directory or use an existing field such as the
e-mail attribute. Once this field is added to the person entries in the
LDAP directory, the administrator must enter the name of the user's
home Sametime server in the new field in each user's person entry in the
LDAP directory. The administrator must also specify the name of the
field in the LDAP directory that contains the name of the Sametime
server in the LDAP Authentication settings of the Sametime
Administration Tool.
• Sametime server administrators cannot use the Sametime
Administration Tool to add or modify users and groups in the LDAP
directory on an LDAP server. User accounts must be added and
modified using the software and procedures required by the LDAP
directory on the LDAP server.
The Sametime Administration Tool can be used to perform all other
Sametime administrative procedures when Sametime is configured to
operate as a client to an LDAP server.
• The Sametime self-registration feature cannot be used when Sametime
connects to an LDAP server. The self-registration feature cannot access
the LDAP directory to create person entries in the LDAP directory.
Note Generally, Netscape servers contain LDAP-native directories, and it is
not necessary to configure those servers for access by LDAP clients. In other
cases, it might be necessary to configure the LDAP server to process LDAP
requests from an LDAP client. Consult the documentation for the LDAP
server for this information.
Setting up an LDAP connection
The three procedures associated with setting up an LDAP connection from
Sametime to an LDAP server are:
1. Select the appropriate LDAP options during the server installation.
2. Alter the Directory Assistance document for the LDAP directory.
3. Configure the LDAP Directory settings in the LDAP document. You can
use either a Lotus Notes client or the Sametime Administration Tool to
configure these settings.
Selecting the appropriate LDAP options during the server installation
This procedure is the first of three associated with setting up an LDAP
connection from Sametime to an LDAP server.
During the installation and setup of the Sametime server, you must provide
information that is needed by Sametime to connect to the LDAP server. The
Sametime installation prompts you with a “Select Directory type” dialog
box. In the “Select Directory type” dialog box, you must select “LDAP
Directory” from the drop-down list. After selecting the “LDAP Directory”
option, the setup procedure prompts you for the following information:
• LDAP Server Name - Enter the fully qualified DNS name or IP address
of the LDAP server that contains the LDAP directory that Sametime will
access.
• Port Number for LDAP - Specify the TCP/IP port number on which the
LDAP server listens for LDAP connections. The default port number for
LDAP connections is port 389.
Note The Lotus Sametime 3.1 Installation Guide provides step-by-step
instructions for selecting these options during a Sametime installation. If you
did not select these options during the installation, you can either reinstall
the Sametime server and select the appropriate LDAP options during the
reinstallation or perform the procedures described in “Setting up an LDAP
connection after selecting the Domino directory during the server
installation” later in this chapter.
About selecting the LDAP directory during the server installation
When you select “LDAP Directory” as the directory type during a Sametime
installation, the installation makes the configuration changes necessary to
enable the Domino components used by Sametime to connect to the LDAP
directory. Specifically, the following occurs when you select the “LDAP
Directory” option during the Sametime installation:
• A Directory Assistance database (da.nsf) is created by the Sametime
installation on the Domino server on which Sametime resides.
A Directory Assistance document is created in this da.nsf database. This
document is configured by default to enable the Sametime server to
connect to the LDAP directory. It may be necessary to alter the “Base DN
for search” setting in the Directory Assistance document to ensure
Sametime can connect to the LDAP server. This configuration is
described in the next procedure.
• The filename da.nsf is written in the “Directory Assistance database
name” field in the Server document of the Domino server on which
Sametime is installed. This entry must exist in the Server document to
enable the Domino server to use directory assistance.
Note If a Directory Assistance database named da.nsf exists on the
Domino server at the time the Sametime server is installed, the existing
da.nsf database is overwritten with the da.nsf database created by the
Sametime installation. Also, if there is an existing entry in the “Directory
Assistance database name” field in the Server document, it is
overwritten with “da.nsf.”
Next step
After specifying the correct LDAP options during the installation, you must
alter the Directory Assistance document for the LDAP directory.
Alter the Directory Assistance document for the LDAP directory
This procedure is the second of three associated with setting up an LDAP
connection from the Sametime server to an LDAP server.
The Sametime server installation creates a Directory Assistance database
(da.nsf) on the Sametime server. This database contains a Directory
Assistance document that enables Sametime to connect to the LDAP server
to authenticate Web browser users.
You must ensure the “Base DN for search” setting in this Directory
Assistance document is set appropriately for the LDAP directory used in
your environment. To alter the “Base DN for search” setting in the Directory
Assistance document:
1. From a Lotus Notes client, open the Directory Assistance database on the
Sametime server.
• Choose File - Database - Open.
• Select the Local server.
• Select the Directory Assistance database (da.nsf).
• Click Open.
2. Double-click the name of the Directory Assistance document for the
LDAP server to open the document.
3. Click the LDAP tab.
4. In the “Base DN for Search” field, make one of the following entries. The
entry you make depends on the type of LDAP directory used in your
environment.
• Domino directory - An example value is “O=DomainName,” where
“DomainName” is the Lotus Notes domain (for example O=Acme).
• Microsoft Exchange 5.5 directory - An example value is
“CN=recipients,OU=ServerName,O=NTDomainName,” where
ServerName is the Windows server name and NTDomainName is the
Windows NT Domain (for example,
CN=recipients,OU=Acmeserver1,O=NTAcmedomain).
• The Microsoft Exchange 5.5 example above assumes that the directory
is using the default directory schema. If you have changed the schema
of the Microsoft Exchange 5.5 directory, the entry in the “Base DN for
Search” field must reflect the new schema.
• Microsoft Active Directory - An example value is “CN=users,
DC=DomainName, DC=com.”
• Netscape LDAP directory - Use the format O= followed by the
organizational unit that was specified during the Netscape server
setup. If you are uncertain about this entry, use the administrative
features of the Netscape server to determine the appropriate entry.
• IBM SecureWay directory - An example value is “DC=DomainName,
DC=com.”
5. Click Save and Close to save the Directory Assistance document.
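The Base DN values in step 4 are LDAP distinguished names, and a mistyped or inconsistently spaced value is a common reason the Sametime server fails to connect. The Python code below is an added example, not part of the guide or of the Sametime product: it parses a DN into its RDN components (handling RFC 4514 backslash and hex escapes, so a comma inside an organization name is not misread as a separator), writes it back in canonical form, and builds the Active Directory and Exchange 5.5 base DNs from their parts. The function names and all sample values are this example's own; multi-valued RDNs joined with `+` are deliberately not supported.

```python
"""Added example (not from the Sametime guide): parse, normalize and build
LDAP distinguished names such as the Base DN values listed in step 4.
Handles comma-separated RDNs with RFC 4514 backslash escapes; multi-valued
RDNs joined with '+' are not supported. All sample values are constructed."""
from string import hexdigits
from typing import List, Tuple

RDN = Tuple[str, str]
# Characters that must be escaped inside a DN attribute value (RFC 4514).
DN_SPECIAL = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """Escape an attribute value so that it can be embedded in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                       # NUL must be hex-escaped
        elif ch in DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)                    # leading '#' and edge spaces too
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN string into (TYPE, value) pairs, honouring backslash and
    \\XX hex escapes. Unescaped whitespace around '=' and ',' is ignored,
    attribute types are upper-cased, escaped edge spaces are preserved."""
    rdns: List[RDN] = []
    buf: List[Tuple[str, bool]] = []      # (character, was_escaped)
    attr = None
    i = 0

    def flush() -> str:
        start, end = 0, len(buf)
        while start < end and buf[start] == (" ", False):
            start += 1
        while end > start and buf[end - 1] == (" ", False):
            end -= 1
        text = "".join(c for c, _ in buf[start:end])
        buf.clear()
        return text

    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if i + 2 < len(dn) and dn[i + 1] in hexdigits and dn[i + 2] in hexdigits:
                buf.append((chr(int(dn[i + 1:i + 3], 16)), True))   # \2C style
                i += 3
            else:
                buf.append((dn[i + 1], True))                        # \, style
                i += 2
            continue
        if ch == "=" and attr is None:
            attr = flush().upper()
            if not attr:
                raise ValueError("empty attribute type in %r" % dn)
        elif ch == ",":
            if attr is None:
                raise ValueError("RDN without '=' in %r" % dn)
            rdns.append((attr, flush()))
            attr = None
        else:
            buf.append((ch, False))
        i += 1
    if attr is None:
        raise ValueError("DN must end with type=value: %r" % dn)
    rdns.append((attr, flush()))
    return rdns


def build_dn(rdns: List[RDN]) -> str:
    """Serialize RDNs into canonical form: no separator spaces, escaped values."""
    return ",".join("%s=%s" % (t.upper(), escape_dn_value(v)) for t, v in rdns)


def normalize_base_dn(dn: str) -> str:
    """Canonical form of a Base DN typed into the Directory Assistance document."""
    return build_dn(parse_dn(dn))


def dc_components(dns_domain: str) -> List[RDN]:
    """Map a DNS domain such as acme.com to DC=acme,DC=com."""
    return [("DC", label) for label in dns_domain.split(".") if label]


def active_directory_base_dn(dns_domain: str) -> str:
    """Base DN of the default users container in Active Directory."""
    return build_dn([("CN", "users")] + dc_components(dns_domain))


def exchange55_base_dn(server: str, nt_domain: str) -> str:
    """Base DN of the recipients container in a default Exchange 5.5 schema."""
    return build_dn([("CN", "recipients"), ("OU", server), ("O", nt_domain)])
```

`normalize_base_dn("cn=users, dc=DomainName, dc=com")` yields `CN=users,DC=DomainName,DC=com`, which is a convenient form to compare against what the LDAP server itself reports as its naming context before saving the Directory Assistance document.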
Next step
After altering the Directory Assistance document, you must configure the
LDAP Directory settings.
Configure the LDAP Directory settings
This procedure is the last of three associated with setting up an LDAP
connection from Sametime to an LDAP server.
You must configure the LDAP Directory settings on the LDAP document in
the Configuration database to ensure that the Sametime server can search
and authenticate against entries in the LDAP directory.
You can configure the LDAP Directory settings using either a Lotus Notes
client or the Sametime Administration Tool.
If you use a Notes client, you enter the LDAP Directory settings directly into
the fields in the LDAP document in the Configuration database.
If you use the Sametime Administration Tool, you complete the “LDAP
Directory” settings available from the user interface of the Sametime
Administration Tool. The administration tool writes the values to the LDAP
document in the Configuration database.
Procedures for using either the Sametime Administration Tool or the Lotus
Notes client to configure the LDAP Directory settings are included below.
Refer to the help topics for either procedure in the LDAP Directory Settings
section of this documentation for help on individual settings.
Note Configuring the LDAP Directory settings requires previous
experience with LDAP. For more information, see “LDAP knowledge
required to configure the LDAP Directory settings” later in this chapter.
Configuring LDAP Directory settings from the Sametime Administration
Tool
To configure the LDAP settings using the Sametime Administration Tool:
1. Open the Sametime Administration Tool from the “Administer the
Server” link of the Sametime server home page.
2. Select “LDAP Directory.”
The LDAP Directory options are listed below. The LDAP Directory
options contain settings that must be consistent with your LDAP
environment.
Connectivity - Includes settings that ensure the Sametime server can
connect to the LDAP server. For more information, see “Configuring the
LDAP Connectivity settings” later in this chapter.
Basics - Includes settings that ensure that the Sametime server can
search person and group entries in the LDAP directory. For more
information, see “Configuring the LDAP Basics settings” later in this
chapter.
Authentication - Includes settings that ensure that users can
authenticate against entries in an LDAP directory and provides settings
that enable you to specify home Sametime servers when Sametime
connects to an LDAP server. For more information, see “Configuring
LDAP Authentication settings” later in this chapter.
Note If you have deployed more than one Sametime server, or if you
have deployed a Sametime database (such as a TeamRoom or Discussion
database) on a Domino server, you must add a “Sametime server” field
to the Person entries in the LDAP directory and then specify the name of
this field in the Authentication settings of the Sametime Administration
Tool. For more information on this requirement, see “Setting the Home
Sametime Server setting for LDAP” later in this chapter.
Searching - Includes search filter settings that resolve searches for
person or group entries in the LDAP directory. For more information,
see “Configuring LDAP Searching settings” later in this chapter.
Group Contents - Includes settings that resolve searches for person or
group entries that are contained within another group entry. For more
information, see “Configuring LDAP Group Contents settings” later in
this chapter.
Configuring LDAP Directory settings using a Lotus Notes client
Use the instructions below to configure the LDAP Directory settings using a
Lotus Notes client.
1. Use the Lotus Notes client on the Sametime server to open the Sametime
Configuration database (stconfig.nsf) on the Sametime server.
• Choose File - Database - Open.
• Select the Local server.
• Select the Sametime Configuration database (stconfig.nsf).
• Click Open.
2. Open the LDAP document in the Configuration database that is
associated with the LDAP server. To open the LDAP document:
• In the right pane of the Configuration database, locate the LDAP
server entry in the Form Name column of the Configuration database.
• Each LDAP Server document is listed to the right and beneath the
LDAP Server entry under the Last Modified Date column. The date
represents the last time the LDAP server document was modified.
• To open an LDAP Server document, double-click the date in the Last
Modified Date column that represents the document.
• When the LDAP Server document opens, double-click the document
to put it in edit mode.
3. To configure the LDAP Directory settings, you can enter values directly
into the editable fields in the LDAP Server document.
The LDAP Directory settings that are available from the LDAP
document in the Configuration database are the same LDAP settings
that are available from the Sametime Administration Tool. However,
some LDAP Directory settings in the LDAP document are worded
differently and arranged in a different order from the LDAP Directory
settings in the Sametime Administration Tool. This documentation
assumes that the administrator is using the Sametime Administration
Tool to configure these settings. Consult the lists below to locate the
documentation in this chapter for individual LDAP Directory settings
that appear in the LDAP document of the Configuration database.
Connection settings
The Connection settings in an LDAP document in the Configuration
database include:
• Network Address of LDAP Connection - For more information, see
“Host name or IP address of the LDAP server” later in this chapter.
• Port number for LDAP Connection - For more information, see “Port”
later in this chapter.
• Login Name for LDAP Connection - For more information, see
“Administrator distinguished name and password for authenticated
binding” later in this chapter. Note that if this field is left blank, the
Sametime server binds to the LDAP server as an anonymous user.
• Password for LDAP Connection - For more information, see
“Administrator distinguished name and password for authenticated
binding” later in this chapter.
• SSL Enabled - For more information, see “Use SSL to authenticate and
encrypt the connection between the Sametime server and the LDAP
server” later in this chapter.
• SSL Port - For more information, see “Use SSL to authenticate and
encrypt the connection between the Sametime server and the LDAP
server” later in this chapter.
• Search Order - For more information, see “Position of this server in the
search order” later in this chapter.
Search Filter settings
For information on any of the Search Filter settings below, see the topic later
in this chapter that has the same name as the setting. The Search Filter
settings and the help topic for each setting are:
• “Search filter for resolving person names”
• “Search filter to use when resolving a user name to a distinguished name”
• “Search filter for resolving group names”
Search Base and Scope settings
The Base Objects settings are worded differently in the LDAP document in
the Configuration database than in the Sametime Administration Tool. The
settings and the help topics for each setting are listed below.
• Base object when searching for person entries - For more information, see “Where to start searching for people” later in this chapter.
• Base object when searching for group entries - For more information, see “Where to start searching for groups” later in this chapter.
98 Sametime 3.1 Administrator's Guide
The Scope settings are worded the same in the LDAP document in the
Configuration database as in the Sametime Administration Tool. The Scope
settings and the help topics for each setting are:
• “Scope for searching for a person”
• “Scope for searching for groups”
Schema settings
The Schema settings are worded the same in the LDAP document in the
Configuration database as in the Sametime Administration Tool. The Schema
settings and the help topic for each setting are:
• The attribute of the person entry that defines the person's name
• Attribute used to distinguish between two similar person names
• The person object class used to determine if an entry is a person
• Attribute of a person entry that defines a person's e-mail address
The Groups settings are worded the same in the LDAP document in the
Configuration database as in the Sametime Administration Tool. The Groups
settings and the help topics for each are:
• Attribute used to distinguish between two similar group names
• Attribute in the group object class that has the names of the group members
• The group object class used to determine if an entry is a group
Home server
If you have deployed more than one Sametime server, or if you have
deployed a Sametime database (such as a TeamRoom or Discussion
database) on a Domino server that does not include Sametime, you must add
a “Sametime server” field to the Person entries in the LDAP directory and
then specify the name of this field in the Home Server field in the LDAP
document in the Configuration database. For more information on this
setting, see “Setting the Home Sametime Server setting for LDAP” later in
this chapter and “Community Services connectivity and the home Sametime
server” in Chapter 5.
LDAP directory settings
The Sametime Administration Tool includes the LDAP Directory settings
that allow the administrator to configure the Sametime server to operate as a
client to an LDAP server. These settings enable the Sametime server to
search the LDAP directory on the LDAP server and authenticate Sametime
users against entries in the LDAP directory.
The LDAP Directory configuration settings are available from the Directory - LDAP Directory Settings option of the Sametime Administration Tool.
Before configuring the LDAP Directory settings, the administrator must
perform the procedures described in “Setting up the LDAP connection.”
Note The administrator must have some experience with LDAP to properly
configure the LDAP Directory settings. For more information on the LDAP
knowledge required, see “LDAP knowledge required to configure the LDAP
Directory settings” later in this chapter.
The available Sametime LDAP Directory configuration settings are:
Connectivity
The Connectivity settings enable the administrator to provide the IP address
and ports the Sametime server uses when connecting to the LDAP server,
and to specify whether the Sametime server binds to the LDAP server as an
anonymous or authenticated user. These settings also enable the Sametime
server to connect to multiple LDAP servers, and to use SSL when connecting
to the LDAP server.
Basics
The Basics settings enable the administrator to specify the basic LDAP
parameters required to conduct searches for people and group entries in an
LDAP directory. Some of these parameters are also required to display the
names of users in Sametime user interfaces. The Basics settings include
parameters that specify the level of a directory from which a search begins,
the scope of a search, and attributes of LDAP directory entries that define
person and group names.
Authentication
The Authentication settings ensure that Sametime users can be authenticated
against entries in an LDAP directory. The administrator must specify an
LDAP search filter that can resolve a name provided by a user to a
Distinguished Name (DN) in an LDAP directory.
The Authentication settings also enable the administrator to specify the field
in the LDAP directory person entries that contains the name of each user's
home Sametime server.
Note The administrator must add a field to the person entries in the LDAP
directory to hold the name of each user's home Sametime server or use an
existing field in the person entries for this purpose.
Searching
The Searching setting enables the administrator to specify the search filters
required to resolve the names of people and groups to specific entries in an
LDAP directory.
Group Contents
The Group Contents setting enables the administrator to specify the attribute
of a group entry that contains the names of group members.
Add Administrator
The Add Administrator settings are used to enable additional administrators
to access the Sametime Administration Tool.
Access Control
The Access Control settings enable the administrator to work with Access
Control Lists.
LDAP knowledge required to configure the LDAP Directory settings
Before configuring the LDAP Directory Settings for Sametime, the
administrator should have experience with the Lightweight Directory Access
Protocol (LDAP) and should be familiar with the following LDAP concepts
and procedures:
• The structure (directory tree) of the LDAP directory the Sametime server will access
• The schema of Person and Group entries in the LDAP directory
• How to construct LDAP search filters to access the attributes of Person and Group entries in the LDAP directory
Note LDAP defines a standard way to search for and manage entries in a
directory. A detailed discussion of the LDAP standard is outside the scope of
this documentation. Some Web sites that provide detailed information on
LDAP are:
• http://developer.netscape.com:80/viewsource/ldap_models/ldap_models.html
• http://developer.netscape.com/tech/directory/index.html
• http://msdn.microsoft.com (search for LDAP)
There are also many other Internet sites, Requests for Comments (RFCs), and
publications that discuss LDAP in detail.
Configuring LDAP Connectivity settings
The LDAP Connectivity settings enable the Sametime server to connect to
one or more LDAP servers. The Sametime server can be configured to search
and authenticate against one LDAP directory on each LDAP server to which
it connects.
Accessing LDAP Connectivity settings
To access the LDAP Connectivity settings, select LDAP Directory - Connectivity from the Sametime Administration Tool.
If you change a Connectivity setting, you must restart the server for the
change to take effect.
LDAP Connectivity settings
The individual Connectivity settings are listed below. Detailed information
on each setting is provided in subsequent topics. The LDAP Connectivity
settings include:
• Host name or IP address of the LDAP server
• Position of this server in the search order
• Port
• Administrator distinguished name and password for authenticated binding
• Use SSL to authenticate and encrypt the connection between the Sametime server and the LDAP server
• Adding or removing an LDAP server
Host name or IP address of the LDAP server
Use the “Host name or IP address of the LDAP server” setting to select the
IP address (or fully qualified DNS name) of the LDAP server for which you
want to change LDAP Connectivity settings. After selecting the Host name
or IP address of the LDAP server, you can change any of the LDAP
Connectivity settings listed below:
• Position of this server in the search order
• Port
• Administrator distinguished name and password for authenticated binding
• Use SSL to authenticate and encrypt the connection between the Sametime server and the LDAP server
• Adding or removing an LDAP server
Position of this server in the search order
If you have configured the Sametime server to connect to multiple LDAP
servers, use the “Position of this server in the search order” setting to specify
the order in which Sametime will connect to the LDAP servers.
Note To configure Sametime to connect to multiple servers, see “Adding or
removing an LDAP server” later in this chapter.
For example, if you select “1” for this setting, Sametime will search the
LDAP directory on the specified LDAP server before searching any other
LDAP directories available to Sametime.
Configuring the “Position of this server in the search order” setting
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Connectivity.
3. In the “Host name or IP address of the LDAP server” drop-down list,
select the name of the LDAP server for which you want to change the
search order.
4. In the “Position of this server in the search order” text box, enter the
search-order setting.
5. Click Update and restart the server for the change to take effect.
Port
Use the Port setting to specify the port over which the Sametime server
connects to the LDAP server containing the LDAP directory. Set this port to
the port number on which the LDAP server listens for TCP/IP connections.
The default port for LDAP access and recommended setting is TCP/IP port
389.
Configuring the Port setting
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Connectivity.
3. In the “Host name or IP address of the LDAP server” drop-down list,
select the name of the LDAP server for which you want to change the
LDAP connection port.
4. In the Port setting, enter the port over which the Sametime server
connects to the LDAP server. The default port number is 389.
5. Click Update and restart the server for the change to take effect.
Administrator distinguished name and password for authenticated
binding
When the Sametime server connects to the LDAP server, the Sametime
server can bind to the LDAP server as either an anonymous or authenticated
user. The “Administrator distinguished name” and “Administrator
password” settings determine whether the Sametime server binds to the
LDAP server as an anonymous or authenticated user.
Binding to the LDAP server as an anonymous user
If the “Administrator distinguished name” and “Administrator password”
settings do not contain entries, the Sametime server binds to the LDAP
server as an anonymous user.
In this case, you must ensure the LDAP server is configured appropriately
for anonymous access from a Sametime server. The LDAP server must allow
anonymous binding and allow anonymous access to the attributes of the
LDAP directory entries as described in “Required LDAP directory access”
below. Note that anonymous read access to those attributes is then
available to any client that can reach the LDAP port, not only to the
Sametime server.
Note If you are using SSL to encrypt connections between the Sametime
and LDAP servers, and you want to encrypt only the passwords transmitted
between the Sametime and LDAP servers, you must allow Sametime to bind
to the LDAP server as an anonymous user. For more information, see “Using
SSL to encrypt connections between the Sametime and LDAP servers” later
in this chapter.
Binding to the LDAP server as an authenticated user
If you want the Sametime server to bind to the LDAP server as an
authenticated user, you must enter an appropriate user name and password
in the “Administrator distinguished name” and “Administrator password”
fields. The Sametime server will transmit this user name and password to
the LDAP server when making its initial connection to the LDAP server. The
LDAP server verifies this user name and password against an entry in the
LDAP directory to authenticate the connection from the Sametime server.
Some notes about the “Administrator distinguished name” and
“Administrator password” settings are included below:
• Administrator distinguished name - Use this setting to specify the distinguished name of an LDAP directory entry that the Sametime server uses when binding to the LDAP directory.
IBM Lotus software recommends that you create a unique directory entry that is used only for the purpose of authenticating connections from the Sametime server to the LDAP server. Do not reuse a directory administrator account for this purpose: a dedicated entry can be given only the read access Sametime needs, and its password can be changed or the entry disabled without affecting other systems.
After creating the directory entry, you must ensure this directory entry has the appropriate access rights on the LDAP server. This directory entry must have at least read access to the attributes of the LDAP directory entries, and should be granted no broader rights than that. For more information on the level of LDAP directory access required for the Administrator distinguished name directory entry, see “Required LDAP directory access” below.
• Administrator password - Use this setting to specify the password associated with the “Administrator distinguished name” directory entry described above. The password is stored in the Sametime configuration and, unless SSL is enabled, is transmitted to the LDAP server in clear text on each bind; see “Use SSL to authenticate and encrypt the connection between the Sametime server and the LDAP server” later in this chapter.
Required LDAP directory access
When accessing the LDAP directory, the Sametime server must have access
to specific attributes of the LDAP directory entries. If you leave the
“Administrator distinguished name” and “Administrator password”
settings blank to allow anonymous binding to the LDAP directory, the
Sametime server must be able to access the LDAP directory entry attributes
listed below as an anonymous user.
If you place entries in the “Administrator distinguished name” and
“Administrator password” fields to enable authenticated binding to the
LDAP server, the “Administrator distinguished name” directory entry you
specify must be able to access LDAP directory entry attributes as described
below. Before restarting the Sametime server, verify the access with an
LDAP client (for example, ldapsearch) bound as that same identity and
using the same search base, scope, and filters you configured for Sametime.
For Person and Group entries, the Sametime server must have access to the
following LDAP directory attribute entries:
• ObjectClass
• Any LDAP directory entry attribute that is specified in any search filter defined in the LDAP Directory Settings in the Sametime Administration Tool (or on the LDAP document in the Configuration database on the Sametime server)
For Person entries, the Sametime server must have access to the following
attributes:
• The attribute used as the person name
• The attribute used as the person description
• The attribute used to define the home Sametime server
For Group entries, the Sametime server must have access to the following
attributes:
• The attribute used as the group name
• The attribute used as the group description (if this setting is not empty)
• The attribute used to hold names of the group's members
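A check for the two topics above (the bind settings and the required directory access), as an added example that is not code from the Sametime product or this guide: it collects every attribute referenced by the configured search filters and attribute settings into the one list the bind identity must be able to read, and classifies the bind mode from the two Connectivity fields. The filter strings, the keys of the SETTINGS dictionary, and the sametimeServer home server attribute are assumed values for the example, not product defaults.

```python
# Added example, not code from the Sametime product or this guide.  It
# builds the read-access checklist for the identity Sametime binds with
# (anonymous, or the administrator distinguished name) from the
# configured search filters and attribute settings, and classifies the
# bind mode from the two Connectivity fields.  The filter strings, the
# SETTINGS keys and the "sametimeServer" home server attribute are
# assumed values for the example, not product defaults.
import re

# Constructed LDAP Directory settings for one LDAP server.
SETTINGS = {
    "admin_dn": "cn=sametime-bind, ou=service accounts, o=acme",
    "admin_password": "s3cret",
    "person_name_attr": "cn",
    "person_description_attr": "mail",
    "home_server_attr": "sametimeServer",
    "group_name_attr": "cn",
    "group_description_attr": "",       # optional; empty means not used
    "group_members_attr": "member",
    "filters": [
        # person name resolution, user-name-to-DN, group name resolution
        "(&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))",
        "(&(objectclass=organizationalPerson)(|(mail=%s)(uid=%s)))",
        "(&(objectclass=groupOfNames)(cn=%s*))",
    ],
}

# One RFC 4515 filter item: "(attr=value)", "(attr~=...)", "(attr>=...)",
# "(attr<=...)" or the presence test "(attr=*)".  Attribute options such
# as ";binary" are dropped.  Extensible-match items (attr:rule:=value)
# and numeric OIDs are not handled by this example.
_FILTER_ITEM = re.compile(
    r"\(\s*([A-Za-z][A-Za-z0-9.-]*)(?:;[A-Za-z0-9-]+)*\s*(?:~=|>=|<=|=)")


def filter_attributes(ldap_filter):
    """Lower-cased attribute types referenced anywhere in a search filter."""
    return {m.group(1).lower() for m in _FILTER_ITEM.finditer(ldap_filter)}


def required_read_access(settings):
    """Attributes the bind identity must be able to read, following the
    guide's "Required LDAP directory access" list: objectClass, every
    attribute named in any search filter, and the configured person and
    group attributes (an empty optional setting adds nothing)."""
    needed = {"objectclass"}
    for ldap_filter in settings["filters"]:
        needed |= filter_attributes(ldap_filter)
    for key in ("person_name_attr", "person_description_attr",
                "home_server_attr", "group_name_attr",
                "group_description_attr", "group_members_attr"):
        if settings[key]:
            needed.add(settings[key].lower())
    return sorted(needed)


def bind_mode(admin_dn, admin_password):
    """How Sametime binds, given the two Connectivity fields.

    Both blank: anonymous bind.  Both set: authenticated simple bind.
    A DN with an empty password is the "unauthenticated" simple bind of
    RFC 4513 section 5.1.2; servers that accept it treat the session as
    anonymous, so that combination silently loses the authentication
    the administrator intended and is flagged here as misconfigured.
    """
    if not admin_dn and not admin_password:
        return "anonymous"
    if admin_dn and admin_password:
        return "authenticated"
    return "misconfigured"


if __name__ == "__main__":
    print("bind mode:", bind_mode(SETTINGS["admin_dn"], SETTINGS["admin_password"]))
    print("grant read access to:", ", ".join(required_read_access(SETTINGS)))
```

The output of required_read_access is the list to test against the LDAP server's access controls while bound as the same identity Sametime will use; any attribute the bind identity cannot read is one that a search filter or display setting silently depends on.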
Enabling authenticated or anonymous binding to the LDAP server
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Connectivity.
3. In the “Host name or IP address of the LDAP server” drop-down list,
select the LDAP server for which you want to enable authenticated or
anonymous binding.
4. To enable authenticated binding to the LDAP server:
• Enter a user name in the “Administrator distinguished name” field.
Note This user name must meet the requirements discussed in the
“Binding to the LDAP server as an authenticated user” and “Required
LDAP directory access” sections of this topic.
• Enter the password associated with the administrator distinguished
name in the “Administrator password” field.
To enable anonymous binding to the LDAP server, delete any entries
that appear in the “Administrator distinguished name” or
“Administrator password” fields. If these fields are blank, the Sametime
server binds to the LDAP server as an anonymous user.
If you allow anonymous binding, review the information in the “Binding
to the LDAP server as an anonymous user” and “Required LDAP
directory access” sections of this topic.
5. Click Update and restart the server for the change to take effect.
Use SSL to authenticate and encrypt the connection between the
Sametime server and the LDAP server
For tighter security, the Sametime administrator can use SSL to encrypt the
connections between the Sametime and LDAP servers.
The administrator selects the “Use SSL to authenticate and encrypt the
connections between the Sametime server and the LDAP server” setting to
encrypt the connections between the Sametime server and the LDAP server.
The administrator can choose to encrypt all data transmitted between the
Sametime and LDAP servers or to encrypt only the passwords that are
transmitted between the servers. For more information, see “Using SSL to
encrypt connections between the Sametime and LDAP servers” later in this
chapter.
If this setting is not selected, the directory information and passwords
transmitted between the Sametime and LDAP servers are not encrypted.
Adding or removing an LDAP server
Sametime can connect to multiple LDAP servers. Use the “Adding another
LDAP server” setting to enable the Sametime server to connect to a new
LDAP server. Sametime can access one LDAP directory on each LDAP
server to which it connects.
If you no longer want the Sametime server to access an LDAP server, you
can remove the LDAP server from the list of available servers.
When adding an LDAP directory server, you must also specify a position for
the server in the search order.
To remove an LDAP server
To remove the LDAP server from the list of available servers:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Connectivity.
3. In the “Host name or IP address of the LDAP server” drop-down list,
select the name of the LDAP server you want to remove.
4. Click the Remove button.
5. Restart the Sametime server.
To add a new LDAP server
To enable the Sametime server to connect to a new LDAP server, you must
perform two procedures:
1. Add the new LDAP server in the Sametime Administration Tool.
2. Create a Directory Assistance document for the new LDAP server.
Instructions for each of these procedures are included below.
Adding a new LDAP server in the Sametime Administration Tool
To add a new LDAP server in the Sametime Administration Tool:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Connectivity.
3. Below the “Adding an LDAP Server” heading, type the host name or IP
address of the new LDAP server.
4. In the Port field below the “Adding an LDAP Server” heading, specify
the port on which you want to connect to the new LDAP server.
5. Configure the LDAP Directory Settings (Connectivity, Basics,
Authentication, Searching, and Group Contents) that enable Sametime to
search and authenticate against the LDAP directory on the new LDAP
server.
6. After you have set and updated all Sametime LDAP configuration
options, restart the Sametime server.
Create a Directory Assistance document for the new LDAP server
The Directory Assistance database on the Sametime server must contain a
Directory Assistance document that enables the Sametime server to access
the LDAP server. To create the Directory Assistance document, use the
procedure described in “Create a Directory Assistance document that enables
the Sametime server to access the LDAP server” later in this chapter.
Configuring the LDAP Basics settings
The LDAP Basics settings enable the administrator to specify the basic LDAP
parameters required to conduct searches for people and group entries in an
LDAP directory. The administrator specifies one set of parameters for people
searches and a separate set of parameters for group searches.
Accessing the LDAP Basics settings
To access the LDAP Basics settings, select LDAP Directory - Basics from the
Sametime Administration Tool.
Configuring LDAP Basics settings for People
The LDAP Basics settings for People are listed below. Detailed information
on each setting is provided in subsequent topics. The LDAP Basics settings
for People are:
• Where to start searching for people
• Scope for searching for a person
• The attribute of the person entry that defines the person's name
• Attribute used to distinguish between two similar person names
• The object class used to determine if an entry is a person
• Attribute of a person entry that defines the person's e-mail address
Configuring LDAP Basics settings for Groups
The LDAP Basics settings for Groups are listed below. The LDAP Basics
settings for Groups are:
• Where to start searching for groups
• Scope for searching for groups
• Attribute used to distinguish between two similar group names
• The group object class used to determine if an entry is a group
Where to start searching for people
The Sametime client user interfaces allow a user to search for individual
users in the LDAP directory.
Use the “Where to start searching for people” setting to specify the base
object of the directory (or level of the directory) from which to start a search
for person entries in the LDAP directory.
The default setting of “” begins the search from the root of the directory.
Note Before accepting the default setting (“”), be aware that some LDAP
directory servers allow the “” value only for searching the root DSE (the
DSA-specific entry that holds the directory server's properties) and only
when the search scope is confined to “One level” below the “Where to start
searching for people” setting. Also, searching from the root of an LDAP
directory generally results in a less efficient search than specifying a
specific base object such as ou=west, o=acme, and it makes every person
entry in the directory reachable from Sametime searches rather than only
the part of the tree that holds Sametime users.
The setting you specify for the “Where to start searching for people” setting
is entirely dependent on the directory schema of the LDAP directory the
Sametime server is accessing. Example settings are:
• ou=west, o=acme
or
• o=acme
In the first example, the search for the person entry begins from the LDAP
directory base object ou=west, o=acme. In the second example, the search for
the person entry begins from the base object o=acme.
The extent of the search for person entries is further controlled by the Scope
for searching for a person setting.
Suggested values for this setting are:
• Microsoft Active Directory - cn=users, dc=domain, dc=com
• Netscape Directory - o=organizational unit (for example, the computer name)
• Microsoft Exchange 5.5 Directory - cn=Recipients, ou=computername, o=domain
• Domino Directory - Leave this setting blank.
• SecureWay Directory - dc=domain, dc=com
Configuring the “Where to start searching for people” setting
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Basics.
3. In the “Basics settings for server” drop-down list, select the LDAP server
that contains the LDAP directory for which you want to modify the
“Where to start searching for people” setting.
4. In the “Where to start searching for people” setting, enter the base object
of the LDAP directory from which to start the search for a person entry
(for example, ou=west, o=acme).
5. Click Update and restart the server for the change to take effect.
Scope for searching for a person
Use the “Scope for searching for a person” setting to specify how many
LDAP directory levels below the Where to start searching for people setting
to search when resolving a search for a person entry.
The two available settings are Recursive and One level. Recursive is the
default value.
Recursive
Type recursive to search the entire subtree of directory entries beneath the
“Where to start searching for people” setting (or the base object of the
search).
For example, assume the “Where to start searching for people” setting has
the value “ou=west, o=acme” and the “Scope for searching for a person”
setting has the value “recursive.”
Now assume the user searches on the name “John Smith.” The search begins
at the ou=west, o=acme directory level and searches the entire subtree of the
directory beneath that level.
Such a search might return the following names, depending on the
organization of the directory:
• cn=John Smith, ou=managers, ou=marketing, ou=west, o=acme
• cn=John Smith, ou=engineering, ou=west, o=acme
• cn=John Smith, ou=west, o=acme
The search would fail to turn up the following directory entries because the
“Where to start searching for people” setting in this example begins the
search at the ou=west, o=acme level of the directory:
• cn=John Smith, o=acme
• cn=John Smith, ou=engineering, ou=east, o=acme
Note The Search filter for resolving person names setting provides the
search filter that resolves the user's input (John Smith) to a specific person
entry in the LDAP directory.
One level
Type one level to search only the level immediately below the “Where to
start searching for people” setting.
For example, assume the “Where to start searching for people” setting has
the value ou=west, o=acme and the “Scope for searching for a person”
setting has the value “one level.”
Now assume the user searches on the name “John Smith.” The search begins
at the ou=west, o=acme level and searches only one directory level beneath
that level.
Such a search might return the following names, depending on the
organization of the directory:
• cn=John Smith, ou=west, o=acme
• cn=John Smithson, ou=west, o=acme
The search would fail to find the following directory entries because the
entries are more than one level below the “Where to start searching for
people” setting or are not found beneath the “Where to start searching for
people” setting:
• cn=John Smith, ou=marketing, ou=west, o=acme
• cn=John Smith, ou=engineering, ou=east, o=acme
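The base-object and scope rules illustrated by the two John Smith examples above, carried through as an added example that is not code from the Sametime product or this guide. It applies the “Where to start searching for people” base and the recursive or one-level scope to a constructed directory of DNs, and goes slightly beyond the text by also handling the root (“”) base and a backslash-escaped comma inside a DN value. The parse_dn, in_scope and search_people names and the sample directory are assumptions of the example; the prefix match on cn stands in for the search filter, which is configured separately.

```python
# Added example, not code from the Sametime product or this guide.  It
# models how the "Where to start searching for people" base object and
# the "Scope for searching for a person" setting ("recursive" or
# "one level") decide which entries a person search can reach.  The
# directory below is constructed to match the John Smith examples.

DIRECTORY = [
    "cn=John Smith, ou=managers, ou=marketing, ou=west, o=acme",
    "cn=John Smith, ou=engineering, ou=west, o=acme",
    "cn=John Smith, ou=west, o=acme",
    "cn=John Smithson, ou=west, o=acme",
    "cn=John Smith, o=acme",
    "cn=John Smith, ou=engineering, ou=east, o=acme",
    "cn=Jane Doe, ou=west, o=acme",
]


def parse_dn(dn):
    """Split a DN into normalized RDN strings, most specific first.

    Covers the simple comma-separated DNs used in the guide.  Spaces
    around commas are ignored, a backslash-escaped comma stays inside
    its value, and both attribute type and value are lower-cased
    because cn, ou and o use case-insensitive matching rules.
    The empty string (the directory root) parses to [].
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    out = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def in_scope(entry_dn, base_dn, scope):
    """True if a search rooted at base_dn with the given scope reaches
    entry_dn.  "recursive" covers the whole subtree beneath the base;
    "one level" covers only entries directly beneath it.  The base
    object itself is never returned in either mode."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 1 or (base and entry[-len(base):] != base):
        return False
    if scope == "recursive":
        return True
    if scope == "one level":
        return depth == 1
    raise ValueError(f"unknown scope: {scope!r}")


def search_people(directory, base_dn, scope, name, name_attr="cn"):
    """Base and scope first, then a prefix match on the name attribute,
    which is the kind of match the guide's examples imply (a search for
    "John Smith" also returns "John Smithson")."""
    wanted = f"{name_attr.lower()}={name.lower()}"
    return [dn for dn in directory
            if in_scope(dn, base_dn, scope) and parse_dn(dn)[0].startswith(wanted)]


if __name__ == "__main__":
    for base, scope in [("ou=west, o=acme", "recursive"),
                        ("ou=west, o=acme", "one level"),
                        ("", "recursive")]:
        print(f"base={base!r} scope={scope}")
        for dn in search_people(DIRECTORY, base, scope, "John Smith"):
            print("   ", dn)
```

Running the block with the root base shows why the guide warns against the default “”: with a recursive scope every John Smith in the whole tree is returned, including those in ou=east and directly under o=acme.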
To configure the “Scope for searching for a person” setting
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Basics.
3. In the “Basics settings for server” drop-down list, select the LDAP server
that contains the LDAP directory for which you want to set the “Scope
for searching for a person” setting.
4. In the “Scope for searching for a person” setting, type recursive or one
level. Recursive is the default setting.
5. Click Update and restart the server for the change to take effect.
The attribute of the person entry that defines the person's name
The “The attribute of the person entry that defines the person's name”
setting specifies the attribute of an LDAP directory person entry that is used
to display a user's name in the Sametime end-user interfaces (as the result of
a search or in a privacy or presence list).
The value of this setting can be any attribute of the LDAP directory person
entry, such as cn (common name), sn (surname), givenname, or mail (e-mail
address).
For example, consider an LDAP person entry containing the following
attributes:
• cn - James Lock
• givenname - James
• sn - Lock
• mail - [email protected]
In this example, if the “The attribute of the person entry that defines the
person's name” setting is “cn,” the search result displays the user's name as
James Lock. If the “The attribute of the person entry that defines the person's
name” setting is mail, the user's name displays as [email protected]
The suggested value for Microsoft Exchange 5.5 Directory, Microsoft Active
Directory, Netscape Directory, Domino Directory servers, and SecureWay
servers is “cn.”
To configure the “The attribute of the person entry that defines the
person's name” setting
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Basics.
3. In the “Basics settings for server” drop-down list, select the LDAP server
that contains the LDAP directory for which you want to modify the “The
attribute of the person entry that defines the person's name” setting.
4. In the “The attribute of the person entry that defines the person's name”
setting, enter the appropriate attribute.
5. Click Update and restart the server for the change to take effect.
Attribute used to distinguish between two similar person names
Use the “Attribute used to distinguish between two similar person names”
setting to specify the attribute of a person entry that is used to differentiate
between two users whose name attribute (for example, cn) has the same value.
This setting can specify any attribute of a person entry that can differentiate
one person from another person that has the same name. An example value
for this setting is the mail attribute. The mail attribute contains the e-mail
address of an LDAP directory person entry.
To illustrate, assume that a search on the name John Smith returns two
person entries with the common name (cn) John Smith. Since the two John
Smiths will have different e-mail addresses, the mail attribute can be
displayed to enable the user to determine which John Smith is the correct
one.
Suggested values for this setting are:
• Microsoft Exchange 5.5 Directory, Netscape Directory, Domino Directory, SecureWay Directory: mail
• Microsoft Active Directory: userPrincipalName
To configure the “Attribute used to distinguish between two similar
person names” setting
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Basics.
3. In the “Basics settings for server” drop-down list, select the LDAP server
that contains the LDAP directory for which you want to modify the
“Attribute used to distinguish between two similar person names”
setting.
4. In the “Attribute used to distinguish between two similar person names”
setting, enter the appropriate attribute.
5. Click Update and restart the server for the change to take effect.
The object class used to determine if an entry is a person
In some situations, Sametime must determine whether an entry returned by a
search is a person entry or a group entry. Use the “The object class used to
determine if an entry is a person” setting to specify the objectClass value
that identifies a directory entry as a person.
Sametime assumes that person entries carry an object class that group
entries do not. Sametime compares the object class name specified in this
setting with the objectClass values of each entry to decide whether the
entry is a person or a group. Because the comparison reads the entry's
objectClass attribute, the identity Sametime binds with must be able to
read that attribute (see “Required LDAP directory access” earlier in this
chapter).
Enter the object class used for people in the LDAP schema of the LDAP
directory in your environment.
The suggested value for Microsoft Exchange 5.5 Directory, Microsoft Active
Directory, Netscape Directory, Domino Directory, and SecureWay Directory
is “organizationalPerson.”
To change this setting
To set the “The object class used to determine if an entry is a person” setting:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Basics.
3. In the “Basics settings for server” drop-down list, select the LDAP server
that contains the LDAP directory for which you want to modify the “The
object class used to determine if an entry is a person” setting.
4. In the “The object class used to determine if an entry is a person” setting,
enter the objectclass value that identifies a directory entry as a person
(for example, “organizationalPerson”).
5. Click Update and restart the server for the change to take effect.
Attribute of a person entry that defines a person's e-mail address
Use the “Attribute of a person entry that defines a person's e-mail address”
setting to specify the attribute of a person entry that contains the user's
e-mail address.
This setting is required by components of the Sametime server that use the
Session Initiation Protocol (SIP), such as the SIP Gateway. SIP entities are
identified by their e-mail addresses.
Suggested values for this setting are:
• Microsoft Exchange 5.5 Directory, Netscape Directory, Domino Directory,
SecureWay Directory: mail
• Microsoft Active Directory: userPrincipalName (the attribute name has no
spaces in the Active Directory schema)
To configure the “Attribute of a person entry that defines a person's
e-mail address” setting
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Basics.
3. In the “Basics settings for server” drop-down list, select the LDAP server
that contains the LDAP directory for which you want to modify the
“Attribute of a person entry that defines a person's e-mail address”
setting.
4. In the “Attribute of a person entry that defines a person's e-mail
address” setting, enter the appropriate attribute.
5. Click Update and restart the server for the change to take effect.
Where to start searching for groups
The Sametime client user interfaces allow a user to search for groups in the
LDAP directory.
Use the “Where to start searching for groups” setting to specify the base
object of the directory (or level of the directory) from which to start a search
for group entries in the LDAP directory.
The default setting of “” begins the search from the root of the directory.
Note Before accepting the default setting (“”), be aware that some LDAP
Directory servers allow the “” value only for searching the LDAP directory
root DSE (Directory Server Entry, or entry with directory server properties)
and only when the search scope is confined to “One level” below the “Where
to start searching for groups” setting. Also, searching from the root of an
LDAP directory generally results in a less efficient search than setting a
specific base object (such as ou=west, o=acme) for the search.
The setting you specify in the “Where to start searching for groups” setting is
entirely dependent on the directory schema of the LDAP directory in your
environment. Example settings are:
• ou=west, o=acme
or
• o=acme
In the first example, the search for the group entry begins from the LDAP
directory base object ou=west, o=acme. In the second example, the search for
the group entry begins from the base object o=acme.
The extent of the search for group entries is further controlled by the Scope
for searching for groups setting.
Suggested values for this setting are:
• Microsoft Active Directory - cn=users, dc=domain, dc=com
• Netscape Directory - o=organizational unit/(i.e. computer name)
• Microsoft Exchange 5.5 Directory - cn=Recipients, ou=computername,
o=domain
• Domino Directory - Leave this setting blank.
• SecureWay Directory - dc=domain, dc=com
To configure the “Where to start searching for groups” setting
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Basics.
3. In the “Basics settings for server” drop-down list, select the LDAP server
that contains the LDAP directory for which you want to modify the
“Where to start searching for groups” setting.
4. In the “Where to start searching for groups” setting, enter the base object
of the LDAP directory from which to start the search for a group entry
(for example, ou=west, o=acme).
5. Click Update and restart the server for the change to take effect.
Scope for searching for groups
Use the “Scope for searching for groups” setting to specify how many levels
below the “Where to start searching for groups” setting to search when
resolving a search for a group entry in the LDAP directory.
The two available settings are Recursive and One level. Recursive is the
default value.
Recursive
Type recursive to search the entire subtree of directory entries beneath the
“Where to start searching for groups” setting.
For example, assume the “Where to start searching for groups” setting has
the value ou=west, o=acme, and the “Scope for searching for groups” setting
has the value “recursive.”
Now assume the user searches on the name “Marketing.” The search begins
at the ou=west, o=acme level and searches the entire subtree of the directory
beneath that level. Such a search might return the following group names,
depending on the organization of the directory:
• cn=Marketing, ou=Los Angeles, ou=west, o=acme
• cn=Marketing, ou=San Diego, ou=west, o=acme
• cn=Marketing, ou=west, o=acme
The search would fail to turn up directory entries such as:
• cn=Marketing, o=acme
• cn=Marketing, ou=Pittsburgh, ou=east, o=acme
Note The Search filter for resolving group names setting provides the
search filter that resolves the user's input (Marketing) to a specific group
entry in the LDAP directory.
One level
Type one level to search only the level of directory entries immediately
below the “Where to start searching for groups” setting.
For example, assume the “Where to start searching for groups” setting has
the value ou=west, o=acme, and the “Scope for searching for groups” setting
has the value “one level.”
Now assume the user searches on the name Marketing. The search begins at
the ou=west, o=acme level and searches only one level beneath that level.
Such a search might locate a group entry such as:
• cn=Marketing, ou=west, o=acme
The search would fail to turn up a directory entry such as:
• cn=Marketing, ou=Los Angeles, ou=west, o=acme
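The following is an added example, not code from the Sametime product or
from this guide. It models how the “Where to start searching for groups”
base object and the “Scope for searching for groups” setting select entries,
using the Marketing DNs from the two examples above, so that the difference
between a recursive and a one-level search can be checked offline. The DN
handling is deliberately simplified (it splits on commas and ignores escaped
commas and multi-valued RDNs, which these examples do not use), and the
cn=Sales entry is added only as a non-matching neighbour.

```python
"""Base DN and scope for group searches (added example, not Sametime code).

DN parsing here is simplified: it splits on commas and ignores escaped
commas and multi-valued RDNs, which the guide's examples do not use.
"""

def parse_dn(dn):
    """RDNs of a DN, leaf first, as (attribute, value) pairs normalized to
    lower case; "" (the directory root) parses to an empty list."""
    dn = dn.strip()
    if not dn:
        return []
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_scope(entry_dn, base_dn, scope):
    """True if a search at base_dn with the given scope would see entry_dn.
    "recursive" covers the whole subtree under the base (LDAP's subtree
    scope also includes the base object itself); "one level" covers only
    the entries immediately below the base."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or (base and entry[-len(base):] != base):
        return False                 # not under the base object at all
    depth = len(entry) - len(base)   # 0 is the base object itself
    if scope == "recursive":
        return depth >= 0
    if scope == "one level":
        return depth == 1
    raise ValueError("scope must be 'recursive' or 'one level'")

# Constructed group entries using the DNs from the guide's examples;
# cn=Sales is an added neighbour that no Marketing search should return.
GROUP_DNS = [
    "cn=Marketing, ou=Los Angeles, ou=west, o=acme",
    "cn=Marketing, ou=San Diego, ou=west, o=acme",
    "cn=Marketing, ou=west, o=acme",
    "cn=Marketing, o=acme",
    "cn=Marketing, ou=Pittsburgh, ou=east, o=acme",
    "cn=Sales, ou=west, o=acme",
]

def find_groups(name, base_dn, scope, dns=GROUP_DNS):
    """Entries whose cn begins with name (the default group filter is a
    prefix match) and that lie within the configured base and scope."""
    prefix = name.lower()
    hits = []
    for dn in dns:
        attr, value = parse_dn(dn)[0]
        if attr == "cn" and value.startswith(prefix) and in_scope(dn, base_dn, scope):
            hits.append(dn)
    return hits
```

With the base set to ou=west, o=acme, find_groups("Marketing", ..., "recursive")
returns the three west-region entries and "one level" returns only
cn=Marketing, ou=west, o=acme, as the text describes. With the base left at
“”, a one-level search returns nothing at all here, because every group sits
at least two levels below the root; that is the practical side of the Note
about the root DSE above.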
To configure the “Scope for searching for groups” setting
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Basics.
3. In the “Basics settings for server” drop-down list, select the LDAP server
that contains the LDAP directory for which you want to modify the
“Scope for searching for groups” setting.
4. In the “Scope for searching for groups” setting, type recursive or one
level. Recursive is the default setting.
5. Click Update and restart the server for the change to take effect.
Attribute used to distinguish between two similar group names
Use the “Attribute used to distinguish between two similar group names”
setting to specify the attribute of a group entry that is used to differentiate
between two groups that have the same common name (cn) attribute.
An example of a value for this setting is the “info” attribute of an LDAP
group entry. In many LDAP directories, the “info” attribute contains
descriptive information about a group.
For example, assume that a search on the name “Marketing” returns two
group entries with the common name Marketing. The information contained
in the info attribute (such as “West region” or “East region”) of the group
entry can be used to distinguish between the two groups.
Suggested values for this setting are:
• Microsoft Exchange 5.5 Directory - info
• Netscape Directory, Domino Directory, Microsoft Active Directory,
SecureWay Directory - description
To configure the “Attribute used to distinguish between two similar
group names” setting
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Basics.
3. In the “Basics settings for server” drop-down list, select the LDAP server
that contains the LDAP directory for which you want to modify the
“Attribute used to distinguish between two similar group names”
setting.
4. In the “Attribute used to distinguish between two similar group names”
setting, enter the appropriate attribute.
5. Click Update and restart the server for the change to take effect.
The group object class used to determine if an entry is a group
In some situations, Sametime must determine whether a directory entry
returned by a search is a person or group entry. Use the “The group object
class used to determine if an entry is a group” setting to specify the attribute
of a directory entry that identifies the entry as a group.
Sametime assumes that groups are represented by entries with a unique
objectclass. Sametime compares the name of the objectclass specified in this
setting to the objectclass values of each entry to decide whether the entry is a
group or a person.
Enter the objectclass attribute used for groups in the LDAP schema of the
LDAP directory in your environment.
Suggested values for the setting are:
• Microsoft Active Directory - group
• Netscape Directory - groupOfUniqueNames
• Microsoft Exchange 5.5 and Domino Directories - groupOfNames
• SecureWay Directory - groupOfUniqueNames
To change “The group object class used to determine if an entry is a
group” setting
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Basics.
3. In the “Basic settings for server” drop-down list, select the LDAP server
that contains the LDAP directory for which you want to modify the “The
group object class used to determine if an entry is a group” setting.
4. In the “The group object class used to determine if an entry is a group”
setting, enter the objectclass value that identifies a directory entry as a
group (for example, “groupOfNames” or “groupOfUniqueNames”).
5. Click Update and restart the server for the change to take effect.
Configuring LDAP Authentication settings
The LDAP Authentication settings are listed below. Detailed information on
each setting is provided in subsequent topics. The LDAP Authentication
settings are:
• Search filter to use when resolving a user name to a distinguished name
• Home Sametime Server
Search filter to use when resolving a user name to a distinguished
name
To authenticate a user, Sametime must know the Distinguished Name (DN)
of the user's person entry in the LDAP directory. The “Search filter to use
when resolving a user name to a distinguished name” resolves the name (or
text string) provided by a user to a DN for authentication purposes.
To illustrate, consider the following default search filter, in which “%s”
is replaced by the string the user provides when logging in:
(&(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s*)))
Note You can find detailed information on the syntax and formatting of
search filters at the following Web site:
http://developer.netscape.com/docs/manuals/directory/41/ag/find.htm#1046960
The default search filter above first restricts the search to entries of the
type (or objectclass) organizationalPerson. Among those entries, it selects
any whose common name (cn), given name, or surname (sn) attribute exactly
matches the string the user provided, or whose mail attribute begins with
that string (the trailing “*” in mail=%s* is a wildcard). If the search
locates a person entry that matches, the Sametime server uses the DN of
that entry when authenticating the user. Because the login name must
resolve to a single DN, the attributes used in this filter should hold
values that belong to only one person entry in the directory.
The specific search filter used for this setting must be based on the schema of
the LDAP directory the Sametime server is accessing.
The default value is the suggested value for Microsoft Exchange 5.5,
Microsoft Active Directory, Netscape Directory, Domino Directory, and
SecureWay Directory servers.
Note In some cases, for Microsoft Active Directory it may be necessary to
substitute (userPrincipalName=%s*) for (mail=%s*) in the default search
filter shown above.
To configure the “Search filter to use when resolving a user name to a
distinguished name” setting
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Authentication.
3. In the “Authentication for server” drop-down list, select the LDAP
server that contains the LDAP directory for which you want to modify
the “Search filter to use when resolving a user name to a distinguished
name” setting.
4. In the “Search filter to use when resolving a user name to a
distinguished name” setting, enter the search filter appropriate for the
LDAP directory schema.
5. Click Update and restart the server for the change to take effect.
Setting the Home Sametime Server setting for LDAP
The home Sametime server is the Sametime server on which the preferences
and data of a Community Services user are saved. Users connect to the home
Sametime server for presence and chat functionality. If you have installed
multiple Sametime servers, each user's person entry in an LDAP directory
must contain a field in which a user's home Sametime server can be
specified.
Note For more information on the purpose of the home Sametime server,
see “Community Services connectivity and the home Sametime server” in
Chapter 5.
To support the Home Sametime Server setting requirement in an LDAP
environment, the administrator must do one of the following:
•
Manually add a field to the LDAP directory to hold the name of each
user's home Sametime server. This added field must appear in the
person entry of every Sametime user in the LDAP directory.
•
Use a field that already exists in the person entries of each Sametime
user (such as the e-mail address) for this purpose.
Use the LDAP Home Sametime Server setting in the Sametime
Administration Tool to enter the name of the field that holds the name of
each user's home Sametime server. This entry can specify the name of a
field that the administrator has added to the LDAP directory or the name
of an existing field in the LDAP directory person entries that the
administrator chooses for this purpose.
To set the home Sametime server setting for LDAP
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Authentication.
3. In the “Authentication for server” drop-down list, select the appropriate
LDAP server.
4. In the “Home Sametime server” setting, enter the name of the field in
each user's LDAP person entry that contains the name of the user's home
Sametime server.
5. Click Update and restart the server for the change to take effect.
After the administrator has added the home “Sametime server” field to the
person entries in the LDAP directory, and specified the name of this field in
the LDAP Directory - Authentication settings of the Sametime
Administration Tool, the administrator must populate the home “Sametime
server” field in each person entry in the LDAP directory.
For each person entry in the LDAP directory, enter the name of a Sametime
server in the home “Sametime server” field. Use the full canonical name of
the Sametime server (for example,
cn=sametime.acme.com/ou=west/o=acme) when entering the server name
in the “Sametime server” field in the LDAP directory.
Note The server name in the LDAP directory is matched to the server name
in the Servers view ($Servers) of the Domino Directory. The name entered in
the “Sametime server” field in the person entries of the LDAP directory
should match the name of the Sametime server as it appears in the Servers
view of the Domino Directory.
The user connects to this server for presence and chat functionality. You
should try to assign an equal number of users to each Sametime server to
spread the load evenly among multiple servers. For more information about
working with multiple Sametime servers, see “Advantages of using multiple
Sametime servers” in Chapter 14.
Configuring the LDAP Searching setting
The LDAP Searching settings are listed below. Detailed information on these
settings is provided in subsequent topics. The LDAP Searching settings are:
• Search filter for resolving person names
• Search filter for resolving group names
Search filter for resolving person names
To search for a user name, a Sametime end user enters a text string in the
user interface of a Sametime client. The "Search filter for resolving person
names" setting defines the LDAP search filter responsible for selecting a user name
from the LDAP directory. This search filter matches the text string provided by the
user to information contained within the attributes of LDAP directory person entries.
To illustrate, consider the following default search filter in which the value
“%s” represents the text string provided by the user:
(&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s)(sn=%s)(mail=%s*)))
Note You can find detailed information on the syntax and formatting of
search filters at the following Web site:
http://developer.netscape.com/docs/manuals/directory/41/ag/find.htm#1046960
The default search filter first looks for entries whose type (or object class) is
organizationalPerson. The search filter then looks for a prefix match (%s*) with
an entry's common name, a complete match with an entry's given name or
surname attribute, or a prefix match with the entry's mail attribute.
Using the default search filter, a search on the person name “James” might
return the following directory entries (provided that each directory entry is
of the objectclass organizationalPerson).
• Jameson Sanders
• James Lock
• James Clark
• Henry James
Note The “Where to start searching for people” and “Scope for searching
for a person” settings in the Basics - People settings of the Sametime
Administration Tool define the level of the directory tree from which the
search begins and how much of the directory is searched.
The suggested value for this setting for Microsoft Exchange 5.5, Microsoft
Active Directory, Netscape Directory, Domino Directory, and SecureWay
Directory servers is:
(&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s*)(sn=%s*)(mail=%s*)))
Note In some cases, Microsoft Active Directory may require you to
substitute (userPrincipalName=%s*) for (mail=%s*) in the search filter
shown above.
To configure the “Search filter for resolving person names” setting
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Searching.
3. In the “Search settings for server” drop-down list, select the LDAP
server that contains the LDAP directory for which you want to modify
the “Search filter for resolving person names” setting.
4. In the “Search filter for resolving person names” setting, enter the search
filter appropriate for the LDAP directory schema.
5. Click Update and restart the server for the change to take effect.
Search filter for resolving group names
To search for a group name, a Sametime end user enters a text string in the
user interface of a Sametime client. The “Search filter for resolving group
names” defines the LDAP search filter responsible for selecting the group
name from an LDAP directory. This search filter matches the text string
provided by the user to values listed for the attributes of the LDAP directory
group entries.
To illustrate, consider the following default search filter in which the value
“%s” is substituted for the text string supplied by the user:
(&(objectclass=groupOfNames)(cn=%s*))
Note You can find detailed information on the syntax and formatting of
search filters at the following Web site:
http://developer.netscape.com/docs/manuals/directory/41/ag/find.htm#1046960
The default search filter first looks for directory entries of the type (or object
class) groupOfNames. The search filter then looks for a prefix match (%s*)
with the common name (cn) attribute of the groupOfNames entries.
Using the search filter above, a search on the name “Market” might return
the following group entries from the directory (provided that each entry also
has the groupOfNames objectclass attribute):
• Marketing
• Marketers
• Markets
Note The “Where to start searching for groups” and “Scope for searching
for groups” settings in the Basics - Groups settings of the Sametime
Administration Tool define the level of the directory tree from which the
search begins and how much of the directory is searched.
The search filter used for resolving group names must be based on the
schema of your LDAP directory. The suggested value for Microsoft
Exchange 5.5 and Domino directory servers is the default value discussed
above.
The other suggested values for this setting are:
• Microsoft Active Directory:
(&(objectclass=group)(cn=%s*))
• Netscape Directory and SecureWay Directory:
(&(objectclass=groupOfUniqueNames)(cn=%s*))
To configure the “Search filter for resolving group names” setting
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Searching.
3. In the “Search settings for server” drop-down list, select the LDAP
server that contains the LDAP directory for which you want to modify
the “Search filter for resolving group names” setting.
4. In the “Search filter for resolving group names” setting, enter the search
filter appropriate for the LDAP directory schema.
5. Click Update and restart the server for the change to take effect.
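The three default filters on this page (the authentication filter under
“Search filter to use when resolving a user name to a distinguished name”,
the person-search filter, and the group-search filter just described) all
work by substituting the user's text for %s. The following is an added
example, not code from the Sametime product or from this guide: a small
RFC 4515 filter parser and evaluator run over entries constructed from the
guide's own example names (the e-mail addresses are made up), so the effect
of each default filter can be checked offline, including what happens when
the substituted text contains a filter metacharacter such as “*”. The guide
does not say how Sametime escapes the substituted string; this example
escapes it as RFC 4515 requires, and is_valid_filter catches an unbalanced
filter before it is pasted into the setting.

```python
"""LDAP filter substitution (added example, not Sametime code).

A small RFC 4515 filter parser and evaluator, run over constructed entries,
so the effect of the guide's default filters can be checked offline. Value
matching is case-insensitive, as it is for cn, sn, givenName and mail.
"""
import re

# Default filters quoted in the guide; %s is replaced by what the user typed.
AUTH_FILTER = "(&(objectclass=organizationalPerson)(|(cn=%s)(givenname=%s)(sn=%s)(mail=%s*)))"
PERSON_SEARCH_FILTER = "(&(objectclass=organizationalPerson)(|(cn=%s*)(givenname=%s)(sn=%s)(mail=%s*)))"
GROUP_SEARCH_FILTER = "(&(objectclass=groupOfNames)(cn=%s*))"

def ldap_escape(value):
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\xx hex codes."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(template, user_input, escape=True):
    """Substitute %s; escape=False shows what an unescaped substitution does."""
    return template.replace("%s", ldap_escape(user_input) if escape else user_input)

def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError("expected %r at offset %d" % (ch, i))
    return i + 1

def _parse(s, i):
    i = _expect(s, i, "(")
    if i < len(s) and s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _expect(s, i, ")")
    if i < len(s) and s[i] == "!":
        kid, i = _parse(s, i + 1)
        return ("!", [kid]), _expect(s, i, ")")
    j = s.find(")", i)          # an escaped value never contains a raw ')'
    if j < 0:
        raise ValueError("unterminated item at offset %d" % i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1

def parse_filter(text):
    """Parse a filter into nested tuples; raises ValueError if unbalanced."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing text after filter at offset %d" % end)
    return node

def is_valid_filter(text):
    """Syntax check for a filter before it goes into the setting."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False

def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

def _value_matches(pattern, actual):
    # Split on raw '*' (wildcards) before unescaping, so an escaped \2a stays literal.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None

def evaluate(node, entry):
    """True if the entry (lowercase attribute -> list of values) matches."""
    if node[0] == "&":
        return all(evaluate(k, entry) for k in node[1])
    if node[0] == "|":
        return any(evaluate(k, entry) for k in node[1])
    if node[0] == "!":
        return not evaluate(node[1][0], entry)
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))

def person(cn, given, sn, mail):
    return {"objectclass": ["top", "person", "organizationalPerson"],
            "cn": [cn], "givenname": [given], "sn": [sn], "mail": [mail]}

def group(cn):
    return {"objectclass": ["top", "groupOfNames"], "cn": [cn], "member": []}

# Constructed directory: names from the guide's examples, made-up addresses.
DIRECTORY = [
    person("Jameson Sanders", "Jameson", "Sanders", "jsanders@acme.com"),
    person("James Lock", "James", "Lock", "jlock@acme.com"),
    person("James Clark", "James", "Clark", "jclark@acme.com"),
    person("Henry James", "Henry", "James", "hjames@acme.com"),
    group("Marketing"), group("Marketers"), group("Markets"), group("Sales"),
]

def search(template, user_input, entries=DIRECTORY, escape=True):
    """Return the cn of every entry the substituted filter selects."""
    node = parse_filter(build_filter(template, user_input, escape))
    return [e["cn"][0] for e in entries if evaluate(node, e)]
```

search(PERSON_SEARCH_FILTER, "James") returns the four people listed in the
text, and search(GROUP_SEARCH_FILTER, "Market") returns Marketing,
Marketers and Markets. search(AUTH_FILTER, "James") returns three person
entries, which is why the attributes in the authentication filter should
identify a single person; "James Lock" resolves to one DN. With the input
"*", the escaped filter matches nothing, while build_filter(..., escape=False)
turns (cn=%s) into (cn=*) and matches every person entry, which is the
behaviour to rule out when checking how the login string reaches the filter.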
Configuring the LDAP Group Contents setting
The LDAP Group Contents setting is listed below. Detailed information on
this setting is provided in a subsequent topic. The LDAP Group Contents
setting is:
• Attribute in the group object class that has the names of the group
members
Attribute in the group object class that has the names of the group
members
If an end user adds a group to a presence list, privacy list, or a list that
restricts meeting attendance, Sametime must obtain the list of members
within the group so that individual members of the group can be displayed.
The “Attribute in the group object class that has the names of the group
members” setting defines the attribute within an LDAP directory group
entry that holds the names of all members of the group.
Suggested values for this setting are:
• Microsoft Active Directory, Microsoft Exchange 5.5 Directory, and
Domino Directory: member
• Netscape Directory and IBM Secureway Directory: UniqueMember
This setting assumes that the LDAP directory schema uses a single directory
entry to represent a group, and that names of group members are held in
one attribute that contains multiple values. This assumption is true for
Microsoft Exchange 5.5, Microsoft Active Directory, Netscape Directory, and
Domino 5 environments.
To configure the “Attribute in the group object class that has the names of
the group members” setting
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Group Contents.
3. In the “Settings for determining the content of groups for server”
drop-down list, select the LDAP server that contains the LDAP directory
for which you want to modify the “Attribute in the group object class
that has the names of the group members” setting.
4. In the “Attribute in the group object class that has the names of the
group members” setting, enter the appropriate group entry attribute.
5. Click Update and restart the server for the change to take effect.
Using SSL to encrypt connections between the Sametime and LDAP
servers
When Sametime is configured to connect to an LDAP server, the Sametime
server makes five separate connections to the LDAP server. Sametime makes
a separate connection to the LDAP server to perform each of these five tasks:
• Authenticate users
• Resolve a user name to a distinguished name as part of the login
procedure
• Resolve user and group names (for example, as a response to an “Add
Person or Group” request from a Sametime Connect client)
• Browse the directory
• Get the content of public groups
The Sametime and LDAP servers exchange directory information, including
user names and passwords, over these connections. To ensure this
information is secure, the administrator can use SSL to encrypt the data that
passes over these connections. The administrator should consider the level of
protection required before enabling SSL. Using SSL to encrypt these
connections can slow the server performance. The administrator has the
following options when using SSL to encrypt the data transmitted between
the Sametime and LDAP servers:
• Encrypt all data - This option encrypts all directory information (both
user names and passwords) that is transmitted between the Sametime
server and the LDAP server. If you encrypt all data, all five connections
between the Sametime server and LDAP server are encrypted with SSL.
This option provides the most security but also has the greatest effect on
server performance.
• Encrypt only user passwords - This option encrypts passwords but not
other directory information (such as user names) passing over the
connections between the Sametime and LDAP servers. If you encrypt
only user passwords, only the “authenticating users” connection
between the Sametime server and the LDAP server is encrypted with
SSL. This option provides an intermediate level of security and has less
effect on server performance than encrypting all of the data.
• Encrypt no data - This option allows all directory information and
passwords to pass unencrypted between the Sametime and LDAP
servers. This option does not affect server performance and should be
used only if the administrator is certain that no unauthorized user can
intercept information transmitted over the connections between the
Sametime and LDAP servers.
Using SSL to encrypt all data transmitted between the Sametime and
LDAP servers
The administrator can use SSL to authenticate and encrypt all data passing
over all five connections between the Sametime and LDAP servers.
Encrypting all data passing between the Sametime and LDAP servers
provides the highest level of security but can slow the performance of the
Sametime server.
Encrypting all data transmitted between the Sametime and LDAP servers
involves three basic procedures:
• Enabling the “Use SSL to authenticate and encrypt the connection
between the Sametime and the LDAP server” setting in the Sametime
Administration Tool.
• Modifying the Directory Assistance document of the LDAP server to
encrypt the connection between the servers.
• Ensuring that the Sametime server trusts the certificate of the LDAP
server.
To encrypt all data passing between the Sametime and LDAP servers, follow
the steps below.
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Connectivity.
3. In the “Host name or IP address of the LDAP server” drop-down list,
select the name of the LDAP server to which you want to connect using
SSL.
4. Select the “Use SSL to authenticate and encrypt the connection between
the Sametime server and the LDAP server” option.
5. In the “LDAP SSL port” field, specify the port on which the LDAP server
is listening for SSL LDAP connections. The default port for this setting is
port 636.
6. Click Update and close the Sametime Administration Tool.
7. Perform the procedure described in “Modifying the Directory Assistance
document of the LDAP server to encrypt the connection between the
servers” later in this chapter.
8. Perform the procedure described in “Ensuring that the Sametime server
trusts the LDAP server certificate” later in this chapter.
9. Stop and restart the Sametime server.
Using SSL to encrypt only user passwords passing between the
Sametime and LDAP servers
The administrator can use SSL to encrypt passwords but not directory
information (such as user names) passing over the connection between the
Sametime and LDAP servers. This option provides an intermediate level of
security and affects server performance less than encrypting all data that is
transmitted between the Sametime and LDAP servers.
When Sametime is configured in this way, only one connection between the
Sametime and LDAP server is encrypted with SSL; the encrypted connection
is the “authenticating users” connection. Data passing over the other four
connections between the Sametime and LDAP servers is not encrypted. In
this scenario, the Sametime server must bind to the LDAP server as an
anonymous user.
Note Data that passes over the “authenticating users” connection includes
the user names and passwords that users enter to authenticate when
creating or attending meetings, or logging in to Sametime Connect. User
names and passwords are never sent over the other four connections
between a Sametime and LDAP server unless the Sametime server itself is
required to authenticate when binding to the LDAP server instead of
binding as an anonymous user. In that case, the user name and password
the Sametime server uses to bind are transmitted on all five connections.
If you encrypt only the “authenticating users” connection as described
here and also require the Sametime server to bind as an authenticated
user, those bind credentials pass in the clear on the other four
connections. To prevent this, the Sametime server must bind to the LDAP
server as an anonymous user whenever only passwords are encrypted.
For more information about anonymous binding to the LDAP server, see
“Administrator distinguished name and password for authenticated
binding” earlier in this chapter. For more information about connections to
an LDAP server, see “Using SSL to encrypt connections between the
Sametime and LDAP servers” earlier in this chapter.
Encrypting user passwords passing between the Sametime and LDAP
servers involves five basic procedures:
• Enabling the Sametime server to bind to the LDAP server as an
anonymous user. To enable the Sametime server to bind to the LDAP
server as an anonymous user, you must ensure that the “Administrator
distinguished name” and “Administrator password” settings in the
Sametime Administration Tool LDAP Directory-Connectivity settings do
not contain entries. For more information, see “Administrator
distinguished name and password for authenticated binding” earlier in
this chapter.
• Enabling the “Use SSL to authenticate and encrypt the connection
between the Sametime and the LDAP server” setting in the Sametime
Administration Tool.
• Modifying the ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS setting in
the Sametime.ini file on the Sametime server.
• Modifying the Directory Assistance document of the LDAP server to
encrypt the connection between the servers.
• Ensuring that the Sametime server trusts the certificate of the LDAP
server.
To encrypt only user passwords passing between the Sametime and LDAP
servers, follow the steps below.
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Connectivity.
3. In the “Host name or IP address of the LDAP server” drop-down list,
select the name of the LDAP server to which you want to connect using
SSL.
4. Make sure that both the “Administrator distinguished name” and
“Administrator password” fields are blank. If either of these fields
contains an entry, remove the entry from the field.
Note Clearing the entries from these fields ensures that the Sametime
server will bind to the LDAP server as an anonymous user. For more
information, see “Administrator distinguished name and password for
authenticated binding” earlier in this chapter.
5. Select the “Use SSL to authenticate and encrypt the connection between
the Sametime server and the LDAP server” option.
6. In the “LDAP SSL port” field, specify the port on which the LDAP server
is listening for SSL LDAP connections. The default port for this setting is
port 636.
7. Click the Update button and close the Sametime Administration Tool.
8. Use a text editor to open the Sametime.ini file located in the
C:\Lotus\Domino directory on the Sametime server.
128 Sametime 3.1 Administrator's Guide
9. In the Sametime.ini file, set the following parameter to “1.”
[Directory]
ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1
If set to 1, the ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS setting
encrypts one of the five connections to the LDAP server. (Sametime uses
SSL to encrypt the connection to the LDAP server over which users are
authenticated.)
10. Save and close the Sametime.ini file.
11. Perform the procedure described in “Modifying the Directory Assistance
document of the LDAP server to encrypt the connection between the
servers” later in this chapter.
12. Perform the procedure described in “Ensuring that the Sametime server
trusts the LDAP server certificate” later in this chapter.
13. Restart the Sametime server.
Allowing all data to pass unencrypted between the Sametime and
LDAP servers
If the administrator is not concerned with unauthorized users intercepting
transmissions between the Sametime and LDAP servers, the administrator
should disable the “Use SSL to authenticate and encrypt the connection
between the Sametime server and the LDAP server” option in the LDAP
Directory - Connectivity settings of the Sametime Administration Tool.
When this option is disabled, none of the connections between the Sametime
and LDAP servers are encrypted with SSL, and all directory information and
user passwords pass unencrypted between the Sametime server and the LDAP
server.
To disable the “Use SSL to authenticate and encrypt the connection between
the Sametime server and the LDAP server” option:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Connectivity.
3. In the “Host name or IP address of the LDAP server” drop-down list,
select the name of the LDAP server to which Sametime connects.
4. Verify that the “Use SSL to authenticate and encrypt the connection
between the Sametime server and the LDAP server” option is not
selected. If this option is selected, deselect it.
5. If you deselected the “Use SSL to authenticate and encrypt the
connection between the Sametime server and the LDAP server” option,
click Update and restart the server for the change to take effect.
Note If you had previously set the
ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS parameter in the
Sametime.ini file to 1 to encrypt only passwords, you should also set that
parameter to “0” or remove it from the Sametime.ini file to prevent the
encryption of the server-to-server connection that authenticates users.
Modifying the Directory Assistance document of the LDAP server to
encrypt the connection between the Sametime server and the LDAP
servers
This procedure is required when you use SSL to encrypt all data transmitted
between the Sametime and LDAP server or use SSL to encrypt only user
passwords that are transmitted between the Sametime and LDAP servers.
For more information, see “Using SSL to encrypt all data transmitted
between the Sametime and LDAP servers” earlier in this chapter or “Using
SSL to encrypt only user passwords passing between the Sametime and
LDAP servers” earlier in this chapter.
In this procedure, you modify the Directory Assistance document for the
LDAP server to ensure that the connection between the Sametime server and
the LDAP server is encrypted using SSL.
1. Open the Lotus Notes client on the Sametime server machine. (From the
Windows desktop, choose Start - Run, browse to
C:\Lotus\Domino\nlnotes.exe (or the nlnotes.exe file in the directory in
which Sametime is installed), and click OK.)
2. From the Lotus Notes client, open the Directory Assistance database
(da.nsf).
• Choose File - Database - Open.
• For Server, select Local.
• Select the Directory Assistance database (da.nsf).
• Click Open.
3. Double-click the Directory Assistance document for the LDAP server to
open the document. (The Directory Assistance documents are displayed
in the right pane of the Directory Assistance database.)
4. Click Edit Directory Assistance.
5. Click the LDAP tab.
6. In the “Perform LDAP search for” field, select the “Notes Clients/Web
Authentication” option.
7. In the “Channel encryption” field, select SSL.
8. In the Port field, specify the same port that was specified in the “LDAP
SSL port” field of the LDAP Directory - Connectivity options of the
Sametime Administration Tool. (This port is the one on which the LDAP
server listens for SSL connections. The default port for SSL connections
is port 636.)
9. In the “Accept expired SSL certificates” field, select Yes (the default
setting) to accept a certificate from the LDAP directory server even if the
certificate has expired. For tighter security, select No: the Sametime
server then checks the certificate expiration dates and, if the certificate
presented by the LDAP server has expired, terminates the connection.
10. In the “SSL protocol version” field, select the version number of the SSL
protocol to use. The choices are:
• V2.0 only - This setting allows only SSL 2.0 connections.
• V3.0 handshake - This setting attempts an SSL 3.0 connection. If this
connection attempt fails but Sametime detects that SSL 2.0 is available
on the LDAP server, Sametime attempts the connection using SSL 2.0.
• V3.0 only - This setting allows only SSL 3.0 connections.
• V3.0 and V2.0 handshake - This setting attempts an SSL 3.0
connection, but starts with an SSL 2.0 handshake that displays
relevant error messages. This setting is used to receive V2.0 error
messages when trying to connect to the LDAP server. These error
messages might provide information about any compatibility problems
found during the connection.
• Negotiated - This setting allows SSL to determine the handshake and
protocol version required.
Unless the LDAP server supports only SSL 2.0, select “V3.0 only.” SSL 2.0
has known protocol weaknesses, and the settings that fall back to it allow
an attacker who can interfere with the connection to force the weaker
version.
11. In the “Verify server name with remote server's certificate” field, select
Enabled (the default setting) to verify the server name with the remote
server's certificate. If Enabled is selected, the Sametime server verifies
the name of the LDAP server with the remote server's certificate. If the
names do not match, the connection is terminated. For more relaxed
security, select Disabled (the server name is not verified with the
certificate).
12. Click Save and Close to close the Directory Assistance document.
13. Close the Directory Assistance database.
Next step
After modifying the Directory Assistance document of the LDAP server to
encrypt the connection between the Sametime server and the LDAP server,
you must ensure that the Sametime server trusts the LDAP server certificate.
See “Ensuring that the Sametime server trusts the LDAP server certificate”
below.
Ensuring that the Sametime server trusts the LDAP server certificate
This procedure is required when you use SSL to encrypt all data transmitted
between the Sametime and LDAP server or use SSL to encrypt only user
passwords that are transmitted between the Sametime and LDAP servers.
For more information, see “Using SSL to encrypt all data transmitted
between the Sametime and LDAP servers” earlier in this chapter or “Using
SSL to encrypt only user passwords passing between the Sametime and
LDAP servers” earlier in this chapter.
This procedure enables the Sametime server to trust the SSL server certificate
of the LDAP server. To ensure the Sametime server trusts the certificate of
the LDAP server, the administrator must perform the following procedures:
• Install the IKeyMan program on the Sametime server.
• Create a key database on the Sametime server named “key.kdb” and
store this database in the root Sametime directory.
• Ensure that the key.kdb database on the Sametime server contains the
SSL trusted root certificate that enables the Sametime server to trust the
SSL server certificate of the LDAP server.
These procedures are described below:
Install the IKeyMan program on the Sametime server
The Sametime server must have access to an SSL trusted root certificate to
complete the SSL handshake when making an SSL connection to the LDAP
server. This certificate is stored in an SSL key database. The tool provided
with a Sametime 3.1 server to create the key database and manage SSL
certificates for Sametime server to LDAP server connections is the IBM
IKeyMan utility.
You must install the IBM IKeyMan utility on the Sametime server so that you
can manage the SSL certificates required to encrypt connections between the
Sametime server and LDAP server with SSL.
To install IKeyMan onto the Sametime server, the administrator must run
the setup.exe file located on Sametime CD2 in the GSKit directory. For
example, to install IKeyMan:
1. Insert the Sametime 3.1 server CD 2 into the Sametime server machine.
2. Open a command prompt on the Sametime server machine.
3. In the command prompt window, change to the CD drive.
4. In the command prompt window, change to the “GSKit” folder on the
Sametime 3.1 server CD 2. (For example, enter “cd GSKit” at the
command prompt.)
5. From the <CD drive>:\GSKit directory, enter the following command:
setup.exe GSKit <Sametime installation directory> -s -f1setup.iss
For example, your command string might look like this:
D:\GSKit>setup.exe GSKit C:\Lotus\Domino -s -f1setup.iss
This command performs a silent installation of the IKeyMan program
into the Sametime installation directory on the Sametime server. If your
Sametime server is installed into a directory other than
C:\Lotus\Domino, use the installation directory that is appropriate for
your environment in the command string.
6. To verify that the installation is successful, do the following:
• Check that the C:\Lotus\Domino\IBM\GSK6 folder exists on the
Sametime server.
• Verify that the HKLM\Software\IBM\GSK6 registry key has been
created on the Sametime server machine.
7. After installing the IBM IKeyMan utility, you must define the Java
environment on the Sametime server machine. Follow the steps below:
a. From the Windows desktop, right-click the My Computer icon and
select “Properties” to open the System Properties dialog.
b. Select the “Advanced” tab.
c. Click the “Environment Variables” button.
d. For “System Variables,” select “New.”
e. Enter the following in the Variable Name and Variable Value fields:
Variable Name: JAVA_HOME
Variable Value: C:\Lotus\Domino\ibm-jre\jre
8. Use a text editor to add “com.ibm.spi.IBMCMSProvider” to the list of
providers in the
C:\Lotus\Domino\ibm-jre\jre\lib\security\java.security file. Follow
the steps below:
a. Use a text editor to open the java.security file located in the directory
path shown above on the Sametime server.
b. Type the following line into the list of security providers in the
java.security file: security.provider.3=com.ibm.spi.IBMCMSProvider.
If the file already lists more than two providers, use the next unused
number instead of 3. The example below illustrates this line added to
the java.security file.
#
# List of providers and their preference orders (see above)
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.spi.IBMCMSProvider
9. Delete the file “gskikm.jar” from the following location:
C:\Lotus\Domino\ibm-jre\jre\lib\ext\gskikm.jar.
Create a key database on the Sametime server named "key.kdb" and
store this database in the root Sametime directory
Use the IKeyMan utility you have just installed to create an SSL key database
named key.kdb on the Sametime server. When creating this database, store
the database in the directory in which Sametime is installed.
Note Sametime 3.1 installs on a Domino server in the same directory in
which Domino is installed. The Domino server installs to the
C:\Lotus\Domino directory by default. If the Domino server is installed in
this default directory, the Sametime server also installs to the
C:\Lotus\Domino directory.
To create the key.kdb database, follow the instructions below:
1. Start the IBM IKeyMan utility. To start the utility, run the gsk6ikm.exe
file located in the C:\Lotus\Domino\IBM\gsk6\bin directory on the
Sametime server.
2. From the IBM IKeyMan menu bar, select Key Database File-New.
3. In the New window, do the following:
a. For Key database type, select “CMS key database file.”
b. For File Name, enter “key.kdb.”
c. For Location, enter “C:\Lotus\Domino” (or other directory in which
Sametime is installed.)
d. Click OK.
4. In the Password prompt window, do the following:
a. Type a password and confirm the password used to access the key
database. The password is at your discretion.
b. Select the “Stash the password to a file?” check box.
c. Click OK.
An information window appears indicating the password is encrypted
and saved in the location C:\Lotus\Domino\key.sth (or <Sametime
install directory>\key.sth).
Note The stash file lets the Sametime server open key.kdb without
prompting for the password, so anyone who can read key.sth can open the
key database. Restrict the file-system permissions on key.kdb and key.sth
to the account the Sametime server runs as and to administrators.
After creating the key.kdb database, ensure the key.kdb database contains
the appropriate trusted root certificate.
Ensuring the key.kdb database on the Sametime server contains the
appropriate trusted root certificate
If the LDAP server is set up to listen for SSL connections, the LDAP server
has an SSL key database that contains (at minimum) two certificates.
These certificates are:
• A trusted root (or “signer”) certificate of a specific Certificate
Authority (CA), such as VeriSign.
• A server certificate signed by that CA.
The LDAP server presents its SSL server certificate to the Sametime server
during the SSL connection handshake. The key database on the Sametime
server (the “key.kdb” created above) must contain the trusted root (or
“signer”) certificate of the CA that signed the LDAP server certificate.
For example, if the key database on the LDAP server contains a “VeriSign
Class 4 Public Primary Certification Authority” trusted root certificate and
the LDAP SSL server certificate is signed by VeriSign, the key database on
the Sametime server must also contain a “VeriSign Class 4 Public Primary
Certification Authority” trusted root certificate.
In summary, the SSL connection from the Sametime server to the LDAP
server should succeed if both of the following are true:
• The key database on the LDAP server and the key.kdb database on the
Sametime server have a trusted root (or “signer”) certificate in common.
• That trusted root certificate belongs to the CA that signed the LDAP SSL
server certificate.
When the key.kdb database is created, the database contains several trusted
root (or “signer”) certificates by default. If the appropriate trusted root
certificate exists in the key.kdb database by default, no other procedures are
required to ensure that the Sametime server trusts the LDAP server
certificate. The procedure required to ensure the Sametime server trusts the
SSL certificate of the LDAP server is complete. Because any CA whose root
certificate is in key.kdb can vouch for the LDAP server, review the default
list and delete the signer certificates you do not need.
If the key.kdb database on the Sametime server does not contain the
appropriate trusted root certificate by default, you must obtain a trusted root
certificate from the appropriate CA and then add this certificate to the
key.kdb database using the IKeyMan utility. This procedure is summarized
below:
1. Obtain the trusted root (or “signer”) certificate of the Certificate
Authority that signed the LDAP server's SSL server certificate.
For a public CA, browse to the CA's Web site with your Web browser.
For example, to obtain a VeriSign root certificate, you begin by browsing
to the www.verisign.com Web site and follow the instructions on the Web
site for downloading root certificates. For an in-house CA, export the root
certificate from the CA itself. Save the certificate under a file name of
your choice in a local directory or a network location accessible from the
Sametime server. Before adding the certificate to key.kdb, compare its
fingerprint with the fingerprint the CA publishes, so that a tampered
download cannot introduce a signer certificate of an attacker's choosing.
2. After you have obtained the certificate, start the IKeyMan utility by
running the gsk6ikm.exe file located in the C:\Lotus\Domino\IBM\gsk6\bin
directory on the Sametime server.
3. From the IKeyMan utility, select Key Database File - Open and open the
key.kdb file.
4. Enter the password to access the key.kdb file.
5. From the main IKeyMan window, select “Signer Certificates” from the
drop-down list in the Key database content area.
6. Click the Add button.
7. In the Add CA's Certificate from a File window:
a. Select the appropriate Data type (for example, Base64-encoded
ASCII data).
b. Type the Certificate file name. (This name was specified when
requesting or receiving the file from the CA.)
c. Type the location where the certificate is stored. (This is the local or
network directory to which you downloaded or saved the certificate
after receiving it from the CA.)
d. Click OK.
8. In the Enter a Label window, type the name to be used to identify the
certificate as it is listed in IKeyMan and click OK.
The label is at your discretion but should be descriptive of the certificate.
For example, you could enter “VeriSign Class 4 Public Primary
Certification Authority.”
The IKeyMan main window with signer certificates selected should now
include the certificate you have just added. At this point, the procedure is
complete and you can close IKeyMan.
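The two checks that steps 9 and 11 of the Directory Assistance procedure switch on (“Accept expired SSL certificates” and “Verify server name with remote server's certificate”), together with the signer-certificate role that key.kdb plays, as an added Python example. It is not Sametime, Domino or IKeyMan code. The sample certificate dictionary is constructed in the shape that the Python standard library's getpeercert() returns and is not a real certificate; the host names, dates and function names are the example's own. evaluate_ldap_server_cert applies the two settings offline to such a dictionary; fetch_peer_cert performs a live handshake with an LDAPS port, where the cafile argument stands in for the trusted root certificate in key.kdb.

```python
"""Offline model of the two certificate checks that the Directory Assistance
document controls ("Accept expired SSL certificates" and "Verify server name
with remote server's certificate"), plus a live probe of an LDAPS port.
Added example; not Sametime, Domino or IKeyMan code.
"""
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# it is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Acme"),),
                (("commonName", "ldap.acme.com"),)),
    "subjectAltName": (("DNS", "ldap.acme.com"), ("DNS", "*.dir.acme.com")),
    "notBefore": "Jan  1 00:00:00 2003 GMT",
    "notAfter": "Dec 31 23:59:59 2003 GMT",
}


def cert_time(asn1_time):
    """Seconds since the epoch for a notBefore/notAfter string such as
    'Dec 31 23:59:59 2003 GMT' (the format getpeercert() uses)."""
    return ssl.cert_time_to_seconds(asn1_time)


def cert_expired(cert, now_seconds):
    """True when the certificate's notAfter lies before now_seconds."""
    return now_seconds > cert_time(cert["notAfter"])


def names_in_cert(cert):
    """DNS names the certificate claims: subjectAltName dNSName entries,
    falling back to the subject commonName only when there are none."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for attr, value in rdn if attr == "commonName"]
    return names


def dns_name_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label (*.dir.acme.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return hostname.split(".", 1)[1:] == [pattern[2:]]
    return False


def server_name_matches(cert, hostname):
    """Step 11: does any name in the certificate match the LDAP host name?"""
    return any(dns_name_matches(n, hostname) for n in names_in_cert(cert))


def evaluate_ldap_server_cert(cert, hostname, now_seconds,
                              accept_expired=True, verify_server_name=True):
    """Apply the two Directory Assistance options to a peer certificate.
    Returns (accepted, findings). The defaults mirror the document's defaults,
    so an expired certificate is accepted and merely reported."""
    findings = []
    if cert_expired(cert, now_seconds):
        findings.append("certificate expired on " + cert["notAfter"])
        if not accept_expired:
            return False, findings
    if verify_server_name and not server_name_matches(cert, hostname):
        findings.append("no subjectAltName or CN matches " + hostname)
        return False, findings
    return True, findings


def fetch_peer_cert(host, port=636, cafile=None, verify_server_name=True):
    """Live probe: complete a TLS handshake with an LDAPS port and return the
    peer certificate. cafile plays the role of key.kdb's signer certificate:
    the handshake fails unless the server's certificate chains to it.
    Requires network access, so it is not exercised offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = verify_server_name
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    june_2004 = cert_time("Jun  1 00:00:00 2004 GMT")
    print(evaluate_ldap_server_cert(SAMPLE_CERT, "ldap.acme.com", june_2004))
    print(evaluate_ldap_server_cert(SAMPLE_CERT, "ldap.acme.com", june_2004,
                                    accept_expired=False))
```

With the document's defaults (accept expired = Yes, verify server name = Enabled) the expired sample certificate is accepted and its expiry is only reported; with accept_expired=False the connection is refused, which is the behaviour a production Sametime-to-LDAP link should have. The live probe relies on the standard library to do what key.kdb does for Sametime: reject any server certificate that does not chain to a trusted root it has been given.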
Adding a new administrator in the LDAP environment
When using LDAP, an administrator uses the Sametime Administration Tool
for Sametime server administration. The administrator is authenticated
against the Domino Directory on the Sametime server when accessing the
Sametime Administration Tool.
One Sametime administrator is specified during the Sametime server
installation procedure. To allow other administrators to access the Sametime
Administration Tool, follow the instructions in Adding a new Sametime
administrator.
Note In the LDAP environment, you can use the Sametime Administration
Tool to perform LDAP configuration procedures. You cannot modify entries
in the LDAP directory using the Sametime Administration Tool. Person and
group entries in the LDAP directory must be modified using the software
and procedures required by the LDAP server. See the documentation for
your LDAP server for more information.
Access Control Lists and LDAP User Names
When using LDAP, authentication to individual databases on the Sametime
server is controlled by database ACLs.
To access the database ACLs when Sametime is configured to operate as a
client to an LDAP server:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose LDAP Directory - Access Control.
Administrators should be aware of the following when entering names from
an LDAP directory in the ACL of a database on the Sametime server:
• When entering the names of users or groups registered in an LDAP
directory to a database ACL, use the fully-qualified Distinguished Name
(DN), but use forward slashes (/) as delimiters instead of commas (,).
For example, if the DN for the user in the LDAP directory is:
uid = Joe Waters, ou=West, o=Acme
enter this name in the database ACL:
uid = Joe Waters/ou=West/o=Acme
• You can also use an asterisk as a wildcard character when entering
names from an LDAP directory in an ACL. For example, entering
*/ou=West/o=Acme is equivalent to entering all users in the
ou=West, o=Acme branch of the directory to the ACL.
With the exceptions noted above, the ACL settings of Sametime databases
should operate as they do when Sametime is configured to operate with a
Domino Directory. For more information about working with database
ACLs, see “Using database ACLs for identification and authentication” in
Chapter 13.
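The two rules above (commas replaced by forward slashes, and a leading asterisk as a wildcard) as an added Python example; it is not Sametime or Domino code and does not reproduce how the Sametime server itself evaluates ACLs. It assumes RFC 2253 backslash escaping for a comma inside an attribute value, that attribute types and values compare case-insensitively, and that a wildcard entry covers the whole branch under the named components (including deeper sub-OUs), as Domino ACL wildcards do. Function names are the example's own.

```python
"""Map LDAP distinguished names to the form Sametime database ACLs expect
(forward slashes between components) and test ACL entries, including the
leading '*' wildcard, against a user's DN. Added example; not Sametime code.
"""


def split_dn(dn):
    """Split a DN on unescaped commas. A backslash escapes the next character
    (RFC 2253), so 'cn=Smith\\, Jane' stays one component."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])          # keep the escape sequence intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def normalize_rdn(rdn):
    """'uid = Joe Waters' -> 'uid=Joe Waters': lowercase attribute type and
    no whitespace around '='. Values keep their case here; the comparisons
    below fold case anyway."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip()


def dn_to_acl_name(dn):
    """uid=Joe Waters,ou=West,o=Acme  ->  uid=Joe Waters/ou=West/o=Acme"""
    return "/".join(normalize_rdn(rdn) for rdn in split_dn(dn))


def fold_case(components):
    return [c.lower() for c in components]


def acl_entry_matches(entry, dn):
    """Does an ACL entry in slash form cover the given LDAP DN?

    A leading '*' stands for the user's own component(s): '*/ou=West/o=Acme'
    covers every entry below ou=West,o=Acme, including deeper sub-OUs (the
    branch semantics Domino wildcards have; assumed here for LDAP names).
    Attribute values containing '/' are not handled."""
    want = [c if c == "*" else normalize_rdn(c) for c in entry.split("/")]
    have = dn_to_acl_name(dn).split("/")
    if want[0] == "*":
        suffix = want[1:]
        # At least one component must sit under the named branch.
        return len(have) > len(suffix) and fold_case(have[-len(suffix):]) == fold_case(suffix)
    return fold_case(have) == fold_case(want)


if __name__ == "__main__":
    ldap_dn = "uid = Joe Waters, ou=West, o=Acme"   # the document's example DN
    print(dn_to_acl_name(ldap_dn))
    for acl_entry in ("uid=Joe Waters/ou=West/o=Acme", "*/ou=West/o=Acme",
                      "*/ou=East/o=Acme"):
        print(acl_entry, acl_entry_matches(acl_entry, ldap_dn))
```

Run it to see which ACL entries a given directory DN satisfies before granting the entry in the Sametime Administration Tool; the escaped-comma case matters because a display name such as “Smith, Jane” stored in a cn value would otherwise be split into two components and never match.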
Setting up an LDAP connection after selecting the Domino directory
during the server installation
During the Sametime server installation, you must specify the directory type
(either Domino or LDAP) used in your Sametime community. If you select
the Domino directory during the installation, and later decide you want to
configure Sametime to connect to an LDAP server, use the procedure below
to set up the LDAP connection to the LDAP server.
Note Using this procedure prevents you from having to reinstall the
Sametime server and specify the LDAP directory type during the server
installation to connect to the LDAP server.
There are six procedures associated with enabling Sametime to connect to an
LDAP server if you have selected the Domino directory during the server
installation:
1. Set up a Directory Assistance database on the Sametime server.
2. Identify the Directory Assistance database on the Sametime server.
3. Create a Directory Assistance document in the Directory Assistance
database that enables the Sametime server to access the LDAP server.
4. Create an LDAP document in the Configuration database (stconfig.nsf)
on the Sametime server.
5. Copy and rename .DLL files.
6. Configure the LDAP Directory settings in the LDAP document. (You can
use either a Lotus Notes client or the Sametime Administration Tool to
configure these settings.)
Set up a Directory Assistance database
This procedure is the first of six associated with enabling Sametime to
connect to an LDAP server if you have selected the Domino directory during
the server installation.
Because Sametime uses Directory Assistance to access an LDAP server, you
must ensure that a Directory Assistance database exists on the Sametime
server. Setting up Directory Assistance enables Web browser users to
authenticate against entries in the LDAP directory when accessing databases
on the Sametime server that require basic password authentication.
Note The Sametime Connect client does not require Directory Assistance to
authenticate against the LDAP directory or perform name and group
lookups in the LDAP directory.
You can either create a new Directory Assistance database on the Sametime
server or replicate an existing Directory Assistance database to the Sametime
server.
Use the same process to set up Directory Assistance for a Sametime server as
you would for a Domino server without Sametime. If you have already
created a Directory Assistance database for the Domino environment in
which Sametime is installed, you can replicate the existing Directory
Assistance database to the Sametime server instead of creating a new
Directory Assistance database.
Creating a new Directory Assistance database
To create a new Directory Assistance database:
1. Open the Lotus Notes client on the Sametime server. To open the Notes
client:
• From the Windows desktop, choose Start - Run.
• Browse to the C:\Lotus\Domino\nlnotes.exe file.
• Click OK to run the Notes client.
2. Choose File - Database - New.
3. Create the Directory Assistance database as you would any other
Domino database:
• Create the database on the Local (Sametime) server.
• Provide a database name and filename for the Directory Assistance
database.
• Use the Directory Assistance template (da50.ntf) when creating the
database.
Replicating an existing Directory Assistance database
To replicate an existing Directory Assistance database, follow the normal
Domino procedure for replicating a database. First create a new replica of
the Directory Assistance database on the Sametime server, and then create a
Connection document to schedule replication of the database. See your
existing Domino administration documentation for information on these
procedures.
Next step
After you have ensured that a Directory Assistance database exists on the
Sametime server, you must identify the Directory Assistance database on the
Sametime server.
Identify the Directory Assistance database on the Sametime server
This procedure is the second of six associated with enabling Sametime to
connect to an LDAP server if you have selected the Domino directory during
the server installation.
After you have ensured that a Directory Assistance database exists on the
Sametime server, you must identify the Directory Assistance database on the
Sametime server. Enter the database filename in the “Directory Assistance
database name” field in the Basics section of the Sametime server Server
document.
1. From the Notes client on the Sametime server:
• Choose File - Database - Open.
• Select the Local server.
• Select the Directory or Address Book (names.nsf) file.
• Click Open.
2. Select Server - Servers to open the Servers view.
3. Double-click the name of the Sametime server to open the Server
document.
4. If necessary, select the Basics tab of the Server document.
5. Click Edit Server.
6. In the “Directory Assistance database name” field, enter the filename
(for example, da.nsf) of the Directory Assistance database.
7. Click Save and Close.
Next step
After you have identified the Directory Assistance database on the Sametime
server, create a Directory Assistance document that enables the Sametime
server to access the LDAP server.
Create a Directory Assistance document that enables the Sametime
server to access the LDAP server
This procedure is the third of six associated with enabling Sametime to
connect to an LDAP server if you have selected the Domino directory during
the server installation.
The Directory Assistance database on the Sametime server must contain a
Directory Assistance document that enables the Sametime server to access
the LDAP server. The procedure below explains how to create the Directory
Assistance document for the LDAP server and provides suggested values for
the fields in the Directory Assistance document. You can change the
suggested values as required by your environment.
To create the Directory Assistance document:
1. From the Notes client on the Sametime server, open the Directory
Assistance database on the Sametime server.
• Choose File - Database - Open.
• Select the Local server.
• Select the Directory Assistance database (usually named da.nsf).
• Click Open.
2. Click “Add Directory Assistance.”
In the Basics tab, make these settings:
Domain type: Select LDAP.
Domain name: Enter any descriptive name; the name must be different from
any other in Directory Assistance. Do not use the Domino domain name.
Company name: Enter the name of your company.
Search order: The suggested value is 1. The search order specifies the order
this directory is searched relative to other directories in Directory
Assistance.
Group expansion: The suggested setting is Yes. This setting enables
Directory Assistance to examine the contents of groups in the LDAP
directory. This capability is necessary if you enter the name of a group
defined in the LDAP directory in the ACL of a database on the Sametime
server.
Nested group expansion: The suggested setting is Yes. This setting enables
Directory Assistance to examine the content of an LDAP directory group that
is a member of another LDAP directory group. This capability is also used
when an LDAP directory group name is entered in the ACL of a database on
the Sametime server.
Enabled: Set to Yes to enable Directory Assistance for the LDAP Directory.
3. Select the Rules tab. Configure Rule 1 as needed for your Domino
environment. The suggested values for Rule 1 are as follows:
• The OrgUnit1, OrgUnit2, OrgUnit3, OrgUnit4, Organization, and
Country fields should all contain an asterisk. Using all asterisks in this
setting ensures that all entries in the LDAP directory can be searched
and authenticated.
Note The Rules setting indicates the names in the directory that can
be authenticated. You can modify the Rules setting as needed
according to the structure of the LDAP Directory the Sametime server
is accessing. For more information on using naming rules in Directory
Assistance, see Administering the Domino System Volume 1 for Domino
5 in your existing Domino documentation. (Domino documentation is
also available from the Web site http://www-10.lotus.com.)
• The “Enabled” and “Trusted for Credentials” fields should both be set
to “Yes.”
4. Select the LDAP tab. The LDAP tab contains the following settings:
Hostname: The host name for the LDAP server (for example, ldap.acme.com).
Optional Authentication Credential: Binding parameters to the LDAP server.
For more information, see “Administrator distinguished name and password
for authenticated binding” earlier in this chapter. If entries exist in the
“Administrator distinguished name” and “Administrator password” fields in
the LDAP Directory-Connectivity settings of the Sametime Administration
Tool, the Sametime server binds to the LDAP server as an authenticated
user. If there are no entries in the “Administrator distinguished name” or
“Administrator password” fields, the Sametime server binds to the LDAP
server as an anonymous user.
Username: Complete this field if you want your Sametime server to bind to
the LDAP server as an authenticated user. Otherwise, leave this field
empty. Suggested values for Microsoft Active Directory server are:
cn=qadmin, cn=users, dc=ubq-qa, dc=com
Password: Complete this field if you want your Sametime server to bind to
the LDAP server as an authenticated user. Otherwise, leave this field
empty. Enter the password for the Username specified above.
Base DN for search: Specify a search base. A search base defines where in
the directory tree a search should start. Suggestions for this setting are:
Domino directory - An example value is “O=DomainName,” where
“DomainName” is the Lotus Notes domain (for example O=Acme).
Microsoft Exchange 5.5 directory - An example value is
“CN=recipients,OU=ServerName,O=NTDomainName,” where ServerName is
the Windows server name and NTDomainName is the Windows NT Domain
(for example, CN=recipients,OU=Acmeserver1,O=NTAcmedomain). The
Microsoft Exchange 5.5 example assumes that the directory is using the
default directory schema. If you have changed the schema of the Microsoft
Exchange 5.5 directory, the entry in the Base DN for search field must
reflect the new schema.
Microsoft Active Directory - An example value is “CN=users,
DC=DomainName, DC=com.”
Netscape LDAP directory - Use the format O= followed by the organizational
unit that was specified during the Netscape server setup. If you are
uncertain about this entry, use the administrative features of the Netscape
server to determine the appropriate entry.
Perform LDAP search for: Select Notes clients/Web Authentication.
Channel encryption: Select None. With None, directory data and any
Username and Password entered above pass unencrypted between the
Sametime server and the LDAP server. For information on using Secure
Sockets Layer (SSL) to encrypt the connection between the Sametime server
and the LDAP server, see “Use SSL to authenticate and encrypt the
connection between the Sametime server and the LDAP server” earlier in
this chapter.
Port: Enter the port number used to connect to the LDAP server. The default
setting is port 389.
Timeout: The suggested setting is 60 seconds. This setting specifies the
maximum number of seconds allowed for a search of the LDAP directory.
Maximum number of entries returned: The suggested setting is 100. This
setting specifies the maximum number of names the LDAP server will return
for the name searched. If the LDAP server also has a maximum setting, the
lower setting takes precedence.
5. Click “Save and Close.” The warning message notifies you that your
connection does not include SSL settings; you can ignore the warning
and continue with the procedure. For more information on the SSL
configuration, see “Use SSL to authenticate and encrypt the connection
between the Sametime server and the LDAP server” earlier in this
chapter.
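The Base DN shapes and the search limits from the table above, checked by an added Python helper (example code, not part of Sametime or Domino; the directory-type names, function names and sample DNs are this example's own assumptions):

```python
"""Check the LDAP search settings of the Directory Assistance document
described above before saving it.

Added example, not part of Lotus Sametime or Domino. The Base DN shapes and
the suggested limits are taken from the table above; the directory-type
names, function names and sample DNs are this example's own assumptions.
"""
import re

SUGGESTED_TIMEOUT_SECONDS = 60   # "Timeout" suggestion from the table
SUGGESTED_MAX_ENTRIES = 100      # "Maximum number of entries returned"

# Attribute types expected in the Base DN, per the example given for each
# directory type in the table (Active Directory is handled separately).
EXPECTED_ATTRS = {
    "domino": ("O",),                  # O=Acme
    "exchange55": ("CN", "OU", "O"),   # CN=recipients,OU=Acmeserver1,O=NTAcmedomain
    "netscape": ("O",),                # O= followed by the organizational unit
}


def parse_dn(dn):
    """Split a DN into (ATTRIBUTE, value) pairs. Commas escaped with a
    backslash stay inside the value; whitespace around ',' and '=' and a
    trailing comma (as in the quoted examples above) are tolerated."""
    dn = dn.strip().rstrip(",").strip()
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError("RDN without '=': %r" % rdn)
        attr, value = rdn.split("=", 1)
        attr, value = attr.strip(), value.strip()
        if not attr or not value:
            raise ValueError("empty attribute or value in %r" % rdn)
        pairs.append((attr.upper(), value))
    return pairs


def normalize_dn(dn):
    """Canonical 'ATTR=value,ATTR=value' form, the way it should be saved."""
    return ",".join("%s=%s" % pair for pair in parse_dn(dn))


def check_base_dn(dn, directory_type):
    """Return a list of problems; empty when the DN matches the shape of the
    example given for that directory type."""
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    attrs = [attr for attr, _ in pairs]
    problems = []
    if directory_type == "active_directory":
        # Example: CN=users,DC=DomainName,DC=com
        if attrs[0] != "CN" or len(attrs) < 2 or any(a != "DC" for a in attrs[1:]):
            problems.append("Active Directory base DN should look like "
                            "CN=users,DC=DomainName,DC=com; got %s" % normalize_dn(dn))
    elif directory_type in EXPECTED_ATTRS:
        expected = EXPECTED_ATTRS[directory_type]
        if tuple(attrs) != expected:
            problems.append("%s base DN should use RDNs %s; got %s"
                            % (directory_type, ",".join(expected), ",".join(attrs)))
        if directory_type == "exchange55" and pairs[0][1].lower() != "recipients":
            problems.append("default Exchange 5.5 schema uses CN=recipients; "
                            "a changed schema needs a matching base DN")
    else:
        problems.append("unknown directory type %r" % directory_type)
    return problems


def effective_max_entries(sametime_setting, ldap_server_limit=None):
    """The lower of the Sametime setting and the LDAP server's own size limit
    is what a search will actually return."""
    if ldap_server_limit is None:
        return sametime_setting
    return min(sametime_setting, ldap_server_limit)
```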
Next step
After you create the Directory Assistance document that enables the
Sametime server to access the LDAP server, you must create an LDAP
document in the Configuration database on the Sametime server.
Create an LDAP document in the Configuration database
This procedure is the fourth of six associated with enabling Sametime to
connect to an LDAP server if you have selected the Domino directory during
the server installation.
The Configuration database (stconfig.nsf) stores administration settings
made from the Sametime Administration Tool. These administration settings
are stored on individual documents within the Configuration database. You
must use the Lotus Notes client on the Sametime server to create an LDAP
document in the Configuration database on the Sametime server. The LDAP
document you create will hold the LDAP Directory settings that enable
Sametime to search and authenticate against entries in the LDAP directory.
To create an LDAP document in the Configuration database:
1. From the Notes client on the Sametime server, open the Sametime
Configuration database on the Sametime server.
• Choose File - Database - Open.
• Select the Local server.
• Select the Sametime Configuration database (stconfig.nsf).
• Click Open.
2. Select Create - LDAPServer.
A document opens that contains the LDAP administration settings. You
can configure these settings using either the Sametime Administration
Tool or a Lotus Notes client. If you want to use the Lotus Notes client,
leave the document open and continue to the next procedure (see “Next
step” below).
If you want to use the Sametime Administration Tool to configure the
LDAP settings, choose File - Save to save the LDAP document. Close the
LDAP document and close the Lotus Notes client.
Next step
After you have created an LDAP document in the Configuration database,
you must configure the LDAP Directory settings on the LDAP document.
Copy and rename the .DLL files
This procedure is the fifth of six associated with enabling Sametime to
connect to an LDAP server if you have selected the Domino directory during
the server installation.
In this procedure, you must copy and rename some .DLL files from the
C:\Sametime\DirectoryBB\Ldap directory to the C:\Sametime directory.
1. On the Sametime server, create a working directory to copy files to so
that you can rename them.
2. Copy the “STAuthenticationLdap.dll” from the directory
C:\Sametime\DirectoryBB\Ldap to the working directory.
3. In the working directory, rename the “STAuthenticationLdap.dll” file to
“STAuthentication.dll.”
4. Copy the renamed “STAuthentication.dll” file to the C:\Sametime
directory.
Note Copying the “STAuthentication.dll” file to the C:\Sametime
directory will overwrite an existing file of the same name.
5. Copy the file “STGroupsLdap.dll” from the directory
C:\Sametime\DirectoryBB\Ldap to the working directory.
6. Rename the “STGroupsLdap.dll” file to “STGroups.dll.”
7. Copy the renamed STGroups.dll file to the C:\Sametime directory.
Note Copying the “STGroups.dll” file to the C:\Sametime directory
will overwrite an existing file of the same name.
8. Copy the file “STResolveLdap.dll” from the directory
C:\Sametime\DirectoryBB\Ldap to the working directory.
9. Rename the “STResolveLdap.dll” file to “STResolve.dll.”
10. Copy the renamed “STResolve.dll” file to the C:\Sametime directory.
Note Copying the “STResolve.dll” file to the C:\Sametime directory
will overwrite an existing file of the same name.
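Steps 1 to 10 above as an added Python script (example code, not part of Sametime): it stages, renames and copies the three DLLs and, because each copy overwrites a file of the same name, first saves the existing file to a backup directory. The function names, the backup directory and the throwaway demo layout are this example's assumptions.

```python
"""Copy and rename the three LDAP .DLL files as in steps 1 to 10 above,
keeping a backup of each file that would be overwritten and verifying
each copy against its source.

Added example, not part of Lotus Sametime. The function names, the backup
directory and the demo layout are this example's own assumptions.
"""
import hashlib
import os
import shutil
import tempfile

# Name in DirectoryBB\Ldap -> name it must carry in the Sametime directory
LDAP_DLLS = {
    "STAuthenticationLdap.dll": "STAuthentication.dll",
    "STGroupsLdap.dll": "STGroups.dll",
    "STResolveLdap.dll": "STResolve.dll",
}


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def install_ldap_dlls(sametime_dir, backup_dir):
    """Stage, rename, back up and copy; returns {installed name: sha256}.

    Each existing target is copied to backup_dir before it is overwritten
    (the Notes above warn that the copy overwrites a file of the same name),
    so the original DLLs can be restored if LDAP is abandoned later.
    """
    src_dir = os.path.join(sametime_dir, "DirectoryBB", "Ldap")
    os.makedirs(backup_dir, exist_ok=True)
    installed = {}
    with tempfile.TemporaryDirectory() as work_dir:      # step 1: working directory
        for ldap_name, final_name in LDAP_DLLS.items():
            src = os.path.join(src_dir, ldap_name)
            if not os.path.isfile(src):
                raise FileNotFoundError(src)
            staged = os.path.join(work_dir, ldap_name)
            shutil.copy2(src, staged)                     # copy to the working directory
            renamed = os.path.join(work_dir, final_name)
            os.replace(staged, renamed)                   # rename in the working directory
            target = os.path.join(sametime_dir, final_name)
            if os.path.exists(target):                    # keep what is about to be overwritten
                shutil.copy2(target, os.path.join(backup_dir, final_name))
            shutil.copy2(renamed, target)                 # copy to the Sametime directory
            if sha256_of(target) != sha256_of(src):
                raise IOError("installed %s does not match its source" % final_name)
            installed[final_name] = sha256_of(target)
    return installed


def run_demo():
    """Build a throwaway Sametime-like layout (constructed data), run the
    install, and report per DLL: (LDAP build now installed, Domino build
    saved in the backup, recorded hash matches the installed file)."""
    with tempfile.TemporaryDirectory() as root:
        sametime_dir = os.path.join(root, "Sametime")
        ldap_dir = os.path.join(sametime_dir, "DirectoryBB", "Ldap")
        os.makedirs(ldap_dir)
        for ldap_name, final_name in LDAP_DLLS.items():
            with open(os.path.join(ldap_dir, ldap_name), "wb") as fh:
                fh.write(b"LDAP build of " + final_name.encode())
            with open(os.path.join(sametime_dir, final_name), "wb") as fh:
                fh.write(b"Domino build of " + final_name.encode())  # to be overwritten
        backup_dir = os.path.join(root, "Sametime-dll-backup")
        installed = install_ldap_dlls(sametime_dir, backup_dir)
        result = {}
        for final_name in LDAP_DLLS.values():
            with open(os.path.join(sametime_dir, final_name), "rb") as fh:
                now = fh.read()
            with open(os.path.join(backup_dir, final_name), "rb") as fh:
                saved = fh.read()
            result[final_name] = (now.startswith(b"LDAP build"),
                                  saved.startswith(b"Domino build"),
                                  installed[final_name] == hashlib.sha256(now).hexdigest())
        return result
```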
Next step
After you have copied and renamed the .DLL files, you must configure the
LDAP Directory settings on the LDAP document.
Configuring the LDAP directory settings
This procedure is the last of six associated with enabling Sametime to
connect to an LDAP server if you have selected the Domino directory during
the server installation.
This procedure is described in “Configure the LDAP Directory settings”
earlier in this chapter.
Chapter 5
Configuring Ports and Network Connectivity
This chapter discusses the connectivity settings available from the Sametime
Administration Tool and the connection processes of Sametime clients.
This chapter discusses:
• Ports used by the Sametime server
• Forward proxy support for Sametime clients
• Configuring Sametime Networks and Ports administration settings
• Sametime client connection processes
• Changing the default connectivity settings of the Sametime Connect for browsers client
• HTTP tunneling
• TCP tunneling of audio/video streams
• Reverse proxy support for the Sametime server
Ports used by the Sametime server
The tables below list the default ports used by all Sametime services, including:
• HTTP Services, Domino Services, LDAP Services, and Sametime intraserver ports
• Community Services ports
• Meeting Services ports
• Broadcast Services ports
• Audio/Video Services ports
You can use the Sametime Administration Tool to configure the ports on which the Sametime services listen for connections from clients.
The port settings for all services can be accessed from the Configuration-Connectivity-“Networks and Ports” options of the Sametime Administration Tool.
HTTP Services, Domino Services, LDAP Services, and Sametime intraserver ports
The following ports are used by the Sametime HTTP Services, Domino Application Services, and LDAP Services.
Default Port Purpose
Port 80
If the administrator allows HTTP tunneling on port 80 during the Sametime installation, the Community Services multiplexer on the Sametime server listens for HTTP connections from Web browsers, Sametime Connect clients, Sametime Meeting Room clients, and Sametime Broadcast clients on port 80.
If the administrator does not allow HTTP tunneling on port 80 during the Sametime installation, the Domino HTTP server listens for HTTP connections on this port.
Alternate HTTP port (8088)
If the administrator allows HTTP tunneling on port 80 during the Sametime installation (or afterward), the Domino HTTP server on which Sametime is installed must listen for HTTP connections on a port other than port 80. The Sametime installation changes the Domino HTTP port from port 80 to port 8088 if the administrator allows HTTP tunneling on port 80 during a Sametime server installation.
Note If the administrator allows HTTP tunneling on port 80 during the Sametime installation, Web browsers make HTTP connections to the Community Services multiplexer on port 80, and the Community Services multiplexer makes an intraserver connection to the Sametime HTTP server on port 8088 on behalf of the Web browser.
This configuration enables the Sametime server to support HTTP tunneling on port 80 by default following the server installation. For more information, see “About HTTP tunneling” later in this chapter.
Port 389
If you configure the Sametime server to connect to an LDAP server, the Sametime server connects to the LDAP server on this port. For more information, see “Using LDAP with the Sametime server” in Chapter 4.
Port 443
The Domino HTTP server listens for HTTPS connections on this port by default.
This port is used only if you have set up the Domino HTTP server to use Secure Sockets Layer (SSL) for Web browser connections. To configure the Sametime HTTP server to use SSL for Web browser connections, see “Using SSL with Sametime” in Chapter 13.
Port 1352
The Domino server on which Sametime is installed listens for connections from Notes clients and Domino servers on this port.
Port 9092
The Event Server port on the Sametime server is used for intraserver connections between Sametime components. This port cannot be used by other applications on the server.
Port 9094
The Token Server port on the Sametime server is used for intraserver connections between Sametime components. This port cannot be used by other applications on the server.
Community Services ports
The following ports are used by the Sametime Community Services. Most of these ports are configurable.
Default Port Purpose
Port 1516
The Community Services listen for direct TCP/IP connections from the Community Services of other Sametime servers on this port. If you have installed multiple Sametime servers, this port must be open for presence, chat, and other Community Services data to pass between the servers.
The communications that occur on port 1516 also enable one Sametime server to start a meeting on another server (or “invite” the other server to the meeting).
Port 1533
The Community Services listen for direct TCP/IP connections and HTTP-tunneled connections from the Community Services clients (such as Sametime Connect and Sametime Meeting Room clients) on this port.
Note The term “direct TCP/IP connection” means that the Sametime client uses a unique Sametime protocol over TCP/IP to establish a connection with the Community Services.
The Community Services also listen for HTTPS connections from the Community Services clients on this port by default. The Community Services clients attempt HTTPS connections when accessing the Sametime server through an HTTPS proxy server. If a Community Services client connects to the Sametime server using HTTPS, the data on this connection is not encrypted.
If the administrator does not allow HTTP tunneling on port 80 during the Sametime installation, the Community Services clients attempt HTTP-tunneled connections to the Community Services on port 1533 by default. For more information, see “About HTTP tunneling” later in this chapter.
Port 80, Port 8082
If the administrator allows HTTP tunneling on port 80 during the Sametime installation, the Community Services clients can make HTTP-tunneled connections to the Community Services multiplexer on port 80. For more information, see “About HTTP tunneling” later in this chapter.
Note When HTTP tunneling on port 80 is allowed during the Sametime installation, the Community Services multiplexer listens for HTTP-tunneled connections on both port 80 and port 1533. The Community Services multiplexer simultaneously listens for direct TCP/IP connections on port 1533.
When HTTP tunneling support is enabled, the Community Services clients can make HTTP-tunneled connections to the Community Services multiplexer on port 8082 by default. Community Services clients can make HTTP-tunneled connections on both ports 80 and 8082 by default.
Port 8082 ensures backward compatibility with previous Sametime releases. In previous releases, Sametime clients made HTTP-tunneled connections to the Community Services only on port 8082. If a Sametime Connect client from a previous Sametime release attempts an HTTP-tunneled connection to a Sametime 3.1 server, the client might attempt this connection on port 8082.
Meeting Services ports
The following default ports are used by the Sametime Meeting Services. These ports are configurable.
Default Port Purpose
Port 8081
The Meeting Services listen for Sametime protocol over TCP/IP connections from the Sametime Meeting Room client on this port. The screen-sharing, whiteboard, send Web page, and question-and-answer polling components of the Sametime Meeting Room client exchange data with the server over this connection.
The Meeting Room client can make the TCP/IP connection directly to the Meeting Services or through a SOCKS proxy server.
The interactive audio and video components of the Sametime Meeting Room client also exchange call control information over a direct TCP/IP connection on this port.
Note The term “direct TCP/IP connection” means that the Sametime client uses a unique Sametime protocol operating over TCP/IP to establish a connection with the Meeting Services.
If the administrator does not allow HTTP tunneling on port 80 during the Sametime installation, the Meeting Services clients attempt HTTP-tunneled connections to the Meeting Services on port 8081 by default. For more information, see “About HTTP tunneling” later in this chapter.
Port 80
If the administrator allows HTTP tunneling on port 80 during the Sametime installation, the Meeting Room client can make HTTP-tunneled connections to the Community Services multiplexer on port 80.
When the Meeting Room client makes an HTTP-tunneled connection to the Community Services multiplexer, the Community Services multiplexer makes an intraserver connection to the Meeting Services on behalf of the Meeting Room client. The intraserver connection occurs on port 8081 by default.
The Meeting Room client attempts the Sametime protocol over TCP/IP connection (or “direct TCP/IP connection”) on port 8081 before attempting an HTTP-tunneled connection on port 80.
Port 1503
The Meeting Services listen for T.120 connections from the Meeting Services of other Sametime servers on this port. If you have installed multiple Sametime servers, this port must be open between the two servers for the servers to exchange screen-sharing, whiteboard, and other Meeting Services data.
Port 1516
In a multiple Sametime server environment, a single Sametime meeting can be simultaneously active on multiple Sametime servers. This functionality is sometimes called “invited servers.” Port 1516 must be open between two Sametime servers to enable one server to extend a meeting invitation to another server in support of the invited servers functionality. For more information, see “Advantages of a single meeting on multiple servers” in Chapter 14.
Broadcast Services ports
The following default ports are used by the Sametime Broadcast Services. These ports are configurable.
Default Port Purpose
Port 554
The Broadcast Services listen for Real-Time Streaming Protocol (RTSP) call-control connections over TCP/IP on this TCP/IP port. (RTSP uses TCP as the transport service.) The Broadcast client can make the RTSP TCP/IP connection directly to the Broadcast Services or through a SOCKS proxy server.
If the administrator does not allow HTTP tunneling on port 80 during the Sametime installation, the Broadcast Services clients attempt HTTP-tunneled connections to the Broadcast Services on port 554 by default. For more information, see “About HTTP tunneling” later in this chapter.
Port 80
If the administrator allows HTTP tunneling on port 80 during the Sametime installation, the Broadcast clients can make HTTP-tunneled connections to the Community Services multiplexer on port 80.
When the Broadcast client makes an HTTP-tunneled connection to the Community Services multiplexer, the Community Services multiplexer makes an intraserver connection to the Broadcast Gateway on behalf of the Broadcast client. The intraserver connection occurs on port 554 by default. For more information, see “About HTTP tunneling” later in this chapter.
The Broadcast client attempts the RTSP TCP/IP connection on port 554 before attempting an HTTP-tunneled connection on port 80.
Dynamic UDP ports
The Broadcast Services stream meeting data in RTP format from the server to the client over UDP ports. The specific UDP ports are chosen randomly by the Broadcast client and cannot be controlled by the administrator.
Note The Broadcast Services can also stream audio and video data to Sametime Broadcast clients. A meeting might include three separate streams (one each for audio, video, and screen-sharing/whiteboard data). If the client or server network, or any network between the Sametime server and the client, does not allow UDP traffic, the Sametime Broadcast Services will tunnel the streamed data over the initial RTSP TCP/IP control connection that occurs on port 554.
If the call-control connection was established using HTTP tunneling on port 80, the client attempts to tunnel the UDP data through the HTTP-tunneled connection on port 80 or another port specified by the administrator. For more information, see “Broadcast client connection process” later in this chapter.
Port 8083
Broadcast Services use this port for internal control connections between Broadcast Services components. You should change this port only if another application on the Sametime server is using port 8083.
1 - 65535 (UDP ports for multicast)
The Broadcast Services can take advantage of the bandwidth efficiency provided by multicast-enabled networks. If your network supports multicast, the Broadcast Services transmit multicast data over UDP ports within the 1 to 65535 range.
Note Multicast uses multicast IP addresses, not the IP address of the Sametime server.
Audio/Video Services ports
The following default ports are used by the Audio/Video Services. These ports are configurable.
Default Port Purpose
Port 8081
The Sametime Meeting Room client establishes a TCP/IP connection with the Sametime server Meeting Services on this port. The Audio/Video Services and audio/video components of the Sametime Meeting Room client use this connection to the Meeting Services for call-control functions.
Port 1720
The Audio/Video Services listen for H.323 call setup connections from H.323-compliant clients (such as NetMeeting) on this port. An H.323-compliant client connects on this port using the Q.931 protocol. Using the Q.931 protocol, the server transmits a dynamic TCP port to the client as described below. The dynamic TCP port is used to continue the call setup process as defined by the H.245 protocol.
Note Sametime Meeting Room clients do not use this port.
49152 - 65535 (TCP port range)
The dynamic TCP port that is negotiated for the H.245 protocol is selected from this range of TCP ports. This port is used only by H.323-compliant clients such as NetMeeting.
Note Sametime Meeting Room clients do not use this port.
49252 - 65535 (Dynamic UDP port range)
The Sametime Audio/Video Services listen for inbound audio and video streams from interactive audio/video clients (such as the Sametime Meeting Room client or NetMeeting client) on a range of UDP ports specified by the administrator. The UDP ports are selected by the Sametime Audio/Video Services dynamically from within the range of ports specified by the administrator.
The administrator can configure the range of available UDP ports from the MMP UDP port numbers start at/end at settings available from the Interactive Audio/Video Services “Networks and Ports” settings of the Sametime Administration Tool.
Port 8084
If UDP is unavailable between a Sametime Meeting Room client and a Sametime server, Sametime uses this TCP port when attempting to tunnel the RTP audio and video streams using the TCP transport. Tunneling of RTP/UDP data over a TCP port is supported for Sametime Meeting Room clients, but not H.323-compliant clients such as NetMeeting.
Port 9093
The Interactive Audio/Video Services use this port for internal control connections between Interactive Audio/Video Services components. You should change this port only if another application on the Sametime server is using port 9093.
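The default ports from the tables above, turned into an added Python check (example code, not part of Sametime): it derives the TCP listeners a given configuration should have, flags the port 80 conflict that arises when the Domino HTTP server is left on port 80 while HTTP tunneling on port 80 is allowed, and compares the expected set against netstat output. The flag names, the Listener type and the netstat sample are this example's assumptions.

```python
"""Derive the TCP listeners a Sametime 3.1 server should have from the
default-port tables above, flag port conflicts, and compare the result with
what netstat reports. Only TCP listeners are modelled: port 389 is an
outbound connection to the LDAP server, and the dynamic UDP and multicast
ranges have no fixed listener. Added example, not Sametime code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    port: int
    service: str
    purpose: str
    internal: bool = False  # intraserver only: never opened to client networks


def expected_listeners(http_tunneling_on_80, https_enabled=False,
                       multiple_servers=False, domino_http_port=None):
    """TCP listeners implied by the tables for one server configuration.
    domino_http_port=None means "what the installer set": 8088 when HTTP
    tunneling on port 80 was allowed, otherwise 80."""
    if domino_http_port is None:
        domino_http_port = 8088 if http_tunneling_on_80 else 80
    mux = "Community Services multiplexer"
    found = []
    if http_tunneling_on_80:
        found.append(Listener(80, mux, "HTTP from Web browsers and tunneled clients"))
        found.append(Listener(8082, mux, "HTTP-tunneled connections from pre-3.1 clients"))
    found.append(Listener(domino_http_port, "Domino HTTP server", "HTTP"))
    if https_enabled:
        found.append(Listener(443, "Domino HTTP server", "HTTPS (SSL) from Web browsers"))
    found.append(Listener(1352, "Domino server", "Notes clients and Domino servers"))
    found.append(Listener(1533, mux, "direct TCP/IP, HTTP-tunneled and HTTPS clients"))
    found.append(Listener(8081, "Meeting Services", "Meeting Room client, call control"))
    found.append(Listener(554, "Broadcast Services", "RTSP call control"))
    found.append(Listener(1720, "Audio/Video Services", "H.323 call setup (Q.931)"))
    found.append(Listener(8084, "Audio/Video Services", "RTP tunneled over TCP"))
    found.append(Listener(9092, "Event Server", "intraserver", internal=True))
    found.append(Listener(9094, "Token Server", "intraserver", internal=True))
    found.append(Listener(8083, "Broadcast Services", "internal control", internal=True))
    found.append(Listener(9093, "Audio/Video Services", "internal control", internal=True))
    if multiple_servers:
        found.append(Listener(1516, "Community Services",
                              "server-to-server presence/chat and invited servers"))
        found.append(Listener(1503, "Meeting Services", "T.120 server-to-server"))
    return found


def port_conflicts(listeners):
    """Ports claimed by more than one service, e.g. Domino HTTP left on port 80
    while the multiplexer also takes port 80 for HTTP tunneling."""
    by_port = defaultdict(list)
    for lst in listeners:
        if lst.service not in by_port[lst.port]:
            by_port[lst.port].append(lst.service)
    return {port: svc for port, svc in by_port.items() if len(svc) > 1}


def firewall_ports(listeners):
    """Sorted TCP ports that must be reachable from client or peer-server
    networks; intraserver ports are left closed (least exposure)."""
    return sorted({lst.port for lst in listeners if not lst.internal})


def listening_tcp_ports(netstat_output):
    """Parse 'netstat -an' text (Windows layout) into the set of TCP ports
    in LISTENING state."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def audit(listeners, netstat_output):
    """(unexpected, missing): listening ports no Sametime service should own,
    and expected ports that are not listening."""
    expected = {lst.port for lst in listeners}
    observed = listening_tcp_ports(netstat_output)
    return sorted(observed - expected), sorted(expected - observed)


# Constructed sample, not captured from a real server: a tunneling-on-80
# install with several services down and one unrelated listener up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1533           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8088           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1533        192.0.2.55:4102        ESTABLISHED
"""
```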
Proxy support for Sametime clients
The table below shows the client-side proxy types through which clients can connect to the Sametime server.
Note The term “client-side” proxy refers to a proxy server that is deployed in the client's network. To access other machines on the Internet, the client connects to the client-side proxy and the proxy sends requests to the Internet on behalf of the client. Before sending these requests, the client-side proxy substitutes its IP address for the address of the client. This substitution hides the IP addresses of internal clients and makes it appear as if all outbound network traffic originates from a single address (the proxy server). Hiding internal addresses in this way makes it more difficult for attackers to gain knowledge of your internal networks. A client-side proxy is sometimes called a “forward” proxy. A Sametime server can be deployed behind a reverse HTTP proxy server (or “server-side” proxy). For more information about using a Sametime server with a reverse proxy server, see “Using reverse proxy servers with the Sametime server” later in this chapter.
Sametime client | SOCKS 4 proxy | SOCKS 5 proxy | HTTP proxy | HTTPS proxy
Sametime Connect | supported | supported | supported | supported
Sametime Meeting Room screen-sharing/whiteboard components | supported | not supported | supported | not supported*
Sametime Meeting Room participant list/chat components | supported | not supported | supported | not supported
Sametime Meeting Room interactive audio/video components | supported | not supported | not supported | not supported
Sametime Broadcast client | supported | not supported | supported | not supported
Presence list components in Sametime Discussion and TeamRoom databases | supported | not supported | supported | not supported
* Sametime Meeting Room clients can make HTTP connections through an HTTPS proxy. However, Sametime Meeting Room clients cannot make HTTPS connections through the HTTPS proxy. Sametime Connect supports a special feature of HTTPS proxies (called CONNECT) that enables the Sametime Connect client to maintain a persistent, asynchronous connection through an HTTPS proxy. The Meeting Room client does not support CONNECT.
Overview of Sametime client connectivity
This section includes descriptions of the connectivity settings available from
the Configuration-Connectivity-“Networks and Ports” tab of the Sametime
Administration Tool. These settings control the ports on which the Sametime
server listens for connections from clients and can affect the connection
processes of the clients. For information about the connectivity settings in the
Sametime Administration Tool, see “Configuring Sametime 'Networks and
Ports' settings” later in this chapter.
This section also describes the connection processes of each client to illustrate
how the connectivity settings on the “Networks and Ports” tabs affect the
connection processes of Sametime clients. The connection processes also
explain the client behavior in relation to proxy servers and Proxy
Auto-Configuration (PAC) files. For more information about client
connection processes, including direct TCP/IP connections and
HTTP-tunneled connections, see the following topics later in this chapter:
• “Sametime Connect client connection processes”
• “Meeting Room and Broadcast client connection processes”
• “NetMeeting/H.323 client connection processes”
Configuring Sametime "Networks and Ports" settings
Sametime connectivity settings are available from the “Networks and Ports”
tab of the Sametime Administration Tool. To access the “Networks and
Ports” tab, open the Sametime Administration Tool and select
Configuration-Connectivity-“Networks and Ports.”
The settings on the “Networks and Ports” tab define the host names and
ports on which the Sametime services listen for connections from clients and
control other aspects of connectivity, such as HTTP-tunneling functionality.
Changing these settings can affect the connection processes of clients.
The connectivity options available from the “Networks and Ports” tab
include:
• HTTP Services settings - These settings specify the ports on which the Domino HTTP server listens for HTTP connections from Web browsers. If the administrator allows HTTP tunneling on port 80, the Sametime Community Services multiplexer listens for HTTP connections on port 80, and the Domino HTTP server must listen on a different port to prevent a port conflict. For more information, see “HTTP Services settings” later in this chapter.
• Community Services Network settings - These settings specify the Community Services host names and ports and affect the connection processes of Community Services clients, including the client HTTP-tunneling functionality.
The Community Services support all presence and chat features of Sametime. The Community Services clients include Sametime Connect, the Sametime Meeting Room client (participant list and chat components), and the Community Services of other Sametime servers. For more information, see “Community Services Network settings” later in this chapter.
• Meeting Services Network settings - These settings specify the Meeting Services host name and ports and affect the connection processes of Meeting Services clients, including the client HTTP-tunneling functionality.
The Meeting Services support the starting and stopping of meetings, screen-sharing, whiteboard, polling, send Web page, and other T.120 activity. The Meeting Services clients include the Sametime Meeting Room client (screen-sharing, whiteboard, polling, and send Web page components) and the Meeting Services of other Sametime servers. For more information, see “Meeting Services Network settings” later in this chapter.
• Broadcast Services Network settings - These settings specify the Broadcast Services host name and ports and affect the connection processes of the Sametime Broadcast clients, including the client HTTP-tunneling functionality.
The Broadcast Services support all broadcast meetings. Broadcast meetings can also include audio and video. When a broadcast meeting includes audio/video, the Broadcast Services are responsible for transmitting the audio/video streams to the Broadcast clients. For more information, see “Broadcast Services Network settings” later in this chapter and Chapter 9, Configuring the Broadcast Services.
• Interactive Audio/Video settings - These settings specify the Audio/Video Services ports and affect the connection processes of the Audio/Video Services clients. The Audio/Video Services support all interactive IP audio and video activity on the Sametime server. Audio/Video Services clients include the Sametime Meeting Room client (audio and video components) and H.323-compliant clients such as NetMeeting. For more information, see “Interactive Audio/Video Network settings” later in this chapter.
• Reverse Proxy Support - These settings enable a Sametime server to be deployed behind a reverse proxy server. The administrator must configure these settings to ensure that Sametime clients can communicate with a Sametime server through the reverse proxy server. For more information, see “Using reverse proxy or portal servers with the Sametime server” later in this chapter and “Configuring a Sametime server to operate with a reverse proxy server” later in this chapter.
• About HTTP Tunneling - During installation, the administrator can allow HTTP tunneling on port 80 for all clients except audio/video clients. This capability enables the Sametime Connect client, Sametime Meeting Room client, and Sametime Broadcast clients to connect to the Sametime server using HTTP over port 80. The Sametime 3.1 server can support HTTP tunneling on port 80 for all clients when only one IP address is assigned to the server.
The administrator can also manually assign separate IP addresses to each of the Sametime services to accommodate the HTTP tunneling on port 80 functionality. Using multiple IP addresses to support the HTTP tunneling on port 80 functionality is more efficient than using a single IP address to support this functionality. For more information, see “About HTTP tunneling” later in this chapter.
• Assigning IP addresses to multiple Sametime servers installed on a single server machine - If you are operating Sametime on an IBM iSeries or pSeries server, you can install multiple Sametime servers on a single server machine. In this scenario, each instance of a Sametime server operates in a separate partition of the single physical server. When multiple servers are operating in separate partitions of a single machine, it is important for each server to be assigned a separate IP address. For more information, see “Assigning IP addresses to multiple Sametime servers installed on a single server machine” later in this chapter.
HTTP Services settings
Sametime installs on a Domino server and uses the HTTP server provided
with the Domino server.
During a Sametime installation, the administrator can allow HTTP tunneling
on port 80. To support the HTTP tunneling on port 80 functionality, the
Community Services multiplexer on the server listens for HTTP connections
from clients (including Web browsers) on port 80. A Web browser connects
to the Community Services multiplexer on port 80, and the Community
Services multiplexer makes an intraserver connection to the Domino HTTP
server on behalf of the Web browser.
If the administrator allows HTTP tunneling on port 80 during the Sametime
installation, the Domino HTTP server must listen for HTTP connections on a
port other than port 80. In this scenario, the Sametime server installation
programmatically changes the HTTP port of the Domino HTTP server to
port 8088 during the Sametime installation process. It is not necessary to
manually change the setting.
If the administrator does not allow HTTP tunneling on port 80 during the
Sametime installation, the Domino HTTP server listens for HTTP
connections on port 80 by default.
For more information about the HTTP tunneling functionality supported by Sametime, see “About HTTP tunneling” later in this chapter.
On some platforms, you can configure Sametime to operate using a
Microsoft IIS HTTP server or IBM WebSphere HTTP server. For information
on setting up Sametime to use a different HTTP Web server, see the
installation guide that shipped with the Sametime software.
Follow these instructions if you need to change the HTTP port of the Domino
HTTP server:
1. Open the Sametime Administration Tool.
2. Select Configuration-Connectivity-“Networks and Ports.”
3. Select “Configure HTTP Services on a Web page in its own window.”
4. Select Ports.
5. Select Internet Ports.
If the Domino server is set up for HTTP connections from Web browsers, you can change the “TCP/IP port number” setting.
The “TCP/IP port number” for the HTTP server is located under the “Web (HTTP/HTTPS)” column of the settings. To change the port used by the HTTP server, change the port associated with the “TCP/IP port number” field. (For example, if you are enabling HTTP tunneling on port 80 on a Sametime server that includes a single IP address, you may want to change the HTTP port from port 80 to 8088.)
6. Select “Internet Protocols.”
7. Select “Domino Web Engine.”
8. Under the “Generating References to this server” section, make the
following changes:
If the HTTP server uses HTTP for Web browser connections:
• In the Protocol setting, select “http.”
• In the “Port number” setting, enter the same port entered in the
“TCP/IP port number” setting in Step 5.
9. Click “Save and Close” to save the Server document.
10. Restart the Domino server for the change to take effect.
Community Services Network settings
The Community Services Network settings control the host names and ports
on which the Sametime Community Services multiplexer listens for
connections from clients. The administrator can also enable or disable the
HTTP tunneling functionality from the Community Services Network
settings.
Access the Community Services Network settings from the Sametime
Administration Tool by selecting Configuration-Connectivity-“Networks
and Ports.”
The Community Services multiplexer (or “mux”) is the component of the
Community Services that handles connections from clients. The Community
Services multiplexer handles TCP/IP connections to the Community
Services.
The Community Services multiplexer is particularly important to
connectivity. In addition to handling TCP/IP connections to the Community
Services, the Community Services multiplexer can also handle
HTTP-tunneled connections to the Community Services, Meeting Services,
and Broadcast Services. For more information, see “Sametime Connect client
connection processes” later in this chapter, “Meeting Room and Broadcast
client connection processes” later in this chapter, and “About http
tunneling” later in this chapter.
The Community Services Network settings include:
• Address for server connections
• Address for client connections
• Address for HTTPS-tunneled client connections
• Enable the Meeting Room client to try HTTP tunneling to the
Community Server after trying other options
• Address for HTTP-tunneled client connections (Community Services)
Address for server connections (Community Services)
The Community Services Network “Address for server connections” settings
control the IP addresses or DNS names and the ports on which the
Community Services listen for connections from the Community Services of
other Sametime servers.
The “Address for server connections” setting includes these fields:
• Host name
• Port number
Host name
The “Host name” field allows an administrator to specify the IP addresses or
DNS names (for example, www.sametime.com) on which the Community
Services multiplexer listens for connections from the Community Services of
other Sametime servers.
If this field is blank, the Community Services multiplexer listens for the
Community Services server-to-server connections on all IP addresses or DNS
names assigned to the machine on which the server is installed.
If only one IP address or DNS name is assigned to the server, Lotus software
recommends leaving the “Host name” field blank.
If you enter one or more IP addresses or DNS names in the “Host name”
field, the Community Services multiplexer listens for server-to-server
connections only on the IP addresses or DNS names specified in the “Host
name” field. When entering multiple IP addresses or DNS names in this
field, separate each entry with a comma.
Note If you are running Sametime on an IBM iSeries or pSeries server, you
can run multiple Sametime servers on a single machine. In this case, use the
“Host name” field to ensure that each of the multiple servers is assigned a
separate IP address. For more information, see “Assigning IP addresses to
multiple Sametime servers installed on a single server machine” later in this
chapter.
If you change this setting, click the Update button and restart the server for
the changes to take effect.
Port number
The “Port number” setting specifies the TCP/IP port (default 1516) on which
the Community Services multiplexer listens for connections from the
Community Services of other Sametime servers. Community Services
server-to-server connections are direct TCP/IP connections that cannot occur
through a proxy server.
This port is also used by the Community Services for intraserver connections
to other components of the Community Services. For example, the
Community Services multiplexer can listen for connections from Community
Services clients on port 1533 and port 80. The Community Services
multiplexer connects to other components of the Community Services on
port 1516.
For more information about working with multiple Sametime servers, see
the following topics in Chapter 14:
• “Integrating a Sametime server into an existing Sametime community”
• “Extending Sametime to Internet users”
If you change this setting, click the Update button and restart the server for
the changes to take effect.
Address for client connections (Community Services)
The Community Services Network “Address for client connections” settings
control the IP addresses or DNS names and the ports on which the
Community Services multiplexer listens for TCP/IP connections,
HTTP-tunneled connections, and HTTPS-tunneled connections from clients.
Note The Community Services multiplexer contains a connectivity agent
that enables the multiplexer to simultaneously listen for connections that use
different protocols (HTTP, HTTPS, or TCP/IP) on a single port. This feature
enables Community Services clients to establish connections to the Sametime
server in a wide variety of network environments.
These clients include Sametime Connect clients and Sametime Meeting
Room clients. For information on the connection processes of these clients,
see “Sametime Connect client connection processes” later in this chapter and
“Meeting Room and Broadcast client connection processes” later in this
chapter.
Note The term “TCP/IP connection” means that the clients and server use a
unique Sametime protocol operating over TCP/IP to establish a connection.
The client can make this TCP/IP connection directly to the Community
Services on the Sametime server or through a SOCKS proxy. A direct
TCP/IP connection provides the best performance. The direct TCP/IP
connection is also called a “Direct connection using Sametime standard
protocol” in the Sametime Connect client Sametime Connectivity settings.
The “Address for client connections” setting includes these fields:
• Host name
• Port number
Host name
The “Host name” field allows an administrator to specify the IP addresses or
DNS names (for example, www.sametime.com) on which the Community
Services multiplexer listens for TCP/IP connections, HTTP-tunneled
connections, and HTTPS-tunneled connections from clients.
If the “Host name” field is blank, the Community Services multiplexer
listens for these connections on all IP addresses or DNS names assigned to
the machine on which the Sametime server is installed.
If only one IP address or DNS name is assigned to the server, Lotus software
recommends leaving the “Host name” field blank.
If you enter one or more IP addresses or DNS names in the “Host name”
field, the Community Services multiplexer listens for TCP/IP connections
only on the IP addresses or DNS names specified in the “Host name” field.
When entering multiple IP addresses or DNS names in this field, separate
each entry with a comma.
Note If you are running Sametime on an IBM iSeries or pSeries server, you
can run multiple Sametime servers on a single machine. In this case, use the
“Host name” field to ensure that each of the multiple servers is assigned a
separate IP address. For more information, see “Assigning IP addresses to
multiple Sametime servers installed on a single server machine” later in this
chapter.
The “Host name” field can also be used if you decide to use multiple IP
addresses to support the HTTP tunneling functionality. For more
information, see “Configuring HTTP tunneling on a machine that uses
multiple IP addresses” later in this chapter.
If you change the “Host name” setting, click the Update button and restart
the server for the change to take effect.
Port number
The “Port number” setting allows an administrator to specify the ports
(default 1533) on which the Community Services multiplexer listens for
TCP/IP connections, HTTP-tunneled connections, and HTTPS-tunneled
connections from Community Services clients, such as the Sametime Connect
client and the Sametime Meeting Room client.
If multiple ports exist in the “Port number” field, the Community Services
multiplexer listens for these connections on all ports specified in the field.
For example, if the administrator enters ports 1533 and 1522 in this field, the
Community Services multiplexer listens for TCP/IP, HTTP-tunneled, and
HTTPS-tunneled connections on both ports 1533 and 1522. When entering
multiple ports in this field, separate each entry with a comma.
The Meeting Room client automatically attempts a direct TCP/IP connection
to the Community Services multiplexer on these ports after loading in the
user's Web browser.
Note The Meeting Room client will not attempt an HTTP-tunneled
connection to the Community Services on this port. For more information
about the Meeting Room client connection processes, see “Meeting Room
and Broadcast client connection processes” later in this chapter.
The Sametime Connect client can attempt a TCP/IP connection, an
HTTP-tunneled connection, or an HTTPS-tunneled connection to the
Community Services on this port. The type of connection the Sametime
Connect client attempts depends on the connectivity setting that is
specified in the Options-Preferences-Sametime Connectivity tab of the
Sametime Connect client. For more information about this connection
process, see the following topics later in this chapter:
• “Basic Sametime Connect client connection process”
• “Sametime Connect client connection processes using the Web browser
or Java Plug-in connectivity settings”
If you change the “Port number” setting, click the Update button and restart
the server for the change to take effect.
Address for HTTPS-tunneled client connections (Community Services)
The Community Services Network “Address for HTTPS-tunneled client
connections” settings control the IP addresses or DNS names and the ports
on which the Community Services multiplexer listens for HTTPS-tunneled
connections from the Sametime Connect client. Only the Sametime Connect
client can attempt HTTPS-tunneled connections to the Community Services.
For information about this connection process, see “Sametime Connect client
connection process” later in this chapter.
The “Address for HTTPS-tunneled client connections” setting includes these
fields:
• Host name
• Port number
Host name
The “Host name” field allows an administrator to specify the IP addresses or
DNS names (for example, www.sametime.com) on which the Community
Services multiplexer listens for HTTPS-tunneled connections from Sametime
Connect clients.
If the “Host name” field is blank, the Community Services multiplexer
listens for HTTPS-tunneled connections on all IP addresses or DNS names
assigned to the machine on which the Sametime server is installed.
If only one IP address or DNS name is assigned to the server, Lotus software
recommends leaving the “Host name” field blank.
If you enter one or more IP addresses or DNS names in the “Host name”
field, the Community Services multiplexer listens for HTTPS-tunneled
connections only on the IP addresses or DNS names specified in the “Host
name” field. When entering multiple IP addresses or DNS names in this
field, separate each entry with a comma.
Note If you are running Sametime on an IBM iSeries or pSeries server, you
can run multiple Sametime servers on a single machine. In this case, use the
“Host name” field to ensure that each of the multiple servers is assigned a
separate IP address. For more information, see “Assigning IP addresses to
multiple Sametime servers installed on a single server machine” later in this
chapter.
If you change the “Host name” setting, click the Update button and restart
the server for the changes to take effect.
Port number
The “Port number” setting allows an administrator to specify the ports
(default 1533) on which the Community Services multiplexer listens for
HTTPS-tunneled connections from Sametime Connect clients. If multiple
ports exist in the “Port number” field, the Community Services multiplexer
listens for HTTPS-tunneled connections on all ports specified. For example,
if the administrator enters ports 1533 and 443 in this field, the Community
Services multiplexer listens for HTTPS-tunneled connections on both ports
1533 and 443. When entering multiple ports in this field, separate each entry
with a comma.
The Sametime Connect client attempts HTTPS-tunneled connections through
an HTTPS proxy when the “Use proxy” and “Use HTTPS proxy” options are
selected in the Sametime Connect client Sametime Connectivity settings. For
more information, see "Basic Sametime Connect client connection process"
later in this chapter.
Many organizations have firewall or network configurations that prevent
HTTPS connections on the default port of 1533. For the Sametime Connect
clients to connect to the Community Services multiplexer, you might need to
specify port 443 as the “Address for HTTPS client connections” port. If you
specify port 443 as a Community Services HTTPS-tunneled client connection
port, note the following:
• The Sametime Connect clients must have the "Use proxy" and "Use
HTTPS proxy" options selected in the Sametime Connectivity settings.
• The "Community port" setting in the Sametime Connect client Sametime
Connectivity settings must match the Community Services
Network-Address for HTTPS client connections-"Port number" setting in
the Sametime Administration Tool. If you specify port 443 as the
Community Services Network-Address for HTTPS client
connections-"Port number" setting, the "Community port" setting in the
Sametime Connect clients must also specify port 443.
• The Sametime Connect client establishes an HTTPS connection, but this
HTTPS connection is not encrypted with SSL. To secure chat messages,
users should select the "Secure messages I start" option in the
Options-Preferences-Messages settings of the Sametime Connect client.
• If you have configured the Domino HTTP server to use SSL for Web
browser connections, the Domino HTTP server listens for HTTPS
connections on port 443. In this case, you cannot specify port 443 as the
Community Services Network-Address for HTTPS client
connections-"Port number" setting unless you assign multiple IP
addresses to the Sametime server machine. Otherwise, both the
Community Services multiplexer and the Domino HTTP server would
listen for HTTPS connections on the same port number and IP
address. For more information on this issue, see the "Things you need to
know" section of the Sametime 3.1 Release Notes (strn31.nsf or
strn31.pdf on the Sametime CD).
If you change the HTTPS Tunneled Client Connections Port setting, click the
Update button and restart the server for the changes to take effect.
Enable the Meeting Room client to try HTTP tunneling to the
Community Server after trying other options
The Community Services Network "Enable the Meeting Room client to try
HTTP tunneling to the Community Server after trying other options" setting
enables the Sametime Meeting Room client to use HTTP to establish
connections with the Community Services multiplexer.
When this setting is enabled, the Sametime Meeting Room client attempts an
HTTP-tunneled connection to the Meeting Services if the following settings
match:
• The "Host name" and "Port number" settings under "Address for HTTP
tunneled client connections" in the Meeting Services Network settings.
• The "Host name" and "Port number" settings under "Address for HTTP
tunneled client connections" in the Community Services Network
settings.
The Meeting Room client attempts the HTTP-tunneled connection on the
matching port number.
Note the following about this setting:
• If the administrator allows HTTP tunneling on port 80 during the
Sametime server installation, the following settings both specify port 80:
• The "Port number" setting under "Address for HTTP tunneled client
connections" in the Meeting Services Network settings.
• The "Port number" setting under "Address for HTTP tunneled client
connections" in the Community Services Network settings.
This configuration enables the Sametime server to support HTTP
tunneling on port 80 on a Sametime server that uses a single IP address.
For more information, see "About http tunneling" later in this chapter.
• The Meeting Room client attempts a TCP/IP connection to the
Community Services before attempting an HTTP-tunneled connection to
the Community Services multiplexer. For more information about the
Meeting Room client connection process, see "Meeting Room and
Broadcast client connection processes" later in this chapter.
• If the "Enable the Meeting Room client to try HTTP tunneling to the
Community Server after trying other options" setting is disabled, the
Meeting Room client will not attempt HTTP-tunneled connections to the
Community Services multiplexer.
The Meeting Room client might attempt HTTP-tunneled connections to
the Meeting Services (instead of the Community Services multiplexer) if
the Meeting Services "Enable the Meeting Room client to try HTTP
tunneling to the Meeting Server after trying other options" setting is
enabled. For more information, see "Enable Meeting Room client to try
HTTP tunneling to the Meeting Server after trying other options" later in
this chapter.
Address for HTTP-tunneled client connections (Community Services)
The Community Services Network "Address for HTTP tunneled client
connections" settings control the IP addresses or DNS names and the ports
on which the Community Services multiplexer listens for HTTP-tunneled
connections from clients.
The fields included with this setting are:
• Host name
• Port number
Host name
The "Host name" field allows an administrator to specify the IP addresses or
DNS names (for example, www.sametime.com) on which the Community
Services multiplexer listens for HTTP-tunneled connections from clients.
If the "Host name" field is blank, the Community Services multiplexer listens
for HTTP-tunneled connections on all IP addresses or DNS names assigned
to the machine on which the Sametime server is installed.
If only one IP address or DNS name is assigned to the server, Lotus software
recommends leaving the "Host name" field blank.
If you enter one or more IP addresses or DNS names in the "Host name"
field, the Community Services multiplexer listens for HTTP-tunneled
connections only on the IP addresses or DNS names specified in the "Host
name" field. When entering multiple IP addresses or DNS names in this
field, separate each entry with a comma.
Note If you are running Sametime on an IBM iSeries or pSeries server, you
can run multiple Sametime servers on a single machine. In this case, use the
"Host name" field to ensure that each of the multiple servers is assigned a
separate IP address. For more information, see "Assigning IP addresses to
multiple Sametime servers installed on a single server machine" later in this
chapter.
The "Host name" field can also be used if you decide to use multiple IP
addresses to support the HTTP tunneling functionality. For more
information, see "Configuring HTTP tunneling on a machine that uses
multiple IP addresses" later in this chapter.
If you change the Address for HTTP-tunneled connections "Host name"
setting, click the Update button and restart the server for the changes to take
effect.
Port number
The "Port number" field allows an administrator to specify the ports on
which the Community Services multiplexer listens for HTTP-tunneled
connections from Sametime clients.
The default port numbers are dependent on the "Allow HTTP tunneling on
port 80" option available to the Sametime administrator during the Sametime
server installation.
• If the administrator chooses the "Allow HTTP tunneling on port 80"
option during the Sametime server installation, the default port number
is port 80.
• If the administrator does not choose the "Allow HTTP tunneling on port
80" option during the Sametime server installation, the default port
numbers are ports 1533 and 8082.
If multiple ports exist in this "Port number" field, the Community Services
multiplexer listens for HTTP-tunneled connections on all ports specified. For
example, when ports 80 and 8082 are entered in this field, the Community
Services multiplexer simultaneously listens for HTTP-tunneled connections
on both ports 80 and 8082. When entering multiple ports in this field,
separate each entry with a comma.
Note The Community Services multiplexer will also listen for
HTTP-tunneled connections on the Community Services Network-Address
for client connections-Port number (default 1533).
The Sametime Meeting Room client, the Sametime Connect client, and the
Sametime Broadcast client can make HTTP-tunneled connections to the
Community Services multiplexer. These HTTP-tunneled connections are
discussed below.
Meeting Room client connection to Community Services
When joining a meeting, the Meeting Room client must make separate
connections to the Community Services and the Meeting Services. The
Meeting Room client attempts a TCP/IP connection to the Meeting Services
(on default port 8081) and a separate TCP/IP connection to the Community
Services (on default port 1533). If the network configuration prevents these
TCP/IP connections, the Meeting Room client resorts to HTTP tunneling, as
described below:
• To establish a Community Services connection, the Meeting Room client
attempts an HTTP-tunneled connection to the Community Services
multiplexer using the Port number specified in the "Port number" field
under "Address for HTTP tunneled client connections" in the
Community Services Network settings. The Community Services
multiplexer handles all connections (TCP/IP or HTTP-tunneled) to the
Community Services.
• To establish the Meeting Services connection, the Meeting Room client
attempts an HTTP-tunneled connection to the Community Services
multiplexer if both of the following conditions exist:
• The "Enable the Meeting Room client to try HTTP tunneling to the
Community Server after trying other options" setting is enabled.
• A port specified in the "Port number" field under "Address for HTTP
tunneled client connections" in the Meeting Services Network settings
matches a port number specified in the "Port number" field under
"Address for HTTP tunneled client connections" in the Community
Services Network settings. The connection attempt to the Community
Services multiplexer occurs on the matching port number. (If none of
the port settings in these two "Port number" fields match, the
HTTP-tunneled Meeting Services connection occurs to the Meeting
Services instead of the Community Services multiplexer.)
If the administrator allows HTTP tunneling on port 80 during the
Sametime server installation, both the Community Services and
Meeting Services HTTP tunneling ports default to port 80. The
Meeting Room client attempts the HTTP-tunneled Meeting Services
connection to the Community Services multiplexer on port 80 (the
matching port number). The Community Services multiplexer
handles the HTTP-tunneled connection from the client and forwards
the data to the Meeting Services.
For more information, see the following:
• "Meeting Room client connection process using Microsoft VM
(Community Services and Meeting Services)" later in this chapter
• "Meeting Room client connection process using JVM 1.4.1
(Community Services and Meeting Services)" later in this chapter
• "Configuring HTTP tunneling settings" later in this chapter.
Sametime Connect client connection
The Sametime Connect client can attempt an HTTP-tunneled connection to
the Community Services multiplexer when any of the following options are
selected in the Sametime Connectivity tab of the Sametime Connect client:
• Use my Internet Explorer HTTP settings (Sametime Connect for the
desktop only)
• Use my Internet Explorer browser settings (Sametime Connect for
browsers only)
• Direct connection using HTTP protocol
• Use Proxy and Use HTTP proxy
• Use my Java Plug-in settings, when an HTTP proxy server is
specified in the Java Plug-in settings (applies only when Sametime
Connect for browsers operates with Sun Microsystems JVM 1.4.1)
The Sametime Connect client will use the port specified as the "Community
port" (default 1533) in the Options-Preferences-Sametime Connectivity tab of
the Sametime Connect client to establish an HTTP-tunneled connection with
the Community Services multiplexer. To enable the Sametime Connect client
to successfully establish an HTTP-tunneled connection to the Community
Services, the "Community port" setting in the Sametime Connect client must
match one of the port numbers on which the Community Services
multiplexer listens for HTTP-tunneled connections. Note that the
Community Services multiplexer will listen for HTTP-tunneled connections
on these ports:
• The "Port number" setting under "Address for client connections" in the
Community Services Network settings of the Sametime Administration
Tool
• The "Port number" setting under "Address for HTTP tunneled client
connections" in the Community Services Network settings of the
Sametime Administration Tool
Note If the Sametime Connect client must connect to the Sametime server
through a firewall that allows only HTTP connections on port 80, the
"Community port" setting on the Sametime Connect client must specify port
80, and one of the Community Services Network administration settings
listed above must also specify port 80, to enable the client to establish an
HTTP-tunneled connection to the server.
For more information about the Sametime Connect client connection
processes, see the following topics later in this chapter:
• "Basic Sametime Connect client connection process"
• "Sametime Connect client connection processes using the Web browser
or Java Plug-in connectivity settings"
• "Configuring HTTP tunneling settings"
Note The port 8082 setting in the "Port number" field under "Address for
HTTP tunneled client connections" in the Community Services Network
settings ensures backward compatibility with previous Sametime releases. In
previous releases, Sametime clients made direct TCP/IP connections to the
Community Services on port 1533 and HTTP connections on port 8082. If a
Sametime Connect client or Sametime Meeting Room client from a previous
Sametime release attempts an HTTP-tunneled connection to a Sametime 3.1
server, the client might attempt this connection on port 8082 by default.
Listing port 8082 in the HTTP Tunneling port setting ensures that these
clients can establish HTTP-tunneled connections with the Community
Services on the Sametime 3.1 server.
If you change the "Port number" setting, click the Update button and restart
the server for the changes to take effect.
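The port-matching rules spread across the Community Services Network settings above are easy to get wrong when planning a deployment: which ports the multiplexer accepts HTTP-tunneled connections on, whether a Sametime Connect client's "Community port" reaches one of them, when the Meeting Room client's HTTP-tunneled Meeting Services connection goes to the multiplexer rather than to the Meeting Services, and when a multiplexer port collides with a Domino HTTP listener on the same address (the port 80 case in the Domino HTTP port procedure at the start of this section and the port 443 case under "Address for HTTPS-tunneled client connections"). The following Python script is an added example and is not part of this guide or of the Sametime product; it encodes those rules as this chapter states them so that a planned configuration can be checked before the server is restarted. The `CommunityServicesNetwork` and `MeetingServicesNetwork` classes, their field names, the `multiple_ips` flag, and all sample values are assumptions made for the example; the Meeting Services HTTP-tunneled port has no default given in this section, so the sample supplies a constructed one. The collision check generalizes the two cases in the text to any shared port, and treats a blank "Host name" on a multi-address machine as still colliding because the text says a blank field makes the multiplexer listen on every address.

```python
"""Check a planned Sametime 3.1 port layout against the rules stated in this chapter.

Added example, not Sametime code: the class and field names are assumptions; the
rules they encode are the ones given for the Community Services Network and
Meeting Services Network settings.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


def parse_ports(value: str) -> Set[int]:
    """Parse a comma-separated "Port number" field such as "1533, 8082"."""
    ports: Set[int] = set()
    for item in value.split(","):
        item = item.strip()
        if item:
            port = int(item)
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
            ports.add(port)
    return ports


def parse_hosts(value: str) -> List[str]:
    """Parse a comma-separated "Host name" field; an empty list means every address."""
    return [h.strip() for h in value.split(",") if h.strip()]


@dataclass
class CommunityServicesNetwork:
    """Community Services Network settings (assumed field names; defaults from the text)."""
    client_hosts: str = ""
    client_ports: str = "1533"             # Address for client connections
    https_hosts: str = ""
    https_ports: str = "1533"              # Address for HTTPS-tunneled client connections
    http_tunnel_hosts: str = ""
    http_tunnel_ports: str = "1533, 8082"  # Address for HTTP-tunneled client connections
    meeting_room_tunnel_to_mux: bool = True  # "Enable the Meeting Room client to try HTTP tunneling ..."


@dataclass
class MeetingServicesNetwork:
    """Meeting Services Network settings (assumed field names)."""
    http_tunnel_ports: str = ""  # constructed: this section gives no default for it


def mux_listeners(cs: CommunityServicesNetwork) -> List[Tuple[str, List[str], Set[int]]]:
    """The three client-facing listeners of the Community Services multiplexer."""
    return [
        ("Address for client connections", parse_hosts(cs.client_hosts), parse_ports(cs.client_ports)),
        ("Address for HTTPS-tunneled client connections", parse_hosts(cs.https_hosts), parse_ports(cs.https_ports)),
        ("Address for HTTP-tunneled client connections", parse_hosts(cs.http_tunnel_hosts), parse_ports(cs.http_tunnel_ports)),
    ]


def mux_http_tunnel_ports(cs: CommunityServicesNetwork) -> Set[int]:
    """Ports on which the multiplexer accepts HTTP-tunneled connections: the
    "Address for client connections" ports plus the HTTP-tunneled client ports."""
    return parse_ports(cs.client_ports) | parse_ports(cs.http_tunnel_ports)


def connect_client_can_http_tunnel(cs: CommunityServicesNetwork, community_port: int) -> bool:
    """True if a Sametime Connect client's "Community port" can reach the multiplexer over HTTP."""
    return community_port in mux_http_tunnel_ports(cs)


def meeting_room_http_target(cs: CommunityServicesNetwork,
                             ms: MeetingServicesNetwork) -> Tuple[str, List[int]]:
    """Where the Meeting Room client sends its HTTP-tunneled Meeting Services connection:
    to the multiplexer only if the option is enabled and an HTTP-tunneled port is listed in
    both the Meeting Services and Community Services settings, else to the Meeting Services."""
    if not cs.meeting_room_tunnel_to_mux:
        return ("meeting_services", [])
    matching = parse_ports(cs.http_tunnel_ports) & parse_ports(ms.http_tunnel_ports)
    return ("multiplexer", sorted(matching)) if matching else ("meeting_services", [])


def domino_listener_conflicts(cs: CommunityServicesNetwork, domino_ports: Set[int],
                              multiple_ips: bool) -> List[str]:
    """Multiplexer settings whose ports collide with a Domino HTTP/HTTPS listener.
    On a single-address machine any shared port collides (the port 80 and port 443 cases
    in the text); on a multi-address machine a blank "Host name" still collides, because
    the multiplexer then listens on every address."""
    out: List[str] = []
    for name, hosts, ports in mux_listeners(cs):
        shared = ports & domino_ports
        if shared and (not multiple_ips or not hosts):
            out.append(f"{name}: port(s) {sorted(shared)} also used by the Domino HTTP server")
    return out


def https_443_caveats(cs: CommunityServicesNetwork) -> List[str]:
    """Client-side requirements that follow from listing 443 as an HTTPS-tunneled port."""
    if 443 not in parse_ports(cs.https_ports):
        return []
    return ["Connect clients need 'Use proxy' + 'Use HTTPS proxy' and Community port 443",
            "HTTPS-tunneled connections are not SSL-encrypted; users need 'Secure messages I start'"]


if __name__ == "__main__":
    # Constructed sample: installation chose "Allow HTTP tunneling on port 80" and the
    # Domino HTTP server was left on port 80 with SSL on 443, single IP address.
    cs = CommunityServicesNetwork(http_tunnel_ports="80", https_ports="1533, 443")
    ms = MeetingServicesNetwork(http_tunnel_ports="80")
    print("mux HTTP-tunneled ports:", sorted(mux_http_tunnel_ports(cs)))
    print("Meeting Room HTTP target:", meeting_room_http_target(cs, ms))
    for line in domino_listener_conflicts(cs, {80, 443}, multiple_ips=False) + https_443_caveats(cs):
        print("-", line)
```

Running the sample reports that the HTTP-tunneled listener on port 80 and the HTTPS-tunneled listener on port 443 both collide with the Domino HTTP server on a single-address machine; moving Domino to port 8088 (as the procedure at the start of this section suggests) clears the port 80 finding, while the port 443 finding clears only with a second IP address and a non-blank HTTPS "Host name".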
Meeting Services Network settings
The Meeting Services Network settings control the host names and ports on
which the Meeting Services listen for connections from the Sametime
Meeting Room client. The administrator can also enable or disable the HTTP
tunneling functionality for connections to the Meeting Services from these
settings. Access these settings from the Sametime Administration Tool by
selecting Configuration-Connectivity-"Networks and Ports."
The Meeting Services Network settings include:
• Address for server connections
• Address for client connections
• Enable the Meeting Room client to try HTTP tunneling to the Meeting
Server after trying other options
• Event Server port
• Token Server port
Address for server connections (Meeting Services)
The Meeting Services Network "Address for server connections" settings
control the IP address or DNS name and the port on which the Meeting
Services listen for T.120 connections from the Meeting Services of other
Sametime servers. Microsoft NetMeeting (and other T.120-compliant clients)
also attempt connections on this host name and port.
The fields in the "Address for server connections" setting include:
• Host name
• Port number
Host name
The "Host name" field allows an administrator to specify the IP address or
DNS name (for example, www.sametime.com) on which the Meeting
Services listen for T.120 connections from the Meeting Services of other
Sametime servers or from NetMeeting clients.
When only one IP address or DNS name is assigned to the Sametime server,
Lotus software recommends leaving the "Host name" field blank.
The "Host name" field can also be used if you decide to use multiple IP
addresses to support the HTTP tunneling functionality. For more
information, see "Configuring HTTP tunneling on a machine that uses
multiple IP addresses" later in this chapter.
Note If you are running Sametime on an IBM iSeries or pSeries server, you
can run multiple Sametime servers on a single machine. In this case, use the
"Host name" field to ensure that each of the multiple Sametime servers is
assigned a separate IP address. For more information, see "Assigning IP
addresses to multiple Sametime servers installed on a single server machine"
later in this chapter.
If you change the "Host name" field, click the Update button and restart the
server for the changes to take effect.
Port number
The "Port number" field specifies the port (default 1503) on which the
Meeting Services listen for T.120 connections from the Meeting Services of
other Sametime servers or T.120-compliant clients, such as NetMeeting.
T.120 connections are direct TCP/IP connections that cannot occur through a
proxy server.
Note Port 1503, the default setting, is the registered port for T.120
connections.
A Sametime server connects to another Sametime server on this port when
multiple Sametime servers are installed and integrated into the same
community. For more information, see "Advantages of using multiple
Sametime servers" in Chapter 14, "Integrating a Sametime server into an
existing Sametime community" in Chapter 14, or "Extending Sametime to
Internet users" in Chapter 14.
When NetMeeting is used to attend meetings on the Sametime server, a
NetMeeting client also connects to the server on the port number specified
under "Address for server connections" in the Meeting Services Network
settings. NetMeeting clients exchange screen-sharing and whiteboard data
with the server on this port.
Note The screen-sharing and whiteboard features of NetMeeting are not
compatible with the screen-sharing and whiteboard features of the Sametime
Meeting Room client. These two clients cannot exchange screen-sharing and
whiteboard data in the same meeting. For more information, see "Allowing
or preventing the use of NetMeeting for screen sharing and whiteboard" in
Chapter 8.
If you change the "Port number" field, click the Update button and restart the
server for the changes to take effect.
Address for client connections (Meeting Services)
The Meeting Services network "Address for client connections" settings
control the IP address or DNS name and the port on which the Meeting
Services listen for TCP/IP connections from Sametime Meeting Room clients.
For information on this connection process, see "Meeting Room client
connection process (Community Services and Meeting Services)" later in this
chapter.
Note The term "TCP/IP connection" means that the clients and server use a
unique Sametime protocol operating over TCP/IP to establish a connection.
The client can make this TCP/IP connection directly to the server or make
the TCP/IP connection to the server through a SOCKS proxy. A direct
TCP/IP connection to the Meeting Services results in more efficient
performance than a TCP/IP connection through a SOCKS proxy or an
HTTP-tunneled connection.
The "Address for client connections" settings include these fields:
• Host name
• Port number
Host name
The "Host name" field allows an administrator to specify the IP address or
DNS name (for example, www.sametime.com) on which the Meeting
Services listen for direct TCP/IP connections from Sametime clients.
When only one IP address or DNS name is assigned to the Sametime server,
Lotus software recommends leaving the "Host name" field blank.
The "Host name" field can also be used if you decide to use multiple IP
addresses to support the HTTP tunneling functionality. For more
information, see "Configuring HTTP tunneling on a machine that uses
multiple IP addresses" later in this chapter.
If you change the "Host name" setting, click the Update button and restart
the server for the changes to take effect.
Note If you are running Sametime on an IBM iSeries or pSeries server, you
can run multiple Sametime servers on a single machine. In this case, use the
"Host name" field to ensure that each of the multiple servers is assigned a
separate IP address. For more information, see "Assigning IP addresses to
multiple Sametime servers installed on a single server machine" later in this
chapter.
Port number
The "Port number" field allows an administrator to specify the port (default
8081) on which the Meeting Services listen for TCP/IP connections from the
Sametime Meeting Room client. The Sametime Meeting Room client
exchanges screen-sharing, whiteboard, send Web page, question and answer
polling, and other Meeting Services data with the Sametime server on this
port.
The Meeting Room client automatically attempts a direct TCP/IP connection
to the Meeting Services on this port after loading in the user's Web browser.
For more information on the Meeting Room client connection processes, see
"Meeting Room and Broadcast client connection processes" later in this
chapter.
The audio/video components of the Sametime Meeting Room client also use
the connection on this port to exchange call-control data. For more
information, see "Meeting Room client connection process using Microsoft
VM (Audio/Video Services)" later in this chapter or "Meeting Room client
connection process using JVM 1.4.1 (Audio/Video Services)" later in this
chapter.
If you change the Address for client connections "Port number" setting, click
the Update button and restart the server for the changes to take effect.
Enable Meeting Room client to try HTTP tunneling to the Meeting
Server after trying other options
The Meeting Services Network "Enable Meeting Room client to try HTTP
tunneling to the Meeting Server after trying other options" setting enables
the Sametime Meeting Room client to use HTTP to establish connections
with the Meeting Services when a TCP/IP connection fails. This option is
selected by default.
The Sametime Meeting Room client can attempt two different kinds of
connections to the Meeting Services:
• A connection using a unique Sametime protocol over TCP/IP
• An HTTP-tunneled connection (the unique Sametime protocol data is
encased within an HTTP request)
Note The Sametime Meeting Room client can make HTTP-tunneled
Meeting Services connections to either the Community Services multiplexer
or the Meeting Services. The "Port number" setting under "Address for HTTP
tunneled client connections" in the Meeting Services Network settings
determines whether this connection occurs to the Community Services
multiplexer or the Meeting Services. For more information, see the "Port
number" heading later in this topic.
For more information on the Meeting Room connection processes, see
"Meeting Room and Broadcast client connection processes" later in this
chapter.
Address for HTTP tunneled client connections (Meeting Services)
The Meeting Services network "Enable Meeting Room client to try HTTP
tunneling to the Meeting Server after trying other options" setting must be
selected for the "Address for HTTP tunneled client connections" settings to
take effect.
The Meeting Services network "Address for HTTP-tunneled client
connections" settings control the IP addresses or DNS names and the port on
which the Meeting Services listen for HTTP-tunneled connections from the
Sametime Meeting Room client.
Note Sametime uses a unique Sametime protocol over TCP/IP to establish
connections with the Meeting Services. The Sametime protocol data can be
encased within an HTTP request to enable Sametime clients to connect using
HTTP. This capability is referred to as "HTTP tunneling."
Host name
The Address for HTTP tunneled client connections "Host name" field allows
an administrator to specify the IP address or DNS name (for example,
www.sametime.com) on which the Meeting Services listen for HTTP-tunneled
connections from the Sametime Meeting Room client.
When only one IP address or DNS name is assigned to the Sametime server,
Lotus software recommends leaving the "Host name" field blank.
Note If you are running Sametime on an IBM iSeries or pSeries server, you
can run multiple Sametime servers on a single machine. In this case, use the
"Host name" field to ensure that each of the multiple servers is assigned a
separate IP address. For more information, see "Assigning IP addresses to
multiple Sametime servers installed on a single server machine" later in this
chapter.
If you change the Address for HTTP-tunneled client connections "Host
name" setting, click the Update button and restart the server for the
changes to take effect.
Port number
The Address for HTTP tunneled client connections "Port number" setting
allows an administrator to specify the port on which the Meeting Services
listen for HTTP-tunneled connections from Sametime Meeting Room clients.
The default port numbers are dependent on the "Allow HTTP tunneling on
port 80" option available to the Sametime administrator during the Sametime
server installation.
• If the administrator chooses the "Allow HTTP tunneling on port 80"
option during the Sametime server installation, the default port number
is port 80.
• If the administrator does not choose the "Allow HTTP tunneling on port
80" option during the Sametime server installation, the default port
number is 8081.
To establish an HTTP-tunneled connection to the Meeting Services, the
Meeting Room client can either connect to the Meeting Services or to the
Community Services multiplexer. This "Port number" setting determines
whether the Meeting Room client establishes an HTTP-tunneled connection
to the Community Services multiplexer or the Meeting Services. Note the
following:
• If a port number in the "Port number" field under "Address for HTTP
tunneled client connections" in the Meeting Services Network settings
matches a port number specified in the "Port number" field under "HTTP
tunneled client connections" in the Community Services Network
settings, the Meeting Room client makes the HTTP-tunneled connection
to the Community Services multiplexer. This connection occurs using the
matching port number.
If the administrator allows HTTP tunneling on port 80 during the
Sametime server installation, both the Community Services and Meeting
Services HTTP tunneling ports default to port 80. The Meeting Room
client attempts the HTTP-tunneled Meeting Services connections to the
Community Services multiplexer. The Community Services multiplexer
handles the HTTP-tunneled connection from the client and makes an
intraserver TCP/IP connection to the Meeting Services on behalf of the
client.
Note The Community Services network "Enable the Meeting Room
client to try HTTP tunneling to the Community Server after trying other
options" setting must also be enabled to allow the Meeting Room client
to make HTTP-tunneled connections to the Community Services
multiplexer.
• If none of the port numbers specified in the "Port number" field under
"Address for HTTP tunneled client connections" in the Meeting Services
Network settings match a port number specified in the "Port number"
field under "HTTP tunneled client connections" in the Community
Services Network settings, the Meeting Room client makes the
HTTP-tunneled connection to the Meeting Services without using the
Community Services multiplexer. This connection occurs using the port
number specified in the "Port number" field under "Address for HTTP
tunneled client connections" in the Meeting Services Network settings.
For example, if the "Port number" field under "Address for HTTP
tunneled client connections" in the Community Services Network
settings specifies port 80 and the "Port number" field under "Address for
HTTP tunneled client connections" in the Meeting Services Network
settings specifies port 85, the Meeting Room client makes one
HTTP-tunneled connection to the Community Services multiplexer on
port 80 and a separate HTTP-tunneled connection to the Meeting
Services on port 85.
Note The Meeting Services network "Enable Meeting Room client to try
HTTP tunneling to the Meeting Server after trying other options" setting
must also be enabled to allow the Meeting Room client to make
HTTP-tunneled connections to the Meeting Services.
• The "Host name" settings can also affect whether the Meeting Room
client HTTP-tunneled connection occurs to the Community Services
multiplexer or the Meeting Services. The "Host name" setting can affect
the connection process only if multiple IP addresses or DNS host names
are assigned to the Sametime server.
If the "Host name" field under "Address for HTTP tunneled client
connections" in the Meeting Services Network settings specifies a
different host name than the "Host name" field under "Address for
HTTP tunneled client connections" in the Community Services Network
settings, the Meeting Room client makes the HTTP-tunneled connection
to the Meeting Services regardless of the "Port number" settings. If these
two settings specify different host names, the client does not try an
HTTP-tunneled connection to the Community Services multiplexer.
For more information about configuring the HTTP tunneling settings,
see the following topics later in this chapter:
• "Configuring HTTP tunneling settings"
• "Configuring HTTP tunneling on a machine that uses multiple IP
addresses"
If you change the "Port number" setting, click the Update button and restart
the server for the changes to take effect.
Event server port
The "Event server" port (default 9092) is used for intraserver connections
between components of the Sametime server.
Generally, it is only necessary to change this port if you have installed
multiple Sametime servers on a single server machine or if another
application on the server uses port 9092.
Because this port and the "Token server" port (below) carry only intraserver
traffic, neither needs to be reachable from client networks; a host or
network firewall in front of the Sametime server can block them from
outside without affecting Sametime clients.
Note If you run Sametime on an IBM iSeries or pSeries machine, you can
install multiple Sametime servers on a single machine, within the same
logical partition. Each Sametime server instance runs on a separate
partitioned Domino server. If you run Sametime on Windows 2000 or
Windows NT, you can only install one server on each Windows machine.
If multiple Sametime servers are running on the same machine, you must
ensure that each Sametime server specifies a different port as the "Event
server" port. For example, if Sametime server 1 and Sametime server 2 are
running in separate partitions of an iSeries machine, you can specify port
9092 as the "Event server" port for Sametime server 1 and port 9095 as the
"Event server" port for Sametime server 2. Sametime for iSeries provides an
option to specify the Event server port at the time you configure your
Sametime server.
For more information, see "Assigning IP addresses to multiple Sametime
servers installed on a single server machine" later in this chapter.
Token server port
The "Token server" port (default 9094) is used for intraserver connections
between components of the Sametime server.
Generally, it is only necessary to change this port if you have installed
multiple Sametime servers on a single server machine or if another
application on the server uses port 9094.
Note If you run Sametime on an IBM iSeries or pSeries machine, you can
install multiple Sametime servers on a single machine within the same
logical partition. Each Sametime server instance runs on a separate
partitioned Domino server. If you run Sametime on Windows 2000 or
Windows NT, you can only install one server on each Windows machine.
If multiple Sametime servers are running on the same machine, you must
ensure that each Sametime server specifies a different port as the "Token
server" port. For example, if Sametime server 1 and Sametime server 2 are
running in separate partitions of an iSeries machine, you might want to
specify port 9094 as the "Token server" port for Sametime server 1 and port
9096 as the "Token server" port for Sametime server 2. Sametime for iSeries
provides an option to specify the Token server port at the time you configure
your Sametime server.
For more information, see "Assigning IP addresses to multiple Sametime
servers installed on a single server machine" later in this chapter.
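The port settings described so far (the client-facing Meeting Services and Broadcast Services ports, and the intraserver Broadcast gateway control, Event server and Token server ports) and the rule that instances sharing one machine need distinct ports can be checked mechanically. The following Python script is an added example written for this guide, not code from the Sametime product. It models one instance's settings with the guide's default port numbers, flags ports that two instances on one machine would both bind (an instance with a blank "Host name" binds every local address; the Event server and Token server ports have no "Host name" field and are assumed to bind regardless of address), and probes a server from a client network to catch intraserver ports that answer from outside. The SametimeInstance, find_collisions and audit_exposure names and the probe results in the main block are the example's own and constructed.

```python
import socket
from dataclasses import dataclass

CLIENT = "client"            # contacted by Meeting Room, Broadcast or NetMeeting clients
INTRASERVER = "intraserver"  # traffic between components of one Sametime server


@dataclass
class SametimeInstance:
    """Port settings of one Sametime server instance; defaults are the guide's."""
    name: str
    host: str = ""                    # "Host name" fields; blank binds every local address
    meeting_client: int = 8081        # Meeting Services, address for client connections
    meeting_http_tunnel: int = 8081   # 80 if "Allow HTTP tunneling on port 80" was chosen
    broadcast_rtsp: int = 554         # Broadcast gateway address for client connections
    broadcast_http_tunnel: int = 554  # 80 if "Allow HTTP tunneling on port 80" was chosen
    broadcast_control: int = 8083     # Broadcast gateway controller to gateway
    event_server: int = 9092          # no "Host name" field: assumed to bind every address
    token_server: int = 9094          # no "Host name" field: assumed to bind every address

    def listeners(self):
        """(setting, port, role, has_host_field) for each listener the instance opens."""
        return [
            ("meeting_client", self.meeting_client, CLIENT, True),
            ("meeting_http_tunnel", self.meeting_http_tunnel, CLIENT, True),
            ("broadcast_rtsp", self.broadcast_rtsp, CLIENT, True),
            ("broadcast_http_tunnel", self.broadcast_http_tunnel, CLIENT, True),
            ("broadcast_control", self.broadcast_control, INTRASERVER, True),
            ("event_server", self.event_server, INTRASERVER, False),
            ("token_server", self.token_server, INTRASERVER, False),
        ]


def find_collisions(instances):
    """Ports that two instances on one machine would both try to bind.

    A port may repeat only when both listeners are tied to "Host name" fields
    naming different addresses; the Event server and Token server ports have
    no such field and must differ per instance. The same port used twice
    inside one instance (the 8081 defaults) is not a collision.
    """
    found = set()
    for i, a in enumerate(instances):
        for b in instances[i + 1:]:
            separate_ip = bool(a.host and b.host and a.host != b.host)
            for _, port_a, _, host_a in a.listeners():
                for _, port_b, _, host_b in b.listeners():
                    if port_a == port_b and not (separate_ip and host_a and host_b):
                        found.add((port_a, a.name, b.name))
    return sorted(found)


def tcp_open(host, port, timeout=1.0):
    """True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_exposure(instance, host, probe=tcp_open):
    """Probe each listener of `instance` at `host` from the caller's vantage point.

    Returns (setting, port, role, reachable). Run it from a client network:
    client ports should answer, intraserver ports should not.
    """
    return [(s, p, role, probe(host, p)) for s, p, role, _ in instance.listeners()]


def unexpected_exposure(findings):
    """Intraserver listeners that answered a probe from outside the server."""
    return [(s, p) for s, p, role, up in findings if role == INTRASERVER and up]


if __name__ == "__main__":
    st1 = SametimeInstance("st1")
    st2 = SametimeInstance("st2", event_server=9095, token_server=9096)
    # Changing only the Event/Token ports is not enough on a shared address:
    print("collisions:", find_collisions([st1, st2]))
    # Constructed probe result standing in for tcp_open from a client network.
    fake_probe = lambda host, port: port in (8081, 554, 9092)
    print("exposed:", unexpected_exposure(audit_exposure(st1, "sametime.example", fake_probe)))
```

To use it against a live server, call audit_exposure with the server's DNS name and the default tcp_open probe from a workstation on the client network; anything listed by unexpected_exposure is an intraserver port that a firewall rule should close.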
Broadcast Services Network settings
The Broadcast Services Network settings control the host names and ports on
which the Broadcast Services listen for connections from Sametime
Broadcast clients. The settings also enable the Broadcast Services on the
Sametime server to operate on multicast-enabled networks. Access these
settings from the Sametime Administration Tool by selecting
Configuration-Connectivity-"Networks and Ports."
For more information about the operations of the Broadcast Services, see
"Broadcast Services components and clients" in Chapter 9.
The Broadcast Services Network settings include:
• Broadcast gateway address for client connections
• Broadcast gateway address for control connections
• IP address of Small Group Multicast (SGM) router
• Enable broadcast client to try HTTP tunneling after trying other options
• Use multicast
Broadcast gateway address for client connections
The Broadcast Services network "Broadcast gateway address for client
connections" settings control the IP address or DNS name and the port on
which the Broadcast Services listen for Real-Time Streaming Protocol (RTSP)
TCP/IP call-control connections from Broadcast clients. For more
information on the Broadcast client connection process, see "Meeting Room
and Broadcast client connection processes" later in this chapter.
The "Broadcast gateway address for client connections" settings include the
following fields:
• Host name
• Port number
Host name
The "Host name" field allows an administrator to specify the IP address or
DNS name (for example, www.sametime.com) on which the Broadcast
gateway listens for RTSP TCP/IP connections from Broadcast clients.
When only one IP address or DNS name is assigned to the Sametime server,
Lotus software recommends leaving the "Host name" field blank.
The "Host name" field can also be used if you decide to use multiple IP
addresses to support the HTTP tunneling functionality. For more
information, see "Configuring HTTP tunneling on a machine that uses
multiple IP addresses" later in this chapter.
If you change the "Host name" setting, click the Update button and restart
the server for the changes to take effect.
Note If you are running Sametime on an IBM iSeries or pSeries server, you
can run multiple Sametime servers on a single machine. In this case, use the
"Host name" field to ensure that each of the multiple Sametime servers is
assigned a separate IP address. For more information, see "Assigning IP
addresses to multiple Sametime servers installed on a single server machine"
later in this chapter.
Port number
The Sametime server Broadcast gateway address for client connections "Port
number" setting allows an administrator to specify the port (default 554) on
which the Broadcast Services gateway listens for RTSP over TCP/IP
call-control connections from the Sametime Broadcast client.
The Broadcast gateway component of the Sametime server provides the
Broadcast client with descriptions of the media streams available for the
broadcast meeting over the connection that occurs on this port. These
descriptions include information concerning the audio codecs and bit rates
of the broadcast media streams. The description also provides the IP address
of the Broadcast Gateway and indicates if multicast is available for
transmission of the broadcast streams.
The Broadcast client attempts an RTSP TCP/IP connection to the Broadcast
Gateway on this port after loading in a Web browser. For more information
on the Broadcast client connection processes, see "Meeting Room and
Broadcast client connection processes" later in this chapter.
If you change the "Port number" setting, click Update and restart the
Sametime server for the change to take effect.
Broadcast gateway address for control connections
The Broadcast Services network "Broadcast gateway address for control
connections" settings control the IP addresses or DNS names and the port on
which the Sametime Broadcast gateway listens for TCP/IP connections from
the Sametime Broadcast gateway controller. The connection between the
Broadcast gateway controller and the Broadcast gateway is an intraserver
connection unless Sametime is customized so that the Broadcast gateway
operates on a different machine than the Sametime server.
Note For more information about the Broadcast gateway and the Broadcast
gateway controller, see "Broadcast Services server components" in Chapter 9.
The "Broadcast gateway address for control connections" setting includes
these fields:
• Host name
• Port number
Host name
The Sametime server "Host name" field allows an administrator to specify
the IP address or DNS name (for example, www.sametime.com) on which
the Broadcast gateway listens for the TCP/IP connection from the Broadcast
gateway controller. (The Broadcast gateway controller uses this "Host name"
when establishing the connection with the Broadcast gateway.)
Note If you are running Sametime on an IBM iSeries or pSeries server, you
can run multiple Sametime servers on a single machine. In this case, use the
"Host name" field to ensure that each of the multiple Sametime servers is
assigned a separate IP address. For more information, see "Assigning IP
addresses to multiple Sametime servers installed on a single server machine"
later in this chapter.
When only one IP address or DNS name is assigned to the Sametime server,
Lotus software recommends leaving the "Host name" field blank.
Note By default, the Broadcast gateway and the Broadcast gateway
controller are both installed on the Sametime server machine. If Sametime is
customized so that the Broadcast gateway operates on a separate machine,
enter the IP address or DNS name of the machine on which the Broadcast
gateway is installed.
If you change the "Host name" setting, click Update and restart the Sametime
server for the change to take effect.
Port number
The Sametime server "Port number" setting allows an administrator to
specify the port (default 8083) on which the Broadcast Services gateway
listens for connections from the Broadcast gateway controller. (The
Broadcast gateway controller uses this port when calling the Broadcast
gateway.)
Generally, it is only necessary to change this port if another application on
the server uses port 8083.
If you change the "Port number" setting, click Update and restart the
Sametime server for the change to take effect.
IP address of Small Group Multicast (SGM) router
The Broadcast Services gateway component is compatible with the Small
Group Multicast (SGM) technology developed by IBM. If the SGM protocol
is used in your network, the broadcast gateway component of the Broadcast
Services can route all unicast data through the local SGM router.
If you want the Broadcast Services to use SGM when transmitting broadcast
meeting streams on the network, you must enter the DNS name or IP
address of the SGM router in the "IP address of Small Group Multicast
(SGM) router" field. If this field is blank, the SGM protocol is not used when
transmitting the broadcast meeting streams.
The broadcast gateway routes unicast streams through the SGM router.
Using SGM does not affect the multicast functionality provided with the
Broadcast Services. If the "Use multicast" option is selected in the Broadcast
Services Network settings, the Broadcast Services will still attempt to
multicast the broadcast streams. For more information, see "Using multicast"
in Chapter 9.
Enable broadcast client to try HTTP tunneling after trying other options
(Broadcast Services)
The Broadcast Services Network "Enable broadcast client to try HTTP
tunneling after trying other options" setting enables Sametime Broadcast
clients to use HTTP to establish a call-control connection with the Broadcast
Services gateway if a connection over TCP/IP fails.
The Sametime Broadcast client can attempt two different kinds of
connections to the Broadcast Services:
• A connection using RTSP over TCP/IP
• An HTTP-tunneled connection (the RTSP data is encased within an
HTTP request)
Note For more information about the Broadcast client connection process,
see "Meeting Room and Broadcast client connection processes" later in this
chapter.
The Broadcast client can attempt the HTTP-tunneled connection to either the
Community Services multiplexer or the Broadcast Services gateway. The
Broadcast Services "Port number" setting determines whether this connection
occurs to the Community Services multiplexer or the Broadcast Services
gateway. For more information, see the "Port number" heading below.
Broadcast Gateway address for HTTP-tunneled client connections
The Broadcast Services Network "Enable broadcast client to try HTTP
tunneling after trying other options" setting must be selected for the
"Broadcast Gateway address for HTTP-tunneled client connections" settings
to take effect.
The Broadcast Services network "Broadcast Gateway address for
HTTP-tunneled client connections" settings control the IP address or DNS
name and the port on which the Broadcast Services gateway listens for
HTTP-tunneled connections from the Sametime Broadcast client.
Note Sametime Broadcast clients use RTSP over TCP/IP to establish
connections with the Broadcast Services. The RTSP data can be encased
within an HTTP request to enable Sametime Broadcast clients to connect
using HTTP. This capability is referred to as "HTTP tunneling."
Host name
The Broadcast Gateway address for HTTP-tunneled client connections "Host
name" field allows an administrator to specify the IP address or DNS name
(for example, www.sametime.com) on which the Broadcast Services gateway
listens for HTTP-tunneled connections from the Sametime Broadcast client.
Note If you are running Sametime on an IBM iSeries or pSeries server, you
can run multiple Sametime servers on a single machine. In this case, use the
"Host name" field to ensure that each of the multiple Sametime servers is
assigned a separate IP address. For more information, see "Assigning IP
addresses to multiple Sametime servers installed on a single server machine"
later in this chapter.
When only one IP address or DNS name is assigned to the Sametime server,
Lotus software recommends leaving the "Host name" field blank.
The "Host name" field can also be used if you decide to use multiple IP
addresses to support the HTTP tunneling functionality. For more
information, see "Configuring HTTP tunneling on a machine that uses
multiple IP addresses" later in this chapter.
If you change the Broadcast Gateway address for HTTP-tunneled client
connections "Host name" setting, click the Update button and restart the
server for the changes to take effect.
Port number
The Broadcast Gateway address for HTTP-tunneled client connections "Port
number" setting allows an administrator to specify the port on which the
Broadcast Services gateway listens for HTTP-tunneled connections from
Sametime Broadcast clients.
The default port numbers are dependent on the "Allow HTTP tunneling on
port 80" option available to the Sametime administrator during the Sametime
server installation.
• If the administrator chooses the "Allow HTTP tunneling on port 80"
option during the Sametime server installation, the default port number
is port 80.
• If the administrator does not choose the "Allow HTTP tunneling on port
80" option during the Sametime server installation, the default port
number is 554.
To establish an HTTP-tunneled connection to the Broadcast Services, the
Broadcast client can either connect to the Broadcast Services or connect to the
Community Services multiplexer. This "Port number" setting determines
whether the Broadcast client attempts an HTTP-tunneled connection to the
Community Services multiplexer or the Broadcast Services. The "Host name"
settings can also affect how this connection occurs. Note the following:
• The Broadcast Services "Enable broadcast client to try HTTP tunneling
after trying other options" setting must be selected to enable the
Broadcast client to make an HTTP-tunneled connection to either the
Community Services multiplexer or the Broadcast Services.
• If the port number in the "Port number" field under "Broadcast Gateway
address for HTTP-tunneled client connections" in the Broadcast Services
Network settings matches a port number specified in the "Port number"
field under "Address for HTTP tunneled client connections" in the
Community Services Network settings, the Broadcast client makes the
HTTP-tunneled connection to the Community Services multiplexer. This
connection occurs using the matching port number.
If none of the ports specified in these two settings match, the Broadcast
client makes the HTTP-tunneled connection to the Broadcast Services
(without using the Community Services multiplexer). This connection
occurs using the port number specified in the "Port number" field under
"Broadcast Gateway address for HTTP-tunneled client connections" in
the Broadcast Services Network settings.
If the administrator allows HTTP tunneling on port 80 during the
Sametime server installation, both the Community Services and
Broadcast Services HTTP tunneling ports default to port 80. The
Broadcast client attempts the HTTP-tunneled Broadcast Services
connections to the Community Services multiplexer. The Community
Services multiplexer handles the HTTP-tunneled connection from the
client and forwards this data to the Broadcast Services.
• The "Host name" settings can also affect whether the Broadcast client
HTTP-tunneled connection occurs to the Community Services
multiplexer or the Broadcast Services. The "Host name" setting can affect
the connection process only if multiple IP addresses or DNS host names
are assigned to the Sametime server.
If the following fields specify different host names, the Broadcast client
makes the HTTP-tunneled connection to the Broadcast Services,
regardless of the Broadcast client "Port number" settings:
• The "Host name" field under "Broadcast Gateway address for
HTTP-tunneled client connections" in the Broadcast Services Network
settings
• The "Host name" field under "Address for HTTP tunneled client
connections" in the Community Services Network settings
If these two settings specify different host names, the client does not try
an HTTP-tunneled connection to the Community Services multiplexer.
For more information about configuring the HTTP tunneling settings,
see the following topics later in this chapter:
• "About HTTP tunneling"
• "Configuring HTTP tunneling settings"
• "Configuring HTTP tunneling on a machine that uses multiple IP
addresses"
If you change the "Port number" setting, click the Update button and restart
the server for the changes to take effect.
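The routing rule just described for the Broadcast client, and the identical rule for the Meeting Room client under "Address for HTTP tunneled client connections (Meeting Services)" earlier in this chapter, reduce to one small decision function. The following Python is an added example, not code from the Sametime product: it takes the Community Services tunneling settings and those of either the Meeting Services or the Broadcast Services and reports whether the client tunnels to the Community Services multiplexer, directly to the service, or not at all, with a warning when the Community Services tunneling option that the multiplexer path requires is off. The TunnelSettings and Route names are the example's own, and it assumes a "Port number" field may list several ports and returns every port the two fields share.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TunnelSettings:
    """HTTP tunneling settings of one service from the Networks and Ports page."""
    enabled: bool           # "Enable ... client to try HTTP tunneling ... after trying other options"
    ports: Tuple[int, ...]  # "Port number" under the service's HTTP-tunneled client connections
    host: str = ""          # "Host name" under the same heading; blank = the server's only address


@dataclass
class Route:
    target: Optional[str]   # "multiplexer", "direct", or None when the client does not tunnel
    ports: Tuple[int, ...]  # port(s) the tunneled connection is made on
    warnings: List[str] = field(default_factory=list)


def http_tunnel_route(community: TunnelSettings, service: TunnelSettings) -> Route:
    """Decide where the Meeting Room or Broadcast client sends its HTTP-tunneled
    connection. `community` holds the Community Services settings, `service`
    the Meeting Services or Broadcast Services settings.

    Rules from the guide:
      1. the service's own tunneling option must be enabled at all;
      2. different "Host name" values send the client straight to the service,
         whatever the ports say;
      3. otherwise a port shared with Community Services routes the client to
         the Community Services multiplexer, which relays to the service;
      4. no shared port: the client connects to the service on its own port.
    Assumption: a field may list several ports; every shared port is returned.
    """
    if not service.enabled:
        return Route(None, (), ["service tunneling disabled: client only tries direct TCP/IP"])
    hosts_differ = bool(community.host and service.host and community.host != service.host)
    shared = tuple(p for p in service.ports if p in community.ports)
    if hosts_differ or not shared:
        return Route("direct", service.ports)
    route = Route("multiplexer", shared)
    if not community.enabled:
        # The guide requires the Community Services tunneling option as well;
        # without it the multiplexer does not accept the tunneled connection.
        route.warnings.append("Community Services tunneling disabled: multiplexer will refuse")
    return route


if __name__ == "__main__":
    cs = TunnelSettings(enabled=True, ports=(80,))
    print(http_tunnel_route(cs, TunnelSettings(True, (80,))))  # multiplexer on 80 (install default)
    print(http_tunnel_route(cs, TunnelSettings(True, (85,))))  # direct on 85 (the guide's example)
    print(http_tunnel_route(TunnelSettings(True, (80,), "cs.example"),
                            TunnelSettings(True, (80,), "meet.example")))  # direct: hosts differ
```

The same function serves both services; pass the Meeting Services settings to check the Meeting Room client and the Broadcast Services settings to check the Broadcast client.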
Use multicast
Enable this option if your network environment supports multicast
technology and you want the Broadcast Services to use multicast when
transmitting media streams to Broadcast clients. To support multicast, the
UDP transport must be available on the network, and the network routers
must be multicast-enabled. For more information, see "Using multicast" in
Chapter 9. If you change any of the multicast settings, click Update and
restart the Sametime server for the change to take effect.
Specifying a range of multicast addresses for the Broadcast Services
When the Broadcast Services Network "Use multicast" option is selected, you
can enter a range of Class D multicast IP addresses in the "Multicast
addresses start at IP address" and "Multicast addresses end at IP address"
fields. When a meeting begins, the Broadcast Services randomly select a
multicast address from this range, and begin transmitting data to the
selected address. The Broadcast clients associate themselves with this
multicast address when forming a multicast group.
Note If your environment includes a multicast address allocation server
that supports the Multicast Address Dynamic Client Allocation Protocol
(MADCAP), you can configure Sametime to query that server to obtain a
multicast address instead of allowing Sametime to randomly select one from
a range of addresses. For more information, see "Assign multicast addresses
using MADCAP" below.
Generally, a multicast-enabled application randomly selects an IP address
from the range of Class D IP addresses reserved for multicast use. There are
no network layer protocols that prevent two (or more) different
multicast-enabled applications from selecting the same multicast address. If
two applications select the same multicast address, this "collision" of
addresses can disrupt the transmission of multicast data for both
applications.
You should ensure that the Broadcast Services Network multicast address
settings specify a different range of addresses than the Interactive
Audio/Video Network multicast address settings to prevent multicast
address collisions with the Sametime Audio/Video Services.
If the other multicast-enabled applications in your environment also allow
you to specify a range of multicast addresses, be sure to specify a range of
addresses for these applications that is different from the address range
specified for either the Sametime Broadcast Services or Audio/Video
Services.
Note When specifying either the "Multicast addresses start at IP address" or
"Multicast addresses end at IP address" values, you must enter an IP address
that contains four octets (for example, 239.254.254.254). Do not enter an IP
address in which the lowest octet is zero. For example, 224.1.1.1 is
acceptable, but 224.1.1.0 is not. If the lowest octet has a value of zero, the
multicast address range settings do not take effect.
Addresses from 239.0.0.0 through 239.255.255.255 form the administratively
scoped multicast range (RFC 2365), intended for traffic that stays within an
organization. Selecting the Sametime ranges from this block, together with a
small multicast TTL (see "Specifying the Broadcast Services multicast
time-to-live (TTL)" below), limits how far the meeting streams can
propagate.
With some multicast environments, you can also associate the range of
multicast addresses you select with a geographically close high-end router
that is designated as a multicast Rendezvous Point (RP) router. This
configuration ensures that the nearby router is chosen as the RP router. If
this is not done, a distant, slow router might be chosen as the RP router,
resulting in poor meeting performance.
Assign multicast addresses using MADCAP
Select the "Assign multicast addresses using MADCAP" setting to enable
Sametime to query a server that supports the Multicast Address Dynamic
Client Allocation Protocol (MADCAP) to obtain a multicast address for the
meeting.
Note MADCAP (RFC 2730) is an emerging standard that enables hosts to
request multicast address allocation services from multicast allocation
servers (such as the Windows 2000 DHCP server). This protocol can prevent
multicast address conflicts if you have other applications deployed on your
network that require multicast addresses.
If the "Assign multicast addresses using MADCAP" setting is selected, you
must specify the DNS name or IP address of the MADCAP-enabled server
that you want Sametime to query in the "Host name or IP address of the
MADCAP server" setting.
If the "Assign multicast addresses using MADCAP" setting is not selected or
Sametime cannot connect to the MADCAP-enabled server, the Sametime
server randomly selects an IP address from the range specified by the
administrator, as described in "Specifying a range of multicast addresses"
above.
Chapter 5: Configuring Ports and Network Connectivity 187
Specifying the Broadcast Services multicast time-to-live (TTL)
When multicast is enabled, the administrator can control how far the
multicast traffic will propagate on the network before the multicast traffic is
discarded by network routers. The administrator can specify a Time-To-Live
(TTL) for the multicast UDP packets. This TTL setting can limit either the
number of router hops the packets make before they are discarded or the
number of seconds the packets are alive on the network.
The TTL setting measures both time and the number of router hops. The TTL
decrements by one for each second it is alive on the network and also
decrements by one when it passes through a router. If a packet waits in a
router queue for two seconds, the TTL of that packet decrements by three
when it passes through the router. The packet's TTL decrements twice for the
two-second wait and once for passing through the router.
On a typical network packets spend much less than a second in the router
queue; the TTL decrements only when passing through the router. In this
case, the TTL measures the number of router hops the packet will make.
However, long delays at the router queues on a busy network can cause the
TTL to expire before making the number of router hops equal to the TTL
setting.
The following table provides general guidelines regarding how far multicast
data will propagate on the network with specific TTL settings.
TTL Setting    Scope
1              Restricted to the same subnet
16             Restricted to the same site
32             Restricted to the same region
64             Restricted to the same continent
128            Unrestricted in scope
Interactive Audio/Video Network settings
The Interactive Audio/Video Network settings control the host names and
ports on which the Interactive Audio/Video Services listen for connections
from Sametime Meeting Room clients and H.323-compliant clients such as
NetMeeting.
These settings also enable the Interactive Audio/Video Services on the
Sametime server to operate with an H.323 gatekeeper and to operate on
multicast-enabled networks. Access these settings from the Sametime
Administration Tool by selecting Configuration-Connectivity-"Networks and
Ports."
Note For more information about the operations of the Audio/Video
Services, see "About the Audio/Video Services" in Chapter 10 and
"Audio/Video Services server components" in Chapter 10.
The Interactive Audio/Video Network settings include:
• Allow H.323 clients (such as NetMeeting) to join a Sametime meeting
• H.323 server communication address
• Register Sametime meetings with an H.323 gatekeeper
• IP address of an H.323 gatekeeper
• Sametime Multimedia Multipoint Control Unit (MMCU) prefix
• TCP tunneling address for client connections
• Multimedia Processor (MMP) start at/end at
• Multimedia control address
Allow H.323 clients (such as NetMeeting) to join a Sametime meeting
Use this setting to allow users to attend interactive audio/video meetings on
the Sametime server with NetMeeting clients or other H.323-compliant
clients. This setting is enabled by default.
When this setting is enabled, a user with NetMeeting or any
H.323-compliant client can participate in an audio and video meeting that
includes other H.323-compliant clients and Sametime Meeting Room clients.
For information about attending Sametime meetings with a NetMeeting
client, see the Lotus Sametime User's Guide available from the Documentation
link on the Sametime server home page.
If you disable this option, only Sametime Meeting Room clients can
participate in interactive audio and video meetings on the Sametime server.
Note If you enable this option, NetMeeting is rejected from any meeting for
which meeting data is encrypted. When the "Allow H.323 clients to join a
Sametime meeting" setting is enabled, you should therefore ensure that the
"Encrypt all Sametime meetings" setting is disabled. Access this setting by
selecting Configuration-Meeting Services-General settings from the
Sametime Administration Tool. Be aware that this is a security trade-off:
meetings that H.323 clients attend cannot have their meeting data encrypted,
so decide whether those meetings can be held unencrypted before enabling
this option.
NetMeeting and other H.323-compliant clients can collaborate with
Sametime Meeting Room clients in the audio/video portions of online
meetings, but not in the screen-sharing/whiteboard/polling/send Web
pages portions of meetings. For more information about using NetMeeting
and other T.120/H.323-compliant clients with the Sametime Audio/Video
Services, see:
• "Allowing or preventing the use of NetMeeting for screen sharing and
whiteboard" in Chapter 8
• "NetMeeting (H.323-compliant clients)" in Chapter 1
If you change this setting, click Update and restart the Sametime server for
the change to take effect.
H.323 server communication address
If the "Allow H.323 clients (such as NetMeeting) to join a Sametime meeting"
setting is selected, use the "H.323 server communication address" settings to
control the IP addresses or DNS names and the ports on which the
Multimedia Multipoint Control Unit (MMCU) component of the
Audio/Video Services listens for TCP/IP connections from H.323-compliant
clients.
Note H.323 clients such as NetMeeting must make direct TCP/IP
connections to the Audio/Video Services. These clients cannot connect to the
Audio/Video services through a proxy server or through HTTP tunneling.
The "Allow H.323 clients (such as NetMeeting) to join a Sametime meeting"
setting includes these fields:
• Host name
• Port number
Host name
The "Host name" field allows an administrator to specify the IP address or
DNS name (for example, www.sametime.com) on which the Audio/Video
Services MMCU listens for connections from H.323-compliant clients.
Note If you are running Sametime on an IBM iSeries or pSeries server, you
can run multiple Sametime servers on a single machine. In this case, use the
"Host name" field to ensure that each of the multiple Sametime servers is
assigned a separate IP address. For more information, see "Assigning IP
addresses to multiple Sametime servers installed on a single server machine"
later in this chapter.
If only one IP address or DNS name is assigned to the Sametime server,
Lotus software recommends leaving the "Host name" field blank.
If you change the "Host name" setting, click Update and restart the server for
the change to take effect.
Port number
The "Port number" setting allows an administrator to specify the port
(default 1720) on which the Sametime Audio/Video Services MMCU listens
for TCP/IP connections from H.323-compliant clients.
Note H.323-compliant clients use the H.323 connection process when
connecting to the MMCU on the Sametime server. This process involves call
setup and control using the Q.931 and H.245 protocols associated with the
H.323 standard. This port is used for the initial Q.931 connection from the
H.323 client to the MMCU.
For more information about H.323 clients and connections on this port, see
"NetMeeting/H.323 client connections" later in this chapter.
If you change the "Port number" setting, click Update and restart the
Sametime server for the change to take effect.
Register Sametime meetings with an H.323 gatekeeper
If your environment includes an H.323 gatekeeper, this option must be
enabled to ensure that H.323-compliant clients and devices (including H.323
gateways) can connect to the Audio/Video Services on the Sametime Server
through the H.323 gatekeeper. This setting is disabled by default.
When this option is enabled, the Sametime Multimedia Multipoint Control
Unit (MMCU) registers with the H.323 gatekeeper. The Sametime MMCU
must register with the H.323 gatekeeper to ensure that any H.323 client or
device that accesses the H.323 gatekeeper can locate and connect to the
Sametime MMCU.
If your environment also includes an H.323 gateway, the H.323 gateway can
locate and connect to the Sametime MMCU through the H.323 gatekeeper.
This capability enables users that have a PSTN (or telephone) connection to
the H.323 gateway to participate in the audio portions of Sametime
meetings.
For more information about these settings, see "Connecting to the
Audio/Video Services through an H.323 gatekeeper" in Chapter 10.
IP address of H.323 gatekeeper
If you have selected the "Register Sametime meetings with an H.323
gatekeeper" setting, enter the IP address of the machine on which the H.323
gatekeeper is installed. The MMCU component of the Audio/Video Services
must register with the H.323 gatekeeper as an MCU and an H.323 gateway.
When registering, the MMCU connects to the H.323 gatekeeper using this IP
address.
Sametime Multimedia Multipoint Control Unit (MMCU) prefix
If you have selected the "Register Sametime meetings with an H.323
gatekeeper" setting, enter a number to be used as a prefix when an
H.323-compliant client or H.323 gateway accesses the Sametime
Audio/Video Services through an H.323 gatekeeper. This number identifies
the Audio/Video Services MMCU as a unique device when an
H.323-compliant client connects through an H.323 gatekeeper.
This H.323 gateway prefix is used by H.323 clients or an H.323 gateway
when connecting to a Sametime audio/video meeting through the H.323
gatekeeper. For example, if the Audio/Video Services register with the
H.323 gatekeeper using a prefix of 8 and the H.323 meeting identifier
associated with the Sametime meeting is 1234, the H.323 client or gatekeeper
can connect to the correct meeting through the H.323 gatekeeper by calling
81234 (a combination of the Sametime MMCU prefix and the H.323 meeting
identifier).
If you change these settings, click Update and restart the Sametime server for
the change to take effect.
TCP tunneling address for client connections
When connecting to an interactive audio/video meeting, the Sametime
Meeting Room client makes a connection to the Sametime Meeting Services
and exchanges interactive audio/video call-control information using the
Meeting Services connection. If the call-control connection is successful, the
Meeting Room client and server attempt to receive and transmit the audio
and video streams using the User Datagram Protocol (UDP) transport.
If UDP is unavailable, the RTP and RTCP audio and video streams are
transmitted between the client and server using a TCP connection. This
capability is referred to as "TCP tunneling" and ensures that clients operating
in network environments that do not allow UDP traffic can participate in
interactive audio/video meetings.
Use the "TCP tunneling address for client connections" settings to control the
IP address or DNS name and the port on which the Audio/Video Services
listen for TCP-tunneled connections from the interactive audio/video
components of the Sametime Meeting Room client.
For more information about the Meeting Room client connection processes,
see "Meeting Room and Broadcast client connection processes" later in this
chapter.
Note You can use the "TCP tunneling address for client connections" settings
to enable TCP tunneling of interactive audio/video streams on port 80. This
capability enables a Sametime Meeting Room client that operates behind a
firewall that only allows connections on port 80 to receive all of the data
required to participate in an interactive audio/video meeting over port 80.
This capability is useful where corporate firewalls restrict outbound
connections to port 80. Because it carries audio and video streams through a
port that is normally opened for Web traffic, agree its use with whoever
owns the firewall policy rather than treating it as a way around that policy.
For more information, see "TCP tunneling of interactive audio/video streams
on port 80" later in this chapter.
The "TCP tunneling address for client connections" settings include these
fields:
• Host name
• Port number
Host name
The "Host name" field allows an administrator to specify the IP address or
DNS name (for example, www.sametime.com) on which the Audio/Video
Services listen for TCP-tunneled connections from Sametime Meeting Room
clients. The specified IP address or DNS name is used to transmit the
interactive audio and video streams.
If only one IP address or DNS name is assigned to the Sametime server,
Lotus software recommends leaving the "Host name" field blank.
If you change the "Host name" setting, click Update and restart the Sametime
server for the change to take effect.
Note If you are running Sametime on an IBM iSeries or pSeries server, you
can run multiple Sametime servers on a single machine. In this case, use the
"Host name" field to ensure that each of the multiple Sametime servers is
assigned a separate IP address. For more information, see "Assigning IP
addresses to multiple Sametime servers installed on a single server machine"
later in this chapter.
Port number
The "Port number" setting allows an administrator to specify the port
(default 8084) on which the Audio/Video Services listen for TCP-tunneled
connections from Sametime Meeting Room clients. The specified port is used
to tunnel UDP audio and video streams through a TCP connection.
For a complete description of the connection process associated with this
port, see "Meeting Room client connection process using Microsoft VM
(Audio/Video Services)" later in this chapter or "Meeting Room client
connection process using JVM 1.4.1 (Audio/Video Services)" later in this
chapter.
If you change the "Port number" setting, click Update and restart the
Sametime server for the change to take effect.
Multimedia Processor (MMP) UDP port numbers start at/end at
If the UDP transport is available on all networks between the client and
server, the Audio/Video Services dynamically select the UDP ports on
which to receive audio and video data streams from a range of UDP ports
specified by the Sametime administrator. Use the "Multimedia Processor
(MMP) UDP..." settings to define the range of UDP ports that are available
for the transmission of audio and video data from the clients to the
Audio/Video Services. The default range includes UDP ports 49252 through
65535.
For a complete description of this connection process, see "Meeting Room
client connection process using Microsoft VM (Audio/Video Services)" later
in this chapter or "Meeting Room client connection process using JVM 1.4.1
(Audio/Video Services)" later in this chapter.
If you change these settings, click Update and restart the server for the
change to take effect.
Multimedia control address
The Interactive Audio/Video Network "Multimedia Control Address"
settings control the IP address or DNS name and the port on which the
Sametime Multimedia Processor (MMP) listens for TCP/IP connections from
the Multimedia Multipoint Control Unit (MMCU). The connection from the
MMCU to the MMP is an intraserver connection, so this address and port
never need to be reachable from client networks.
For more information about the MMCU and the MMP, see "Audio/Video
Services server components" in Chapter 10.
The "Multimedia control address" setting includes these fields:
• Host name
• Port number
Host name
The Sametime server "Host name" field allows an administrator to specify
the IP address or DNS name (for example, www.sametime.com) the
Sametime MMCU uses when establishing a TCP/IP connection with the
MMP.
Note If you are running Sametime on an IBM iSeries or pSeries server, you
can run multiple Sametime servers on a single machine. In this case, multiple
MMCUs and MMPs might operate on the same physical machine. Use the
"Host name" field to ensure that the MMCU connects to the MMP with the
same IP address as the MMCU. For more information, see "Assigning IP
addresses to multiple Sametime servers installed on a single server machine"
later in this chapter.
If you change the "Host name" setting, click Update and restart the server for
the change to take effect.
Port number
The Sametime server "Port number" setting allows an administrator to
specify the port (default 9093) on which the MMP listens for connections
from the MMCU. The MMCU uses this port number when calling the MMP.
Change this port only if another application on the server uses port 9093.
If you change the "Port number" setting, click Update and restart the
Sametime server for the change to take effect.
Community Services connectivity and the home Sametime server
Sametime includes the concept of a home Sametime server. The home
Sametime server plays an important part in client connectivity to the
Community Services. The Sametime Connect client, Sametime Meeting
Room client, and Sametime Links all connect to the Community Services.
If your environment includes multiple Sametime servers or you have
deployed databases enabled with Sametime technology (such as a
TeamRoom, Discussion, or Mail database) on Domino servers, it is
mandatory that every user be assigned to a "home" Sametime server. To
assign a user to a home Sametime server, you must enter the name of the
Sametime server in the "Sametime server" field of the user's Person
document in the Domino Directory. For more information, see "Assigning
users to a home Sametime server" later in this chapter.
Note Sametime 3.1 supports Community Services server clustering that
enables users to receive Community Services functionality from any of a
group of clustered Sametime servers. In this scenario, each user can be
assigned to a home Sametime server cluster instead of a home Sametime
server. For more information, see Chapter 18, Setting up a Community
Services cluster without clustering the Meeting Services.
The concept of the home Sametime server is important to Community
Services connectivity for the following reasons:
• Users need a single place to store their Community Services
preferences - The home server is the Sametime server to which each user
logs in to appear in a presence list in a Sametime client or a database
enabled with Sametime technology. The home Sametime server stores a
user's Community Services preferences settings, contact lists, privacy
information, and information about the availability of audio/video
hardware on the user's computer. This information is stored in the Notes
database vpuserinfo.nsf on the user's home Sametime server. The client
must retrieve this information each time the user logs in to the
Community Services. In multiple server environments, this information
must be stored on a single server. If this information were stored on
multiple servers and the user changed the Community Services
preferences settings while logged in to one Sametime server, the user
could receive different Community preferences settings when logging in
to a different Sametime server. For this reason, the user is always
required to log in to the same home Sametime server.
• Users can only log in to one Sametime server at a time - A user's
presence can only be registered to the Community Services on one
Sametime server at a time. When multiple Sametime servers are
integrated into a single community, the Community Services will not
allow a single user to simultaneously log in to the Community Services
on two separate Sametime servers. If a user attempts to do so, the first
connection to the Community Services is disconnected.
The home Sametime server setting ensures that a user always connects
to a single Sametime server to receive the Community Services
functionality. For example, assume a user's home Sametime server
setting on the Person document is set to Sametime server A. The user
starts the Sametime Connect client and connects to Sametime server A.
The user then attends a meeting on Sametime server B that includes
presence, chat, and whiteboard functionality. The Meeting Room client
launches on the user's machine and receives the whiteboard data from
Sametime server B but is directed to Sametime server A for presence and
chat functionality. The home Sametime server setting ensures that the
user is always directed to Sametime server A for the Community
Services functionality regardless of how many different Sametime clients
they are using. If no home Sametime server is specified for a user and
the user attempts to connect to the Community Services on two different
Sametime servers, all connections to the Community Services are
disconnected.
Note Another characteristic of the Community Services is that a user's
presence can originate from only one machine (or IP address) at a time.
A user who has two machines can only log in to the Community Services
from one of the machines. If the user attempts to log in to the
Community Services from Sametime clients on two separate machines,
the client that logged in to the Community Services first is disconnected.
Although the home Sametime server concept does not solve this issue,
the administrator should be aware of this Community Services
characteristic if the user population includes many users with multiple
machines.
Sametime Connect and the home Sametime server
The Sametime Connect client includes settings that enable any user to
specify the Sametime server to which the Sametime Connect client will
connect. The user specifies a particular Sametime server from the Options -
Preferences - Sametime Connectivity settings on the Sametime Connect
client.
Note By default, the Sametime Connect client Sametime Connectivity
settings specify the server from which it was downloaded as the server to
which it should connect. The Sametime Client Packager allows the
administrator to change the default settings of any Sametime Connect client
downloaded from the server. For more information on the Sametime Client
Packager application, see the Lotus Sametime 3.1 Installation Guide
(stinstall.nsf or stinstall.pdf).
Lotus software recommends that the Sametime Connectivity settings of the
Sametime Connect client and the "Sametime server" setting on a user's
Person document specify the same Sametime server.
If the Sametime Connectivity settings of a user's Sametime Connect client
specify a different Sametime server than the "Sametime server" field of the
user's Person document, the client first connects to the server specified in the
Sametime Connectivity settings of the client, but the connection is redirected
to the server specified in the "Sametime server" field of the Person document.
Logging in to Community Services occurs on the Sametime server specified
in the user's Person document.
Although the redirection described above ensures that a user always logs in
to the home Sametime server, the redirection is not needed if the Sametime
Connectivity settings of the client specify the same Sametime server as the
"Sametime server" setting in a user's Person document. Without the
redirection the connection process operates more efficiently. For more
information on Community Services connection processes, see the following
topics later in this chapter:
• "Sametime Connect client connection process"
• "Meeting Room client connection process (Community Services and
Meeting Services)"
Assigning users to a home Sametime server
To assign a user to a home Sametime server, enter the Sametime server name
in the "Sametime server" field in the Administration section of a user's
Person document in the Domino Directory.
In the "Sametime server" field on the Person document, you can enter the
name of the Sametime server in the Domino hierarchical name format (for
example, sametime.acme.com/west/acme). The "Sametime server" field
automatically converts the name to the full canonical name format. For
example, if you enter sametime.acme.com/west/acme in the "Sametime
server" field, the name is stored as
cn=sametime.acme.com/ou=west/o=acme. You can also use the full
canonical format when entering the server name in the "Sametime server"
field.
Note Community Services reads the server name from the Servers view
($Servers) of the Domino Directory. The name entered in the "Sametime
server" field on the Person document must match the name of the Sametime
server as it appears in the Servers view of the Domino Directory. If you are
using an agent to populate the home "Sametime server" field for several
different users, ensure that the agent specifies the full canonical name of the
server.
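The conversion described above can be checked mechanically before an agent writes the field, which avoids the mismatch the Note warns about. The following Python functions are an added example for this edition, not Domino or Sametime code: to_canonical() converts an abbreviated hierarchical name to the canonical form the field stores (an already-canonical name passes through unchanged, so it is safe to apply to values that were entered either way), names_match() compares a Person document value with a Servers view entry the way Domino does, case-insensitively, and check_person_documents() lists users whose value matches no server. The example assumes that the last component of an abbreviated name is the organization (o=), so a trailing country code is not handled separately; the server and user names in the test data are constructed.

```python
import re

# A component that already carries a Domino name-part type, e.g. "ou=west".
_TYPED = re.compile(r"^(cn|ou|o|c)=(.+)$", re.IGNORECASE)


def to_canonical(name):
    """Convert a Domino hierarchical name to full canonical form.

    'sametime.acme.com/west/acme' -> 'cn=sametime.acme.com/ou=west/o=acme'
    A name whose components already carry cn=/ou=/o=/c= prefixes is only
    normalized (prefixes lower-cased, surrounding whitespace removed), so
    calling the function twice gives the same result.
    Assumption (not from the guide): the last component of an abbreviated
    name is always the organization (o=); a country code is not recognized.
    """
    components = [c.strip() for c in name.strip().split("/") if c.strip()]
    if not components:
        raise ValueError("empty server name")
    typed = [_TYPED.match(c) for c in components]
    if all(typed):
        return "/".join(f"{m.group(1).lower()}={m.group(2).strip()}" for m in typed)
    if any(typed):
        raise ValueError(f"{name!r}: mixes typed and untyped components")
    if len(components) == 1:
        return f"cn={components[0]}"  # flat (non-hierarchical) name
    parts = [f"cn={components[0]}"]
    parts += [f"ou={c}" for c in components[1:-1]]  # any number of OUs
    parts.append(f"o={components[-1]}")
    return "/".join(parts)


def names_match(person_doc_value, servers_view_value):
    """True if a Person document 'Sametime server' value and a Servers view
    entry name the same server.  Domino compares names case-insensitively."""
    return to_canonical(person_doc_value).lower() == to_canonical(servers_view_value).lower()


def check_person_documents(servers_view, person_docs):
    """Report users whose home-server value matches no server in the Servers view.

    servers_view: list of server names as they appear in the $Servers view.
    person_docs:  dict of user name -> 'Sametime server' field value.
    Returns the user names whose field is empty or names an unknown server.
    """
    return [user for user, value in person_docs.items()
            if not value.strip() or not any(names_match(value, s) for s in servers_view)]


if __name__ == "__main__":
    # Constructed sample data; these are not real directory entries.
    servers = ["CN=sametime.acme.com/OU=west/O=acme"]
    people = {
        "alice": "sametime.acme.com/west/acme",   # abbreviated, matches
        "bob": "sametime.acme.com/east/acme",     # wrong OU, no such server
        "carol": "",                              # never assigned a home server
    }
    print("users needing a corrected Sametime server field:",
          check_person_documents(servers, people))
```

If an agent populates the field, have it write to_canonical(value) rather than the raw value, and run check_person_documents() over the result before users log in.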
For information about assigning users to a home Sametime server when
Sametime is configured to access an LDAP directory, see "Setting the Home
Sametime Server setting for LDAP" in Chapter 4.
Home Sametime servers and self-registration
If you are allowing self-registration, the "Sametime server" field on the
Person document is automatically populated when the user self-registers.
The field is populated with the name of the Sametime server on which the
user self-registered. For more information about self-registration, see "Using
Sametime self-registration" in Chapter 3.
Home Sametime servers and instant meetings
When a user starts an instant meeting, the instant meeting is created on the
user's home Sametime server. If a user starts an "n-way chat" (a chat
involving more than two people), the chat meeting is also created on the
user's home Sametime server.
Sametime Connect client connection processes
This section discusses the connection processes of the Sametime Connect
clients. Read this section to gain a better understanding of how the Sametime
Connect clients connect to the server and the configuration settings that
affect the connection processes. These configuration settings include both
settings on the Sametime Connect client and the "Networks and Ports"
settings in the Sametime Administration Tool.
This section discusses the connection processes of both the "Sametime
Connect for the desktop" and "Sametime Connect for browsers" clients. The
Sametime Connect clients connect to the Community Services on the
Sametime server. The Community Services support all Sametime presence
and chat capabilities. Sametime Connect clients can establish connections
with the Community Services using either direct TCP/IP connections or
through HTTP-tunneled connections. The Sametime Connect client can also
connect to the Community Services through an HTTPS proxy.
Sametime is designed to enable Sametime Connect clients that operate
behind restrictive firewalls to connect to the Sametime services using HTTP
over port 80. For detailed information on this capability, see the connection
process topics below for the individual clients and "About HTTP tunneling."
The Sametime Connect clients offer a variety of different connectivity
options to ensure connectivity can be established in any network
environment. Because there are many different connectivity options, the
discussion of Sametime Connect client connection processes is divided into
two topics: Basic Sametime Connect client connection process and Sametime
Connect client connection process using the Web browser or Java Plug-in
settings.
Basic Sametime Connect client connection process
The "Basic Sametime Connect client connection process" topic discusses the
basic connection process used by both the Sametime Connect for browser
client and the Sametime Connect for the desktop client. The basic connection
processes of both these clients are very similar and are discussed in a single
topic.
The "Basic Sametime Connect client connection process" topic discusses all
connectivity processes with the exception of the connectivity processes that
occur when the user's Web browser or Java Plug-in settings are used to
establish connections with the server.
Sametime Connect client connection process using the Web browser
or Java Plug-in settings
The "Sametime Connect client connection process using the Web browser or
Java Plug-in settings" topic discusses the connection processes that can occur
when the Sametime Connect client is configured to establish a connection
using connectivity settings defined in a Web browser or Java Plug-in.
The Sametime Connect for the desktop client and the Sametime Connect for
browsers client have different capabilities when using connectivity settings
defined in a Web browser or Java Plug-in.
• Sametime Connect for the desktop - This client can establish an HTTP
connection to the Community Services using the connectivity settings
defined in the user's Web browser. This connection process is discussed
in the topic Sametime Connect for the desktop - Use my Internet
Explorer HTTP settings.
• Sametime Connect for browsers - This client can connect to the
Community Services using the connectivity settings specified in the
user's Web browser or the connectivity settings specified in the Java
Plug-in of the Sun Microsystems Java Virtual Machine (JVM) to establish
connections with the Community Services:
• If the user's Web browser runs under the native Microsoft VM or Sun
Microsystems JVM 1.1, the Sametime Connect for browsers client can
connect to the Community Services on the Sametime server using the
Web browser connectivity settings. This connection process is
discussed in Sametime Connect for browsers - Use my Internet
Explorer browser settings.
• If the user's Web browser runs under Sun Microsystems JVM 1.4.1,
the Sametime Connect for browsers client can connect using the
connectivity settings of the JVM 1.4.1 Java Plug-in. This connection
process is discussed in Sametime Connect for browsers - Use my Java
Plug-in settings.
Basic Sametime Connect client connection process
The Sametime Connect client connects to the Community Services on the
Sametime server. The Community Services support all Sametime presence
and chat capabilities.
This topic discusses the basic connection processes of both the "Sametime
Connect for the desktop" and "Sametime Connect for browsers" clients.
Note This topic describes all Sametime Connect client connection scenarios
with the exception of the connection processes that occur when either the
"Use my Internet Explorer browser settings," "Use my Internet Explorer
HTTP settings," or "Use my Java Plug-in settings" option is selected in the
Sametime Connect client Sametime Connectivity settings. For information on
these connection processes, see "Sametime Connect client connection
processes using the Web browser or Java Plug-in connectivity settings" later
in this chapter.
Settings that affect the connection process
The Sametime Connect client connection process is controlled by two groups
of settings: the Sametime Connect client Sametime Connectivity settings
(available on the client) and the Community Services Network settings
(available on the server).
• The Sametime Connect client Sametime Connectivity settings are
available from the Options - Preferences - Sametime Connectivity menu
in the Sametime Connect client. These settings are stored in the
Connect.ini file on the user's local computer; the Connect.ini file is stored
in the directory in which the Sametime Connect client is installed.
The Sametime Connectivity settings enable the Sametime Connect client
to make a direct TCP/IP connection (also called a "Direct connection
using standard Sametime protocol") or a direct HTTP-tunneled
connection to the Community Services. The Sametime Connectivity
settings also enable Sametime Connect clients that access the Internet or
intranet through HTTP, HTTPS, or SOCKS proxy servers to connect to
the Community Services. Sametime Connect uses the port specified in
the "Community port" setting of the Sametime Connectivity settings
when attempting connections to the Community Services.
Sametime includes a Client Packager application that enables the
administrator to pre-configure the Sametime Connect client with the
Sametime Connectivity settings appropriate for your network
environment. If you use the Client Packager, end users will not have to
adjust the connectivity settings of the client to accommodate your
network environment. For more information about the Client Packager,
see the Lotus Sametime 3.1 Installation Guide (stinstall.nsf and stinstall.pdf)
on the Sametime product CD. This guide is also available from the
Documentation library on the www-10.lotus.com Web site.
• The Community Services Network settings are available from the
Configuration-Connectivity-"Networks and Ports" settings of the
Sametime Administration Tool. The Community Services Network
settings include the "Address for client connections," the "Address for
HTTPS client connections," and the "Address for HTTP tunneled client
connections." These server-side settings control the IP addresses or DNS
names and the ports on which the Sametime server Community Services
multiplexer listens for Sametime Connect client connections.
Connection process
The basic connection process of the Sametime Connect client is described
below. The connection process depends on the Connection, "Proxy type,"
and Port settings that are selected in the Sametime Connect client Sametime
Connectivity settings.
1. The user starts the Sametime Connect client. (Sametime Connect for the
desktop runs on the Windows operating system. Sametime Connect for
browsers loads in the user's Web browser).
2. The Sametime Connect client examines the values in the "Host" field and
the "Community Port" field (default 1533) of the Sametime Connect
client Sametime Connectivity settings.
The Sametime Connect client uses the "Host" and "Community Port"
values to determine the Host name and port it should use when
attempting a connection to the Sametime server.
Note For the most efficient connectivity, the Host field of the Sametime
Connect client Sametime Connectivity settings and the "Sametime
server" field of a user's Person document should specify the same
Sametime server (the user's home Sametime server). For more
information, see "Community Services connectivity and the home
Sametime server" earlier in this chapter.
3. The Sametime Connect client uses the "Connection" setting in its
Sametime Connectivity settings to determine how to make the
connection to the Host machine specified in the Sametime Connectivity
settings. The possible "Connection" settings are:
• Use my Internet Explorer HTTP settings (This setting appears in
Sametime Connect for the desktop only)
• Use my Internet Explorer browser settings (This setting appears in
Sametime Connect for browsers only)
• Use my Java Plug-in settings (This setting appears in Sametime
Connect for browsers only)
• Direct connection using standard Sametime protocol
• Direct connection using HTTP protocol
• Use Proxy
Note The order in which these settings appear varies for the Sametime
Connect client for the desktop and the Sametime Connect client for
browsers.
Using the Internet Explorer or Java Plug-in settings - The connection
process that occurs when either the "Use my Internet Explorer HTTP
settings," "Use my Internet Explorer browser settings," or "Use my Java
Plug-in settings" is selected is described in a separate section. For more
information about these connection processes, see "Sametime Connect
client connection processes using the Web browser or Java Plug-in
connectivity settings" later in this chapter.
"Direct connection using standard Sametime protocol" - Select this
setting if the Sametime Connect client can make a direct TCP/IP
connection to the Sametime server. Generally, this setting is used when
the connection does not occur through a proxy server, and the network
does not block TCP/IP connections on the port used by the Sametime
Connect client.
When "Direct connection using standard Sametime protocol" is selected
as the Connection type, the Sametime Connect client attempts a
connection to the Community Services multiplexer on the Sametime
server using a unique Sametime protocol over TCP/IP. The client
attempts this connection on the "Community port" (default port 1533)
specified in the Sametime Connect client Sametime Connectivity
settings.
The Community Services on the Sametime server listen for direct
Sametime protocol over TCP/IP connections on the host name and port
specified in the "Community Services Network-Address for client
connections-Host name and Port" settings of the Sametime
Administration Tool. By default, the Community Services listen for this
connection on port 1533.
For this connection to succeed, the port setting specified in the Sametime
Connect client Sametime Connectivity settings must match one of the
ports specified in the "Community Services Network-Address for client
connections-Port number" setting on the Sametime server. (By default,
both of these settings specify port 1533.)
This connection can fail if the connection must pass through a proxy
server or network that prevents direct TCP/IP connections on port 1533
(or other port specified in both the Sametime Connectivity settings of the
Sametime Connect client and the "Community Services
Network-Address for client connections-Port number" setting in the
Sametime Administration Tool). For more information about connecting
through firewalls, see "About http tunneling" later in this chapter and
"Extending Sametime to Internet users" in Chapter 14.
"Direct connection using HTTP protocol" setting - Select this option if
you want the Sametime Connect client to use HTTP to establish a
connection with the Community Services, but you do not want this
connection to occur through an HTTP proxy server.
When "Direct connection using HTTP protocol" is selected, the client
encases the standard Sametime protocol connection information within
an HTTP request. The Sametime Connect client then attempts to
establish an HTTP connection directly with the Community Services
multiplexer on the Sametime server. The Sametime Connect client
attempts this connection on the "Community port" specified in its
Sametime Connectivity settings.
The Community Services multiplexer can listen for HTTP-tunneled
connections on multiple ports. The Community Services multiplexer
listens for HTTP-tunneled connections on the host name and port
specified in the "Community Services Network-Address for client
connections-Host name and Port" settings of the Sametime
Administration Tool and the host name and port specified in the
"Community Services Network-Address for HTTP tunneled client
connections-Host name and Port number" settings of the Sametime
Administration Tool.
Note If the administrator allows HTTP tunneling on port 80 during the
Sametime server installation, the Community Services multiplexer
listens for HTTP-tunneled connections on port 80 by default on the
Community Services Network-Address for HTTP tunneled client
connections-Port number. In this scenario, the Community Services
multiplexer also listens for HTTP-tunneled connections on port 1533 (the
Community Services Network-Address for client connections-Port
number).
This setting is used most frequently to enable Sametime Connect clients
that operate behind restrictive firewalls without HTTP proxy servers to
connect to a Sametime server available to Internet users.
Note The term "restrictive firewalls" refers to firewalls that only allow
HTTP connections to the Internet on port 80 (or another
administrator-defined port).
The "Direct connection using HTTP protocol" connectivity option is
intended primarily to support the HTTP tunneling on port 80
functionality available with the Sametime 3.1 server. For more
information about HTTP tunneling on port 80, see "About http
tunneling" later in this chapter.
If a Sametime Connect client operates behind a firewall that allows only
HTTP connections on port 80 and the client's firewall or network
environment does not include an HTTP proxy server, select the "Direct
connection using HTTP protocol" setting and change the "Community
port" setting in the Sametime Connect client Sametime Connectivity
settings from the default of 1533 to port 80.
The administrator must also ensure that the "Port number" setting under
"Address for HTTP tunneled client connections" in the Community
Services Network settings specified in the Sametime server
administration tool also specifies port 80. Such a configuration should
enable a Sametime Connect client operating behind a restrictive firewall
to establish a connection with an Internet Sametime server using HTTP
tunneling over port 80.
Use proxy - Selecting the "Use proxy" option enables the Sametime
Connect client to connect through a SOCKS, HTTP, or HTTPS proxy
server when establishing a connection to the Community Services. After
selecting the "Use proxy" connection type, select the appropriate "Proxy
type" in the Sametime Connect client Sametime Connectivity options.
The available "Proxy type" settings are:
• Use SOCKS4 proxy
• Use SOCKS5 proxy
• Use HTTPS proxy
• Use HTTP proxy
Note You can also select "Use my Internet Explorer HTTP settings,"
"Use my Internet Explorer browser settings," or "Use my Java Plug-in
settings" to establish connections through HTTP and SOCKS proxy
servers. For more information, see "Sametime Connect client connection
processes using the Web browser or Java Plug-in connectivity settings"
later in this chapter.
Use SOCKS4 proxy and Use SOCKS5 proxy - If the Sametime Connect
client connects to a SOCKS proxy server to access the Internet or
intranet, you must select the appropriate SOCKS proxy option (either
Use SOCKS4 proxy or Use SOCKS5 proxy) as the "Proxy type" in the
Sametime Connect client Sametime Connectivity settings.
If you select "Use SOCKS4 proxy" or "Use SOCKS5 proxy," you must
also specify the "Host name" (DNS name or IP address) of the SOCKS
proxy server and the port required to connect to the SOCKS proxy server
in the "Proxy server" options of the Sametime Connect client Sametime
Connectivity settings. For SOCKS5 proxies, you must also specify the
user name and password required for SOCKS5 authentication.
Sametime Connect connects to the SOCKS proxy, and the proxy server
connects to the Community Services on the Sametime server on behalf of
the Sametime Connect client. The client uses the "standard Sametime
protocol" over TCP/IP for this connection. The connection from the
SOCKS proxy to the Community Services occurs on the "Community
port" (default 1533) specified in the Sametime Connect client Sametime
Connectivity settings.
The "Resolve server name locally" setting determines whether the
Sametime server host name is resolved by the Sametime Connect client
or the SOCKS4 or SOCKS5 proxy server.
When the "Resolve server name locally" setting is selected, the Sametime
Connect client calls a local DNS server to resolve the Sametime server
name. The Sametime Connect client passes the IP address to the SOCKS
proxy; the SOCKS proxy does not resolve the IP address.
When "Resolve server name locally" is not selected, Sametime Connect
does not resolve the DNS name of the Sametime server. Sametime
Connect passes the DNS name of the Sametime server to the SOCKS
proxy, and the SOCKS proxy server calls a DNS server to resolve the
server name.
Some organizations do not allow their internal DNS servers to resolve
the names of external servers for security reasons. If the DNS server is
configured in this way, users should clear the check mark from the
"Resolve server name locally" field. The SOCKS proxy resolves the
external server name by calling a different DNS server (which is not
available on the internal network).
For this connection to succeed, the port specified in the "Community
port" field of the Sametime Connect client Sametime Connectivity
settings must match one of the ports listed in the "Community Services
Network-Address for client connections-Port number" setting in the
Sametime Administration Tool or one of the ports specified in the
"Community Services Network-Address for HTTP tunneled client
connections-Host name and Port number" setting in the Sametime
Administration Tool.
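To make the "Resolve server name locally" choice concrete, here is an added example (not code from the Sametime product or this guide) that builds the SOCKS4 and SOCKS5 CONNECT request a client sends in each mode and parses back what the proxy learns about the destination. The host name sametime.example.com, the 192.0.2.10 address and the in-memory resolver are constructed placeholders.

```python
"""Added example (not from the Sametime guide): what a SOCKS proxy sees when the
"Resolve server name locally" option is on or off.  Sample values are constructed."""
from __future__ import annotations
import socket
import struct

# Constructed sample values: a placeholder Sametime host and a TEST-NET-1 address.
SAMETIME_HOST = "sametime.example.com"
COMMUNITY_PORT = 1533                 # default "Community port" on the client
FAKE_DNS = {SAMETIME_HOST: "192.0.2.10"}   # stands in for the client's local DNS server


def local_resolve(name: str) -> str:
    """Stand-in for the client calling its local DNS server; only happens when
    "Resolve server name locally" is selected."""
    return FAKE_DNS[name]


def socks5_connect_request(host: str, port: int, resolve_locally: bool) -> bytes:
    """SOCKS5 CONNECT request (RFC 1928) sent after the greeting/authentication.
    With local resolution the proxy receives only an IPv4 address (ATYP 0x01);
    otherwise it receives the DNS name (ATYP 0x03) and must resolve it itself."""
    header = b"\x05\x01\x00"                       # VER=5, CMD=CONNECT, RSV
    if resolve_locally:
        addr = b"\x01" + socket.inet_aton(local_resolve(host))
    else:
        name = host.encode("ascii")
        addr = b"\x03" + bytes([len(name)]) + name
    return header + addr + struct.pack("!H", port)


def socks4_connect_request(host: str, port: int, resolve_locally: bool,
                           userid: str = "") -> bytes:
    """SOCKS4 CONNECT request.  Plain SOCKS4 carries only an IPv4 address; when
    the name is not resolved locally the SOCKS4a form is used (DSTIP 0.0.0.x and
    the host name appended after the USERID field)."""
    uid = userid.encode("ascii") + b"\x00"
    if resolve_locally:
        return (b"\x04\x01" + struct.pack("!H", port)
                + socket.inet_aton(local_resolve(host)) + uid)
    name = host.encode("ascii") + b"\x00"
    return b"\x04\x01" + struct.pack("!H", port) + b"\x00\x00\x00\x01" + uid + name


def destination_seen_by_proxy(request: bytes) -> tuple[str, str, int]:
    """Parse either request form and report what the proxy learns about the
    destination: ("ipv4" | "domain", address-or-name, port).  This is what leaves
    the client's network, which is why the setting matters to internal DNS policy."""
    if request[0] == 0x05:                         # SOCKS5
        atyp = request[3]
        if atyp == 0x01:
            ip = socket.inet_ntoa(request[4:8])
            port = struct.unpack("!H", request[8:10])[0]
            return ("ipv4", ip, port)
        if atyp == 0x03:
            n = request[4]
            name = request[5:5 + n].decode("ascii")
            port = struct.unpack("!H", request[5 + n:7 + n])[0]
            return ("domain", name, port)
        raise ValueError("unsupported SOCKS5 address type")
    if request[0] == 0x04:                         # SOCKS4 / SOCKS4a
        port = struct.unpack("!H", request[2:4])[0]
        ip_bytes = request[4:8]
        rest = request[8:]
        uid_end = rest.index(b"\x00")
        if ip_bytes[:3] == b"\x00\x00\x00" and ip_bytes[3] != 0:   # SOCKS4a marker
            name = rest[uid_end + 1:rest.index(b"\x00", uid_end + 1)].decode("ascii")
            return ("domain", name, port)
        return ("ipv4", socket.inet_ntoa(ip_bytes), port)
    raise ValueError("not a SOCKS4/SOCKS5 request")


if __name__ == "__main__":
    for resolve in (True, False):
        for builder in (socks5_connect_request, socks4_connect_request):
            req = builder(SAMETIME_HOST, COMMUNITY_PORT, resolve)
            print(f"{builder.__name__:24s} resolve_locally={resolve!s:5s} "
                  f"-> {destination_seen_by_proxy(req)}")
```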
Use HTTP proxy - If the Sametime Connect client connects to an HTTP
proxy to access the Internet or intranet, you can select "Use HTTP proxy"
as the "Proxy type" in the Sametime Connect client Sametime
Connectivity settings.
If "Use HTTP proxy" is selected as the Proxy type, you must also specify
the "Host name" (DNS name or IP address) of the HTTP proxy server
and the port required to connect to the HTTP proxy server in the "Proxy
server" options of the Sametime Connect client Sametime Connectivity
settings.
Note If the HTTP proxy server requires authentication, the user name
and password required for authentication to the HTTP proxy server
must also be entered in the "Proxy server" options of the Sametime
Connect client Sametime Connectivity settings.
When "Use HTTP proxy" is selected, the client encases the standard
Sametime protocol connection information within an HTTP request.
Sametime Connect connects to the HTTP proxy, and the HTTP proxy
server connects to the Community Services multiplexer on the Sametime
server on behalf of the Sametime Connect client. The HTTP connection
to the Community Services multiplexer occurs on the "Community port"
(default 1533) specified in the Sametime Connect client Sametime
Connectivity settings.
The Community Services multiplexer on the Sametime server listens for
HTTP connections on all ports specified in the "Port number" field under
"Address for client connections" in the Community Services Network
settings of the Sametime Administration Tool and "Address for HTTP
tunneled client connections" in the Community Services Network
settings of the Sametime Administration Tool.
For this connection to succeed, the port specified as the "Community
port" setting in the Sametime Connect client Sametime Connectivity
settings must match a port number specified in one of these settings in
the Sametime Administration Tool:
• The "Port number" field under "Address for client connections" in the
Community Services Network settings of the Sametime
Administration Tool.
• The "Port number" field under "Address for HTTP tunneled client
connections" in the Community Services Network settings of the
Sametime Administration Tool.
Note If the administrator allows HTTP tunneling on port 80 during the
Sametime server installation, the "Community Services
Network-Address for client connections-Port number" setting defaults to
port 1533, and the "Community Services Network-Address for HTTP
tunneled client connections-Port number" settings are ports 80 and 8082.
In this configuration, the Sametime Connect client can complete an
HTTP-tunneled connection to the Community Services multiplexer
using either port 1533, 80, or 8082.
For more information about HTTP tunneling on port 80, see "What is
HTTP tunneling?" later in this chapter.
Use HTTPS proxy - If the Sametime Connect client must connect to an
HTTPS proxy to access the Internet or intranet, select the "Use HTTPS
proxy" option in the "Proxy type" settings. If "Use HTTPS proxy" is
selected as the proxy type, you must also specify:
• The "Host name" (DNS name or IP address) of the HTTPS proxy
server
• The port required to connect to the HTTPS proxy server in the "Proxy
server" options of the Sametime Connect client Sametime
Connectivity settings
When "Use HTTPS proxy" is selected, the client encases the standard
Sametime protocol information within an HTTPS request. Sametime
Connect connects to the HTTPS proxy, and the HTTPS proxy server
connects to the Community Services multiplexer on the Sametime server
on behalf of the Sametime Connect client. The HTTPS connection to the
Community Services multiplexer occurs on the port (default 1533)
specified in the Sametime Connect client Sametime Connectivity
settings.
The Community Services multiplexer on the Sametime server listens for
HTTPS connections on all ports specified in the "Community Services
Network-Address for HTTPS tunneled client connections-Port number"
setting in the Configuration-Connectivity options of the Sametime
Administration Tool.
For this connection to succeed, the port specified as the "Community
port" setting in the Sametime Connect client Sametime Connectivity
settings must match the port listed in the "Community Services
Network-Address for HTTPS tunneled client connections-Port number"
setting.
The "Community port" setting in the Sametime Connect client Sametime
Connectivity settings and the Community Services Network-Address for
HTTPS tunneled client connections-"Port number" setting in the
Sametime Administration Tool both specify port 1533 by default.
Many organizations have firewall or network configurations that
prevent HTTPS connections on the default port of 1533. For the HTTPS
connection to succeed in your network environment, you might need to
specify port 443 for HTTPS connections in both of the following settings:
• The "Community port" setting of the Sametime Connect client
Sametime Connectivity settings
• The "Port number" field under "Address for HTTPS tunneled client
connections" in the Community Services Network settings of the
Sametime Administration Tool
If you have configured the Domino HTTP server to listen for HTTPS
connections from Web browsers on port 443, the Community Services
multiplexer cannot also listen for HTTPS connections on port 443 unless
you assign multiple IP addresses to the Sametime server. For more
information on this issue, see the "Things you need to know" section of
the Sametime 3.1 Release Notes (strn31.nsf or strn31.pdf on the
Sametime CD).
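The port-matching rules spread across the connection types above can be collected into one consistency check. The following is an added example, not part of the Sametime product or this guide; the dataclass field names, the sametime.example.com host and the sample settings are this example's own, and the Web-browser-settings fallback flag is modelled only for the "Use my Internet Explorer HTTP settings" option.

```python
"""Added example (not from the Sametime guide): check a client's Sametime
Connectivity settings against a server's Community Services Network settings
using the port rules the guide states for each connection type."""
from __future__ import annotations
from dataclasses import dataclass, field

# Connection / proxy types named as the guide names them.
DIRECT_SAMETIME = "Direct connection using standard Sametime protocol"
DIRECT_HTTP = "Direct connection using HTTP protocol"
SOCKS4 = "Use SOCKS4 proxy"
SOCKS5 = "Use SOCKS5 proxy"
HTTP_PROXY = "Use HTTP proxy"
HTTPS_PROXY = "Use HTTPS proxy"
IE_HTTP = "Use my Internet Explorer HTTP settings"


@dataclass
class ClientSettings:
    """Sametime Connectivity settings on the client (field names are this example's)."""
    host: str
    community_port: int = 1533
    connection: str = DIRECT_SAMETIME   # "Connection" setting, or the "Proxy type" under "Use proxy"


@dataclass
class ServerNetworkSettings:
    """Community Services Network settings (field names are this example's)."""
    client_ports: set[int] = field(default_factory=lambda: {1533})        # Address for client connections
    http_tunnel_ports: set[int] = field(default_factory=set)              # Address for HTTP tunneled client connections
    https_tunnel_ports: set[int] = field(default_factory=lambda: {1533})  # Address for HTTPS tunneled client connections
    try_http_tunneling_after_other_options: bool = True  # "Enable Web client to try HTTP tunneling after trying other options"
    domino_https_port: int | None = None   # port the Domino HTTP server uses for HTTPS, if any
    server_ip_addresses: int = 1           # number of IP addresses assigned to the Sametime server


def ports_accepting(connection: str, server: ServerNetworkSettings) -> set[int]:
    """Ports on which the multiplexer accepts the given connection type, per the guide."""
    if connection == DIRECT_SAMETIME:
        return set(server.client_ports)
    if connection in (DIRECT_HTTP, SOCKS4, SOCKS5, HTTP_PROXY, IE_HTTP):
        return set(server.client_ports) | set(server.http_tunnel_ports)
    if connection == HTTPS_PROXY:
        return set(server.https_tunnel_ports)
    raise ValueError(f"unknown connection type: {connection}")


def check_connectivity(client: ClientSettings, server: ServerNetworkSettings) -> list[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    problems: list[str] = []
    accepted = ports_accepting(client.connection, server)
    if client.community_port not in accepted:
        problems.append(
            f"Community port {client.community_port} is not a port the server accepts "
            f"for '{client.connection}': {sorted(accepted) or 'none'}")
    # An HTTP-tunneled port is only reached by a browser-settings connection when the
    # server lets the Web client fall back to HTTP tunneling.
    if (client.connection == IE_HTTP
            and client.community_port in server.http_tunnel_ports
            and client.community_port not in server.client_ports
            and not server.try_http_tunneling_after_other_options):
        problems.append(
            "'Enable Web client to try HTTP tunneling after trying other options' is off, "
            f"so HTTP tunneled port {client.community_port} will not be used")
    # The multiplexer and the Domino HTTP server cannot share one port on one address.
    if (client.connection == HTTPS_PROXY
            and server.domino_https_port is not None
            and client.community_port == server.domino_https_port
            and server.server_ip_addresses < 2):
        problems.append(
            f"port {client.community_port} is already used by the Domino HTTP server for "
            "HTTPS; the multiplexer cannot also listen there without a second IP address")
    return problems


if __name__ == "__main__":
    # Constructed scenario: client behind a port-80-only firewall, server installed
    # with HTTP tunneling on port 80 (tunneled ports 80 and 8082).
    server = ServerNetworkSettings(http_tunnel_ports={80, 8082})
    for conn in (DIRECT_SAMETIME, DIRECT_HTTP, HTTPS_PROXY):
        client = ClientSettings("sametime.example.com", 80, conn)
        print(conn, "->", check_connectivity(client, server) or "OK")
```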
Sametime Connect client connection processes using the Web browser
or Java Plug-in connectivity settings
The Sametime Connect clients available with Sametime 3.1 include
connectivity options that enable the clients to use connectivity settings
defined in a Web browser or the connectivity settings defined in the Java
Plug-in for Sun Microsystems Java Virtual Machine (JVM) 1.4.1 to establish
connections with the Community Services on the Sametime server. These
connectivity options are discussed below:
• Use my Internet Explorer HTTP settings - The "Use my Internet
Explorer HTTP settings" option appears only in the Sametime
Connectivity tab of the Sametime Connect for the desktop client. This
option enables the Sametime Connect for the desktop client to use the
connectivity settings defined in a user's Internet Explorer Web browser
to establish connections with the Sametime server. This connection
process is described in Sametime Connect for the desktop - Use my
Internet Explorer HTTP settings.
The "Use my Internet Explorer HTTP settings" option does not appear in
the Sametime Connect for browsers client.
• Use my Internet Explorer browser settings - The "Use my Internet
Explorer browser settings" option appears in the Sametime Connectivity
tab of the Sametime Connect for browsers client when the client loads in
a Web browser that runs under the Microsoft VM. The connection
process that occurs when this option is selected is described in Sametime
Connect for browsers - Use my Internet Explorer browser settings.
The "Use my Internet Explorer browser settings" option does not appear
in the Sametime Connect for the desktop client.
• Use my Java Plug-in settings - The "Use my Java Plug-in settings"
option appears in the Sametime Connectivity tab of the Sametime
Connect for browsers client when the client loads in a Web browser that
runs under the Sun Microsystems JVM 1.4.1. The connection process that
occurs when this option is selected is described in Sametime Connect for
browsers - Use my Java Plug-in settings.
The "Use my Java Plug-in settings" option does not appear in the
Sametime Connect for the desktop client.
Sametime Connect for the desktop - Use my Internet Explorer HTTP
settings
The "Use my Internet Explorer HTTP settings" option appears only in the
Sametime Connectivity tab of the Sametime Connect for the desktop client.
When the "Use my Internet Explorer HTTP settings" option is selected in the
Sametime Connectivity settings, Sametime Connect for the desktop uses the
proxy connectivity settings defined in the user's Internet Explorer Web
browser to attempt an HTTP-tunneled connection to the Sametime server.
Note Sametime Connect for the desktop cannot use proxy connectivity
settings defined in a Netscape Navigator Web browser. A user must have
the Microsoft Internet Explorer Web browser installed to use the "Use my
Internet Explorer HTTP settings" option with the Sametime Connect for the
desktop client.
The connection process for the "Use my Internet Explorer HTTP settings"
option is:
1. The Sametime Connect for the desktop client examines the values in the
"Host" field and the "Community Port" field (default 1533) of the
Sametime Connectivity settings available on the client.
The Sametime Connect client uses the "Host" and "Community Port"
values to determine the Host name and port it should use when
attempting a connection to the Sametime server.
Note For the most efficient connectivity, the Host field of the Sametime
Connect client Sametime Connectivity settings and the "Sametime
server" field of a user's Person document should specify the same
Sametime server. For more information, see "Community Services
connectivity and the home Sametime server" earlier in this chapter.
2. The Sametime Connect client uses the Web connectivity (or proxy)
settings of the Web browser to establish a connection with the
Community Services as noted in the subsequent steps.
3. The Sametime Connect client encases the standard Sametime protocol
data within an HTTP request and attempts to connect to the Community
Services multiplexer using HTTP. Encasing this connection protocol data
within an HTTP request is called "HTTP-tunneling."
4. Sametime Connect examines the Internet Explorer Web browser
connectivity settings to attempt the HTTP-tunneled connection to the
Community Services multiplexer. If the Web browser settings:
• Do not specify a proxy server - The HTTP request is sent directly to
the Community Services multiplexer on the Sametime server. This
connection is called a "direct HTTP connection."
• Specify a SOCKS proxy server - The HTTP request is sent to the
Community Services multiplexer through the SOCKS proxy server.
• Specify an HTTP proxy server - The HTTP request is sent to the
Community Services multiplexer through the HTTP proxy server.
In all three cases above, the Host name and "Community port" settings
(default port 1533) specified in the Sametime Connect client are used to
establish the connection to the Community Services multiplexer.
For the HTTP-tunneled connection to succeed, the following must be
true:
• The port specified as the "Community port" setting in the Sametime
Connect client Sametime Connectivity settings must match a port
number specified in one of these settings in the Sametime
Administration Tool: the "Port number" field under "Address for
client connections" in the Community Services Network settings of the
Sametime Administration Tool or the "Port number" field under
"Address for HTTP tunneled client connections" in the Community
Services Network settings of the Sametime Administration Tool.
• The IP address or DNS name specified in the Host setting in the
Sametime Connect client Sametime Connectivity settings must
correspond to any IP address or DNS name specified in the "Host
name" field under "Address for HTTP tunneled client connections" in
the Community Services Network settings of the Sametime
Administration Tool. If the Community Services Network-Address
for HTTP tunneled client connections-"Host name" field is blank, the
entry in the Host setting of the Sametime Connect client can
correspond to any IP address or DNS name assigned to the Sametime
server.
• All networks between the Sametime Connect client and the Sametime
server must allow HTTP connections on the port specified as the
"Community port" in the Sametime Connect client. The Community
port setting in the Sametime Connect client must also match a port
specified in the "Port number" field under "Address for client
connections" in the Community Services Network settings of the
Sametime Administration Tool or the "Port number" field under
"Address for HTTP tunneled client connections" in the Community
Services Network settings of the Sametime Administration Tool.
Note The "Enable Web client to try HTTP tunneling after trying other
options" setting must be enabled in the Community Server Network
settings on the "Networks and Ports" tab of the Sametime
Administration Tool for the connection to occur using the port
specified as the "Address for HTTP tunneled client connections" in the
Community Services Network settings of the Sametime
Administration Tool.
5. If the HTTP-tunneled connection does not succeed, an error message
displays to the user.
Sametime Connect for browsers - Use my Internet Explorer browser
settings
The "Use my Internet Explorer browser settings" option appears only in the
Sametime Connectivity tab of a Sametime Connect for browsers client that
loads in a Web browser that runs under the Microsoft VM.
When the "Use my Internet Explorer browser settings" option is selected in
the Sametime Connectivity settings, the Sametime Connect for browsers
client can use the proxy connectivity settings defined in the user's Microsoft
Internet Explorer Web browser.
Note Sametime Connect for browsers cannot access proxy connectivity
settings defined in a Netscape Navigator Web browser. Sametime Connect
for browsers uses the Internet Explorer Web browser settings regardless of
whether you are running Sametime Connect for browsers in the Internet
Explorer or Netscape Navigator Web browser.
Sametime Connect for browsers follows this connection process when the
"Use my Internet Explorer browser settings" connectivity option is selected.
1. The Sametime Connect for browsers client examines the values in the
"Host" field and the "Port" field (default 1533) of the Sametime Connect
client Sametime Connectivity settings.
The Sametime Connect for browsers client uses the "Host" and "Port"
values to determine the Host name and port it should use when
attempting a connection to the Sametime server.
Note For the most efficient connectivity, the Host field of the Sametime
Connect client Sametime Connectivity settings and the "Sametime
server" field of a user's Person document should specify the same
Sametime server. For more information, see "Community Services
connectivity and the home Sametime server" earlier in this chapter.
2. Sametime Connect for browsers attempts a direct Sametime protocol
over TCP/IP connection to the Community Services on the port
specified as the "Community port" in the Sametime Connectivity settings
(default port 1533) of the Sametime Connect client.
The Community Services multiplexer on the Sametime server listens for
this connection on the host names and ports specified in the
"Community Services Network-Address for client connections-Host
name and Port number" settings (default port 1533) in the Connectivity
settings of the Sametime Administration Tool.
Sametime Connect for browsers attempts a TCP/IP connection first
because this type of connection provides better performance than the
HTTP-tunneled connection that it subsequently tries. For the TCP/IP
connection to succeed, both of the following must be true:
• The host name specified in the Host setting in the Sametime Connect
client Sametime Connectivity settings must correspond to any IP
address or DNS name specified in the "Host name" field under
"Address for client connections" in the Community Services Network
settings of the Sametime Administration Tool. If the Community
Services Network-Address for client connections-"Host name" field is
blank, the entry in the Host setting of the Sametime Connect for
browsers client can correspond to any IP address or DNS name
assigned to the Sametime server.
• The "Port" setting specified in the Sametime Connect client Sametime
Connectivity settings must match one of the ports specified in the
Community Services Network-Address for client connections-"Port
number" setting on the Sametime server. By default, both of these
settings specify port 1533.
This Sametime protocol over a TCP/IP connection can fail if the
connection must pass through a proxy server or if the network
configuration prevents direct TCP/IP connections on port 1533 (or other
port specified in both the Sametime Connectivity settings of the
Sametime Connect client and the Community Services Network-Address
for client connections-"Port number" setting in the Sametime
Administration Tool).
If the Sametime protocol over a TCP/IP connection attempt is not
successful within five seconds, Sametime Connect continues with the
connection process as described below.
3. The Sametime Connect for browsers client encases the standard
Sametime protocol data within an HTTP request and attempts to connect
to the Community Services multiplexer using HTTP.
The client enters a polling state to maintain this connection. This polling
state is referred to as "hybrid polling." With hybrid polling, the client
and server maintain a connection for as long as possible, but might be
required to periodically break and re-create this connection.
Note A hybrid-polling connection provides better support for accessing
the Web browser proxy settings and authenticating through HTTP
proxies than the polled HTTP connection type described in Step 4.
Sametime Connect for browsers examines the Web browser connectivity
settings to attempt this HTTP-tunneled connection (using hybrid
polling) to the Community Services multiplexer. If the Web browser
settings:
• Do not specify a proxy server - The HTTP request is sent directly to
the Community Services multiplexer on the Sametime server.
• Specify a SOCKS proxy server - The HTTP request is sent to the
Community Services multiplexer through the SOCKS proxy server.
• Specify an HTTP proxy server - The HTTP request is sent to the
Community Services multiplexer through the HTTP proxy server.
In all three cases above, the Host name and "Port" settings (default port
1533) specified in the Sametime Connect for browsers client are used to
establish the connection to the Community Services multiplexer.
For the HTTP-tunneled connection to succeed, the following must be
true:
• The port specified as the "Community port" setting in the Sametime
Connect client Sametime Connectivity settings must match a port
number specified in one of these settings in the Sametime
Administration Tool: the "Port number" field under "Address for
client connections" in the Community Services Network settings of the
Sametime Administration Tool or the "Port number" field under
"Address for HTTP tunneled client connections" in the Community
Services Network settings of the Sametime Administration Tool.
• The IP address or DNS name specified in the Host setting in the
Sametime Connect client Sametime Connectivity settings must
correspond to any IP address or DNS name specified in the "Host
name" field under "Address for HTTP tunneled client connections" in
the Community Services Network settings of the Sametime
Administration Tool. If the Community Services Network-Address
for HTTP tunneled client connections-"Host name" field is blank, the
entry in the Host setting of the Sametime Connect client can
correspond to any IP address or DNS name assigned to the Sametime
server.
• All networks between the Sametime Connect client and the Sametime
server must allow HTTP connections on the port specified as the
"Community port" in the Sametime Connect client. The Community
port setting in the Sametime Connect client must also match a port
specified in the "Port number" field under "Address for client
connections" in the Community Services Network settings of the
Sametime Administration Tool or the "Port number" field under
"Address for HTTP tunneled client connections" in the Community
Services Network settings of the Sametime Administration Tool.
Note The "Enable Web client to try HTTP tunneling after trying other
options" setting must be enabled in the Community Server Network
settings on the "Networks and Ports" tab of the Sametime
Administration Tool for the connection to occur using the port
specified as the "Address for HTTP tunneled client connections" in the
Community Services Network settings of the Sametime
Administration Tool.
214 Sametime 3.1 Administrator's Guide
4. If the Sametime Connect client is unable to establish the HTTP
connection using hybrid polling as described above, the client attempts
to maintain an HTTP-tunneled connection using a continuous-polling
mode.
In this continuous-polling mode, the client continuously makes and
breaks HTTP connections. Note that the client attempts to access any
proxy connectivity settings defined for the Web browser to connect and
authenticate with a proxy when making these polled connections.
The polling functionality enables the Sametime Connect client to
establish connections through proxies that require authentication or
proxies that buffer data. However, the polling functionality can increase
network traffic and limit the scalability of the Sametime server. In some
cases, the Sametime Connect client might not be able to access the Web
browser connectivity settings or authenticate with some HTTP proxies
when using this continuous-polling functionality.
Sametime Connect for browsers - Use my Java Plug-in settings (Sun Microsystems JVM 1.4.1 only)
The "Use my Java Plug-in settings" option appears only in the Sametime
Connectivity tab of a Sametime Connect for browsers client that loads in a
Web browser that operates with the Sun Microsystems Java Virtual Machine
(JVM) 1.4.1.
Note For information about accessing the connectivity settings of the Java
Plug-in 1.4.1, see "Notes on the connection process" below.
Sametime Connect for browsers follows this connection process when the
"Use my Java Plug-in settings" connectivity option is selected in the
Sametime Connectivity tab of the Sametime Connect for browsers client.
1. The Sametime Connect for browsers client examines the values in the
"Host" field and the "Port" field (default 1533) of the Sametime Connect
client Sametime Connectivity settings.
Sametime Connect for browsers uses the "Host" and "Port" values to
determine the Host name and port it should use when attempting a
connection to the Sametime server.
Note For the most efficient connectivity, the Host field of the Sametime
Connect client Sametime Connectivity settings and the "Sametime
server" field of a user's Person document should specify the same
Sametime server. For more information, see "Community Services
connectivity and the home Sametime server" earlier in this chapter.
2. Sametime Connect for browsers attempts a direct Sametime protocol
over TCP/IP connection to the Community Services on the port
specified as the "Community port" in the Sametime Connectivity settings
(default port 1533) of the Sametime Connect client.
The Community Services multiplexer on the Sametime server listens for
this connection on the host names and ports specified in the
"Community Services Network-Address for client connections-Host
name and Port number" settings (default port 1533) in the Connectivity
settings of the Sametime Administration Tool.
Sametime Connect for browsers attempts a direct TCP/IP connection
first regardless of how the connectivity settings are configured in the
Java Plug-in Control Panel. The client attempts a direct TCP/IP
connection first because this type of connection provides the best
performance of all possible connection types. For the TCP/IP connection
to succeed, both of the following must be true:
• The host name specified in the Host setting in the Sametime Connect
client Sametime Connectivity settings must correspond to any IP
address or DNS name specified in the "Host name" field under
"Address for client connections" in the Community Services Network
settings of the Sametime Administration Tool. If the Community
Services Network-Address for client connections-"Host name" field is
blank, the entry in the Host setting of the Sametime Connect for
browsers client can correspond to any IP address or DNS name
assigned to the Sametime server.
• The "Port" setting specified in the Sametime Connect client Sametime
Connectivity settings must match one of the ports specified in the
Community Services Network-Address for client connections-"Port
number" setting on the Sametime server. By default, both of these
settings specify port 1533.
This Sametime protocol over a TCP/IP connection can fail if the
connection must pass through a proxy server or if the network
configuration prevents direct TCP/IP connections on port 1533 (or other
port specified in both the Sametime Connectivity settings of the
Sametime Connect client and the Community Services Network-Address
for client connections- "Port number" setting in the Sametime
Administration Tool).
If the Sametime protocol over a TCP/IP connection attempt is not
successful, Sametime Connect continues with the connection process as
described below.
3. The Sametime Connect for browsers client examines the connectivity
settings specified in the Proxies tab of the Java Plug-in Control Panel to
establish the connection with the Community Services on the Sametime
server. The possible settings in the Proxies tab of the Java Plug-in
Control Panel include:
• Use my browser settings
• HTTP
• Secure
• Socks
• FTP (Not applicable for Sametime)
• Gopher (Not applicable for Sametime)
The connection processes associated with these settings are described
below.
Use my browser settings is not selected and no proxies are specified - If
the "Use my browser settings" option is not selected and no proxy servers are
specified in the Java Plug-in connectivity settings, Sametime Connect for
browsers attempts a direct HTTP connection to the Community Services
on the Sametime server.
Direct HTTP-tunneled connections are used most frequently to enable
Sametime Connect clients that operate behind restrictive firewalls
without HTTP proxy servers to connect to a Sametime server available to
Internet users.
This connection process is identical to the connection process that occurs
when the "Direct connection using HTTP protocol" option is selected in
the Sametime Connectivity tab of the Sametime Connect client. For
details on this connection process, see the "Direct connection using HTTP
protocol" description in the Basic Sametime Connect client connection
process topic earlier in this chapter.
Note The Sametime Connect for browsers client will also try a direct
HTTP-tunneled connection if the client attempts to connect through a
proxy server but the connection attempt through the proxy fails. For
more information, see "Notes about the connection process" below.
Use my browser settings is selected - When "Use my browser settings"
is specified in the Java Plug-in connectivity settings, Sametime Connect
for browsers will attempt to use the proxy settings of the Web browser to
connect to the Sametime server. In this case, the Sametime Connect client
follows the connection process that is described in "Sametime Connect
for browsers - Use my Internet Explorer browser settings" earlier in this
chapter.
An HTTP proxy is specified - If the "HTTP" fields in the Proxies tab of
the Java Plug-in Control Panel specify an HTTP server address and port,
the Sametime Connect for browsers client attempts to connect to the
Community Services through the specified HTTP proxy server.
In this scenario, the client encases the standard Sametime protocol
connection information within an HTTP request. Sametime Connect for
browsers connects to the HTTP proxy, and the HTTP proxy server
connects to the Community Services multiplexer on the Sametime server
on behalf of the Sametime Connect client.
The HTTP connection from the Sametime Connect client to the HTTP
proxy server uses the port specified for the HTTP proxy server in the
Proxies tab of the Java Plug-in Control Panel. The HTTP connection from
the HTTP proxy server to the Community Services multiplexer occurs on
the port (default 1533) specified in the Sametime Connect for browsers
client Sametime Connectivity settings.
The Community Services multiplexer on the Sametime server listens for
HTTP connections on all ports specified in the "Port number" field under
"Address for HTTP tunneled client connections" in the Community
Services Network settings of the Sametime Administration Tool.
For this connection to succeed, the ports specified as the "Port" setting in
the Sametime Connect for browsers client must match one of these ports
specified in the Sametime Administration Tool:
• The "Port number" field under "Address for client connections" in the
Community Services Network settings of the Sametime
Administration Tool.
• The "Port number" field under "Address for HTTP tunneled client
connections" in the Community Services Network settings of the
Sametime Administration Tool.
If the HTTP-tunneled connection attempt through the HTTP proxy
server fails, the client attempts a direct HTTP-tunneled connection to the
Community Services on the Sametime server. For details on this
connection process, see the "Direct connection using HTTP protocol"
description in the Basic Sametime Connect client connection process
topic earlier in this chapter.
For more information about HTTP tunneling on port 80, see "About http
tunneling" later in this chapter.
A Secure proxy is specified - If the "Secure" fields in the Proxies tab of
the Java Plug-in Control panel specify an address and port, the
Sametime Connect client attempts to connect to the Community Services
through the specified HTTPS proxy server.
In this scenario, the client encases the standard Sametime protocol
information within an HTTPS request. Sametime Connect for browsers
connects to the HTTPS proxy, and the HTTPS proxy server connects to
the Community Services multiplexer on the Sametime server on behalf
of the Sametime Connect for browsers client.
The HTTPS connection from the Sametime Connect client to the HTTPS
proxy server occurs on the port specified in the Proxies tab of the Java
Plug-in. The HTTPS connection from the HTTPS proxy server to the
Community Services multiplexer occurs on the port (default 1533)
specified in the Sametime Connect for browsers client Sametime
Connectivity settings.
The Community Services multiplexer on the Sametime server listens for
HTTPS connections on all ports specified in the "Community Services
Network-Address for HTTPS tunneled client connections-Port number"
setting in the Configuration-Connectivity options of the Sametime
Administration Tool.
For this connection to succeed, the port specified as the "Port" setting in
the Sametime Connect for browsers client Sametime Connectivity
settings must match the port listed in the "Community Services
Network-Address for HTTPS tunneled client connections-Port number"
setting.
The "Port" setting in the Sametime Connect for browsers client Sametime
Connectivity settings and the Community Services Network-Address for
HTTPS tunneled client connections-"Port number" setting in the
Sametime Administration Tool both specify port 1533 by default.
Many organizations have firewall or network configurations that
prevent HTTPS connections on the default port of 1533. For the HTTPS
connection to succeed in your network environment, you might need to
specify port 443 for HTTPS connections in both of the following settings:
• The "Port" setting of the Sametime Connect for browsers client
Sametime Connectivity settings
• The "Port number" field under "Address for HTTPS tunneled client
connections" in the Community Services Network settings of the
Sametime Administration Tool
If you have configured the Domino HTTP server to listen for HTTPS
connections from Web browsers on port 443, the Community Services
multiplexer cannot also listen for HTTPS connections on port 443 unless
you assign multiple IP addresses to the Sametime server. For more
information on this issue, see the "Things you need to know" section of
the Sametime 3.1 Release Notes (strn31.nsf or strn31.pdf on the
Sametime CD).
If the HTTP-tunneled connection attempt through the HTTPS proxy
server fails, the client attempts a direct HTTP-tunneled connection to the
Community Services on the Sametime server.
A Socks proxy is specified - If the "Socks" fields in the Proxies tab of the
Java Plug-in Control panel specify an address and port, the Sametime
Connect for browsers client attempts to connect to the Community
Services through the SOCKS proxy server at the specified address.
In this scenario, Sametime Connect for browsers connects to the SOCKS
proxy, and the proxy server connects to the Community Services on the
Sametime server on behalf of the Sametime Connect client. The client
uses the "standard Sametime protocol" over TCP/IP for this connection.
The connection from the Sametime Connect for browsers client to the
SOCKS proxy server occurs on the port specified in the Proxies tab of the
Java Plug-in Control Panel. The connection from the SOCKS proxy
server to the Community Services occurs on the "Port" (default 1533)
specified in the Sametime Connect for browsers client Sametime
Connectivity settings.
For this connection to succeed, the port specified in the "Community
port" field of the Sametime Connect client Sametime Connectivity
settings must match one of the ports listed in the "Community Services
Network-Address for client connections-Port number" setting in the
Sametime Administration Tool or one of the ports listed in the
"Community Services Network-Address for HTTPS tunneled client
connections-Port number" setting in the Sametime Administration Tool.
This connection can fail if it must pass through a firewall or network that
blocks the port specified in the "Community port" field of the Sametime
Connect client. For more information about connecting through
firewalls, see "Extending Sametime to Internet users" in Chapter 14 and
"About http tunneling" later in this chapter.
If the connection attempt through the SOCKS proxy server fails, the
client attempts a direct HTTP-tunneled connection to the Community
Services on the Sametime server.
Notes about the connection process
Note the following about the connection process described above:
• The Java Plug-in connectivity settings used by the client are defined in
the Java Plug-in 1.4.1 Control Panel on a user's machine. The Java
Plug-in Control Panel is accessed from the Windows Control Panel on
the user's machine.
To view or change the connectivity settings defined in the Java Plug-in
Control Panel:
a. Open the Windows Control Panel from the Windows desktop
(Start-Settings-Control Panel).
b. Double-click the "Java Plug-in 1.4.1" icon to open the Java Plug-in
Control Panel.
c. Select the Proxies tab to view or change the Java Plug-in connectivity
settings.
• It is possible to have both the "Use my browser settings" option selected
and a proxy server specified in the Java Plug-in connectivity settings. In
this case, the Sametime Connect for browsers client will exhaust all
possible options to successfully establish a connection. The client will try
to connect using the proxy settings of the Web browser and if that fails
the client will try to connect using the proxy server (HTTP, Secure, or
SOCKS) that is specified in the Java Plug-in connectivity settings.
The order in which these connection attempts occur is determined by
internal operations of the client code and is not within the control of the
connectivity design. The client may attempt to connect using the Web
browser settings first and then attempt to connect through the proxy
defined in the Java Plug-in connectivity options or vice versa.
• The Sametime Connect for browsers client attempts to make a direct
HTTP-tunneled connection to the Community Services if a connection
attempt through a proxy server fails.
• If the "Use my browser settings" option is selected and all connection
attempts using the proxy settings of the Web browser fail, the client
will attempt a direct HTTP-tunneled connection to the Community
Services in a final effort to establish a successful connection.
• If a proxy server is specified in the Java Plug-in connectivity settings
and the connection attempt through the proxy server fails, the client
will attempt a direct HTTP-tunneled connection to the Community
Services in a final effort to establish a successful connection.
For details on direct HTTP-tunneled connections, see the "Direct
connection using HTTP protocol" description in the Basic Sametime
Connect client connection process topic earlier in this chapter.
• For information about Sametime Connect for browsers client
connectivity and reverse proxy servers, see "Sametime client
connectivity and reverse proxy servers" later in this chapter.
Changing the default connectivity settings of the Sametime Connect for browsers client
Following a Sametime server installation, the Sametime Connect for
browsers client will load to a user's web browser with one of the following
connectivity settings selected by default in the
Options-Preferences-Sametime Connectivity tab of the Sametime Connect
client:
• Use my Internet Explorer browser settings - This setting is selected by
default if the client loads in a web browser that operates with the
Microsoft Virtual Machine (VM).
• Use my Java Plug-in settings - This setting is selected by default if the
client loads in a web browser that operates with the Sun Microsystems
Java Virtual Machine (JVM) 1.4.1.
Note For detailed information about the connectivity process that the
Sametime Connect client follows for each connectivity configuration, see
"Basic Sametime Connect client connection process" earlier in this chapter
and "Sametime Connect client connection processes using the Web browser
or Java Plug-in connectivity settings" earlier in this chapter.
The administrator can alter the default connectivity settings of the Sametime
Connect for browsers client. For example, the administrator can alter the
connectivity settings so that the Sametime Connect for browsers client is
configured by default to connect to the Sametime server through a SOCKS
proxy. Performing this configuration ensures that the Sametime Connect for
browsers client loads in a user's web browser with connectivity settings that
are appropriate for the network environment.
Specifying the default connectivity settings of the Sametime Connect for
browsers client prevents end users from having to modify the connectivity
settings. Note that an end user can still manually modify the connectivity
settings from the administrator-specified defaults if necessary.
Note This capability is also very useful for Sametime Connect for browsers
clients that operate in the kiosk mode. Note also that if a user alters the
default connectivity settings when the Sametime Connect for browsers client
operates in kiosk mode, the new connectivity settings will be valid only for
the duration of that instant messaging session. The next time the user starts
the client on that machine, the client will load with the administrator-defined
default connectivity settings. For more information, see "Enabling Sametime
Connect for browsers to function in kiosk mode" in Chapter 6.
Specifying the default configuration settings of the Sametime Connect for browsers client
To specify the default configuration settings of the Sametime Connect for
browsers client, the administrator must add an applet parameter to the
HTML code on the Sametime server that loads the Sametime Connect for
browsers client.
On a standard Sametime server deployment, the applet code that loads the
Sametime Connect for browsers client is located in the Sametime Resources
database (STSrc.nsf) on the Sametime server. You can use the Domino
Designer client to open the STSrc.nsf database and add the applet parameter
to the existing applet code.
For instructions, see the following topics later in this chapter:
• "Creating the ConnectivityMethod applet parameter"
• "Adding the ConnectivityMethod parameter to the STSrc.nsf database"
If you have deployed a customized user interface to launch the Sametime
Connect for browsers client, a complete example of the applet code required
to launch the client with a specific default connectivity configuration is
provided in the Example of custom HTML code required to launch the
Sametime Connect for browsers client topic.
Note To accommodate the kiosk mode, some organizations may choose to
create a custom user interface to launch the Sametime Connect for browsers
client. For more information, see "Enabling Sametime Connect for browsers
to function in kiosk mode" in Chapter 6.
Creating the ConnectivityMethod applet parameter
To specify the connectivity setting that is selected by default when the
Sametime Connect for browsers client loads in a user's Web browser, the
administrator must add a new ConnectivityMethod applet parameter to the
HTML code that loads the Sametime Connect client.
One example of this applet parameter is provided below:
<PARAM NAME="ConnectivityMethod" VALUE="directST://sametime.ibm.com:1533">
This example applet parameter instructs the Sametime Connect for browsers
client to attempt a "Direct connection using standard Sametime protocol" to
the Sametime server named sametime.ibm.com on port 1533 by default
when the client loads to the user's web browser.
The ConnectivityMethod applet parameter can be constructed to enable the
Sametime Connect client to attempt any supported connection type by
default. The syntax of the ConnectivityMethod applet parameter is discussed
below. Specific examples of the ConnectivityMethod applet parameters
required to support the different connection types are also included.
Syntax of the ConnectivityMethod applet parameter
The complete syntax of the ConnectivityMethod applet parameter is shown
below.
<PARAM NAME="ConnectivityMethod" VALUE="methodName://serverName:port/proxyType=type&proxyName=name&proxyPort=port&proxyAuthUser=username&proxyAuthPwd=password">
When constructing the ConnectivityMethod applet parameter, note that
applet parameter will always begin with this text string:
<PARAM NAME="ConnectivityMethod"
The VALUE= component of the text string determines which connectivity
option the client tries by default. The syntax of the VALUE= component is
shown below. The variables of this component are methodName, serverName,
port, type, name, username, and password:
VALUE="methodName://serverName:port/proxyType=type&proxyName=name&proxyPort=port&proxyAuthUser=username&proxyAuthPwd=password"
Each of the variable values in this parameter string is discussed below.
• methodName - The methodName variable can have any of these values:
• directST - This value indicates the client will default to the "Direct
connection using standard Sametime protocol" connection type.
• directHTTP - This value indicates the client will default to the
"Direct connection using HTTP protocol" connection type.
• IESettings - This value indicates the client will default to the "Use
my Internet Explorer browser settings" connection type.
• proxy - This value indicates the client will default to one of the "Use
proxy" connection types. The specific proxy type is determined by
subsequent values in the parameter string as discussed below.
Note For detailed information on each of these connection types, see
"Basic Sametime Connect client connection process" earlier in this
chapter and "Sametime Connect client connection processes using the
Web browser or Java Plug-in connectivity settings" earlier in this
chapter.
• serverName:port - The serverName:port variable specifies the name of
the Sametime server to which the Sametime Connect client connects and
the port to use for the connection. If the Sametime server name is
sametime.ibm.com, some sample values include:
• sametime.ibm.com:1533
• sametime.ibm.com:8082
The port specified must correspond to the port on which the Sametime
server listens for each specific connection type (as determined by the
methodName variable). For detailed information on the default ports
used for each of the connection types, see "Basic Sametime Connect
client connection process" earlier in this chapter and "Sametime Connect
client connection processes using the Web browser or Java Plug-in
connectivity settings" earlier in this chapter.
• type - The type variable specifies a specific proxy type and is valid only
when "proxy" is used as the methodName. The type variable can have
any of these values:
• HTTP
• HTTPS
• SOCKS4
• SOCKS5
• name - The name variable specifies the DNS name of the proxy server
and is valid only when "proxy" is used as the methodName. An example
value is HTTPproxy.ibm.com.
• port - The port variable specifies the port on which the proxy server
listens for connections and is valid only when "proxy" is used as the
methodName. The value depends on the configuration of the proxy
server.
• username - The username variable specifies the user name required to
authenticate with the proxy server. This variable is required only when
"proxy" is used as the methodName and the proxy server requires
authentication.
• password - The password variable specifies the password associated
with the username required to authenticate with the proxy server. This
variable is required only when "proxy" is used as the methodName and
the proxy server requires authentication.
Complete examples of the ConnectivityMethod applet parameter
Listed below are some complete examples of the ConnectivityMethod applet
parameter that is used to specify a default connectivity configuration for the
Sametime Connect for browsers client. In each of these examples the
Sametime server to which the client must connect is named
"sametime.ibm.com."
The applet parameter below enables the Sametime Connect for browsers
client to make a direct HTTP connection to a Sametime server on port 8082:
<PARAM NAME="ConnectivityMethod" VALUE="directHTTP://sametime.ibm.com:8082">
The applet parameter below enables the Sametime Connect for browsers
client to make a connection to a Sametime server on port 8082 using the
connectivity settings specified in an Internet Explorer web browser:
<PARAM NAME="ConnectivityMethod" VALUE="IESettings://sametime.ibm.com:8082">
The applet parameter below enables the Sametime Connect for browsers
client to make a connection to a Sametime server through an HTTP proxy
server named "HTTPproxy.ibm.com." The HTTP proxy server listens for
connections on port 8080 and requires authentication. The user name
required to authenticate with the proxy is "Dawn_Ortiz" and the password
associated with this user name is "sametime."
<PARAM NAME="ConnectivityMethod" VALUE="proxy://sametime.ibm.com:8082/proxyType=HTTP&proxyName=HTTPproxy.ibm.com&proxyPort=8080&proxyAuthUser=Dawn_Ortiz&proxyAuthPwd=sametime">
The applet parameter below enables the Sametime Connect for browsers
client to make a connection to a Sametime server through a SOCKS4 proxy
server named "SOCKS4proxy.ibm.com." The SOCKS proxy server listens for
connections on port 8080 and does not require authentication.
<PARAM NAME="ConnectivityMethod" VALUE="proxy://sametime.ibm.com:8082/proxyType=SOCKS4&proxyName=SOCKS4proxy.ibm.com&proxyPort=8080">
The applet parameter below enables the Sametime Connect for browsers
client to make a connection to a Sametime server through a SOCKS5 proxy
server named "SOCKS5proxy.ibm.com." The SOCKS proxy server listens for
connections on port 8080 and requires authentication. The user name
required to authenticate with the proxy is "Dawn_Ortiz" and the password
associated with this user name is "sametime."
<PARAM NAME="ConnectivityMethod" VALUE="proxy://sametime.ibm.com:8082/proxyType=SOCKS5&proxyName=SOCKS5proxy.ibm.com&proxyPort=8080&proxyAuthUser=Dawn_Ortiz&proxyAuthPwd=sametime">
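The syntax and the examples above leave two things for the administrator to verify by hand before the parameter goes into STSrc.nsf: that the string follows the documented grammar (proxy fields only with methodName "proxy", a known proxyType, credentials given as a pair) and that the port in serverName:port matches one of the "Port number" fields the Community Services multiplexer actually listens on for that connection type. The following validator is an added example written for this guide, not IBM's code; it parses the VALUE= string and checks the port against a constructed ServerPorts snapshot of the three "Address for ... client connections" settings (the ServerPorts class, its field names and the sample port values are assumptions made for the example). The port rule per connection type is taken from the connection process descriptions earlier in this chapter. It also flags a proxyAuthPwd value, because the applet parameter is served in clear text inside the HTML page that loads the client.

```python
# Validator for the ConnectivityMethod applet parameter VALUE= string.
# Added example for this guide; not IBM's code.  ServerPorts and the sample
# port numbers below are constructed for the example.
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qs

METHODS = {"directST", "directHTTP", "IESettings", "proxy"}
PROXY_TYPES = {"HTTP", "HTTPS", "SOCKS4", "SOCKS5"}

# methodName://serverName:port followed by an optional /key=value&... tail
_HEAD = re.compile(r"^(?P<method>[A-Za-z]+)://(?P<server>[^:/]+):(?P<port>\d+)"
                   r"(?:/(?P<query>.*))?$")


@dataclass
class ServerPorts:
    """Stand-in (assumed structure) for the three "Port number" fields in the
    Community Services Network settings; each defaults to 1533 in the guide."""
    client: List[int] = field(default_factory=lambda: [1533])
    http_tunneled: List[int] = field(default_factory=lambda: [1533])
    https_tunneled: List[int] = field(default_factory=lambda: [1533])


@dataclass
class ConnectivityMethod:
    method: str
    server: str
    port: int
    proxy: Dict[str, str] = field(default_factory=dict)


def parse_connectivity_method(value: str) -> ConnectivityMethod:
    """Parse a VALUE= string; raise ValueError for anything outside the documented syntax."""
    m = _HEAD.match(value.strip())
    if not m:
        raise ValueError(f"not of the form methodName://serverName:port[/...]: {value!r}")
    method = m.group("method")
    if method not in METHODS:
        raise ValueError(f"unknown methodName {method!r}")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    proxy: Dict[str, str] = {}
    if m.group("query"):
        if method != "proxy":
            raise ValueError("proxyType/proxyName/... are valid only when methodName is 'proxy'")
        # strict_parsing rejects a dangling '&' or a field without '='
        pairs = parse_qs(m.group("query"), keep_blank_values=True, strict_parsing=True)
        proxy = {k: v[0] for k, v in pairs.items()}
    if method == "proxy":
        for needed in ("proxyType", "proxyName", "proxyPort"):
            if not proxy.get(needed):
                raise ValueError(f"methodName 'proxy' requires {needed}")
        if proxy["proxyType"] not in PROXY_TYPES:
            raise ValueError(f"unknown proxyType {proxy['proxyType']!r}")
        if not proxy["proxyPort"].isdigit():
            raise ValueError("proxyPort must be numeric")
        # the guide documents the two credential fields as a pair
        if bool(proxy.get("proxyAuthUser")) != bool(proxy.get("proxyAuthPwd")):
            raise ValueError("proxyAuthUser and proxyAuthPwd must be given together")
    return ConnectivityMethod(method, m.group("server"), port, proxy)


def is_valid(value: str) -> bool:
    try:
        parse_connectivity_method(value)
        return True
    except ValueError:
        return False


def listener_ports_for(cm: ConnectivityMethod, ports: ServerPorts) -> List[int]:
    """Server-side Port number fields the client port must match, per the
    connection process descriptions in this chapter."""
    if cm.method == "directST":
        return ports.client
    if cm.method in ("directHTTP", "IESettings"):
        return ports.client + ports.http_tunneled
    ptype = cm.proxy["proxyType"]
    if ptype == "HTTP":
        return ports.client + ports.http_tunneled
    if ptype == "HTTPS":
        return ports.https_tunneled
    return ports.client + ports.https_tunneled  # SOCKS4 / SOCKS5


def check(value: str, ports: ServerPorts) -> List[str]:
    """Findings for the administrator; an empty list means the parameter is consistent."""
    cm = parse_connectivity_method(value)
    findings = []
    allowed = sorted(set(listener_ports_for(cm, ports)))
    if cm.port not in allowed:
        findings.append(f"client port {cm.port} matches none of the server ports {allowed} "
                        f"for {cm.method}/{cm.proxy.get('proxyType', '-')}")
    if cm.proxy.get("proxyAuthPwd"):
        findings.append("proxyAuthPwd is served in clear text in the HTML that loads the "
                        "applet; anyone who can load that page can read the proxy credential")
    return findings


if __name__ == "__main__":
    # Constructed server settings: HTTP tunneling also on 8082, HTTPS tunneling on 443
    sample = ServerPorts(client=[1533], http_tunneled=[1533, 8082], https_tunneled=[443])
    for v in ("directHTTP://sametime.ibm.com:8082", "directST://sametime.ibm.com:8082"):
        print(v, "->", check(v, sample) or "OK")
```

Run it against each candidate parameter before editing the WebConnect subforms; a non-empty list from check() is a configuration the client will fall back from (port mismatch) or a credential that every user of the page can read.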
Adding the ConnectivityMethod parameter to the STSrc.nsf database
To specify the default connectivity setting for the Sametime Connect for
browsers client, you must add the appropriate ConnectivityMethod applet
parameter to the HTML code on the Sametime server.
In a standard Sametime server deployment, this applet code exists in three
subforms of the Sametime Resources (STSrc.nsf) database on the Sametime
server. To ensure the default connectivity settings go into effect for all
browser types, you must add the ConnectivityMethod applet parameter to
the HTML code in each of these three subforms.
• WebConnect-IE (This subform applies to the Microsoft Internet Explorer
browsers.)
• WebConnect-Moz (This subform applies to Netscape 7 and Mozilla
browsers.)
• WebConnect-N4 (This subform applies to the Netscape 4 browsers.)
To add the applet parameter to the HTML code in these subforms:
1. Use the Domino Designer client to open the STSrc.nsf database on the
Sametime server.
2. In Domino Designer, expand the "Recent Databases" icon and ensure that
the STSrc.nsf database is selected.
3. Expand "Resources" and click "Subforms."
4. In the Subforms list, double-click on the WebConnect-IE subform.
5. In the work pane at the top of the Domino Designer client, scroll down
until you see the HTML code containing the applet parameters.
Note An applet parameter begins with the text string <PARAM NAME=.
6. Add the applet parameter to the list of parameters.
Note Use the information provided in "Creating the
ConnectivityMethod applet parameter" above to determine the correct
syntax for the applet parameter.
7. Save the subform.
8. Repeat steps 4 through 7 for the WebConnect-Moz and WebConnect-N4
subforms.
Example of custom HTML code required to launch the Sametime Connect for browsers client
Some organizations may choose to create a custom user interface to launch
the Sametime Connect for browsers client. The example below illustrates the
applet code that might be used in a custom HTML page or Domino
application to launch the Sametime Connect for browsers client with a
specific default connectivity configuration. If you create a custom interface
for this purpose, ensure the code includes all necessary parameters as shown
below:
<APPLET code=com.lotus.sametime.connectapplet.ConnectApplet.class
height=100% name=ConnectApplet
style="BACKGROUND-COLOR: gray; LEFT: 0px; TOP: 0px" width=100%
MAYSCRIPT=TRUE>
<PARAM NAME="cabinets" VALUE="connect.cab">
<PARAM NAME="SametimeServer" VALUE="">
<PARAM NAME="SametimePort" VALUE="">
<PARAM NAME="TokenUserId" VALUE="">
<PARAM NAME="TokenValue" VALUE="">
<PARAM NAME="ConnectivityMethod" VALUE="directHTTP://sametime.ibm.com:8082">
</APPLET>
Note In the example, the Sametime Connect client is configured by
default to attempt a "Direct connection using HTTP protocol" on port 8082 to
a Sametime server named sametime.ibm.com. Leave the TokenUserId and
TokenValue values empty in a page that is served to more than one user: the
token identifies an authenticated user, and a value written into a shared
static page can be read and reused by anyone who loads that page.
Meeting Room and Broadcast client connection processes
This section discusses the connection processes of the Sametime Meeting
Room and Broadcast clients. Read this section to gain a better understanding
of how the Meeting Room and Broadcast clients connect to the server and
how the "Networks and Ports" settings in the Sametime Administration Tool
are used in these connection processes.
The Sametime Meeting Room client can connect to Community Services,
Meeting Services, and Audio/Video Services.
The Sametime Broadcast client connects to the Meeting Services for call
control purposes and receives streamed meeting data from the Broadcast
Services.
Both the Meeting Room client and the Broadcast client can establish either
direct TCP/IP connections to the Sametime server or connect to the server
through HTTP-tunneling. Both the Meeting Room and Broadcast clients can
connect to the Sametime server through an HTTP proxy server, a SOCKS
proxy server, or a reverse HTTP proxy server.
Sametime is designed to enable Sametime Meeting Room and Broadcast
clients that operate behind restrictive firewalls to connect to the Sametime
services using HTTP over port 80. For detailed information on this
capability, see the connection process topics below for the individual clients
and "About HTTP tunneling."
The connectivity behavior of the clients is different depending on the Java
Virtual Machine used by the Web browser in which the Sametime Meeting
Room or Broadcast client runs.
• If the Web browsers in your environment operate with the native
Microsoft VM, see "Meeting Room and Broadcast client connection
processes using the Microsoft VM" later in this chapter.
228 Sametime 3.1 Administrator's Guide
• If the Web browsers in your environment operate with the Sun
Microsystems JVM 1.4.1, see "Meeting Room and Broadcast client
connection processes using the Sun Microsystems JVM 1.4.1" later in this
chapter.
Meeting Room and Broadcast client connection processes using the
Microsoft VM
This section describes the Meeting Room and Broadcast client connection
processes when these clients run in a Web browser that operates with the
native Microsoft VM.
The Meeting Room client follows a different process to establish connections
to the Audio/Video Services than it does to connect to the other services,
so the Audio/Video Services connection process is described in a separate
topic. This section includes the following topics:
• Meeting Room client connection process using the Microsoft VM
(Community Services and Meeting Services)
• Meeting Room client connection process using the Microsoft VM
(Audio/Video Services)
• Broadcast client connection process using the Microsoft VM
Meeting Room client connection process using the Microsoft VM
(Community Services and Meeting Services)
This topic describes the connection process the Meeting Room client uses to
connect to the Community Services and Meeting Services when the Meeting
Room client runs in a Web browser that operates with the Microsoft VM.
Note For information about connecting to meetings that include interactive
audio/video, see "Meeting Room client connection process using the
Microsoft VM (Audio/Video Services)" later in this chapter. For information
about connecting to broadcast meetings, see "Broadcast client connection
process using the Microsoft VM" later in this chapter.
The Sametime Meeting Room client is a signed Java applet that is loaded in a
user's Web browser when a user attends an instant or scheduled meeting.
The user is prompted to accept the Meeting Room client applet when it is
loaded in the Web browser.
The Meeting Room client contains several Java components. During a
meeting, different Java components contained within the Sametime Meeting
Room client require connections to the Community Services and Meeting
Services.
The Meeting Room Java components that require connections to the
Sametime Community Services and Meeting Services include:
• Participant List and Chat - These Meeting Room client components
require a connection to the Community Services.
• Screen sharing, whiteboard, send Web page, and question and answer
polls - These Meeting Room components require a connection to the
Meeting Services.
The steps below describe the connection process the Meeting Room client
uses to connect to the Community Services and Meeting Services when the
Meeting Room client runs in a Web browser that operates with the Microsoft
VM.
1. The Sametime Meeting Room client loads in the user's Web browser
when the user attends an instant or scheduled Sametime meeting.
The host names and port numbers on which the Community Services
and Meeting Services are listening for connections are passed from the
server to the Meeting Room client. (These host names and port numbers
are specified in the Configuration-Connectivity-"Networks and Ports"
tab of the Sametime Administration Tool.)
2. The Sametime Meeting Room client attempts to make separate direct
TCP/IP connections to the Community Services and Meeting Services on
the Sametime server.
Note For the "direct TCP/IP connections," the Meeting Room client
uses unique Sametime protocols over TCP/IP to connect to the
Community Services and Meeting Services; these connections do not
occur through a proxy server. Generally, direct TCP/IP connections
result in optimum meeting performance.
• The Meeting Room client attempts the direct TCP/IP connection to
the Community Services multiplexer using the host names and ports
(default port 1533) specified in the Community Services
Network-Address for client connections-Host name and Port number
settings of the Sametime Administration Tool.
• The Meeting Room client attempts the direct TCP/IP connection to
the Meeting Services using the Host names and ports (default 8081)
specified in the Meeting Services Network-Address for client
connections-Host name and Port number settings of the Sametime
Administration Tool.
These direct TCP/IP connections can fail if the connections must occur
through a proxy server or if any network between the client and server
prevents TCP/IP connections on the ports described above (default
ports 1533 and 8081).
If the direct TCP/IP connection attempts are not successful, the Meeting
Room client continues with the connection process as described below.
3. The Meeting Room client examines the proxy server connection settings
defined in the user's Web browser connectivity settings or in a Proxy
Auto-Configuration (PAC) file used by the Web browser.
If a SOCKS proxy is defined in the Web browser proxy settings, or PAC
file, the Meeting Room client attempts to connect to the Community
Services and Meeting Services through the SOCKS proxy. The Meeting
Room client uses the Web browser or PAC file settings to connect to the
SOCKS proxy. The SOCKS proxy connects to the Community Services
and Meeting Services on behalf of the Meeting Room client.
The connections through a SOCKS proxy server use the same protocols
(unique Sametime protocols over TCP/IP) that were used in the direct
TCP/IP connection attempt described in Step 2. The same host names
and ports (1533 and 8081) defined in the Sametime Administration Tool
are also used for these connection attempts.
The connections through the SOCKS proxy server can fail if the
connections must occur through an HTTP proxy server or any network
between the client and server prevents TCP/IP connections on the ports
described above (default ports 1533 and 8081).
Note The default ports are configurable from the "Networks and Ports"
tab of the Sametime Administration Tool.
If the connection attempts using the standard Sametime protocols over
TCP/IP through the SOCKS proxy are not successful, the Meeting Room
client attempts HTTP-tunneled connections to the Community Services
and Meeting Services.
4. To accomplish HTTP tunneling, the Sametime Meeting Room client
encases the unique Sametime protocol connection data within HTTP
connection requests.
5. If the administrator allows HTTP tunneling on port 80 during the
Sametime installation, the Meeting Room client sends the HTTP requests
containing Community Services and Meeting Services connection data to
the Sametime Community Services multiplexer.
Sametime examines the Web browser proxy server connectivity settings,
or PAC file connectivity settings, when sending the HTTP requests to the
Community Services multiplexer. If the Web browser or PAC file
settings:
• Do not specify a proxy server - The HTTP requests are sent directly
to the Community Services multiplexer on the Sametime server. This
type of connection is called a "direct HTTP connection."
• Specify a SOCKS proxy server - The HTTP requests are sent to the
Community Services multiplexer through the SOCKS proxy server.
• Specify an HTTP proxy server - The HTTP requests are sent to the
Community Services multiplexer through the HTTP proxy server.
In all three cases above, the "Host name" and "Port number" settings
(default port 80) specified in the "Community Server Network Address
for HTTP-tunneled client connections" settings of the Sametime
Administration Tool are used to establish the connections to the
Community Services multiplexer.
The Community Services multiplexer can differentiate between the
HTTP requests intended for the Community Services and the Meeting
Services by examining code appended to each URL by Sametime clients.
Upon receiving these requests, the Community Services multiplexer:
• Creates an intraserver connection to other Community Services
components and sends the Community Services data to the
Community Services
• Creates an intraserver connection to the Meeting Services and sends
the Meeting Services data to the Meeting Services
The ability of the Community Services multiplexer to receive both
Community Services and Meeting Services requests on a single port
(port 80) enables the Sametime server to support HTTP tunneling over
port 80 even if the Sametime server machine uses only a single IP
address. Previous releases of Sametime required the server machine to
use multiple IP addresses to support HTTP-tunneling on port 80.
Note If the administrator does not allow HTTP tunneling on port 80
during the Sametime installation, the default settings and client behavior
are different than described above. The Meeting Room client attempts an
HTTP-tunneled connection to the Community Services using the "Host
name" and "Port number" settings (default port 1533) specified in the
"Community Server Network-Address for HTTP-tunneled client
connections" settings. The Meeting Room client attempts a separate
HTTP-tunneled connection to the Meeting Services using the "Host
name" and "Port number" settings (default port 8081) specified in the
"Meeting Server Network-Address for HTTP-tunneled client
connections" settings. In this case, the Community Services multiplexer
does not handle the HTTP-tunneled Meeting Services connection. For
more information, see "About HTTP tunneling" later in this chapter.
If the HTTP-tunneled connection succeeds, the Meeting Room client and
Sametime server maintain either a persistent or polled HTTP-tunneled
connection, as described in Steps 6 and 7 below.
6. The Meeting Room client attempts to maintain a persistent
HTTP-tunneled connection. (The persistent HTTP-tunneled connection is
sometimes called "Master/Slave HTTP tunneling.")
With this connection, data trickles continuously between the client and
the Sametime server. This persistent connection provides the client with
an event-driven, real-time connection to the server.
Note The persistent HTTP-tunneled connection provides better
performance and uses fewer system and network resources than the
polled HTTP-tunneled connections described in Step 7.
A persistent HTTP-tunneled connection might fail in the following
circumstances:
• The client connects to the Sametime server through a proxy that
buffers or caches data.
• Multiple Java applets running within a single instance of the Web
browser attempt to create additional connections, and exceed the
connection limits imposed by the Web browser. Web browsers limit
the number of HTTP connections the browser can make to a single
server.
• The client is unable to access the Web browser connectivity settings or
authenticate with an HTTP proxy.
7. If a persistent HTTP connection fails or is not possible, the client uses a
continuous polling functionality to maintain the HTTP-tunneled
connections.
In this type of tunneling, the client and server enter a mode in which the
client continuously makes and breaks HTTP connections to post data to
and receive data from the server.
Note that the client can use the proxy authentication settings defined in
the Web browser proxy settings, or PAC file, to authenticate with the
proxy when making these polled HTTP connections. No intervention is
required by the end user for these authentications. The client can also
maintain connectivity through proxies that buffer or cache data.
The polling functionality enables the Sametime Meeting Room client to
maintain connections in almost any network environment as long as the
client can connect to the server using HTTP over port 80. The polling
functionality can increase network traffic. Polling might also affect the
scalability of the server as more system resources are required to
continuously make and break the connections. The polling activity might
be noticeable to the end user but should not prevent the user from
interacting in the meeting or viewing meeting presentations.
Notes about the connection process
In the Meeting Room client connection process above, Step 6 indicates that
the Meeting Room client attempts to maintain a persistent HTTP-tunneled
connection. Note the following:
• If the Meeting Room client loads in a Microsoft Internet Explorer
browser, the client can use the Internet Explorer proxy connectivity
settings to establish this persistent connection.
• If the Meeting Room client loads in a Netscape Navigator browser, the
client might be unable to detect the proxy server connection settings
defined for Netscape Navigator when attempting this persistent
HTTP-tunneled connection. In this case, the Meeting Room client
attempts to establish the connection using the continuous polling mode
described in Step 7. When connecting in this polling mode, the Meeting
Room client might be able to detect the Netscape Navigator proxy
connectivity settings and use them to establish the connection.
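The ladder in Steps 2 through 7 above is easier to reason about as code. The following Python model is an added illustration, not code from the Sametime product or this guide: it reproduces the order of connection attempts (direct TCP/IP, then the same protocol through a SOCKS proxy, then HTTP tunneling on port 80 or on the per-service ports, then persistent versus polled tunneling) so that an administrator can predict which path a client on a given network will settle on, and can run a live TCP probe from that network with tcp_open(). The host names, the make_policy() stand-in for a firewall rule set, and the choice to prefer a SOCKS proxy when the browser lists both a SOCKS and an HTTP proxy are assumptions for the example; the guide does not state that preference.

```python
"""Model of the Meeting Room client connection ladder (Microsoft VM).

Added illustration, not Sametime code.  It reproduces the order of attempts
described in Steps 2 to 7 so an administrator can predict which path a client
on a given network ends up on, and can run a live TCP probe with tcp_open().
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Defaults from the "Networks and Ports" tab; all are administrator-configurable.
COMMUNITY_PORT = 1533      # Community Services multiplexer, native Sametime protocol
MEETING_PORT = 8081        # Meeting Services, native Sametime protocol
HTTP_TUNNEL_PORT = 80      # HTTP tunneling when it was allowed on port 80 at install


@dataclass
class ServerConfig:
    host: str                          # hypothetical host name supplied by the caller
    community_port: int = COMMUNITY_PORT
    meeting_port: int = MEETING_PORT
    tunnel_on_80: bool = True          # "allow HTTP tunneling on port 80" chosen at install


@dataclass
class BrowserProxy:
    """What the client reads from the browser proxy settings or the PAC file."""
    socks: Optional[str] = None        # "host:port" of a SOCKS proxy, if any
    http: Optional[str] = None         # "host:port" of an HTTP proxy, if any
    buffers_data: bool = False         # proxy buffers or caches: defeats persistent tunneling


Path = Optional[Tuple[str, str, int, str]]          # (protocol, via, port, mode) or None
Reachable = Callable[[str, int, Optional[str]], bool]


def tcp_open(host: str, port: int, via: Optional[str] = None, timeout: float = 5.0) -> bool:
    """Live probe: can this machine complete a TCP handshake to host:port?

    Only the direct case (via=None) is probed here; a check through a proxy
    has to be run with that proxy actually in the path.
    """
    if via is not None:
        return False
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_paths(server: ServerConfig, proxy: BrowserProxy, reachable: Reachable) -> Dict[str, Path]:
    """Return the path the client would settle on for each service.

    reachable(host, port, via) says whether a TCP connection succeeds, with via
    None (direct), "socks" or "http".  Pass tcp_open for a live probe or
    make_policy(...) for a what-if analysis of a firewall rule set.
    """
    result: Dict[str, Path] = {}
    for service, port in (("community", server.community_port), ("meeting", server.meeting_port)):
        # Step 2: direct TCP/IP with the native Sametime protocol.
        if reachable(server.host, port, None):
            result[service] = ("sametime-tcp", "direct", port, "event-driven")
            continue
        # Step 3: same protocol and port through the SOCKS proxy, if one is configured.
        if proxy.socks and reachable(server.host, port, "socks"):
            result[service] = ("sametime-tcp", "socks", port, "event-driven")
            continue
        # Steps 4 and 5: HTTP tunneling.  With tunneling on port 80 both services go
        # to the Community Services multiplexer on port 80; otherwise each service is
        # tunneled to its own port.  Assumption: SOCKS is preferred when the browser
        # lists both a SOCKS and an HTTP proxy (the guide does not say which wins).
        tunnel_port = HTTP_TUNNEL_PORT if server.tunnel_on_80 else port
        via = "socks" if proxy.socks else ("http" if proxy.http else "direct")
        if not reachable(server.host, tunnel_port, None if via == "direct" else via):
            result[service] = None           # no path at all: the client cannot join
            continue
        # Steps 6 and 7: persistent tunnel unless a buffering proxy forces polling.
        mode = "polled" if via != "direct" and proxy.buffers_data else "persistent"
        result[service] = ("http-tunnel", via, tunnel_port, mode)
    return result


def make_policy(allowed: set) -> Reachable:
    """What-if network: allowed is the set of (port, via) pairs the network lets through."""
    return lambda host, port, via: (port, via) in allowed


if __name__ == "__main__":
    # Constructed scenario: only port 80 through a caching HTTP proxy is open.
    server = ServerConfig("sametime.example.com")
    proxy = BrowserProxy(http="proxy.example.com:8080", buffers_data=True)
    for service, path in choose_paths(server, proxy, make_policy({(80, "http")})).items():
        print(service, path)
```

Run it from the client network with reachable=tcp_open to see whether the direct ports (1533 and 8081 by default) are really open from there; the what-if policy is useful before a firewall change, for example to confirm that closing 1533 and 8081 leaves every client on a polled port-80 tunnel rather than with no path at all.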
Meeting Room client connection process using the Microsoft VM
(Audio/Video Services)
The interactive audio/video components of the Sametime Meeting Room
client must communicate with the Audio/Video Services on the Sametime
server to receive and transmit audio and video streams. This topic describes
the connection process the Meeting Room client uses to connect to the
Audio/Video Services when the Meeting Room client runs in a web browser
that operates with the Microsoft VM.
To interact in an audio/video meeting, the interactive audio/video
components of the Sametime Meeting Room client and the Sametime server
engage in a connection process. This connection process is discussed in two
parts:
• Call-control connection - First, the Meeting Room client makes a
TCP/IP call control connection to the Sametime server. The interactive
audio/video components of the Meeting Room client exchange call
setup and control data with the Audio/Video Services on the server over
this connection.
• Transmitting Audio/Video streams - If the call control connection is
successful, the audio/video streams are transmitted between the server
and client using either a unicast UDP stream or a stream that is tunneled
over a TCP connection (TCP tunneling).
Note The call-control connection is a connection from the Sametime
Meeting Room client to the Meeting Services. This is the same Meeting
Services connection that is described in Meeting Room client connection
process using Microsoft VM (Community Services and Meeting Services).
Sametime uses the Meeting Services connection that supports the Meeting
Services functionality to transmit the audio/video call-control information.
Call-control connection
The process for the call-control connection for the Meeting Room
audio/video components occurs as follows:
1. The Meeting Room client loads in a Web browser when a user attends a
meeting. The interactive audio and video Java applets are components of
the Sametime Meeting Room client.
The host names and ports on which the Sametime server listens for
connections from clients are passed from the server to the client. These
host names and port numbers are specified in the
Configuration-Connectivity-Networks and Ports tab of the Sametime
Administration Tool.
2. The Meeting Room client attempts a direct TCP/IP connection to the
Meeting Services using the host name and port (default 8081) specified
in the Meeting Services Network-Address for client connections-"Host
name" and "Port number" settings of the Sametime Administration Tool.
If this connection is successful, the connection to the Meeting Services is
used for the exchange of call setup and control information between the
Meeting Room client and the Audio/Video Services on the Sametime
server. The connection process continues with the transmission of the
audio/video streams as described in "Transmitting audio and video
streams" below.
If the direct TCP/IP connection attempt is not successful within five
seconds, the Meeting Room client continues with the connection process
as described below.
3. The Meeting Room client examines the proxy server connection settings
defined in the user's Web browser connectivity settings or in a Proxy
Auto-Configuration (PAC) file used by the Web browser.
If a SOCKS proxy is defined in the Web browser proxy settings, or PAC
file, the Meeting Room client attempts to connect to the Meeting Services
through the SOCKS proxy. The Meeting Room client uses the Web
browser or PAC file settings to connect to the SOCKS proxy. The SOCKS
proxy connects to the Meeting Services on behalf of the Meeting Room
client.
The connection to the Meeting Services through the SOCKS proxy uses
the same unique Sametime protocol over TCP/IP that was used in the
direct TCP/IP connection attempt described in Step 2. The same host
name and port (8081) are also used for this connection attempt.
If this connection is successful, the connection is used for the exchange of
call setup and control information between the Meeting Room client and
the Audio/Video Services on the Sametime server. The connection
process continues with the transmission of the audio/video streams as
described in "Transmitting audio and video streams" below.
If the connection attempt using the standard Sametime protocol over
TCP/IP through the SOCKS proxy is not successful, the Meeting Room
client attempts an HTTP-tunneled connection to the Meeting Services, as
described below. In this type of connection, the Meeting Room client
encases the unique Sametime protocol connection data within an HTTP
connection request and sends this request to the Sametime server.
4. If the administrator allows HTTP tunneling on port 80 during the
Sametime installation, the Meeting Room client sends the HTTP request
containing the Meeting Services connection data to the Sametime
Community Services multiplexer.
Sametime examines the Web browser proxy server connectivity settings,
or PAC file connectivity settings, when sending the HTTP requests to the
Community Services multiplexer. If the Web browser or PAC file
settings:
• Do not specify a proxy server - The HTTP requests are sent directly
to the Community Services multiplexer on the Sametime server on
port 80. This type of connection is called a "direct HTTP connection."
• Specify a SOCKS proxy server - The HTTP requests are sent to the
Community Services multiplexer through the SOCKS proxy server.
The SOCKS proxy uses port 80 to connect to the Community Services
multiplexer on behalf of the Sametime client.
• Specify an HTTP proxy server - The HTTP requests are sent to the
Community Services multiplexer through the HTTP proxy server. In
this scenario, the audio/video will fail, as noted below.
Important notes about establishing an audio/video call control
connection using HTTP tunneling:
If the Meeting Room client establishes the call control connection using a
direct HTTP-tunneled connection, or an HTTP-tunneled connection
through a SOCKS proxy server, the administrator should review the
information provided in this step to understand the issues associated
with establishing audio/video call control connections using HTTP
tunneling.
Interactive audio/video streams can be successfully transmitted when
the call control connection is established using HTTP-tunneling only if
the Sametime server is also configured to support TCP-tunneling of the
interactive audio/video streams on a port that is open through all
networks between the client and server.
The most common configuration for this connectivity is as follows:
• The Sametime server is configured to support HTTP tunneling over
port 80 for connections to the Community Services, Meeting Services,
and Broadcast Services. The administrator can specify this
configuration during the Sametime server installation. The
administrator also has the option of enabling HTTP tunneling over
port 80 using multiple IP addresses. For more information about
configuring a Sametime server to support HTTP-tunneling over port
80, see "About HTTP tunneling" later in this chapter.
• If the Sametime server is configured to support HTTP tunneling over
port 80, the administrator can also configure the Sametime server to
support TCP-tunneling of interactive audio/video streams on port 80.
When configured in this way all Sametime meeting data, including
interactive audio/video streams, can be transmitted using port 80. To
configure the Sametime server to support TCP tunneling of
audio/video streams, see "TCP tunneling of interactive audio/video
streams on port 80" later in this chapter.
Although port 80 is the port most likely to be used for both the
HTTP-tunneled call control connection and the TCP tunneling of the
audio and video streams, you can configure this connectivity to occur on
a different port. To do this, you must configure the Sametime server to
support HTTP tunneling on a port other than port 80. For instructions,
see "Changing the HTTP-tunneling port" later in this chapter. Next, you
must configure the TCP tunneling of audio/video streams to occur on
the same port as the HTTP-tunneled connection. For instructions, see
"TCP tunneling of interactive audio/video streams on port 80" later in
this chapter.
Although these are the most common configurations, practically any
configuration is possible using the Networks and Ports tab of the
Sametime Administration Tool. For example, it is possible for the
HTTP-tunneled call control connection to occur on port 1533 (or any
other port) while the TCP tunneling of the audio/video streams occurs
on port 80 (or any other port). The administrator must determine the
appropriate configuration for the network environment.
Note also that the call control connection must be established using a
direct HTTP-tunneled connection between the client and the server, or
an HTTP-tunneled connection through a SOCKS proxy server.
Interactive audio and video is not supported if the client connects to the
Sametime server through an HTTP proxy server. It is not possible to use
TCP tunneling to transmit audio/video streams through an HTTP proxy
server.
Transmitting audio and video streams
The transmission method for the audio and video streams depends on how
the call control connection was established:
• If the Meeting Room client direct TCP/IP connection described in Step 2
above is successful, the Audio/Video Services dynamically select the
UDP ports on which to receive audio and video streams from the clients.
These dynamic UDP ports are selected from the range of ports the
administrator specifies in the "Interactive Audio/Video
Network-Multimedia Processor (MMP) UDP port numbers start/end at"
settings in the Sametime Administration Tool "Networks and Ports" settings.
If any network between the client and the server blocks UDP traffic, the
audio and video streams can be tunneled over a single TCP/IP port.
The administrator can specify the TCP port over which the streams will
be tunneled in the "Interactive Audio/Video Network-TCP tunneling
port" (default 8084) setting in the Sametime Administration Tool. The
port specified as the "TCP tunneling port" must be open through all
firewalls between the client and the server for the client to transmit and
receive TCP-tunneled audio and video streams.
• If the Meeting Room client TCP/IP connection occurs through a SOCKS4
proxy server (as described in Step 3 above), the audio and video streams
cannot be transmitted through the SOCKS server using UDP (SOCKS
version 4 relays TCP connections only; it has no UDP relay). The client
and server transmit the audio and video streams through the SOCKS
proxy server using TCP over the "TCP tunneling port" (port 8084) as
described above. The TCP Tunneling option must be enabled on the
"Networks and Ports" tab of the Sametime Administration Tool, and the
"TCP tunneling port" must be open through all networks between the
client and the server for the transmission through the SOCKS proxy to
succeed.
If necessary, the administrator can change the default TCP Tunneling
port from 8084 to an administrator-specified port. The administrator can
change this port from the "Networks and Ports" tab of the Sametime
Administration Tool.
• If the Meeting Room client call control connection occurs using a direct
HTTP-tunneled connection on port 80, or an HTTP connection through a
SOCKS proxy server on port 80, the Sametime server must also be
configured to support TCP tunneling of interactive audio/video streams
on port 80. If the Sametime server is configured in this way, the audio
and video streams can be transmitted between the Sametime client and
server (either directly or through the SOCKS proxy server) using a TCP
connection on port 80. This configuration enables a Sametime server and
the Meeting Room client to exchange all meeting data, including
interactive audio and video streams, using port 80. For more information,
see "TCP tunneling of interactive audio/video streams on port 80" later
in this chapter.
The Meeting Room client can use a port other than port 80 to support
HTTP tunneling and TCP tunneling of the Sametime data. Refer to
"Important notes about establishing an audio/video call control
connection using HTTP tunneling" above.
Note If the client transmits and receives audio and video streams through
the TCP Tunneling port, up to four separate TCP sockets can be created to
accommodate the audio and video streams. Two sockets are created for the
RTP audio and video streams, and two sockets are created for the associated
RTCP streams. Having four separate TCP sockets might affect audio/video
performance because of the system resources required to maintain the
sockets. Transmitting the streams over UDP results in better meeting
performance than the TCP-tunneling method.
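The three cases above, together with the notes on HTTP-tunneled call control, form a small decision table that is easy to get wrong when the TCP tunneling port and the HTTP tunneling port are set independently. The following Python function is an added illustration, not code from the Sametime product or this guide: given how the call-control (Meeting Services) connection was established and the "Interactive Audio/Video Network" settings, it returns the transport the streams can use, or the reason they cannot, including the mismatch where call control is tunneled on port 80 but TCP tunneling is still on 8084. The MMP UDP range values and the AVConfig field names are assumptions for the example; the guide gives no default range.

```python
"""Audio/video transport selection for the Meeting Room client.

Added illustration, not Sametime code.  Encodes the rules in "Transmitting
audio and video streams" and the HTTP-tunneling notes that precede it.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AVConfig:
    """Interactive Audio/Video settings from the "Networks and Ports" tab."""
    mmp_udp_start: int                 # "MMP UDP port numbers start at" (site-specific)
    mmp_udp_end: int                   # "MMP UDP port numbers end at"
    tcp_tunneling: bool = False        # "TCP tunneling" option enabled
    tcp_tunnel_port: int = 8084        # default TCP tunneling port
    http_tunnel_port: int = 80         # port on which the server accepts HTTP-tunneled clients


def av_transport(call_control: Tuple[str, str], cfg: AVConfig,
                 udp_allowed: bool) -> Tuple[Optional[str], str]:
    """Decide how the audio and video streams can travel.

    call_control is (protocol, via): protocol "sametime-tcp" or "http-tunnel",
    via "direct", "socks" or "http".  udp_allowed says whether every network
    between client and server passes the UDP ports in the MMP range.
    Returns (transport, reason); transport is "udp", "tcp-tunnel:<port>" or None.
    """
    protocol, via = call_control
    if via == "http":
        return None, "interactive audio/video is not supported through an HTTP proxy"
    if protocol == "sametime-tcp" and via == "direct" and udp_allowed:
        return "udp", f"MMP selects UDP ports in {cfg.mmp_udp_start}-{cfg.mmp_udp_end}"
    # Every remaining case needs the streams TCP-tunneled.  Direct TCP with UDP
    # blocked, or SOCKS (SOCKS4 relays TCP only), uses the TCP tunneling port; an
    # HTTP-tunneled call control connection needs the streams on that same port.
    needed = cfg.http_tunnel_port if protocol == "http-tunnel" else cfg.tcp_tunnel_port
    if not cfg.tcp_tunneling:
        return None, "TCP tunneling is disabled on the Networks and Ports tab"
    if cfg.tcp_tunnel_port != needed:
        return None, (f"TCP tunneling port is {cfg.tcp_tunnel_port} but an HTTP-tunneled "
                      f"call control connection needs the streams on port {needed}")
    return f"tcp-tunnel:{needed}", "up to four TCP sockets (RTP and RTCP for audio and video)"


if __name__ == "__main__":
    # Constructed site configuration: HTTP tunneling on port 80, TCP tunneling left on 8084.
    cfg = AVConfig(mmp_udp_start=50000, mmp_udp_end=50100, tcp_tunneling=True)
    for cc in (("sametime-tcp", "direct"), ("sametime-tcp", "socks"),
               ("http-tunnel", "socks"), ("http-tunnel", "http")):
        print(cc, av_transport(cc, cfg, udp_allowed=False))
```

The last two cases in the sample run are the ones that surprise administrators: a client that reached the Meeting Services through an HTTP-tunneled connection on port 80 has no audio or video until the TCP tunneling port is also set to 80, and a client behind an HTTP proxy has none at all.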
Broadcast client connection process using the Microsoft VM
The Broadcast client must connect to the Broadcast Services on the Sametime
server to receive the broadcast meeting streams. This topic describes the
connection process the Broadcast client uses to receive broadcast meeting
streams when the Broadcast client runs in a Web browser that operates with
the Microsoft VM.
Note The following meeting streams can be sent during a broadcast
meeting:
• Screen-sharing/whiteboard
• Chat
• Send Web page
• Question and answer polling
• Audio
• Video
To receive broadcast meeting streams, the Broadcast client and the Sametime
server engage in a connection process. This connection process includes:
• Call-control connection - First, the Broadcast client makes a Real-Time
Streaming Protocol (RTSP) connection to the Broadcast Services on the
Sametime server. The Broadcast client and Broadcast Services exchange
call-control data over this connection.
• Receiving Broadcast streams - If the call-control connection is
successful, the Broadcast streams are transmitted from the server to the
client using UDP or are tunneled through the call-control connection. If
the client successfully establishes the call-control connection to the
Broadcast Services, the Broadcast client should also receive the
Broadcast meeting streams successfully.
The broadcast streams can also be transmitted using multicast.
Call-control connection
The steps below describe the connection process the Broadcast client uses to
establish a call-control connection to the Broadcast Services.
1. The Sametime Broadcast client loads in the user's Web browser when the
user attends a Broadcast meeting.
The host names and port numbers on which the Sametime server listens
for connections are passed from the server to the Broadcast client. These
host names and port numbers are specified in the
Configuration-Connectivity-"Networks and Ports" tab of the Sametime
Administration Tool.
2. The Broadcast client attempts a direct RTSP over TCP/IP connection to
the Broadcast gateway component of the Broadcast Services on the
Sametime server. The Broadcast client attempts this connection using the
host names and ports specified in the "Broadcast Services
Network-Broadcast gateway address for client connections-Host name
and Port number" setting (default port 554) in the Broadcast services
network settings of the Sametime Administration Tool.
Generally, a direct RTSP TCP/IP connection results in optimum
performance for the Broadcast client. This connection fails if the
connections must occur through a proxy server or any network between
the client and server blocks TCP/IP connections on the specified port
(default 554).
If the direct RTSP over TCP/IP connection is successful, the client can
begin receiving the broadcast meeting streams as described in
"Receiving broadcast meeting streams" below.
If the direct RTSP over TCP/IP connection is not successful, the
Broadcast client continues with the call-control connection process, as
described in the steps below.
3. The Broadcast client examines the proxy server connection settings
defined in the user's Web browser connectivity settings, or defined in a
Proxy Auto-Configuration (PAC) file used by the Web browser.
If a SOCKS proxy is defined in the Web browser proxy settings, or PAC
file, the Broadcast client connects to the SOCKS proxy using the Web
browser or PAC file settings. The SOCKS proxy connects to the
Broadcast Services on behalf of the Broadcast client.
The connection to the Broadcast Services through the SOCKS proxy uses
the same protocol (RTSP over TCP/IP) that was used in the direct
connection attempt described in Step 2. The same host name and port
(default 554) are also used for this connection attempt.
If the RTSP TCP/IP connection through the SOCKS proxy is successful,
the client begins receiving the broadcast meeting streams as described in
"Receiving broadcast meeting streams" below.
If the RTSP TCP/IP connection through the SOCKS proxy fails, the
Broadcast client attempts HTTP-tunneled connections to the Broadcast
Services as described in Step 4.
4. To accomplish HTTP tunneling, the Broadcast client encases the RTSP
connection data within an HTTP connection request.
5. If the administrator allows HTTP tunneling on port 80 during the
Sametime installation, the Broadcast client sends the HTTP requests
containing the Broadcast Services connection data to the Sametime
Community Services multiplexer.
The Broadcast client examines the Web browser proxy server
connectivity settings, or PAC file connectivity settings, when sending the
HTTP requests to the Community Services multiplexer. If the Web
browser or PAC file settings:
• Do not specify a proxy server - The HTTP requests are sent directly
to the Community Services multiplexer on the Sametime server. (This
type of connection is called a "direct HTTP connection.")
• Specify a SOCKS proxy server - The HTTP requests are sent to the
Community Services multiplexer through the SOCKS proxy server.
• Specify an HTTP proxy server - The HTTP requests are sent to the
Community Services multiplexer through the HTTP proxy server.
In all three cases above, the "Host name" and "Port number" settings
(default port 80) specified in the "Community Server Network-Address
for HTTP-tunneled client connections" settings of the Sametime
Administration Tool are used to establish the connections to the
Community Services multiplexer.
The Community Services multiplexer can differentiate between the
HTTP requests intended for the Community Services, Meeting Services,
and Broadcast Services by examining code appended to each URL by
Sametime clients.
Upon receiving a request for the Broadcast Services, the Community
Services multiplexer creates an intraserver connection to the Broadcast
Services and sends the Broadcast data to the Broadcast Services.
The ability of the Community Services multiplexer to receive
Community Services, Meeting Services, and Broadcast Services requests
on a single port (port 80) enables the Sametime server to support
HTTP-tunneling over port 80 by default, even if the Sametime server
machine uses only a single IP address. (Previous releases of Sametime
required the server machine to use multiple IP addresses to support
HTTP tunneling on port 80.)
Note If the administrator does not allow HTTP tunneling on port 80
during the Sametime installation, the default settings and client behavior
are different than described above. The Broadcast client attempts an
HTTP-tunneled connection to the Broadcast Services using the "Host
name" and "Port number" settings (default port 554) specified in the
"Broadcast Services Network-Broadcast Gateway address for HTTP-tunneled
client connections" settings. The Community Services multiplexer does not
handle the Broadcast Services connection. For more information, see
"About http tunneling" later in this chapter.
If an HTTP-tunneled connection succeeds, the Broadcast client and
Sametime server maintain either a persistent or polled HTTP-tunneled
connection, as described in Steps 6 and 7 below.
6. The Broadcast client attempts to maintain a persistent HTTP-tunneled
connection. (The persistent HTTP-tunneled connection is sometimes
called "Master/Slave HTTP tunneling.")
In a persistent HTTP-tunneled connection, data trickles continuously
between the client and the Sametime server. This persistent connection
provides the client with an event-driven, real-time connection to the
server.
Note The persistent HTTP-tunneled connection provides better
performance and uses fewer system and network resources than the
polled HTTP-tunneled connections described in Step 7 below.
A persistent HTTP-tunneled connection might fail in the following
circumstances:
• The client connects to the Sametime server through a proxy that
buffers or caches data.
• Multiple Java applets running within a single instance of the Web
browser attempt to create additional connections, and exceed the
connection limits imposed by the Web browser. Web browsers limit
the number of HTTP connections the browser can make to a single
server.
• The client is unable to access the Web browser connectivity settings or
authenticate with an HTTP proxy.
7. If a persistent HTTP connection fails or is not possible, the client uses a
continuous polling functionality to maintain the HTTP-tunneled
connections.
In this type of tunneling, the client and server enter a polling mode in
which the client continuously makes and breaks connections to post data
to and receive data from the server.
Note that the client can use the proxy authentication settings in the Web
browser proxy settings or PAC file to authenticate with the proxy when
making these polled connections. The client can also communicate
through proxies that buffer or cache data.
The polling functionality enables the Sametime Broadcast client to
maintain connections in almost any network environment as long as the
client can connect to the server using HTTP over port 80. The polling
functionality can increase network traffic. Polling might also affect the
scalability of the server as more system resources are required to
continuously make and break the connections. The polling activity might
be noticeable to the end user but should not prevent the user from
viewing meeting presentations.
Receiving broadcast meeting streams
If the initial call control connection described in "Call-control connection"
above is successful, the client and server determine how to transmit and
receive the broadcast meeting RTP streams.
Using the initial call-control connection described in "Call-control
connection" above, the Broadcast Audio/Video Services send data to the
client that describes the available broadcast meeting streams.
The manner in which the client receives the broadcast streams is determined
by two variables:
• The way in which the call control connection was established
• The availability of the UDP transport between the client and the server
Most efficient method for transmitting broadcast streams
The most efficient transmission of the broadcast meeting media streams
occurs when both of the following are true:
• The Broadcast client established a direct RTSP TCP/IP call control
connection with the Sametime server. The term "direct" indicates that the
client established a TCP/IP connection and did not establish this
connection through a proxy server.
• The UDP transport is available on all networks between the client and
the server.
If both of the above are true, the Broadcast client can subscribe to the
broadcast meeting streams in either of two ways. The manner in which the
client subscribes to the broadcast streams depends on whether multicast is
available on the user's network.
• The Broadcast client can subscribe to unicast UDP streams - The
Broadcast client dynamically selects UDP ports on which to receive the
streams. For this method to succeed, UDP traffic must be allowed to pass
through all networks between the Sametime server (Broadcast Gateway
component) and the Broadcast client.
• The Broadcast client can subscribe to multicast UDP streams - In this
scenario, the Broadcast Gateway component of the Broadcast Services
dynamically selects the UDP ports on which to send the data. These
ports are randomly generated. The client subscribes to a multicast
address on a multicast-enabled router and receives the meeting streams
from the router. This method requires a multicast-enabled network that
allows UDP traffic to pass through all networks between the Sametime
server and the Broadcast client. For more information, see "Using
multicast" in Chapter 9.
Note Transmitting the streams over UDP results in better meeting
performance than the TCP or HTTP tunneling method described in
"Tunneling of broadcast streams" below.
Tunneling of broadcast streams
If UDP is not available on any network between the client and the server, the
broadcast meeting streams are sent to a client using a tunneled connection.
The streams are tunneled over the call-control connection port and can be
tunneled over a direct RTSP TCP/IP connection, an RTSP TCP/IP
connection through a SOCKS proxy server, or an HTTP-tunneled connection.
These tunneling capabilities ensure that any client that can establish a
call-control connection with the Broadcast Services can also receive the
meeting data streams. The possible tunneling scenarios are described below:
• The Broadcast client establishes a direct RTSP TCP/IP call-control
connection (on default port 554), but UDP is not available between the
client and server - In this scenario, the RTP broadcast streams are
tunneled to the client using TCP over the RTSP TCP/IP control
connection between the client and server.
• The Broadcast client establishes an RTSP TCP/IP call-control connection
through a SOCKS proxy server (on default port 554) - In this scenario,
the RTP broadcast streams are also tunneled using RTSP TCP/IP over
the control connection through the SOCKS proxy server.
• The Broadcast client established a call-control connection using
HTTP-tunneling - In this scenario, the broadcast meeting RTP streams
are tunneled through the HTTP-tunneled connection between the client
and the server on the "Community Server Network-Address for
HTTP-tunneled client connections" port (default port 80).
If the client established the call-control connection through an HTTP
proxy server, the RTP streams are transmitted through the HTTP proxy
on port 80. If the client established a call-control connection using HTTP
through a SOCKS proxy server, the RTP streams are transmitted using
HTTP through the SOCKS proxy on port 80. If the Broadcast client
established a call-control connection through a direct HTTP connection,
the RTP streams are transmitted directly to the client using HTTP on
port 80.
Notes about the connection process
In the "Call-control connection" process above, Step 6 indicates that the
Broadcast client attempts to maintain a persistent HTTP-tunneled
connection. Note the following:
• If the Broadcast client loads in a Microsoft Internet Explorer browser, the
client can use the Internet Explorer proxy connectivity settings to
establish this persistent connection.
• If the Broadcast client loads in a Netscape Navigator browser, the client
might be unable to detect the proxy server connection settings defined
for Netscape Navigator when attempting this persistent HTTP-tunneled
connection. In this case, the Broadcast client attempts to establish the
connection using the continuous polling mode described in Step 7. When
connecting in this polling mode, the Broadcast client might be able to
detect the Netscape Navigator proxy connectivity settings to establish
the connection.
Meeting Room and Broadcast client connection processes using the Sun Microsystems JVM 1.4.1
This section discusses the client connection processes and issues associated
with Sametime Meeting Room or Broadcast clients that run in a Web
browser that operates with the Sun Microsystems Java Virtual Machine 1.4.1
and Java Plug-in 1.4.1.
When operating with the Sun Microsystems JVM 1.4.1, the Meeting Room
and Broadcast clients are unable to detect proxy connectivity settings that
are configured in the user's Web browser and cannot use the proxy
connectivity settings specified in the Web browser to establish connections
with the Sametime server.
The Meeting Room and Broadcast clients are able to detect proxy
connectivity settings that are configured in the Java Plug-in 1.4.1 Control
Panel on each user's machine, and can use these proxy connectivity settings
to establish connections with the Sametime server.
Because the Meeting Room and Broadcast clients use the Java Plug-in
Control Panel settings, it may be necessary for the administrator to ensure
that each user's machine has these settings configured appropriately for the
network environment in which the client operates.
This section includes the following topics related to the Meeting Room and
Broadcast client connection processes when running in a Web browser that
operates with the Sun Microsystems JVM 1.4.1:
• Accessing proxy connectivity settings in the Java Plug-in Control Panel
• Suggested Java Plug-in configurations for specific network environments
• Meeting Room client connection process using JVM 1.4.1 (Community Services and Meeting Services)
• Meeting Room client connection process using JVM 1.4.1 (Audio/Video Services)
• Broadcast client connection process using JVM 1.4.1
Accessing proxy connectivity settings in the Java Plug-in Control Panel
When the Sun Microsystems JVM 1.4.1 is installed on a user's machine, the
Java Plug-in 1.4.1 Control Panel is accessible from the Windows Control
Panel on the user's machine. The proxy connectivity settings are defined in
the Proxies tab of the Java Plug-in 1.4.1 Control Panel.
Use the following instructions to view or change the connectivity settings
defined in the Java Plug-in on the user's machine:
1. Open the Control Panel from the Windows desktop
(Start-Settings-Control Panel).
2. Double-click the "Java Plug-in 1.4.1" icon to open the Java Plug-in
Control Panel.
3. Select the Proxies tab to view or change the Java Plug-in connectivity
settings.
Note The possible settings in the Proxies tab of the Java Plug-in Control
Panel include:
• Use my browser settings
• HTTP
• Secure (Not applicable for the Meeting Room and Broadcast client)
• Socks
• FTP (Not applicable to any Sametime clients)
• Gopher (Not applicable to any Sametime clients)
Suggested Java Plug-in configurations for specific network environments
The Sametime Meeting Room and Broadcast clients cannot access proxy
connectivity settings specified in a Web browser when running in a Web
browser that operates with the Sun Microsystems JVM 1.4.1. The Meeting
Room and Broadcast clients can access the proxy connectivity settings
specified in the Java Plug-in 1.4.1 Control Panel and use these settings to
establish a connection with the Sametime server.
Because of this limitation, IBM Lotus software recommends the following
configurations to ensure the Sametime Meeting Room and Broadcast clients
can connect to the Sametime server directly or connect to the Sametime
server through an HTTP or SOCKS proxy server. For information about
connectivity issues that occur when connecting to a Sametime server
deployed behind a reverse proxy server, see "Using reverse proxy or portal
servers with the Sametime server" later in this chapter.
Note If you are already familiar with Sametime client connection processes,
the section below provides a summary of the connectivity behavior that
occurs when the Proxies tab of the Java Plug-in Control Panel is configured
in a particular way. If you are not familiar with the Sametime client
connection processes, see either "Meeting Room client connection process
using JVM 1.4.1 (Community Services and Meeting Services)" later in this
chapter, "Meeting Room client connection process using JVM 1.4.1
(Audio/Video Services)" later in this chapter, or "Broadcast client connection
process using JVM 1.4.1" later in this chapter.
• No proxies exist between the client and the Sametime server - If a
Sametime client can make a direct connection to the Sametime server,
make the following settings in the Proxies tab of the Java Plug-in Control
Panel:
a. Make sure that no proxy servers are specified in the Proxies tab. (The
address and port fields for each type of proxy server must be blank
in the Proxies tab.)
b. The "Use my browser settings" option in the Proxies tab can be
selected or not selected. The Sametime clients cannot access proxy
settings in the user's Web browser when operating with the Sun
Microsystems JVM 1.4.1, so it does not matter whether the "Use my
browser settings" option is selected. Even if the "Use my browser
settings" option is selected, the Sametime clients will not use the
browser settings to establish connections with a Sametime server.
When configured in the manner shown above, the client behaves as
follows:
• The client attempts a direct TCP/IP connection to the Sametime
server.
• If the direct TCP/IP connection fails, the client attempts a direct
HTTP-tunneled connection to the Sametime server.
Note The term "direct" connection means that the client can connect
directly to the Sametime server. In this case, the network environment
must not require connections to occur through an HTTP or SOCKS proxy
server.
• The client must connect to the Sametime server through an HTTP
proxy server - If a Sametime client must connect to an HTTP proxy
server to establish a connection with the Sametime server, make the
following settings in the Proxies tab of the Java Plug-in Control Panel:
• Clear the check mark from the "Use my browser settings" option
• Specify the address of the HTTP proxy server and the port required to
connect to the HTTP proxy server.
When configured in the manner shown above, the client behaves as
follows:
• The client attempts a direct TCP/IP connection to the Sametime
server.
• If the direct TCP/IP connection fails, the client attempts an
HTTP-tunneled connection to the Sametime server through the HTTP
proxy server.
• The client must connect to the Sametime server through a SOCKS
proxy server - If a Sametime client must connect to a SOCKS proxy server
to establish a connection with the Sametime server, make the following
settings in the Proxies tab of the Java Plug-in Control Panel:
• Clear the check mark from the "Use my browser settings" option
• Specify the address of the SOCKS proxy server and the port required
to connect to the SOCKS proxy server.
When configured in the manner shown above, the client behaves as
follows:
• The client attempts a direct TCP/IP connection to the Sametime
server.
• If the direct TCP/IP connection fails, the client attempts a TCP/IP
connection through the SOCKS proxy server.
• If the TCP/IP connection through the SOCKS proxy fails, the client
attempts an HTTP-tunneled connection to the Sametime server
through the SOCKS proxy server.
Meeting Room client connection process using JVM 1.4.1 (Community Services and Meeting Services)
This topic describes the connection process the Meeting Room client uses to
connect to the Community Services and Meeting Services when the Meeting
Room client runs in a Web browser that operates with the Sun Microsystems
JVM 1.4.1.
Note For information about connecting to meetings that include interactive
audio/video, see "Meeting Room client connection process using JVM 1.4.1
(Audio/Video Services)" later in this chapter. For information about
connecting to broadcast meetings, see "Broadcast client connection process
using JVM 1.4.1" later in this chapter.
The Sametime Meeting Room client is a signed Java applet that is loaded in a
user's Web browser when a user attends an instant or scheduled meeting.
The user is prompted to accept the Meeting Room client applet when it is
loaded in the Web browser.
The Meeting Room client contains several Java components. During a
meeting, different Java components contained within the Sametime Meeting
Room client might require connections to the Community Services and
Meeting Services on the Sametime server.
The Meeting Room Java components that require connections to the
Sametime Community Services and Meeting Services include:
• Participant List and Chat - These Meeting Room client components
require a connection to the Community Services.
• Screen sharing, whiteboard, send Web page, and question and answer
polls - These Meeting Room components require a connection to the
Meeting Services.
The steps below describe the connection process the Meeting Room client
uses to connect to the Community Services and Meeting Services when the
Meeting Room client runs in a Web browser that operates with the Sun
Microsystems JVM 1.4.1.
1. The Sametime Meeting Room client loads in the user's Web browser
when the user attends an instant or scheduled Sametime meeting.
The host names and port numbers on which the Community Services
and Meeting Services are listening for connections are passed from the
server to the Meeting Room client. (These host names and port numbers
are specified in the Configuration-Connectivity-"Networks and Ports"
tab of the Sametime Administration Tool.)
2. Regardless of how the connectivity settings are configured in the Proxies
tab of the Java Plug-in Control Panel, the Sametime Meeting Room client
first attempts to make separate direct TCP/IP connections to the
Community Services and Meeting Services on the Sametime server.
Note For the "direct TCP/IP connections," the Meeting Room client
uses unique Sametime protocols over TCP/IP to connect to the
Community Services and Meeting Services; these connections do not
occur through a proxy server. Direct TCP/IP connections result in
optimum meeting performance. For this reason, the client always
attempts direct TCP/IP connections first before resorting to other
connectivity options.
• The Meeting Room client attempts the direct TCP/IP connection to
the Community Services multiplexer using the host names and ports
(default port 1533) specified in the Community Services
Network-Address for client connections-Host name and Port number
settings of the Sametime Administration Tool.
• The Meeting Room client attempts the direct TCP/IP connection to
the Meeting Services using the host names and ports (default 8081)
specified in the Meeting Services Network-Address for client
connections-Host name and Port number settings of the Sametime
Administration Tool.
These direct TCP/IP connections can fail if the connections must occur
through a proxy server or if any network between the client and server
prevents TCP/IP connections on the ports described above (default
ports 1533 and 8081).
3. If the direct TCP/IP connection attempts described in step 2 fail, the
configuration of the settings in the Proxies tab of the Java Plug-in
Control Panel determines how the connections to the Sametime server
are established. The possible configurations are discussed below.
An HTTP proxy server is specified in the Proxies tab of the Java
Plug-in Control Panel
If the Meeting Room client must connect to the Sametime server through
an HTTP proxy server, you should disable the "Use my browser settings"
option in the Java Plug-in Control Panel and enter the HTTP proxy
server address and port in the Proxies tab of the Java Plug-in Control
Panel.
When configured in this way, the Sametime Meeting Room client
encases the Sametime connectivity protocol data in HTTP requests and
sends these requests to the HTTP proxy server. (This capability is
referred to as HTTP-tunneling.) The HTTP proxy server forwards these
requests to the Sametime server on behalf of the clients. The client will
then attempt to establish and maintain an HTTP-tunneled connection to
the Sametime services.
Refer to step 4 in this procedure for a more detailed description of how
these HTTP-tunneled connections are handled by the Sametime server.
A SOCKS proxy server is specified in the Proxies tab of the Java
Plug-in Control Panel
If the Meeting Room client must connect to the Sametime server through
a SOCKS proxy server, you should disable the "Use my browser
settings" option in the Java Plug-in Control Panel and enter the SOCKS
proxy server address and port in the Proxies tab of the Java Plug-in
Control Panel.
If a SOCKS proxy server is specified in the Proxies tab of the Java
Plug-in Control Panel, the Sametime Meeting Room client will make the
following connection attempts:
a. The Sametime Meeting Room client attempts to make separate
TCP/IP connections to the Community Services and Meeting
Services on the Sametime server through the SOCKS proxy server.
The connections through a SOCKS proxy server use the same
protocols (unique Sametime protocols over TCP/IP) that were used in
the direct TCP/IP connection attempt discussed in step 2 above. The
same host names and ports (1533 and 8081) defined in the Sametime
Administration Tool are also used for these connection attempts.
The connections through the SOCKS proxy server can fail if the
connections must occur through an HTTP proxy server or any
network between the client and server prevents TCP/IP connections
on the ports described above (default ports 1533 and 8081).
Note The default ports are configurable from the "Networks and
Ports" tab of the Sametime Administration Tool.
b. If the connection attempts using the standard Sametime protocols
over TCP/IP through the SOCKS proxy are not successful, the
Meeting Room client attempts to make HTTP-tunneled connections
to the Community Services and Meeting Services through the
SOCKS proxy server.
In this case, the Meeting Room client encases the Sametime
Connectivity protocol data in HTTP requests and sends these requests
to the SOCKS proxy. The SOCKS proxy server sends these
HTTP-tunneled requests to the Sametime server on behalf of the
Meeting Room client. The client will then attempt to establish and
maintain an HTTP-tunneled connection to the Sametime services
through the SOCKS proxy server.
Refer to step 4 in this procedure for a more detailed description of
how these HTTP-tunneled connections are handled by the Sametime
server.
No proxies are specified in the Proxies tab
If no proxy servers are specified in the Proxies tab of the Java Plug-in
Control Panel, the Sametime Meeting Room client can establish direct
HTTP-tunneled connections with the Community Services and the
Meeting Services on the Sametime server.
Direct HTTP-tunneled connections occur directly from the Meeting
Room client to the services on the Sametime server and are not
established through a proxy server.
Refer to step 4 in this procedure for a more detailed description of how
these HTTP-tunneled connections are handled by the Sametime server.
Notes about this connectivity configuration:
• No proxy servers are specified in the Proxies tab of the Java Plug-in
Control Panel if the address and port fields associated with the proxy
server fields of the Proxies tab are blank.
• The Java Plug-in Control Panel includes a "Use my browser settings"
option. This setting has no effect on this connection process. If no
proxy servers are specified in the Proxies tab, the client attempts to
establish direct HTTP-tunneled connections with the Community
Services and the Meeting Services regardless of whether the "Use my
browser settings" option is or is not selected. A Sametime client
cannot access the proxy settings specified in the Web browser when
operating with the Sun JVM 1.4.1.
• Direct HTTP-tunneled connections may be useful if a Sametime client
must make a connection to a Sametime server through a client-side
firewall that allows outbound HTTP traffic, but the firewall does not
include an HTTP proxy server.
4. As noted in the previous steps, the client will eventually resort to
HTTP-tunneling to establish connections with the Community Services
and Meeting Services if other connection attempts fail or are not
possible.
This step discusses the way in which HTTP-tunneled connections are
established with the Sametime server.
The HTTP tunneling capabilities work differently depending on whether
the administrator allows or does not allow HTTP tunneling on port 80.
The administrator has the option of allowing or not allowing HTTP
tunneling on port 80 during the server installation.
If HTTP tunneling on port 80 is allowed - If HTTP tunneling on port 80
is allowed during the Sametime server installation, the Meeting Room
client sends the HTTP requests containing Community Services and
Meeting Services connection data to the Sametime Community Services
multiplexer.
The "Host name" and "Port number" settings (default port 80) specified
in the "Community Server Network Address for HTTP-tunneled client
connections" settings of the Sametime Administration Tool are used to
establish the connections to the Community Services multiplexer.
The Community Services multiplexer can differentiate between the
HTTP requests intended for the Community Services and the Meeting
Services by examining code that is appended to each URL by Sametime
clients. Upon receiving these requests, the Community Services
multiplexer:
• Creates an intraserver connection to other Community Services
components and sends the Community Services data to the
Community Services.
• Creates an intraserver connection to the Meeting Services and sends
the Meeting Services data to the Meeting Services.
The ability of the Community Services multiplexer to receive both
Community Services and Meeting Services requests on a single port
(port 80) enables the Sametime server to support HTTP tunneling over
port 80 even if the Sametime server machine uses only a single IP
address. This connectivity capability is sometimes referred to as
"single-port mode."
If HTTP tunneling on port 80 is not allowed - If the administrator does
not allow HTTP tunneling on port 80 during the Sametime server
installation, the Meeting Room client attempts to establish an
HTTP-tunneled connection to the Community Services and a separate
HTTP-tunneled connection to the Meeting Services.
The Meeting Room client attempts an HTTP-tunneled connection to the
Community Services using the "Host name" and "Port number" settings
(default port 1533) specified in the "Community Server
Network-Address for HTTP-tunneled client connections" settings.
The Meeting Room client attempts a separate HTTP-tunneled connection
to the Meeting Services using the "Host name" and "Port number"
settings (default port 8081) specified in the "Meeting Server
Network-Address for HTTP-tunneled client connections" settings.
If the Meeting Room client is successful in establishing connections with
the Community Services and Meeting Services using either a single port
(port 80) or two separate ports (1533 and 8081), the Meeting Room client
and Sametime server maintain either a persistent or polled
HTTP-tunneled connection as noted below.
Maintaining a persistent HTTP-tunneled connection - When
establishing a connection using HTTP-tunneling, the Meeting Room
client first attempts to maintain a persistent HTTP-tunneled connection.
(The persistent HTTP-tunneled connection is sometimes called "hybrid
polling" or "master/slave HTTP tunneling.")
With this connection, data trickles continuously between the client and
the Sametime server. This persistent connection provides the client with
an event-driven, real-time connection to the server.
Note The persistent HTTP-tunneled connection provides better
performance and uses fewer system and network resources than the
polled HTTP-tunneled connections described below.
A persistent HTTP-tunneled connection might fail in the following
circumstances:
• The client connects to the Sametime server through a proxy that
buffers or caches data.
• Multiple Java applets running within a single instance of the Web
browser attempt to create additional connections, and exceed the
connection limits imposed by the Web browser. Web browsers limit
the number of HTTP connections the browser can make to a single
server.
• The client is unable to access the Web browser connectivity settings or
authenticate with an HTTP proxy.
Maintaining a polled HTTP tunneled connection - If a persistent HTTP
connection fails or is not possible, the client uses a continuous polling
functionality to maintain the HTTP-tunneled connections.
In this type of tunneling, the client and server enter a mode in which the
client continuously makes and breaks HTTP connections to post data to
and receive data from the server.
The polling functionality overcomes most of the limitations that cause
persistent HTTP-tunneled connections to fail.
The polling functionality enables the Sametime Meeting Room client to
maintain connections in almost any network environment as long as the
client can connect to the server using HTTP. The polling functionality
can increase network traffic. Polling might also affect the scalability of
the server as more system resources are required to continuously make
and break the connections. The polling activity might be noticeable to
the end user but should not prevent the user from interacting in the
meeting or viewing meeting presentations.
Meeting Room client connection process using JVM 1.4.1 (Audio/Video Services)
The interactive audio/video components of the Sametime Meeting Room
client must communicate with the Audio/Video Services on the Sametime
server to receive and transmit audio and video streams. This topic describes
the connection process the Meeting Room client uses to connect to the
Audio/Video Services when the Meeting Room client runs in a Web browser
that operates with the Sun Microsystems JVM 1.4.1.
To interact in an audio/video meeting, the interactive audio/video
components of the Sametime Meeting Room client and the Sametime server
engage in a connection process. This connection process is discussed in two
parts:
• Call-control connection - First, the Meeting Room client makes a
TCP/IP control connection to the Audio/Video Services on the
Sametime server. The interactive audio/video components of the
Meeting Room client exchange call setup and control data with the
Audio/Video Services over this connection.
• Transmitting Audio/Video streams - If the call control connection is
successful, the audio/video streams are transmitted between the server
and client using either unicast UDP or TCP tunneling.
Note The call-control connection is a connection from the Sametime
Meeting Room client to the Meeting Services. This is the same Meeting
Services connection that is described in Meeting Room client connection
process using Microsoft VM (Community Services and Meeting Services).
Sametime uses the Meeting Services connection that supports the Meeting
Services functionality to transmit audio/video call-control information.
Chapter 5: Configuring Ports and Network Connectivity 255
Call-control connection
The process for the call control connection for the Meeting Room
audio/video components occurs as follows:
1. The Meeting Room client loads in a Web browser when a user attends a
meeting. The interactive audio and video Java applets are components of
the Sametime Meeting Room client.
The host names and ports on which the Sametime server listens for
connections from clients are passed from the server to the client. These
host names and port numbers are specified in the
Configuration-Connectivity-Networks and Ports tab of the Sametime
Administration Tool.
2. Regardless of how the connectivity settings are configured in the Proxies
tab of the Java Plug-in Control Panel, the Sametime Meeting Room client
first attempts a direct TCP/IP connection to the Meeting Services using
the host name and port (default 8081) specified in the Meeting Services
Network-Address for client connections-"Host name" and "Port number"
settings of the Sametime Administration Tool.
If this direct TCP/IP connection is successful, the connection to the
Meeting Services is used for the exchange of call setup and control
information between the Meeting Room client and the Audio/Video
Services on the Sametime server. The audio and video streams are
transmitted between the server and the client as described in
"Transmitting audio and video streams" below.
If the direct TCP/IP connection attempt is not successful, the Meeting
Room client continues with the connection process as documented in
step 3.
3. Audio/video connectivity can only be successful if the call control
connection occurs in one of these ways:
• Using a direct TCP/IP connection (as described in step 2 above).
• Using a TCP/IP connection or an HTTP tunneled connection that
occurs through a SOCKS proxy server
• Using a direct HTTP-tunneled connection
Note The call control connection cannot occur through an HTTP proxy
server. Interactive audio and video streams cannot be transmitted
between the client and server if the call control connection occurs
through an HTTP proxy server.
If the direct TCP/IP connection attempt described in step 2 fails, the
configuration settings in the Proxies tab of the Java Plug-in Control Panel
determine how the connection process proceeds. To enable a call control
connection to be successfully established for the purpose of transmitting
audio and video streams, the Java Plug-in Control Panel must be
configured in one of these two ways:
• A SOCKS proxy server is specified
• No proxies are specified
Each of these possibilities is discussed below:
A SOCKS proxy server is specified in the Proxies tab of the Java
Plug-in Control Panel
If the Meeting Room client must connect to the Sametime server through
a SOCKS proxy server, you should disable the "Use my browser
settings" option in the Java Plug-in Control Panel and enter the SOCKS
proxy server address and port in the Proxies tab of the Java Plug-in
Control Panel.
If a SOCKS proxy server is specified in the Proxies tab of the Java
Plug-in Control Panel, the Sametime Meeting Room client will make the
following connection attempts:
a. The Sametime Meeting Room client attempts to make a TCP/IP
connection to the Meeting Services on the Sametime server through
the SOCKS proxy server.
The connection through the SOCKS proxy server uses the same
protocol (unique Sametime protocol over TCP/IP) that was used in
the direct TCP/IP connection attempt discussed in step 2 above. The
same host name and port (default 8081) defined in the Sametime
Administration Tool are also used for this connection attempt.
If the TCP/IP connection through the SOCKS proxy is successful, the
connection to the Meeting Services is used for the exchange of call
setup and control information between the Meeting Room client and
the Audio/Video Services on the Sametime server. The audio and
video streams are transmitted between the server and the client as
described in "Transmitting audio and video streams" below.
The connections through the SOCKS proxy server can fail if the
connections must occur through an HTTP proxy server or any
network between the client and server prevents TCP/IP connections
on the ports described above (8081).
Note The default ports are configurable from the "Networks and
Ports" tab of the Sametime Administration Tool.
b. If the connection attempt using the standard Sametime protocol over
TCP/IP through the SOCKS proxy is not successful, the Meeting
Room client attempts to make an HTTP-tunneled connection to the
Meeting Services through the SOCKS proxy server.
In this case, the Meeting Room client encases the Sametime
Connectivity protocol data in an HTTP request and sends this request
to the SOCKS proxy. The SOCKS proxy server sends this
HTTP-tunneled request to the Sametime server on behalf of the
Meeting Room client.
The client will attempt this connection to the Sametime server using
the port specified as the Community Services Network-Address for
HTTP-tunneled client connections-Port number (default 1533) in the
Sametime Administration Tool.
Although this HTTP-tunneled connection occurs by default on port
1533, it is likely the administrator will need to enable the Sametime
server to support HTTP-tunneling on port 80 to enable the
audio/video connectivity to succeed.
There are several important issues pertaining to audio/video
connectivity when the call control connection is established using
HTTP tunneling. To maintain clarity in this discussion, these issues
are discussed in step 4 below.
No proxies are specified in the Proxies tab
If no proxy servers are specified in the Proxies tab of the Java Plug-in
Control Panel, the Sametime Meeting Room client can establish direct
HTTP-tunneled connections with the Meeting Services on the Sametime
server.
A direct HTTP-tunneled connection is a connection that occurs directly
from the Meeting Room client to the Meeting Services on the Sametime
server and does not pass through a proxy server.
The client will attempt this connection to the Sametime server using the
ports specified in the Community Services Network-Address for
HTTP-tunneled client connections-Port number setting (default 1533) in
the Networks and Ports tab of the Sametime Administration Tool.
Notes on this connectivity configuration:
• No proxy servers are specified in the Proxies tab of the Java Plug-in
Control Panel if the address and port fields associated with the proxy
servers are blank.
• The Java Plug-in Control Panel includes a "Use my browser settings"
option. This setting has no effect on this connection process. If no
proxy servers are specified in the Proxies tab, the client attempts to
establish direct HTTP-tunneled connections with the Community
Services and the Meeting Services regardless of whether the "Use my
browser settings" option is or is not selected. A Sametime client
cannot access the proxy settings specified in the Web browser when
operating with the Sun JVM 1.4.1.
• Direct HTTP-tunneled connections may be useful if a Sametime client
must make a connection to a Sametime server through a client-side
firewall that allows outbound HTTP traffic, but the firewall does not
include an HTTP proxy server.
Although this HTTP-tunneled connection occurs by default on port
1533, it is likely the administrator will need to enable the Sametime
server to support HTTP-tunneling on port 80 to enable the
audio/video connectivity to succeed.
There are several important issues pertaining to audio/video
connectivity when the call control connection is established using
HTTP tunneling. To maintain clarity in this discussion, these issues
are discussed in step 4 below.
4. The information in step 4 is not relevant if a Sametime Meeting Room
client establishes a call control connection with the Sametime server
using a direct TCP/IP connection or a TCP/IP connection through a
SOCKS proxy.
However, if the Meeting Room client establishes a call control
connection using a direct HTTP-tunneled connection or an
HTTP-tunneled connection through a SOCKS proxy server, the
administrator should review the information provided in this step to
understand the issues associated with establishing audio/video call
control connections using HTTP tunneling.
Interactive audio/video streams can be successfully transmitted when
the call control connection is established using HTTP-tunneling only if
the Sametime server is also configured to support TCP-tunneling of the
interactive audio/video streams on a port that is open through all
networks between the client and server.
The most common configuration for this connectivity is as follows:
• The Sametime server is configured to support HTTP tunneling over
port 80 for connections to the Community Services, Meeting Services,
and Broadcast Services. The administrator can specify this
configuration during the Sametime server installation. The
administrator also has the option of enabling HTTP tunneling over
port 80 using multiple IP addresses. For more information about
configuring a Sametime server to support HTTP-tunneling over port
80, see "About http tunneling" later in this chapter.
• If the Sametime server is configured to support HTTP tunneling over
port 80, the administrator can also configure the Sametime server to
support TCP-tunneling of interactive audio/video streams on port 80.
When configured in this way all Sametime meeting data, including
interactive audio/video streams, can be transmitted using port 80. To
configure the Sametime server to support TCP tunneling of
audio/video streams, see "TCP tunneling of interactive audio/video
streams on port 80" later in this chapter.
Although port 80 is the port most likely to be used for both the
HTTP-tunneled call control connection and the TCP tunneling of the
audio and video streams, you can configure this connectivity to occur on
a different port. To do this, you must configure the Sametime server to
support HTTP tunneling on a port other than port 80. For instructions,
see "Changing the HTTP-tunneling port" later in this chapter. Next, you
must configure the TCP tunneling of audio/video streams to occur on
the same port as the HTTP-tunneled connection. For instructions, see
"TCP tunneling of interactive audio/video streams on port 80" later in
this chapter.
Although these are the most common configurations, practically any
configuration is possible using the Networks and Ports tab of the
Sametime Administration Tool. For example, it is possible for the
HTTP-tunneled call control connection to occur on port 1533 (or any
other port) while the TCP tunneling of the audio/video streams occurs
on port 80 (or any other port). The administrator must determine the
appropriate configuration for the network environment.
Note also that the call control connection must be established using a
direct HTTP-tunneled connection between the client and the server, or
an HTTP-tunneled connection through a SOCKS proxy server.
Interactive audio and video is not supported if the client connects to the
Sametime server through an HTTP proxy server. It is not possible to use
TCP tunneling to transmit audio/video streams through an HTTP proxy
server.
Transmitting audio and video streams
The manner in which audio and video streams are transmitted depends on
how the call control connection was established:
• If the Meeting Room client direct TCP/IP connection described in Step 2
above is successful, the Audio/Video Services dynamically select the
UDP ports on which to receive audio and video streams from the clients.
These dynamic UDP ports are selected from the range of ports the
administrator specifies in the "Interactive Audio/Video Network Multimedia Processor (MMP) UDP port numbers start/end at" settings
in the Sametime Administration Tool "Networks and Ports" settings.
If any network between the client and the server blocks UDP traffic, the
audio and video streams can be tunneled over a single TCP/IP port.
The administrator can specify the TCP port over which the streams will
be tunneled in the "Interactive Audio/Video Network-TCP tunneling
port" (default 8084) setting in the Sametime Administration Tool. The
port specified as the "TCP tunneling port" must be open through all
firewalls between the client and the server for the client to transmit and
receive TCP-tunneled audio and video streams.
• If the Meeting Room client TCP/IP connection occurs through a SOCKS
proxy server (as discussed in Step 3 above), the audio and video streams
cannot be transmitted through the SOCKS server using UDP. The client
and server transmit the audio and video streams through the SOCKS
proxy server using TCP over the "TCP tunneling port" (port 8084) as
described above. The TCP Tunneling option must be enabled on the
"Networks and Ports" tab of the Sametime Administration Tool, and the
"TCP tunneling port" must be open through all networks between the
client and the server for the transmission through the SOCKS proxy to
succeed.
If necessary, the administrator can change the default TCP Tunneling
port from 8084 to an administrator-specified port. The administrator can
change this port from the "Networks and Ports" tab of the Sametime
Administration Tool.
• If the Meeting Room client call control connection occurs using a direct
HTTP-tunneled connection on port 80, or an HTTP connection through a
SOCKS proxy server on port 80, the Sametime server must also be
configured to support TCP tunneling of interactive audio/video streams
on port 80. If the Sametime server is configured in this way, the audio
and video streams can be transmitted between the Sametime client and
server (either directly or through the SOCKS proxy server) using a TCP
connection on port 80. This configuration enables a Sametime server and
the Meeting Room client to exchange all meeting data, including
interactive audio and video streams using port 80. For more information,
see "TCP tunneling of interactive audio/video streams on port 80" later
in this chapter.
The Meeting Room client can use a port other than port 80 to support
HTTP tunneling and TCP tunneling of the Sametime data, as noted in
Step 4 above.
Note If the client transmits and receives audio and video streams through
the TCP Tunneling port, up to four separate TCP sockets can be created to
accommodate the audio and video streams. Two sockets are created for the
RTP audio and video streams, and two sockets are created for the associated
RTCP streams. Having four separate TCP sockets might affect audio/video
performance because of the system resources required to maintain the
sockets. Transmitting the streams over UDP results in better meeting
performance than the TCP-tunneling method.
Broadcast client connection process using JVM 1.4.1
The Broadcast client must connect to the Broadcast Services on the Sametime
server to receive the broadcast meeting streams. This topic describes the
connection process the Broadcast client uses to receive broadcast meeting
streams when the Broadcast client runs in a Web browser that operates with
the Sun Microsystems JVM 1.4.1.
Note The following meeting streams can be sent during a broadcast
meeting:
• Screen-sharing/whiteboard
• Chat
• Send Web page
• Question and answer polling
• Audio
• Video
To receive broadcast meeting streams, the Broadcast client and the Sametime
server engage in a connection process. This connection process includes:
• Call-control connection - First, the Broadcast client makes a Real-Time
Streaming Protocol (RTSP) connection to the Broadcast Services on the
Sametime server. The Broadcast client and Broadcast Services exchange
call-control data over this connection.
• Receiving Broadcast streams - If the call-control connection is
successful, the Broadcast streams are transmitted from the server to the
client using UDP or are tunneled through the call-control connection. If
the client successfully establishes the call-control connection to the
Broadcast Services, the Broadcast client should also receive the
Broadcast meeting streams successfully.
The broadcast streams can also be transmitted using multicast.
Call-control connection
The steps below describe the connection process the Broadcast client uses to
establish a call-control connection to the Broadcast Services.
1. The Sametime Broadcast client loads in the user's Web browser when the
user attends an instant or scheduled Sametime meeting.
The host names and port numbers on which the Sametime server listens
for connections are passed from the server to the Broadcast client. These
host names and port numbers are specified in the
Configuration-Connectivity-"Networks and Ports" tab of the Sametime
Administration Tool.
2. Regardless of how the connectivity settings are configured in the Proxies
tab of the Java Plug-in Control Panel, the Sametime Broadcast client first
attempts to make a direct RTSP over TCP/IP connection to the Broadcast
gateway component of the Broadcast Services on the Sametime server.
The Broadcast client attempts this connection using the host names and
ports specified in the "Broadcast Services Network-Broadcast gateway
address for client connections-Host name and Port number" setting
(default port 554) in the Broadcast services network settings of the
Sametime Administration Tool.
Generally, a direct RTSP TCP/IP connection results in optimum
performance for the Broadcast client. This connection fails if the
connections must occur through a proxy server or any network between
the client and server blocks TCP/IP connections on the specified port
(default 554).
If the direct RTSP over TCP/IP connection is successful, the client can
begin receiving the broadcast meeting streams as described in
"Receiving broadcast meeting streams" below.
If the direct RTSP over TCP/IP connection is not successful, the
Broadcast client continues with the call-control connection process, as
described in the steps below.
3. If the direct RTSP over TCP/IP connection attempts described in step 2
fail, the configuration of the settings in the Proxies tab of the Java Plug-in
Control Panel determines how the connections to the Sametime server
are established. The possible configurations are discussed below.
An HTTP proxy server is specified in the Proxies tab of the Java
Plug-in Control Panel
If the Broadcast client must connect to the Sametime server through an
HTTP proxy server, you should disable the "Use my browser settings"
option in the Java Plug-in Control Panel and enter the HTTP proxy
server address and port in the Proxies tab of the Java Plug-in Control
Panel.
When configured in this way, the Sametime Broadcast client encases the
Sametime connectivity protocol data in HTTP requests and sends these
requests to the HTTP proxy server. (This capability is referred to as
HTTP-tunneling.) The HTTP proxy server forwards these requests to the
Sametime server on behalf of the clients. The client will then attempt to
establish and maintain an HTTP-tunneled connection to the Broadcast
services.
Refer to step 4 in this procedure for a description of how these
HTTP-tunneled connections are handled by the Sametime server.
A SOCKS proxy server is specified in the Proxies tab of the Java
Plug-in Control Panel
If the Broadcast client must connect to the Sametime server through a
SOCKS proxy server, you should disable the "Use my browser settings"
option in the Java Plug-in Control Panel and enter the SOCKS proxy
server address and port in the Proxies tab of the Java Plug-in Control
Panel.
If a SOCKS proxy server is specified in the Proxies tab of the Java
Plug-in Control Panel, the Broadcast client will make the following
connection attempts:
a. The Broadcast client attempts to make a TCP/IP connection to the
Broadcast Services on the Sametime server through the SOCKS
proxy server.
This connection through a SOCKS proxy server uses the same
protocol (RTSP over TCP/IP) that was used in the direct TCP/IP
connection attempt discussed in step 2 above. The same host name
and port (554) defined in the Sametime Administration Tool are also
used for this connection attempt.
This connection through the SOCKS proxy server can fail if the
connection must occur through an HTTP proxy server or any network
between the client and server prevents TCP/IP connections on the
port described above (default port 554).
Note The default ports are configurable from the "Networks and
Ports" tab of the Sametime Administration Tool.
b. If the connection attempt using RTSP over TCP/IP through the
SOCKS proxy is not successful, the Broadcast client attempts to make
HTTP-tunneled connections to the Broadcast Services through the
SOCKS proxy server.
In this case, the Broadcast client encases the Sametime connectivity
data in HTTP requests and sends these requests to the SOCKS proxy.
The SOCKS proxy server sends these HTTP-tunneled requests to the
Sametime server on behalf of the Broadcast client. The client will then
attempt to establish and maintain an HTTP-tunneled connection to
the Broadcast Services through the SOCKS proxy server.
Refer to step 4 in this procedure for a description of how these
HTTP-tunneled connections are handled by the Sametime server.
No proxies are specified in the Proxies tab
If no proxy servers are specified in the Proxies tab of the Java Plug-in
Control Panel, the Broadcast client can establish direct HTTP-tunneled
connections with the Broadcast Services on the Sametime server.
Direct HTTP-tunneled connections occur directly from the Broadcast
client to the services on the Sametime server and are not established
through a proxy server.
Refer to step 4 in this procedure for a description of how these
HTTP-tunneled connections are handled by the Sametime server.
Notes:
• No proxy servers are specified in the Proxies tab of the Java Plug-in
Control Panel if the address and port fields associated with the proxy
servers are blank.
• The Java Plug-in Control Panel includes a "Use my browser settings"
option. It does not matter if the "Use my browser settings" option is or
is not selected in the Java Plug-in Control Panel. When a Sametime
client runs in a Web browser that operates with the Sun Microsystems
JVM 1.4.1, the Sametime client cannot access the proxy settings
specified in the Web browser even if the "Use my browser settings"
option is selected in the Java Plug-in Control Panel.
• Direct HTTP-tunneled connections may be useful if a Sametime client
must make a connection to a Sametime server through a client-side
firewall that allows outbound HTTP traffic, but the firewall does not
include an HTTP proxy server.
4. This step discusses the way in which HTTP-tunneled connections are
established with the Sametime server.
When the direct TCP/IP connection attempt described in step 2 above
fails, the Broadcast client will attempt to make an HTTP-tunneled
connection to the Broadcast Services in the following scenarios:
• An HTTP proxy server is specified in the Proxies tab of the Java
Plug-in Control Panel. In this case, the Broadcast client will attempt
an HTTP-tunneled connection to the Broadcast Services through the
HTTP proxy server.
• A SOCKS proxy server is specified in the Proxies tab of the Java
Plug-in Control Panel and the Sametime protocol over TCP/IP
connection attempts through the SOCKS proxy server to the
Broadcast Services fail. In this case, the Broadcast client will attempt
HTTP-tunneled connections to the Broadcast Services through the
SOCKS proxy server.
• No proxy servers are specified in the Proxies tab of the Java Plug-in
Control Panel. In this case, the Broadcast client will attempt direct
HTTP-tunneled connections to the Sametime server. No attempt is
made to establish an HTTP-tunneled connection to the Sametime
server through a proxy server.
The HTTP tunneling capabilities work differently depending on whether
the administrator allows or does not allow HTTP tunneling on port 80.
The administrator has the option of allowing or not allowing HTTP
tunneling on port 80 during the server installation.
If HTTP tunneling on port 80 is allowed - If HTTP tunneling on port 80
is allowed during the Sametime server installation, the Broadcast client
sends the HTTP requests containing Broadcast Services connection data
to the Sametime Community Services multiplexer.
The "Host name" and "Port number" settings (default port 80) specified
in the "Community Server Network Address for HTTP-tunneled client
connections" settings of the Sametime Administration Tool are used to
establish the connections to the Community Services multiplexer.
The Community Services multiplexer can differentiate between the
HTTP requests intended for the Community Services, Meeting Services,
and Broadcast Services by examining code that is appended to each URL
by Sametime clients.
Upon receiving a Broadcast Services request, the Community Services
multiplexer creates an intraserver connection to the Broadcast Services
and sends the Broadcast Services data to the Broadcast Services.
The ability of the Community Services multiplexer to receive
Community Services, Meeting Services, and Broadcast Services requests
on a single port (port 80) enables the Sametime server to support HTTP
tunneling over port 80 even if the Sametime server machine uses only a
single IP address. This connectivity capability is sometimes referred to as
"single-port mode."
If HTTP tunneling on port 80 is not allowed - If the administrator does
not allow HTTP tunneling on port 80 during the Sametime server
installation, the Broadcast client attempts to establish an HTTP-tunneled
connection to the Broadcast Services (instead of the Community Services
multiplexer).
The Broadcast client attempts an HTTP-tunneled connection to the
Broadcast Services using the "Host name" and "Port number" settings
(default port 554) specified in the "Broadcast Services Network-Address
for HTTP-tunneled client connections" settings.
If the Broadcast client is successful in establishing an HTTP-tunneled
connection with the Broadcast Services using either port 80 or port 554,
the Broadcast client maintains either a persistent or polled
HTTP-tunneled connection as noted below.
Maintaining a persistent HTTP-tunneled connection - When
establishing a connection using HTTP-tunneling, the Broadcast client
first attempts to maintain a persistent HTTP-tunneled connection. (The
persistent HTTP-tunneled connection is sometimes called "hybrid
polling" or "master/slave HTTP tunneling.")
With this connection, data trickles continuously between the client and
the Sametime server. This persistent connection provides the client with
an event-driven, real-time connection to the server.
Note The persistent HTTP-tunneled connection provides better
performance and uses fewer system and network resources than the
polled HTTP-tunneled connections described below.
A persistent HTTP-tunneled connection might fail in the following
circumstances:
• The client connects to the Sametime server through a proxy that
buffers or caches data.
• Multiple Java applets running within a single instance of the Web
browser attempt to create additional connections, and exceed the
connection limits imposed by the Web browser. Web browsers limit
the number of HTTP connections the browser can make to a single
server.
• The client is unable to access the Web browser connectivity settings or
authenticate with an HTTP proxy.
Maintaining a polled HTTP tunneled connection - If a persistent HTTP
connection fails or is not possible, the client uses a continuous polling
functionality to maintain the HTTP-tunneled connections.
In this type of tunneling, the client and server enter a mode in which the
client continuously makes and breaks HTTP connections to post data to
and receive data from the server.
The polling functionality overcomes most of the limitations that cause
persistent HTTP-tunneled connections to fail.
The polling functionality enables the Sametime Broadcast client to
maintain connections in almost any network environment as long as the
client can connect to the server using HTTP. The polling functionality
can increase network traffic. Polling might also affect the scalability of
the server as more system resources are required to continuously make
and break the connections.
Receiving broadcast meeting streams
If the initial call control connection described in "Call-control connection"
above is successful, the client and server determine how to transmit and
receive the broadcast meeting RTP streams.
Using the initial call-control connection described in "Call-control
connection" above, the Broadcast Services send data to the client that
describes the available broadcast meeting streams.
The manner in which the client receives the broadcast streams is determined
by two variables:
• The way in which the call control connection was established
• The availability of the UDP transport between the client and the server
Most efficient method for transmitting broadcast streams
The most efficient transmission of the broadcast meeting media streams
occurs when both of the following are true:
• The Broadcast client established a direct RTSP TCP/IP call control
connection with the Sametime server. The term "direct" indicates that the
client established a TCP/IP connection and did not establish this
connection through a proxy server.
• The UDP transport is available on all networks between the client and
the server.
If both of the above are true, the Broadcast client can subscribe to the
broadcast meeting streams in either of two ways. The manner in which the
client subscribes to the broadcast streams depends on whether multicast is
available on the user's network.
• The Broadcast client can subscribe to unicast UDP streams - The
Broadcast client dynamically selects UDP ports on which to receive the
streams. For this method to succeed, UDP traffic must be allowed to pass
through all networks between the Sametime server (Broadcast Gateway
component) and the Broadcast client.
• The Broadcast client can subscribe to multicast UDP streams - In this
scenario, the Broadcast Gateway component of the Broadcast Services
dynamically selects the UDP ports on which to send the data. These
ports are randomly generated. The client subscribes to a multicast
address on a multicast-enabled router and receives the meeting streams
from the router. This method requires a multicast-enabled network that
allows UDP traffic to pass through all networks between the Sametime
server and the Broadcast client. For more information, see "Using
multicast" in Chapter 9.
Note Transmitting the streams over UDP results in better meeting
performance than the TCP or HTTP tunneling method described in
"Tunneling of broadcast streams" below.
Tunneling of broadcast streams
If UDP is not available on any network between the client and the server, the
broadcast meeting streams are sent to a client using a tunneled connection.
The streams are tunneled over the call-control connection port and can be
tunneled over a direct RTSP TCP/IP connection, an RTSP TCP/IP
connection through a SOCKS proxy server, or an HTTP-tunneled connection.
These tunneling capabilities ensure that any client that can establish a
call-control connection with the Broadcast Services can also receive the
meeting data streams. The possible tunneling scenarios are described below:
• The Broadcast client establishes a direct RTSP TCP/IP call-control
connection (on default port 554), but UDP is not available between the
client and server - In this scenario, the RTP broadcast streams are
tunneled to the client using TCP over the RTSP TCP/IP control
connection between the client and server.
• The Broadcast client establishes an RTSP TCP/IP call-control connection
through a SOCKS proxy server (on default port 554) - In this scenario,
the RTP broadcast streams are also tunneled using RTSP TCP/IP over
the control connection through the SOCKS proxy server.
• The Broadcast client established a call-control connection using
HTTP-tunneling - In this scenario, the broadcast meeting RTP streams
are tunneled through the HTTP-tunneled connection between the client
and the server on the "Community Server Network-Address for
HTTP-tunneled client connections" port (default port 80).
If the client established the call-control connection through an HTTP
proxy server, the RTP streams are transmitted through the HTTP proxy
on port 80. If the client established a call-control connection using HTTP
through a SOCKS proxy server, the RTP streams are transmitted using
HTTP through the SOCKS proxy on port 80. If the Broadcast client
established a call-control connection through a direct HTTP connection,
the RTP streams are transmitted directly to the client using HTTP on
port 80.
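The stream-delivery rules from "Receiving broadcast meeting streams" and "Tunneling of broadcast streams" combined into one decision function, as an added example that is not Lotus code: the call-control kind names and the StreamPath fields are this example's own, and the result states which firewall permission each scenario needs.

```python
"""Model of how a Sametime 3.1 Broadcast client receives meeting streams.

Added illustration, not Lotus code. It encodes the rules from the
Administrator's Guide: UDP (unicast or multicast) is used only when the
call-control connection is direct AND UDP passes on every network between
client and server; otherwise the RTP streams are tunneled over the
call-control connection itself.
"""
from dataclasses import dataclass
from typing import Optional

RTSP_PORT = 554          # default RTSP call-control port
HTTP_TUNNEL_PORT = 80    # default "Address for HTTP-tunneled client connections" port

# How the call-control connection was established (names are this example's own).
CALL_CONTROL_KINDS = {
    "direct_rtsp",       # direct RTSP TCP/IP connection to the server
    "rtsp_via_socks",    # RTSP TCP/IP through a SOCKS proxy
    "http_direct",       # HTTP-tunneled, directly to the server
    "http_via_proxy",    # HTTP-tunneled through an HTTP proxy
    "http_via_socks",    # HTTP-tunneled through a SOCKS proxy
}


@dataclass(frozen=True)
class StreamPath:
    transport: str          # "multicast_udp", "unicast_udp", "tcp_over_rtsp" or "http_tunnel"
    port: Optional[int]     # fixed port the streams use, or None when ports are dynamic
    firewall_rule: str      # what every firewall between client and server must allow


def select_stream_path(call_control: str, udp_available: bool,
                       multicast_available: bool = False,
                       http_tunnel_port: int = HTTP_TUNNEL_PORT) -> StreamPath:
    """Return the transport the Broadcast client ends up using for the RTP streams."""
    if call_control not in CALL_CONTROL_KINDS:
        raise ValueError(f"unknown call-control kind: {call_control}")

    # UDP delivery requires BOTH a direct (non-proxied) RTSP connection and UDP reachability.
    if call_control == "direct_rtsp" and udp_available:
        if multicast_available:
            return StreamPath("multicast_udp", None,
                              "UDP to the multicast group; Broadcast Gateway picks random send ports")
        return StreamPath("unicast_udp", None,
                          "UDP from the Broadcast Gateway to client-selected dynamic ports")

    # No UDP: streams ride inside the call-control connection.
    if call_control == "direct_rtsp":
        return StreamPath("tcp_over_rtsp", RTSP_PORT,
                          f"TCP/{RTSP_PORT} direct to the Sametime server")
    if call_control == "rtsp_via_socks":
        return StreamPath("tcp_over_rtsp", RTSP_PORT,
                          f"TCP/{RTSP_PORT} to the SOCKS proxy")

    # Every HTTP variant tunnels the RTP streams over the HTTP-tunneled connection.
    via = {"http_direct": "direct to the server",
           "http_via_proxy": "to the HTTP proxy",
           "http_via_socks": "to the SOCKS proxy"}[call_control]
    return StreamPath("http_tunnel", http_tunnel_port,
                      f"TCP/{http_tunnel_port} (HTTP) {via}")


if __name__ == "__main__":
    for kind in sorted(CALL_CONTROL_KINDS):
        for udp in (True, False):
            path = select_stream_path(kind, udp)
            print(f"{kind:16} udp={udp!s:5} -> {path.transport:14} {path.firewall_rule}")
```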
NetMeeting/H.323 client connection process
NetMeeting and other T.120- and H.323-compliant clients can connect to the
Meeting Services and the Audio/Video Services to participate in meetings
on the Sametime server. This topic briefly describes the ports used by
NetMeeting and other T.120- and H.323-compliant clients. These clients
generally do not support connections through SOCKS or HTTP proxy
servers.
NetMeeting uses the T.120 connection process when connecting to a
Sametime server to participate in screen-sharing/whiteboard meetings on
the Sametime server.
NetMeeting uses the H.323 connection process when connecting to a
Sametime server to participate in audio/video meetings on the Sametime
server.
When a NetMeeting user accesses the Sametime server through a firewall, all
firewalls between the client and the server must allow connections on the
ports listed below.
Note Port 1720, the Dynamic TCP port, and the Dynamic UDP ports are
used for audio/video connections and transmissions. These ports are
relevant only if you have installed the Sametime Multimedia Services.
The table below identifies the ports used by NetMeeting and other T.120- and
H.323-compliant clients.
Port 1503 - Purpose: The Sametime Meeting Services listen for T.120
connections from NetMeeting on this port. This port is generally used to pass
screen-sharing and whiteboard data between NetMeeting and the Sametime
server. NetMeeting clients cannot interact in screen-sharing and whiteboard
meetings with Sametime Meeting Room clients. However, when all meeting
participants are using NetMeeting, the meeting participants can interact
using the screen-sharing and whiteboard features available with NetMeeting
when attending a meeting on the Sametime server.
Port 1720 - Purpose: The Sametime Audio/Video Services listen for Q.931
call-signaling connections from H.323 clients on this port. This port is used
when a NetMeeting or other H.323 client attends an audio/video meeting on
the Sametime server. NetMeeting clients can interact with Sametime Meeting
Room clients in the audio/video portions of online meetings.
Dynamic TCP port - Purpose: As a result of the Q.931 call-signaling
connection described above, the Sametime Audio/Video Services transmit a
dynamic TCP port to the NetMeeting client. This port is required to continue
with the call setup process defined by the H.245 protocol.
Dynamic UDP ports - Purpose: The RTP audio and video streams are
transmitted over UDP. All networks between the client and the server must
allow the transmission of UDP data.
About HTTP tunneling
Many corporate networks restrict all connections to machines outside of the
corporate network with the exception of HTTP connections on port 80.
Sametime provides HTTP tunneling functionality that enables Sametime
clients to make all necessary connections to the Sametime server using HTTP
over port 80 (with the exception of interactive audio/video connections).
This functionality is especially useful if you deploy a Sametime server for
Internet users or in situations where Sametime users operate behind a
firewall and the Sametime server is not located in the network protected by
that firewall.
Sametime 3.1 supports HTTP tunneling on port 80 when the Sametime
server uses only a single IP address. If you allow HTTP tunneling on port 80
during the Sametime server installation, you do not need to adjust any
connectivity settings in the Sametime Administration Tool or add IP
addresses to the Sametime server machine to enable the HTTP tunneling on
port 80 functionality.
The HTTP-tunneling settings in the Sametime Administration Tool provide
the administrator with the flexibility to configure the HTTP-tunneling
functionality to accommodate a variety of different network environments.
For example, Sametime can be configured to support HTTP tunneling on
ports other than port 80 on a machine that includes a single IP address.
Sametime can also be set up so that HTTP-tunneled connections are handled
by the individual services instead of the Community Services multiplexer.
As with previous Sametime releases, you can also assign multiple IP
addresses to the Sametime 3.1 server to support HTTP tunneling on port 80.
Read the following topics for a better understanding of the HTTP-tunneling
functionality and the administrative settings that control it:
• What is HTTP tunneling on port 80? - Briefly elaborates on the purpose
of HTTP tunneling on port 80 and provides a connection scenario to
illustrate its advantages.
• Configuring HTTP tunneling settings on a server that uses a single IP
address - Discusses the administration settings that control the HTTP
tunneling functionality. This section explains how to change the
HTTP-tunneling port on a server that includes a single IP address.
• HTTP tunneling on port 80 using multiple IP addresses (optional) - If
your Sametime server is used heavily, you can improve server
performance by assigning multiple IP addresses to the Sametime server
to support the HTTP tunneling on port 80 functionality. This section
discusses how the administrator can bind separate host names or IP
addresses to each Sametime service to support HTTP tunneling on port
80. Using multiple IP addresses lessens the number of connection sockets
required to maintain connectivity and might improve the I/O
performance of the server.
• Sametime Connect client 2.5 and 3.1 compatibility issues with HTTP
tunneling on port 80 - Discusses compatibility issues that occur when a
Sametime 2.5 Connect client connects to a Sametime 3.1 server that
supports HTTP tunneling on port 80 or a Sametime 3.1 Connect client
connects to a Sametime 2.5 server that supports HTTP tunneling on port
80.
What is HTTP tunneling on port 80?
If you have extended a Sametime server to Internet users, the configuration
of a remote client's firewall might prevent the client from connecting to the
Sametime server. For example, to exchange presence and chat data with
other clients in a meeting, a Sametime client connects to the Community
Services on a Sametime server using TCP/IP port 1533 (by default). To
exchange screen-sharing and whiteboard data, a Sametime client connects to
the Meeting Services using TCP/IP port 8081 (by default).
Many firewalls allow only HTTP connections on port 80 and will block the
connection attempts that occur on ports 1533 and 8081. To establish
connections in these environments, Sametime clients can automatically
attempt a connection using HTTP tunneling over port 80. Using this
tunneled connection, Sametime clients are able to communicate with the
Community Services, Meeting Services, or Broadcast Services.
The example connection scenario below illustrates the advantages of the
HTTP-tunneling functionality.
Connection scenario
In this scenario, a user ("Gina") is operating behind a corporate firewall and
attempting to attend a meeting on a Sametime server that is available to
Internet users. Gina's firewall allows HTTP connections to the Internet over
port 80 but blocks all other connections.
1. A Sametime Administrator ("Ted") employed by Meetings Incorporated
in Los Angeles deploys a Sametime server for access by Internet users.
2. An Internet user in Denver ("Gina") employed by the Acme corporation,
and unknown to Ted, accesses the Sametime server in Los Angeles with
a Web browser using HTTP over port 80. Gina clicks on the name of a
meeting in the Sametime Meeting Center to attend the meeting.
3. The Sametime Meeting Room client loads from the Sametime server to
the Web browser on Gina's computer.
4. The Meeting Room client on Gina's machine attempts to establish
connections to the Community Services on the Sametime server on the
default TCP/IP port 1533 and to the Meeting Services on the default
TCP/IP port 8081. The Acme corporation's firewall, which allows
outbound connections only on HTTP port 80, blocks the outbound
Sametime connections on both ports 1533 and 8081.
5. The Sametime Meeting Room client automatically attempts
HTTP-tunneled connections for both Community Services and the
Meeting Services to the Community Services multiplexer using port 80.
The Community Services multiplexer can differentiate between HTTP
connection requests intended for the Community Services and Meeting
Services. The Community Services multiplexer creates intraserver
connections to the Community Services and Meeting Services and passes
the Community Services and Meeting Services data over these
connections.
Note The Broadcast client can also make HTTP-tunneled connections to
the Community Services multiplexer using port 80. The Community
Services multiplexer also forwards the Broadcast Services data to the
Broadcast Services over an intraserver connection.
6. The HTTP-tunneled connection to the Community Services multiplexer
on port 80 is successful because Gina's firewall allows HTTP connections
on that port.
As many corporate networks allow only HTTP connections on port 80, this
functionality increases the possibility that users in restrictive network
environments can attend meetings on a Sametime server that is extended to
the Internet.
Configuring HTTP-tunneling settings on a server that uses a single IP
address
This section discusses the settings in the Sametime Administration Tool that
control the HTTP-tunneling functionality and how these settings are used
when a Sametime server uses a single IP address.
If the administrator allows HTTP tunneling on port 80 during the Sametime
server installation, the Community Services multiplexer handles all
HTTP-tunneled connections, including connections to the Community
Services, Meeting Services, and Broadcast Services. The ability of the
Community Services multiplexer to handle HTTP connections for three
different services on a single port enables the Sametime server to support
HTTP tunneling on port 80 when the server uses a single IP address.
To illustrate how the settings in the Sametime Administration Tool affect the
connectivity, three examples are provided. The three examples assume you
have installed Sametime on a machine that uses a single IP address. These
examples illustrate how to:
• Allow HTTP tunneling on port 80 after the server installation
• Change the HTTP-tunneling port from port 80 to a different port
• Make HTTP-tunneled connections to individual services instead of the
Community Services multiplexer
Allowing HTTP tunneling on port 80 after the server installation
If your Sametime server uses a single IP address and you did not allow
HTTP tunneling on port 80 during the Sametime server installation, follow
the example below to enable HTTP tunneling on port 80.
1. Open the Sametime Administration Tool.
2. Select Configuration-Connectivity-"Networks and Ports."
3. Ensure that the "Community Services Network-Enable the Meeting
Room client to try HTTP tunneling to the Community Server after trying
other options" setting is enabled.
4. In the "Community Services Network-Address for HTTP tunneled client
connections" settings:
• If your Sametime server operates on a Windows server, you can leave
the "Host name" field blank.
If your Sametime server operates on an IBM iSeries server, you must
specify the fully-qualified host name of the Sametime server in the
"Host name" field.
• In the "Port number" field, delete port 1533 and enter port 80.
5. In the "Meeting Services Network-Address for HTTP tunneled client
connections" settings:
• If your Sametime server operates on a Windows server, you can leave
the "Host name" field blank.
If your Sametime server operates on an IBM iSeries server, you must
specify the fully-qualified host name of the Sametime server in the
"Host name" field.
• In the "Port number" field, delete port 8081 and enter port 80.
6. In the "Broadcast Services Network-Broadcast Gateway address for
HTTP-tunneled client connections" settings:
• If your Sametime server operates on a Windows server, you can leave
the "Host name" field blank.
If your Sametime server operates on an IBM iSeries server, you must
specify the fully-qualified host name of the Sametime server in the
"Host name" field.
• In the "Port number" field, delete port 554 and enter port 80.
7. Change the HTTP port used by the Domino server to a port other than
port 80. For more information, see "HTTP Services settings" earlier in
this chapter.
8. Click Update and restart the server for the change to take effect.
For more detailed information on how the HTTP-tunneling settings function,
see "Explanation of HTTP-tunneling settings" later in this chapter.
Changing the HTTP-tunneling port
If your Sametime server uses a single IP address and you want to change the
HTTP-tunneling port from port 80 to a different port, follow the procedure
below. The example below assumes you are changing the HTTP tunneling
port from port 80 to port 85.
1. Open the Sametime Administration Tool.
2. Select Configuration-Connectivity-"Networks and Ports."
3. Ensure that the "Community Services Network-Enable Meeting Room
client to try HTTP tunneling to the Community Server after trying other
options" setting is enabled.
4. In the "Community Services Network-Address for HTTP tunneled client
connections" settings:
• Leave the "Host name" field blank. This setting is only used if the
Sametime server machine uses multiple IP addresses or host names.
For more information, see "Configuring HTTP tunneling on a machine
that uses multiple IP addresses" later in this chapter.
• In the "Port number" field, delete port 80 and enter port 85.
5. In the "Meeting Services Network-Address for HTTP tunneled client
connections" settings:
• Leave the "Host name" field blank.
• In the "Port number" field, delete port 80 and enter port 85.
6. Ensure that the "Broadcast Services Network-Enable Web client to try
HTTP tunneling after trying other options" setting is enabled.
7. In the "Broadcast Services Network-Broadcast Gateway address for
HTTP-tunneled client connections" settings:
• Leave the "Host name" field blank.
• In the "Port number" field, delete port 80 and enter port 85.
8. Click Update and restart the server for the change to take effect.
For more detailed information on how the HTTP-tunneling settings function,
see "Explanation of HTTP tunneling settings" later in this chapter.
Connecting to individual services instead of the Community Services
multiplexer
If the Sametime server uses a single IP address, you can configure each
Sametime service so that clients make separate HTTP-tunneled connections
to the individual services instead of connecting to the Community Services
multiplexer and relying on the Community Services multiplexer to forward
the data to the Sametime services.
However, if the Sametime server uses a single IP address, each service must
be assigned a different port number if you want clients to connect to
individual services instead of the Community Services multiplexer. If you
configure the Sametime server in this way, clients cannot make
HTTP-tunneled connections to all services over port 80.
For example, assume you make the following settings in the "Networks and
Ports" tab of the Sametime Administration Tool:
• In the "Community Services Network-Address for HTTP tunneled client
connections-Port number" field, delete port 80 and enter port 1533. In the
"Meeting Services Network-Address for HTTP tunneled client
connections-Port number" field, delete port 80 and enter port 8081.
• In the "Broadcast Services Network-Broadcast Gateway address for
HTTP-tunneled client connections-Port number" field, delete port 80 and
enter port 554.
In this configuration, a Sametime client would make HTTP-tunneled
connections to the Community Services using port 1533, the Meeting
Services using port 8081, and the Broadcast Services using port 554. The
Community Services connections occur to the Community Services
multiplexer. The Meeting Services connections occur to the Meeting Services
and the Broadcast Services connections occur to the Broadcast Services.
Neither the Meeting Services connection nor the Broadcast Services
connection is handled by the Community Services multiplexer.
Note The port settings described above are the default port settings for
HTTP-tunneled connections if the administrator does not allow HTTP
tunneling on port 80 during the Sametime server installation.
If all users in your network environment must use HTTP to access the
Sametime server, but users are not required to access the server via port 80,
the configuration described above might improve server performance by
lessening the connectivity load of the Community Services multiplexer.
Fewer connection sockets are created when clients connect to each service
individually instead of connecting to the Community Services multiplexer
and relying on the multiplexer to forward data to the services.
Explanation of HTTP tunneling settings
The configuration settings that determine whether the HTTP-tunneled
connection occurs to the individual service or the Community Services
multiplexer are:
• Community Services Network-Enable the Meeting Room client to try
HTTP tunneling to the Community Server after trying other options
• Community Services Network-Address for HTTP tunneled client
connections-Host name and Port number
• Meeting Services Network-Enable the Meeting Room client to try HTTP
tunneling to the Meeting Server after trying other options
• Meeting Services Network-Address for HTTP tunneled client
connections-Host name and Port number
• Broadcast Services Network-Enable Web client to try HTTP tunneling
after trying other options
• Broadcast Services Network-Broadcast Gateway address for
HTTP-tunneled client connections-Host name and Port number
For Meeting Room and Broadcast client connectivity, these settings operate
as follows:
• If the "Community Services Network-Enable the Meeting Room client to
try HTTP tunneling to the Community Server after trying other options"
setting is selected, the Meeting Room client can attempt an HTTP-tunneled
connection to the Community Services multiplexer.
The Meeting Room client attempts the connection to the Community
Services multiplexer only when the following settings match:
• The "Host name" and "Port number" settings under "Address for
HTTP tunneled client connections" in the Meeting Services Network
settings.
• The "Host name" and "Port number" settings under "Address for
HTTP tunneled client connections" in the Community Services
Network settings.
Upon receiving the HTTP-tunneling connection request, the Community
Services multiplexer forwards the data to the Meeting Services.
If the "Community Services Network-Enable the Meeting Room client to
try HTTP tunneling to the Community Server after trying other options"
setting is not selected, the Meeting Room client cannot attempt an
HTTP-tunneled connection to the Community Services multiplexer.
• If the "Meeting Services Network-Enable the Meeting Room client to try
HTTP tunneling to the Meeting Server after trying other options" setting
is selected, the Meeting Room client can attempt an HTTP-tunneled
connection to the Meeting Services (instead of the Community Services
multiplexer).
The primary purpose of this setting is to enable Meeting Room clients to
make the HTTP-tunneled connection to the Meeting Services without
requiring the clients to access the Meeting Services through the
Community Services multiplexer. Connecting to the Meeting Services
without using the Community Services multiplexer might improve
server performance.
The Meeting Room client attempts the connection to the Meeting
Services only when the "Meeting Services Network-Address for HTTP
tunneled client connections-Host name and Port number" settings do not
match the "Community Services Network Address for HTTP tunneled
client connections-Host name and Port number" settings.
If the "Meeting Services Network-Enable the Meeting Room client to try
HTTP tunneling to the Meeting Server after trying other options" setting
is not selected, the Meeting Room client cannot attempt an
HTTP-tunneled connection to the Meeting Services.
• If the "Broadcast Services Network-Enable Web client to try HTTP
tunneling after trying other options" setting is selected, the Broadcast
client can attempt an HTTP-tunneled connection to either the
Community Services multiplexer or the Broadcast Services.
The Broadcast client attempts the connection to the Community Services
multiplexer only when the "Broadcast Services Network-Broadcast
Gateway address for HTTP-tunneled client connections-Host name and
Port number" settings match the "Community Services Network Address
for HTTP tunneled client connections-Host name and Port number"
settings.
The Broadcast client attempts the connection to the Broadcast Services
only when the "Broadcast Services Network-Broadcast Gateway address
for HTTP-tunneled client connections-Host name and Port number"
settings do not match the "Community Services Network Address for
HTTP tunneled client connections-Host name and Port number" settings.
Connecting to the Broadcast Services without using the Community
Services multiplexer might improve server performance.
If the "Broadcast Services Network-Enable Web client to try HTTP
tunneling after trying other options" setting is not selected, the Broadcast
client cannot attempt an HTTP-tunneled connection to either the
Community Services multiplexer or the Broadcast Services.
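The matching rules above, together with the single-IP port layouts from "Connecting to individual services instead of the Community Services multiplexer" and the port-80 conflict with the Domino HTTP server noted in "Allowing HTTP tunneling on port 80 after the server installation", can be checked with a small resolver. This is an added example and not Lotus code; the TunnelSettings field names are this example's abbreviations of the Administration Tool settings, and treating a blank host name as the server's primary address is this example's assumption.

```python
"""Resolver for the Sametime 3.1 HTTP-tunneling settings.

Added illustration, not Lotus code. A Meeting Room or Broadcast client
tunnels to the Community Services multiplexer only when its own service's
"Address for HTTP tunneled client connections" (host name and port) matches
the Community Services address; otherwise it tunnels to the service itself,
and only if that service's "Enable ... HTTP tunneling" setting is selected.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TunnelSettings:
    # "Enable ... to try HTTP tunneling ... after trying other options" check boxes
    community_enabled: bool
    meeting_enabled: bool
    broadcast_enabled: bool
    # "Address for HTTP tunneled client connections" host name / port per service.
    # A blank host name is assumed here to mean the server's primary address.
    community_host: str
    community_port: int
    meeting_host: str
    meeting_port: int
    broadcast_host: str
    broadcast_port: int
    # Host name and port the Domino HTTP server is bound to.
    domino_host: str = ""
    domino_http_port: int = 80


def _same_address(host_a: str, port_a: int, host_b: str, port_b: int) -> bool:
    """Two settings 'match' when host name (case-insensitive) and port are equal."""
    return host_a.strip().lower() == host_b.strip().lower() and port_a == port_b


def resolve_targets(s: TunnelSettings) -> Dict[str, Optional[str]]:
    """Where each HTTP-tunneled connection goes: "multiplexer", the individual
    service, or None when the client cannot attempt a tunneled connection."""
    targets: Dict[str, Optional[str]] = {}

    # Community Services data always goes to the multiplexer, if tunneling is enabled.
    targets["meeting_room:community"] = "multiplexer" if s.community_enabled else None

    # Meeting Services data: multiplexer when the addresses match, else the service.
    if _same_address(s.meeting_host, s.meeting_port, s.community_host, s.community_port):
        targets["meeting_room:meeting"] = "multiplexer" if s.community_enabled else None
    else:
        targets["meeting_room:meeting"] = "meeting_services" if s.meeting_enabled else None

    # Broadcast client: same rule, governed by the Broadcast "Enable Web client" setting.
    if not s.broadcast_enabled:
        targets["broadcast"] = None
    elif _same_address(s.broadcast_host, s.broadcast_port, s.community_host, s.community_port):
        targets["broadcast"] = "multiplexer"
    else:
        targets["broadcast"] = "broadcast_services"
    return targets


def check_port_conflicts(s: TunnelSettings) -> List[str]:
    """Flag a tunneling address that collides with the Domino HTTP server's
    address (the reason step 7 of the single-IP procedure moves Domino off port 80)."""
    problems = []
    for name, host, port in (("Community Services", s.community_host, s.community_port),
                             ("Meeting Services", s.meeting_host, s.meeting_port),
                             ("Broadcast Services", s.broadcast_host, s.broadcast_port)):
        if _same_address(host, port, s.domino_host, s.domino_http_port):
            problems.append(f"{name} tunneling on port {port} collides with the Domino HTTP server")
    return problems


if __name__ == "__main__":
    # Single IP address, everything tunneled on port 80, Domino left on port 80:
    all_80 = TunnelSettings(True, True, True, "", 80, "", 80, "", 80)
    print(resolve_targets(all_80))
    print(check_port_conflicts(all_80))
```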
For Sametime Connect client connectivity, note the following:
• The Sametime Connect client attempts (or does not attempt)
HTTP-tunneled connections based on the Sametime Connectivity
settings in the Sametime Connect client. You cannot enable or disable
HTTP-tunneling functionality for the Sametime Connect client from the
Configuration-Connectivity-"Networks and Ports" tab of the Sametime
Administration Tool. For more information, see the following topics
earlier in this chapter:
• "Basic Sametime Connect client connection process"
• "Sametime Connect client connection processes using the Web
browser or Java Plug-in connectivity settings"
• The "Community Port" setting in the Sametime Connect client must
match the port setting in the Community Services Network settings on
the Sametime server for the connection to be successful. For more
information, see the following topics earlier in this chapter:
• "Basic Sametime Connect client connection process"
• "Sametime Connect client connection processes using the Web
browser or Java Plug-in connectivity settings"
• There are compatibility issues with the Sametime Connect 2.5 and
Sametime Connect 3.1 clients when connecting to servers configured to
support HTTP tunneling on port 80. For more information, see
"Sametime Connect client 2.5 and 3.1 compatibility issues with HTTP
tunneling on port 80" later in this chapter.
Configuring HTTP tunneling on a server that uses multiple IP
addresses
Assigning multiple IP addresses to support HTTP tunneling on port 80 is an
optional procedure the administrator can perform to improve the I/O
performance of the Sametime server. Lotus software recommends this
approach if a large number of users connect to your Sametime server using
HTTP tunneling over port 80.
The administrator has the option of assigning a separate IP address to each
of the Sametime services. In this configuration, the Community Services,
Meeting Services, and Broadcast Services are bound to separate IP addresses
and each service listens as a separate entity for HTTP connections on port 80.
This configuration might result in more efficient I/O performance on the
server but requires the administrator to perform the configuration
procedures described below.
Note Unlike previous releases of Sametime, the Sametime 3.1 server can be
configured to support TCP tunneling of audio/video streams on port 80. The
procedures in this section are focused primarily on setting up HTTP
tunneling on port 80 for the Community Services, Meeting Services, and
Audio/Video Services. However, if you want to set up both HTTP tunneling
of Community Services, Meeting Services, and Broadcast Services data and
TCP tunneling of Audio/Video Services streams, notes have been added to
the procedures in this section that explain all additional procedures needed
to set up TCP tunneling of audio/video streams on port 80. For more
detailed information about TCP tunneling of audio/video streams, see "TCP
tunneling of interactive audio/video streams on port 80" later in this chapter.
Configuration procedures required
To assign multiple IP addresses to support HTTP tunneling on port 80, the
administrator must perform the procedures listed below. Each procedure is
described separately.
1. Use the Sametime Administration Tool to bind the base DNS name for
the Sametime server to the Sametime HTTP server.
2. Add three new IP addresses to the Sametime server machine.
3. Set up your DNS server to map the new IP addresses to required DNS
names.
4. Configure the HTTP-tunneling settings in the Sametime Administration
Tool.
Bind the base DNS name for the Sametime server to the Sametime
HTTP server
This procedure is the first of four required when using multiple IP addresses
to support HTTP tunneling over port 80.
In this procedure, you use the Sametime Administration Tool to bind the
Sametime HTTP server to the base DNS name currently used for the
Sametime server. Before performing this procedure, ensure that your DNS
server already has one DNS name mapped to the IP address of the Sametime
server machine (for example, www.sametime1.com). To bind the base DNS
name for the Sametime server to the Sametime HTTP server:
1. From the Sametime server home page, select "Administer the server" to
open the Sametime Administration Tool.
2. Select Configuration.
3. Select Connectivity.
4. Select "Networks and Ports."
5. Select "Configure HTTP services on a Web page in its own window." The
HTTP section of the Server document in the Domino Directory opens
and displays in a separate window on the computer.
6. Under the Basics heading in the "Host name" field, enter the base DNS
name for the Sametime HTTP server (for example,
www.sametime1.com).
In the "Host name" field, also enter 127.0.0.1. This entry is required for
the Sametime Administration Tool to operate in this configuration. Place
a comma between the DNS name of the HTTP server and the 127.0.0.1
entry (for example: www.sametime1.com, 127.0.0.1).
7. In the "Bind to Host name" field, select Enabled.
8. Click "Save & Close." (This button is located at the top of the Server
document.) When the document closes, the Server - Servers view of the
Domino Directory displays in the window.
9. Close the window displaying the Server - Servers view of the Domino
Directory.
Next, add three new IP addresses to the Sametime server machine.
Add three new IP addresses to the Sametime server machine
This procedure is the second of four required when using multiple IP
addresses to support HTTP-tunneling over port 80.
To ensure that each Sametime service has its own IP address, the Sametime
server machine requires four IP addresses. One IP address was mapped to
the base DNS name in the previous procedure. You must add three
additional IP addresses to the Sametime server machine so that the
Community Services, Meeting Services, and Broadcast Services can be
associated with individual IP addresses.
Note If you also want to support TCP tunneling of audio/video streams on
port 80, you must add one more IP address. In this scenario, the Sametime
server requires five IP addresses because the Audio/Video Services must
also be associated with an individual IP address.
To add additional IP addresses to the Sametime server, you can either add
additional Network Interface Cards (NICs) to the Sametime server machine
or assign multiple IP addresses to a single NIC.
Adding additional NICs
You can add three new NIC cards (one each for Community Services,
Meeting Services, and Broadcast Services) and assign an IP address to each
NIC. The computer's I/O might operate more efficiently if you add a
separate NIC for each of the services.
Note If you want to support TCP tunneling of audio/video streams on port
80, add a fourth NIC to support the Audio/Video Services and assign an IP
address to the NIC.
Chapter 5: Configuring Ports and Network Connectivity 281
Assigning multiple IP addresses to a single NIC
To assign multiple IP addresses to a single NIC on a Windows machine:
1. On the Windows desktop, right-click on "My Network Places" and select
"Properties."
2. Right click on the "Local Area Connection" icon to which you would add
the IP address. Select Properties.
3. In the "Local Area Connection Properties" dialog ensure the "General"
tab is selected.
• In the "This connection uses the following items:" area, select "Internet
Protocol (TCP/IP)."
• Select the "Properties" button.
4. In the "Internet Protocol (TCP/IP) Properties" dialog box, select "Use the
following IP address" and enter the primary (currently assigned) IP
address of the system in the "IP address:" field.
5. Click the "Advanced" button in the lower-right corner of the "Internet
Protocol (TCP/IP) Properties" dialog box.
6. In the "Advanced TCP/IP Settings" dialog ensure the "IP Settings" tab is
selected.
7. In the "IP Settings" section of the "IP Settings" tab, click the Add button.
8. In the "TCP/IP Address" dialog, enter the IP address and Subnet mask
settings and click Add.
9. At this point, the new IP address is added. If necessary, use the "Default
gateways" section of the "Advanced TCP/IP Settings" dialog to add a
new gateway for the system.
Next, set up your DNS server to map the IP addresses to required DNS
names.
Set up your DNS server to map the IP addresses to required DNS
names
This procedure is the third of four required when using multiple IP
addresses to support HTTP-tunneling over port 80.
After you have added three new IP addresses to the Sametime server
machine, set up your DNS server to map the three new IP addresses to the
following DNS names, where xxx.xxx.xxx is the base DNS name that is
bound to the Sametime HTTP server:
• community-xxx.xxx.xxx
• meeting-xxx.xxx.xxx
• broadcast-xxx.xxx.xxx
For example, if the base DNS name to which you have bound the Sametime
HTTP server is www.sametime1.com, map the three new IP addresses to the
following names:
• community-www.sametime1.com
• meeting-www.sametime1.com
• broadcast-www.sametime1.com
The Community Server prepends "community-" to the base DNS name of the
server to provide the Community Server with a unique DNS name. The
Community Server multiplexer listens on port 80 for connections to the
Community Services on this name. This name is passed from the server to
the client when the client attends a meeting.
The Meeting Server prepends "meeting-" to the base DNS name of the server
to provide the Meeting Server with a unique DNS name. The Meeting Server
listens on port 80 for connections on this name.
The Broadcast server prepends "broadcast-" to the base DNS name and
listens on port 80 for connections on this name.
Note If you want to support TCP tunneling of audio/video streams on port
80, you must also map the IP address associated with the Audio/Video
Services to a DNS name. The DNS name that you associate with the IP
address of the Audio/Video Services is at your discretion. It is not necessary
to adhere to any specific naming convention for the Audio/Video Services
DNS name. In this example, we assume you map the DNS name
"av-www.sametime1.com" to the Audio/Video Services.
Next, configure the HTTP tunneling settings in the Sametime Administration
Tool.
Configure the HTTP-tunneling settings in the Sametime Administration
Tool
This procedure is the last of four required when using multiple IP addresses
to support HTTP tunneling over port 80.
In this procedure, you use the Sametime Administration Tool to bind the
Community Services, Meeting Services, and Broadcast Services to the DNS
names that were mapped to the three new IP addresses in the previous
procedure.
1. From the Sametime server home page, select "Administer the server" to
open the Sametime Administration Tool.
2. Select Configuration.
3. Select Connectivity.
4. Select "Networks and Ports."
5. In the Community Services Network settings, make the following
settings:
• Ensure the "Enable Web client to try HTTP-tunneling after trying
other options" setting is selected.
• In the "Address for HTTP tunneled client connections-Host name"
setting, enter the Community Services DNS name that you mapped to
an IP address in the previous procedure. The Community Services
DNS name has the format community-xxx.xxx.xxx, where xxx.xxx.xxx
is the DNS name that is bound to the HTTP server (for example,
community-www.sametime1.com).
• In the "Address for HTTP tunneled client connections-Port number"
setting, enter 80 if it is not already listed.
6. In the Meeting Services Network settings, make the following settings:
• Ensure the "Enable Web client to try HTTP-tunneling after trying
other options" setting is selected.
• In the "Address for HTTP tunneled client connections-Host name"
setting, enter the Meeting Services DNS name that you mapped to an
IP address in the previous procedure. The Meeting Services DNS
name has the format meeting-xxx.xxx.xxx, where xxx.xxx.xxx is the
DNS name that is bound to the HTTP server (for example,
meeting-www.sametime1.com).
• In the "Address for HTTP tunneled client connections-Port number"
setting, enter 80 if it is not already listed.
7. In the Broadcast Services Network settings, select the following settings:
• Ensure the "Enable Web client to try HTTP-tunneling after trying
other options" setting is selected.
• In the "Broadcast Gateway address for HTTP-tunneled client
connections-Host name" setting, enter the Broadcast Services DNS
name that you mapped to an IP address in the previous procedure.
The Broadcast Services DNS name has the format
broadcast-xxx.xxx.xxx, where xxx.xxx.xxx is the DNS name that is
bound to the HTTP server (for example,
broadcast-www.sametime1.com).
• In the "Broadcast Gateway address for HTTP-tunneled client
connections-Port number" setting, enter 80 if it is not already listed.
8. Click Update, and then restart the Sametime server for the changes to
take effect.
Additional configurations required for Sametime on IBM iSeries servers
When configuring a Sametime server to use multiple IP addresses to support
HTTP tunneling over port 80 on an IBM iSeries server, you must perform
these additional configurations:
• In the Community Services Network settings of the Sametime
Administration Tool, you must also enter the Community Services DNS
name in the "Address for Client Connections-Host Name" field.
Following the examples provided above, you must enter
community-www.sametime1.com in the "Address for Client
Connections-Host Name" field.
• Each user of the Sametime Connect for the desktop client must configure
the client to connect to the Community Services DNS name (for example,
community-www.sametime1.com).
Additional configurations required to support TCP tunneling of
audio/video streams on port 80
If you want to support the TCP tunneling of audio/video streams on port 80,
you must use the Sametime Administration Tool to perform these additional
configurations:
1. In the Configuration-Connectivity-Networks and Ports tab of the
Sametime Administration Tool, configure the Audio/Video Network
settings as follows:
• In the "TCP tunneling address for client connections-Host name"
setting, enter the DNS name for the Audio/Video Services
(av-www.sametime1.com in this example).
• In the "TCP tunneling address for client connections-Port number"
setting, delete the port 8084 entry and enter 80.
2. In the Configuration-Audio/Video-Connection Speed Settings tab of the
Sametime Administration Tool, configure the settings as follows:
a. In the drop-down list immediately below the "Audio/Video and
Broadcast Connection Speeds" heading, select the "Meetings with
modem users" setting.
For "Audio bit rate," select 6.3 Kbps
For "Video bit rate," select 16 Kbps
For "Screen sharing and whiteboard bit rate for broadcast meeting
only," select 16 Kbps
b. In the drop-down list immediately below the "Audio/Video and
Broadcast Connection Speeds" heading, select the "Meetings with
LAN/WAN users" setting.
For "Audio bit rate," select 6.3 Kbps
For "Video bit rate," select 16 Kbps
For "Screen sharing and whiteboard bit rate for broadcast meeting
only," select 16 Kbps
Note To support TCP tunneling of audio/video streams, the lowest
possible bit rates must be selected for the streaming data to ensure
acceptable performance for the end users. For more information, see
"TCP tunneling of interactive audio/video streams on port 80" later in
this chapter.
Notes about client connection processes using HTTP tunneling on port
80
Administrators should be aware of the following issues concerning clients
that connect to the Sametime server using HTTP-tunneled connections.
These issues apply regardless of whether the server uses a single IP address
or multiple IP addresses to support the HTTP-tunneling functionality.
• Clients that do not operate behind restrictive firewalls can still make
direct TCP/IP connections to Sametime services on the Meeting Services
Network-Address for client connections-Port number (default 8081),
Community Services Network-Address for client connections-Port
number (default 1533), and Broadcast Services Network-Broadcast
gateway address for client connections-Port number (default 554). Direct
TCP/IP connections operate more efficiently than HTTP-tunneled
connections, and clients automatically attempt these connections before
attempting HTTP-tunneled connections. Only clients that cannot
establish direct TCP/IP connections will attempt the HTTP-tunneled
connection. For more information about client connection processes, see
"Sametime Connect client connection processes" earlier in this chapter
and "Meeting Room and Broadcast client connection processes" earlier in
this chapter.
• A Sametime Connect client that operates behind a firewall that only
allows outbound connections on port 80 can connect to the Community
Services using HTTP over port 80. The following configurations are
required in the Sametime Connect client Sametime Connectivity settings
for the connection to succeed:
• Change the "Community port" setting to port 80.
• If the client does not access the Internet through an HTTP proxy,
select "Direct connection using HTTP protocol" for the Connection
type.
• If the client accesses the Internet through an HTTP proxy server,
select "Use proxy" as the Connection type. For proxy type, select "Use
HTTP proxy" and specify the DNS name or IP address of the HTTP
proxy and the port on which to connect to the proxy.
Note You can also select "Use my Internet Explorer HTTP settings,"
"Use my Internet Explorer Web browser settings," or "Use my Java
Plug-in settings" to establish connections to the Community Services
through HTTP tunneling on port 80. If you select one of these settings,
you must also ensure that the "Community port" setting in the Sametime
Connectivity settings is set to port 80. For more information, see
"Sametime Connect client connection processes using the Web browser
or Java Plug-in connectivity settings" earlier in this chapter.
• No end-user configuration is required to connect to
the Sametime server using the Sametime Meeting Room or Sametime
Broadcast clients. These clients receive all connection information from
the server dynamically when a user attends a meeting.
Sametime Connect client 2.5 and 3.1 compatibility issues with HTTP
tunneling on port 80
A Sametime 2.5 server does not support HTTP tunneling on port 80 when
using a single IP address. With Sametime 2.5, HTTP tunneling on port 80 is
supported only if the administrator assigned multiple IP addresses to the
Sametime server.
A Sametime 3.1 server supports HTTP tunneling on port 80 when using a
single IP address. This difference in HTTP tunneling support creates some
compatibility issues regarding Sametime Connect client connectivity in the
following scenarios:
• A Sametime 2.5 Connect client connecting to a Sametime 3.1 server
configured to support HTTP tunneling on port 80 using a single IP
address.
• A Sametime 3.1 Connect client connecting to a Sametime 2.5 server
configured to support HTTP tunneling on port 80.
These compatibility issues are discussed below.
Note For information about connectivity issues that occur when a Sametime
Connect client attempts connections on port 443 or 563 to a Sametime server,
see the "Things you need to know" section of the Sametime 3.1 Release Notes
(strn31.nsf or strn31.pdf on the Sametime CD).
Sametime 2.5 Connect clients connecting to a Sametime 3.1 server
configured to support HTTP tunneling on a single IP address
The Sametime 2.5 Connect client is designed to connect using HTTP
tunneling on port 80 to a server that uses multiple IP addresses.
When a Sametime 2.5 server is configured to listen for HTTP-tunneled client
connections on port 80, the server listens for Community Services
connections on the server name "Community-hostname." For example, if
your Sametime 2.5 server is named sametimeserver.acme.com, the server
listens for HTTP-tunneled Community Services connections on the name
"Community-sametimeserver.acme.com."
Note On a Sametime server that listens for HTTP-tunneled connections on
multiple IP addresses, the Meeting Services listen for HTTP-tunneled
connections on the server name "Meeting-hostname," the Broadcast Services
listen for HTTP-tunneled connections on the server name
"Broadcast-hostname," and the Community Services listen for
HTTP-tunneled connections on the server name "Community-hostname."
Each of these host names is associated with a separate IP address. This
configuration is described in "Configuring HTTP tunneling on a server
that uses multiple IP addresses" earlier in this chapter.
When the Sametime 2.5 Connect client starts, the client connects to the
Sametime server that is specified in the "Host" field of the Sametime Connect
client Sametime Connectivity tab.
If port 80 is entered in the "Community port" field of the Sametime 2.5
Connect client Sametime Connectivity tab, the client automatically prepends
the string "Community-" to the host name specified in the "Host" field of the
Sametime Connect client Sametime Connectivity tab.
For example, if the host name "sametimeserver.acme.com" is specified in the
"Host" field and port 80 is specified in the "Community port" field of the
Sametime Connect client Sametime Connectivity tab, the Sametime 2.5
Connect client attempts an HTTP-tunneled connection to the
"Community-sametimeserver.acme.com" host name. The prepending of the
"Community-" string to the host name is hard-coded in the client and cannot
be changed or deleted by the administrator.
When a Sametime 3.1 server is configured to listen for HTTP-tunneled
connections on port 80 on a single IP address, the Sametime 3.1 server listens
for all HTTP-tunneled connections on a single DNS name. For example, the
Sametime 3.1 server might listen for the HTTP-tunneled connections on port
80 on the "sametimeserver.acme.com" host name.
Note The Community Services multiplexer on a Sametime 3.1 server is
designed to listen for all HTTP-tunneled Community Services, Meeting
Services, and Broadcast Services connections on a single DNS name
(associated with a single IP address). The Community Services multiplexer
accepts the connection for each service, makes an intraserver connection to
the service, and forwards the data to the service.
As a result, when port 80 is specified in the "Community port" setting in the
Sametime 2.5 Connect client, the client attempts a Community Services
connection to the host name "Community-sametimeserver.acme.com," while
a Sametime 3.1 server listens for this connection on the host name
"sametimeserver.acme.com." As the client attempts the connection to a
different host name than the server listens on, the connection cannot succeed.
If your Sametime community includes Sametime 2.5 Connect clients, and
these clients must connect to a Sametime 3.1 server configured to listen for
HTTP-tunneled client connections on a single IP address, the administrator
can perform the following configurations to enable the Sametime 2.5
Connect client to connect to the Sametime 3.1 server:
1. Add the name "Community-hostname"
("Community-sametimeserver.acme.com" in the example) to the DNS
server and associate "Community-sametimeserver.acme.com" to the
same IP address as the sametimeserver.acme.com server name. This
configuration ensures that both the
"Community-sametimeserver.acme.com" and
"sametimeserver.acme.com" server address resolve to the IP address of
the Sametime server.
2. Open the Sametime Administration Tool on the Sametime 3.1 server. In
the Sametime Administration Tool:
a. Select Configuration-Connectivity.
b. In the Community Services Network-Address for HTTP-tunneled
client connections-Host Name field, make sure that both of these
host names are entered:
• Community-host name (Community-sametimeserver.acme.com in the
example.)
• Host name (Sametimeserver.acme.com in the example.)
Note: Separate multiple entries in the Host Name field with a comma.
For example, enter community-sametimeserver.acme.com,
sametimeserver.acme.com.
c. Ensure that the Community Services Network-Address for
HTTP-tunneled client connections-Port Number setting specifies
port 80.
Configuring the Sametime 3.1 server in this way ensures that Sametime 2.5
Connect clients can make HTTP-tunneled connections on port 80 to the
Sametime 3.1 server. The Sametime 2.5 Connect clients must also specify
port 80 in the "Community port" setting of the Sametime Connect client
Sametime Connectivity tab when making these connections.
Sametime 3.1 Connect client connecting to a Sametime 2.5 server
configured to support HTTP tunneling on port 80
The following compatibility issue can occur if a Sametime 3.1 client attempts
an HTTP-tunneled connection to a Sametime 2.5 server on port 80.
When a Sametime 2.5 server is configured to listen for connections on port
80, the server listens for Community Service connections on the server name
"Community-hostname."
If the "Host" field in the Sametime Connectivity tab of a Sametime 3.1
Connect client specifies a Sametime 2.5 server, and the "Community port"
setting of the Sametime 3.1 Connect client specifies port 80, the Sametime 3.1
client will attempt a connection to a Sametime 2.5 server on port 80.
When the Sametime 3.1 Connect client attempts this connection to the
Sametime 2.5 server, the Sametime 3.1 Connect client attempts the
connection to the host name specified in the "Host" field of the Sametime
Connectivity tab. Unlike the Sametime 2.5 Connect client, the Sametime 3.1
Connect client does not prepend "Community-" to the host name specified in
the "Host" field of the Sametime Connectivity tab when attempting
connections on port 80.
For example, if the "Host" field of a Sametime 3.1 Connect client specifies
"sametimeserver.acme.com," the Sametime 3.1 Connect client attempts the
connection to the "sametimeserver.acme.com" host name. A Sametime 2.5
server listens for this connection on the
"Community-sametimeserver.acme.com" address. Since the client and server
specify different host names for this connection, the connection cannot
succeed.
In this scenario, the user of the Sametime 3.1 Connect client must enter the
host name "Community-sametimeserver.acme.com" in the "Host" field of the
Sametime 3.1 Connect client Sametime Connectivity tab to connect to the
Sametime 2.5 server.
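The two compatibility cases above come down to which host name the client dials versus which names the server listens on. The following script is an added example (not code from the Sametime product or this guide) that models that: the 2.5 client's hard-coded "Community-" prefix, the 3.1 client's literal use of the "Host" field, the names each server version listens on, and the DNS alias plus extra Host name entries that make the 2.5-client case work. The function names, the `DNS_BEFORE`/`DNS_AFTER` tables and the 192.0.2.x address are constructed for the example; the host name is the one used in the text.

```python
# Added example, not from the Sametime documentation.  Models which
# Community Services host name each Sametime Connect client version dials
# when "Community port" is 80, and which names each server configuration
# listens on, so the 2.5/3.1 pairings can be checked before users hit them.
# The DNS tables below are constructed stand-ins for a real DNS server.


def client_target(client_version, host_field, community_port):
    """Host name a Sametime Connect client dials for Community Services.

    The 2.5 client hard-codes the "Community-" prefix whenever the community
    port is 80; the 3.1 client dials exactly what is in the "Host" field.
    """
    if client_version == "2.5" and community_port == 80:
        return "Community-" + host_field
    return host_field


def server_listen_names(server_version, hostname, multi_ip=False,
                        extra_http_names=()):
    """Names on which the server accepts HTTP-tunneled Community Services
    connections on port 80.

    A 2.5 server, and a 3.1 server laid out with one IP per service, listen
    on "Community-" + hostname.  A single-IP 3.1 server listens on the base
    name plus whatever else the administrator entered in the "Address for
    HTTP-tunneled client connections-Host name" field (extra_http_names).
    """
    if server_version == "2.5" or multi_ip:
        names = {"Community-" + hostname}
    else:
        names = {hostname}
    return names | set(extra_http_names)


def can_connect(target, listen_names, dns):
    """Return (ok, reason).  DNS names are case-insensitive, so fold case."""
    t = target.lower()
    if t not in {n.lower() for n in dns}:
        return False, f"{target} has no DNS record"
    if t not in {n.lower() for n in listen_names}:
        return False, f"server does not listen on {target}"
    return True, "ok"


HOST = "sametimeserver.acme.com"

# Constructed DNS: before and after the administrator adds the alias.
DNS_BEFORE = {HOST: "192.0.2.10"}
DNS_AFTER = {HOST: "192.0.2.10", "Community-" + HOST: "192.0.2.10"}


def scenarios():
    """The pairings from the text, each as (label, ok, reason)."""
    out = []
    # 2.5 client -> single-IP 3.1 server, default configuration: name mismatch.
    ok, why = can_connect(client_target("2.5", HOST, 80),
                          server_listen_names("3.1", HOST), DNS_BEFORE)
    out.append(("2.5 client -> 3.1 single-IP server (default)", ok, why))
    # Same pairing after the fix: DNS alias plus both names in the field.
    ok, why = can_connect(client_target("2.5", HOST, 80),
                          server_listen_names("3.1", HOST,
                                              extra_http_names=["Community-" + HOST]),
                          DNS_AFTER)
    out.append(("2.5 client -> 3.1 single-IP server (fixed)", ok, why))
    # 3.1 client -> 2.5 server with the bare host name in the "Host" field.
    ok, why = can_connect(client_target("3.1", HOST, 80),
                          server_listen_names("2.5", HOST), DNS_AFTER)
    out.append(("3.1 client -> 2.5 server (bare host)", ok, why))
    # 3.1 client -> 2.5 server once the user types the Community- name.
    ok, why = can_connect(client_target("3.1", "Community-" + HOST, 80),
                          server_listen_names("2.5", HOST), DNS_AFTER)
    out.append(("3.1 client -> 2.5 server (Community- host)", ok, why))
    return out


if __name__ == "__main__":
    for label, ok, why in scenarios():
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {why}")
```

Note that the first scenario fails twice over: the name the 2.5 client dials has no DNS record, and even once it resolves, the single-IP server does not list it. Both halves of the fix in the text (the DNS alias and the extra entry in the Host name field) are therefore needed.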
TCP tunneling of interactive audio/video streams on port 80
The information in this section assumes the reader is familiar with the HTTP
tunneling functionality supported by the Sametime server. If you are not
familiar with the Sametime HTTP-tunneling functionality, see "About HTTP
tunneling" earlier in this chapter.
During a Sametime server installation, a Sametime 3.1 server can be
configured to support HTTP-tunneling on port 80 for Community Services,
Meeting Services, and Broadcast Services data. This configuration enables all
meeting activity supported by these services to transmit between a Sametime
client and the Sametime server using HTTP over port 80.
When a Sametime server is configured to support HTTP tunneling on port 80
for the Community Services, Meeting Services, and Broadcast Services data,
the administrator can also configure the Sametime server to support TCP
tunneling of interactive audio/video streams on port 80.
Configuring a Sametime server in this way enables a Meeting Room client
that connects to the Sametime server using HTTP tunneling on port 80 to
also receive interactive audio/video streams over a TCP/IP connection on
port 80.
Note In previous Sametime releases, Meeting Room clients that connected
to the Sametime server using HTTP tunneling could not receive the
interactive audio and video streams. This limitation prevented these clients
from participating in interactive audio/video meetings. With Sametime 3.1,
the TCP tunneling of interactive audio/video streams enables a client that
can access the Sametime server only over port 80 to participate in the full
range of meeting activities supported by Sametime, including interactive
audio and video.
This section includes the following topics pertaining to TCP tunneling of
interactive audio/video streams on port 80:
• Issues associated with TCP tunneling of interactive audio/video streams
- The administrator should be familiar with these issues before enabling
TCP tunneling of audio/video streams on port 80.
• Enabling TCP tunneling of interactive audio/video streams on port 80 -
This topic includes the step-by-step instructions for enabling TCP
tunneling of audio/video streams.
Issues associated with TCP tunneling of interactive audio/video
streams
Before enabling TCP tunneling of interactive audio/video streams on port
80, the administrator should be aware of the following issues associated with
using TCP connections to transmit interactive audio/video streams:
• A Sametime server can also transmit the audio and video streams using
RTP over UDP. Using UDP to transmit audio/video streams consumes
less network bandwidth and is more efficient than TCP. Also, additional
processing is required at the server to handle TCP connections. TCP
tunneling of the audio/video streams does not scale as well as
transmitting audio/video streams using UDP.
If it is possible to configure the network environment to support the
transmission of audio/video streams between client and server using
UDP, you should do so. Use TCP tunneling only when transmitting
audio/video streams over UDP is not possible.
Note To understand the client connection process that determines
whether audio/video streams are transmitted via UDP or TCP, see
either "Meeting Room client connection process using the Microsoft VM
(Audio/Video Services)" earlier in this chapter or "Meeting Room client
connection process using JVM 1.4.1 (Audio/Video Services)" earlier in
this chapter.
• Audio and video latency (or delay) increases when tunneling audio and
video streams over TCP. (Latency refers to the amount of time that
elapses from the time a sender transmits data until this data arrives at
the receiver.)
• The lowest bandwidth audio and video codecs must be used to
compress the audio and video streams to get reasonable performance for
end users.
• If a user must communicate with the Sametime server through a firewall
that allows only HTTP on port 80 (that is, one that inspects the
application protocol rather than filtering by port alone), the user will
be unable to receive the interactive audio/video streams from the
Sametime server on port 80. The firewall must be configured so that both
HTTP and raw TCP data can pass through the firewall on port 80.
• TCP tunneling of audio/video streams through an HTTP proxy server is
not possible. A Sametime Meeting Room client that establishes an
HTTP-tunneled audio/video call control connection to the Sametime
server through an HTTP proxy server cannot participate in an interactive
audio/video meeting.
To receive the TCP-tunneled interactive audio and video streams, the
HTTP-tunneled audio/video call control connection must be established
either:
• Directly between the client and the server (the connection is not
routed through any type of proxy server)
• Through a SOCKS proxy server.
For detailed information about the audio/video call control connection
and the way in which the Meeting Room client establishes connections
with the Audio/Video Services, see either "Meeting Room client
connection process using the Microsoft VM (Audio/Video Services)"
earlier in this chapter or "Meeting Room client connection process using
JVM 1.4.1 (Audio/Video Services)" earlier in this chapter.
For step-by-step instructions to enable the TCP-tunneling of interactive
audio/video streams on port 80, see "Enabling TCP tunneling of interactive
audio/video streams on port 80" later in this chapter.
Enabling TCP tunneling of interactive audio/video streams on port 80
During the Sametime server installation, the administrator can select an
option to enable HTTP tunneling on port 80 for Community Services,
Meeting Services, and Broadcast Services data. The HTTP tunneling on port
80 option provided during the Sametime server installation enables a
Sametime server to support HTTP tunneling on port 80 for these services on
a single IP address. The instructions in this section assume the administrator
has selected the HTTP tunneling option during the Sametime server
installation, and the Sametime server is currently supporting HTTP
tunneling on port 80 on a single IP address.
Note If you did not enable the HTTP tunneling on port 80 functionality
during the Sametime server installation, you can manually enable it using
the procedures described in "Configuring HTTP-tunneling settings on a
server that uses a single IP address" earlier in this chapter.
If you have enabled the HTTP tunneling on port 80 functionality, you can
follow the steps below to enable TCP tunneling of audio/video streams on
port 80.
1. Add a new IP address to the Sametime server for the Audio/Video
Services.
2. Map the new IP address to a DNS name on your DNS server.
3. Configure the Networks and Ports settings in the Sametime
Administration Tool.
4. Configure the Connection Speed Settings in the Sametime
Administration Tool.
Add a new IP address to the Sametime server for the Audio/Video
Services
This procedure is the first of four required to enable TCP tunneling of
interactive audio/video streams on port 80.
To enable TCP tunneling of interactive audio/video streams on port 80, the
Audio/Video Services must be assigned an individual IP address (separate
from the IP address already assigned to the Sametime server). To make this
possible, you must add an additional IP address to the Network Interface
Card (NIC) on the Sametime server.
Note It is not possible for a Sametime server that uses a single IP address to
support TCP tunneling of interactive audio/video streams on port 80.
Assigning an additional IP address to a single NIC
To assign an additional IP address to a NIC on a Windows machine:
1. On the Windows desktop, right-click on "My Network Places" and select
"Properties."
2. Right click on the "Local Area Connection" icon to which you would add
the IP address. Select Properties.
3. In the "Local Area Connection Properties" dialog ensure the "General"
tab is selected.
• In the "This connection uses the following items:" area, select "Internet
Protocol (TCP/IP)."
• Select the "Properties" button.
4. In the "Internet Protocol (TCP/IP) Properties" dialog box, select "Use the
following IP address" and enter the primary (currently assigned) IP
address of the system in the "IP address:" field.
5. Click the "Advanced" button in the lower-right corner of the "Internet
Protocol (TCP/IP) Properties" dialog box.
6. In the "Advanced TCP/IP Settings" dialog ensure the "IP Settings" tab is
selected.
7. In the "IP Settings" section of the "IP Settings" tab, click the Add button.
8. In the "TCP/IP Address" dialog, enter the IP address and Subnet mask
settings and click Add.
9. At this point, the new IP address is added. If necessary, use the "Default
gateways" section of the "Advanced TCP/IP Settings" dialog to add a
new gateway for the system.
Next, map the new IP address to a DNS name on your DNS server.
Map the new IP address to a DNS name on your DNS server
This procedure is the second of four required to enable TCP tunneling of
interactive audio/video streams on port 80.
After adding the new IP address to the Sametime server, make sure you map
the IP address to a DNS name for the Audio/Video Services on your DNS
server.
The example provided in this documentation assumes that you map the new
IP address to the DNS name "av-sametime.ibm.com."
Next, configure the Networks and Ports settings in the Sametime
Administration Tool.
Configure the Networks and Ports settings in the Sametime
Administration Tool
This procedure is the third of four required to enable TCP tunneling of
interactive audio/video streams on port 80.
In this procedure, you use the Sametime Administration Tool to assign the
new host name (or DNS name) to the Audio/Video Services and specify port
80 as the port to use for TCP-tunneling of the audio/video streams.
In addition, you must also specify a host name for HTTP-tunneled
connections to the Community Services, Meeting Services, and Broadcast
Services in the Networks and Ports tab of the Sametime Administration Tool.
The example provided below assumes the following:
• The primary DNS name assigned to the Sametime server is
sametime.ibm.com
• The DNS name you have added to the Sametime server for the
Audio/Video Services is av-sametime.ibm.com
When a Sametime server is configured to support HTTP tunneling on port 80
on one IP address for the Community Services, Meeting Services, and
Broadcast Services and TCP tunneling on port 80 on a separate IP address
for the Audio/Video Services, you must specify the primary DNS name of
the Sametime server (sametime.ibm.com) as the host name on which the
Community Services, Meeting Services, and Broadcast Services will listen for
HTTP-tunneled connections. You must assign the newly-added DNS name
(av-sametime.ibm.com) to the Audio/Video Services. Follow the instructions
below.
1. From the Sametime Administration Tool, select
Configuration-Connectivity.
2. Select the Networks and Ports tab (if necessary).
3. In the Community Services Network settings, make the following
settings:
• Ensure the "Enable Web client to try HTTP-tunneling after trying
other options" setting is selected.
• In the "Address for HTTP tunneled client connections-Host name"
setting, enter the primary DNS name of the Sametime server
(sametime.ibm.com).
• In the "Address for HTTP tunneled client connections-Port number"
setting, enter 80 if it is not already listed.
4. In the Meeting Services Network settings, make the following settings:
• Ensure the "Enable Web client to try HTTP-tunneling after trying
other options" setting is selected.
• In the "Address for HTTP tunneled client connections-Host name"
setting, enter the primary DNS name of the Sametime server
(sametime.ibm.com).
• In the "Address for HTTP tunneled client connections-Port number"
setting, enter 80 if it is not already listed.
5. In the Broadcast Services Network settings, make the following settings:
• Ensure the "Enable Web client to try HTTP-tunneling after trying
other options" setting is selected.
• In the "Broadcast Gateway address for HTTP tunneled client
connections-Host name" setting, enter the primary DNS name of the
Sametime server (sametime.ibm.com).
• In the "Broadcast Gateway address for HTTP tunneled client
connections-Port number" setting, enter 80 if it is not already listed.
6. In the Interactive Audio/Video Network settings, make the following
settings:
• In the "TCP tunneling address for client connections-Host name"
setting, enter the DNS name for the Audio/Video Services
(av-sametime.ibm.com).
• In the "TCP tunneling address for client connections-Port number"
setting, delete the port 8084 entry and enter 80.
7. Click Update.
8. Leave the Sametime Administration Tool open. You must use the
Sametime Administration Tool in the next procedure.
Additional configurations required for Sametime on IBM iSeries servers
To enable TCP tunneling of audio/video streams over port 80 on an IBM
iSeries server, you must perform these additional configurations:
In the Community Services Network settings of the Sametime
Administration Tool, you must also enter the Sametime server primary DNS
name in the "Address for Client Connections-Host Name" field. Following
the examples provided above, you must enter sametime.ibm.com in the
"Address for Client Connections-Host Name" field.
296 Sametime 3.1 Administrator's Guide
Each user of the Sametime Connect for the desktop client must have the
client configured to connect to the Community Services DNS name (for
example, sametime.ibm.com).
Next
Configure the Audio/Video connection speed settings in the Sametime
Administration Tool.
Configure the Audio/Video connection speed settings in the Sametime
Administration Tool
This procedure is the last of four required to enable TCP tunneling of
interactive audio/video streams on port 80.
In this procedure, you use the Sametime Administration Tool to set the
Audio/Video Connection Speed Settings on the Sametime server to support
the TCP-tunneling of audio/video streams.
To support the TCP-tunneling of audio/video streams, the administrator
must select the lowest possible bit rate settings as the "Audio/Video and
Broadcast Connection Speeds" values to limit the amount of data that
comprises the streams. Limiting the amount of data transmitted in these
streams ensures acceptable performance for the end user.
Notes:
• When the administrator selects a low bit rate setting, the administrator
invokes a low-bandwidth codec to handle the compression of the data
streams. The TCP connection sockets over which the audio and video
streams are tunneled cannot handle the amount of data generated by the
high-bandwidth codecs. Using a high-bandwidth codec to compress the
data stream results in poor performance for the end user.
• The instructions below indicate that you should set the low bit rate
settings for both "Meetings with modem users" and "Meetings with
LAN/WAN users." Setting low bit rate settings for both of these options
prevents end users from accidentally invoking the high-bandwidth
codecs when creating a meeting. For detailed information about the
Connection Speed Settings, see "Connection Speed Settings for
Audio/Video Services" in Chapter 10.
To ensure that the low-bandwidth codecs are used to compress the
streaming data:
1. From the Sametime Administration Tool, select
Configuration-Audio/Video Services-Connection Speed Settings.
2. In the drop-down list immediately below the "Audio/Video and
Broadcast Connection Speeds" heading, select the "Meetings with
modem users" setting.
• For Audio bit rate, select 6.3 Kbps
• For Video bit rate, select 16 Kbps
• For Screen sharing and whiteboard bit rate for broadcast meeting
only, select 16 Kbps
3. In the drop-down list immediately below the "Audio/Video and
Broadcast Connection Speeds" heading, select the "Meetings with
LAN/WAN users" setting.
• For Audio bit rate, select 6.3 Kbps
• For Video bit rate, select 16 Kbps
• For Screen sharing and whiteboard bit rate for broadcast meeting
only, select 16 Kbps
4. Click Update and restart the server for the change to take effect.
Note This concludes the procedure required to enable TCP tunneling of
interactive audio/video streams on port 80. Note also that in some cases you
can improve the audio/video performance by adjusting the "Audio/Video
jitter buffer" setting available from the Configuration-Audio/Video
Services-Connection Speed Settings tab of the Sametime Administration
Tool. The optimal value for this setting depends on the characteristics of the
network on which Sametime is deployed. You should experiment with
settings that fall in the 100 to 500 millisecond range to find the optimal value
for this setting in your environment. For more information, see
"Audio/Video jitter buffer" in Chapter 10.
Assigning IP addresses to multiple Sametime servers installed on a
single server machine
If you are operating Sametime on an IBM iSeries server, you can install
multiple Sametime servers on a single server machine, within the same
logical partition. In this scenario, each Sametime server instance runs on a
separate partitioned Domino server.
Note Do not install multiple Sametime servers on a Windows NT or
Windows 2000 server. You can install only one Sametime server on each
Windows server.
When multiple Sametime servers are running on separate Domino partitions
within the same logical partition of an IBM iSeries server, it is important for
each Sametime server to be assigned a separate IP address. If you are also
running any other Domino servers or HTTP servers within the same logical
partition, you must also be certain that those servers are assigned a separate
IP address to avoid port conflicts.
For detailed instructions on properly preparing your iSeries TCP/IP
environment for Sametime and configuring multiple Sametime servers
within the same logical partition, see the Installation Guide (stinstall.nsf or
stinstall.pdf) that was shipped with Sametime for iSeries.
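The port-80 tunneling procedure above only works if sametime.ibm.com (HTTP-tunneled Community, Meeting and Broadcast Services) and av-sametime.ibm.com (TCP-tunneled Audio/Video Services) resolve to different IP addresses, and the iSeries section above makes the same demand for every Domino, Sametime or HTTP server sharing a logical partition. The following script, an added example that is not part of the Sametime guide, checks a planned name-to-address table for (IP, port) pairs claimed by more than one listener before any DNS record or Administration Tool setting is changed. The listener labels, the addresses (192.0.2.x) and the name sametime1/sametime2/intranet.ibm.com are constructed for the example; only sametime.ibm.com and av-sametime.ibm.com come from the guide.

```python
"""Added example, not from the Sametime guide: an offline check that a planned
DNS/port assignment gives every listener its own (IP, port) pair."""
import socket
from collections import defaultdict


def table_resolver(table):
    """Return a resolver backed by a planned name -> IP table, so the check
    runs before the DNS records exist (and offline)."""
    def resolve(name):
        try:
            return table[name]
        except KeyError:
            raise socket.gaierror(f"no planned address for {name}") from None
    return resolve


def find_listener_conflicts(listeners, resolver=socket.gethostbyname):
    """listeners: iterable of (listener_name, host_name, port).

    Each entry is something that must bind its own socket. Returns a sorted
    list of ((ip, port), [listener names]) for every (ip, port) claimed by
    more than one listener; an empty list means the plan has no conflicts.
    """
    addresses = {}
    by_endpoint = defaultdict(list)
    for name, host, port in listeners:
        if host not in addresses:
            addresses[host] = resolver(host)
        by_endpoint[(addresses[host], int(port))].append(name)
    return sorted(
        (endpoint, sorted(owners))
        for endpoint, owners in by_endpoint.items()
        if len(owners) > 1
    )


def check_plan(listeners, plan):
    """Conflicts for a planned (constructed) address table."""
    return find_listener_conflicts(listeners, table_resolver(plan))


# Listeners from the guide's port-80 tunneling scenario. The three HTTP-tunneled
# services share the Sametime server's HTTP listener, so they appear once.
PORT80_LISTENERS = [
    ("Sametime HTTP server (HTTP-tunneled Community/Meeting/Broadcast Services)",
     "sametime.ibm.com", 80),
    ("Audio/Video Services TCP tunnel", "av-sametime.ibm.com", 80),
]

# Constructed plans: the good one gives the A/V name its own address, the bad
# one points both names at the same address (both want port 80).
GOOD_PLAN = {"sametime.ibm.com": "192.0.2.10", "av-sametime.ibm.com": "192.0.2.11"}
BAD_PLAN = {"sametime.ibm.com": "192.0.2.10", "av-sametime.ibm.com": "192.0.2.10"}

# Constructed iSeries scenario: two partitioned Sametime servers plus another
# HTTP server in the same logical partition, each wanting port 80.
ISERIES_LISTENERS = [
    ("Sametime server 1 HTTP", "sametime1.ibm.com", 80),
    ("Sametime server 2 HTTP", "sametime2.ibm.com", 80),
    ("Other HTTP server", "intranet.ibm.com", 80),
]
ISERIES_PLAN = {
    "sametime1.ibm.com": "192.0.2.20",
    "sametime2.ibm.com": "192.0.2.21",
    "intranet.ibm.com": "192.0.2.21",  # mistake: shares server 2's address
}

if __name__ == "__main__":
    for label, listeners, plan in [
        ("port-80 tunneling, good plan", PORT80_LISTENERS, GOOD_PLAN),
        ("port-80 tunneling, bad plan", PORT80_LISTENERS, BAD_PLAN),
        ("iSeries partition", ISERIES_LISTENERS, ISERIES_PLAN),
    ]:
        print(label, "->", check_plan(listeners, plan) or "no conflicts")
```

Run it against the live DNS by calling find_listener_conflicts(listeners) without a resolver argument once the records exist; the table-backed resolver raises for any name the plan forgot, which is itself a useful finding.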
Connecting to other Sametime servers
If you install multiple Sametime servers, the services of the Sametime servers
must establish connections with each other to ensure that:
• A meeting started on one Sametime server can be simultaneously active
on another Sametime server.
• Users with different home Sametime servers have presence and chat
capabilities with all users in the community.
For more information about working with multiple servers and
server-to-server connections, see the following topics in Chapter 14:
• "Advantages of using multiple Sametime servers"
• "Configuring ports for server-to-server connections"
Connecting Meeting Servers
The Connecting Meeting Servers option available from the
"Configuration-Connectivity-Servers in this Community" settings of the
Sametime Administration Tool is used only if you have installed multiple
Sametime servers.
The administrator creates Connection Records to connect Meeting Servers as
part of the process of integrating a new Sametime server into an
environment in which other Sametime servers are already operating. These
Connection Records are required for the invited servers to operate correctly.
For more information about this process, see the following topics in Chapter
14:
• "Advantages of using multiple Sametime servers"
• "Integrating a Sametime server into an existing Sametime community"
• "Creating Connection Records to connect Sametime servers"
Using the Servers in this Community settings
The "Servers in this Community" settings available from the
Configuration-Connectivity settings of the Sametime Administration Tool
are used only if you have installed multiple Sametime servers.
The administrator configures the "Servers in this Community" settings as
part of the process of integrating a new Sametime server into an
environment in which other Sametime servers are already operating. For
more information about this process, see the following topics in Chapter 14:
• "Advantages of using multiple Sametime servers"
• "Integrating a Sametime server into an existing Sametime community"
• "Configuring the 'Meeting Servers That Are Connected' options"
Extending a Sametime server to the Internet
Many organizations need to conduct Sametime meetings that can be
attended both by users on the corporate intranet and users from the Internet.
Because of the number and complexity of connections that can be required to
connect to a Sametime server, it might be unacceptable for many
organizations to open ports through the firewall to enable Internet clients to
connect to a Sametime server on the corporate intranet.
The recommended solution for extending Sametime meetings to Internet
users involves a multiple Sametime server deployment. This solution enables
users on the corporate intranet and users from the Internet to attend the
same Sametime meetings without jeopardizing the security of the corporate
intranet. This solution requires you to:
• Install a Sametime server on the corporate intranet.
• Install a Sametime server in the network DMZ.
• Connect the two Sametime servers.
• Configure the firewalls to enable the servers and clients to establish the
appropriate connections with the servers.
For more information, see "Extending Sametime to Internet users" in Chapter
14.
Using reverse proxy or portal servers with the Sametime server
A Sametime 3.1 server can be deployed behind a reverse proxy server or a
portal server. This section discusses issues related to using reverse HTTP
proxy servers with a Sametime server. The issues discussed in this section
also apply to deploying a Sametime server behind a portal server.
When a Sametime 3.1 server is deployed on an internal network behind a
reverse proxy server, the reverse proxy server operates as an intermediary
between the Sametime server and the Sametime clients. All Sametime data
flowing between the Sametime server and its clients passes through the
reverse proxy server.
To accomplish its security objectives, a reverse proxy server manipulates the
data that passes through it. The manipulation of Sametime data by the
reverse proxy server imposes specific requirements and limitations on the
use of reverse proxy servers with the Sametime server.
This section includes the following topics related to the use of reverse HTTP
proxy servers with the Sametime server:
• What is a reverse proxy server?
• Requirements and limitations associated with using a reverse proxy
server with the Sametime server
• Configuring mapping rules on a reverse proxy server
• Configuring a Sametime server to operate with a reverse proxy server
• Sametime client connectivity and reverse proxy servers
What is a reverse proxy server?
A reverse proxy server is a security device that is usually deployed in a
network DMZ to protect HTTP servers (or Sametime servers) on a corporate
intranet. The reverse proxy server performs security functions that protect
the internal servers from attacks by users on the Internet.
The reverse proxy server protects internal HTTP servers by providing a
single point of access to the internal network. Providing a single point of
access to all HTTP servers on an internal network offers these specific
security advantages and network access characteristics:
• The administrator can use the authentication and access control features
of the reverse proxy server to control who can access the internal servers
and control which servers each individual user can access. When a
reverse proxy is deployed, the authentication process and access rights
to multiple internal servers can be controlled from a single machine,
which simplifies the security configuration.
• All traffic to your intranet servers appears to be destined for a single
network address (the address of the reverse proxy server).
When a reverse proxy server is deployed, only URLs that are associated
with the reverse proxy server are made public to Web browser users.
Users from the Internet use these URLs to access the reverse proxy
server. The reverse proxy server handles these requests from Internet
users and redirects these requests to the appropriate internal HTTP
server.
The administrator performs URL mapping configurations on the reverse
proxy server that make this redirection possible. When configuring the
reverse proxy server, the administrator maps the URLs that are used to
access the reverse proxy server to the real URLs of the internal HTTP
servers. When an Internet user sends a URL to the reverse proxy server,
the reverse proxy server examines the URL and uses these mapping
configurations (or rules) to rewrite the URL.
The reverse proxy server rewrites the URL by replacing the server
address provided by the Internet user (a reverse proxy address) with the
real address of the internal server. The HTTP request is then sent on the
internal network from the reverse proxy server to the internal server.
• All traffic sent to Internet users from your internal servers appears to
originate from a single network address.
When an internal HTTP server (or Sametime server) responds to a
request from an Internet user, the internal server sends the response to
the reverse proxy server and the reverse proxy server sends the response
to the Internet user. The response sent on the Internet to the Internet user
contains the address of the reverse proxy server, not the address of the
internal HTTP server.
Unlike previous Sametime releases, Sametime 3.1 is designed to enable
Sametime clients to establish and maintain connectivity with a Sametime
server when these clients connect to the Sametime server through a reverse
proxy server.
The security functionality of reverse proxy servers described above imposes
specific requirements and limitations on the use of reverse proxy servers
with Sametime. See any of the following topics later in this chapter for
specific information about using reverse proxy servers with a Sametime
server.
• "Requirements and limitations associated with using a reverse proxy
server with the Sametime server"
• "Configuring mapping rules on a reverse proxy server to support
Sametime"
• "Configuring a Sametime server to operate with a reverse proxy server"
• "Sametime client connectivity and reverse proxy servers"
Requirements and limitations of Sametime 3.1 reverse proxy support
The requirements and limitations associated with using a reverse proxy
server with Sametime include:
• Reverse proxy server requirements
• Sametime client limitations and requirements
• Sametime server limitations
• Secure Sockets Layer (SSL) issues and requirements
• Client certificate authentication issues
• Sametime Enterprise Meeting Server (EMS) restrictions
Each of these topics is discussed under a separate heading below.
Reverse proxy server requirements
This section lists the requirements and issues that are specific to the reverse
proxy server.
• URL specification requirement (affinity-id requirement) - Only reverse
proxy servers that use the following URL specification to access
protected internal servers can be used with Sametime:
http[s]://hostname:port/affinity-id/
The "affinity-id" is an administrator-defined alias for an internal
Sametime server. This affinity-id must be present in the URLs sent from
Web browsers to the reverse proxy server to enable Web browser users
to access the Sametime server through the reverse proxy. For detailed
information on this mandatory requirement of the reverse proxy server,
see "Configuring mapping rules on a reverse proxy server" later in this
chapter.
• Multiple reverse proxy servers must use the same DNS name and
mapping configurations - If you have deployed multiple reverse proxy
servers in your network environment, and you expect users to access
your Sametime server(s) through multiple reverse proxy servers, each of
the reverse proxy servers must have the same DNS name and the same
mapping configurations as noted below:
• DNS name - All reverse proxy servers must use the same DNS name.
For example, if one reverse proxy server is named
reverseproxy.ibm.com all other reverse proxy servers must be named
reverseproxy.ibm.com. If the reverse proxy servers have different
DNS names, the Sametime clients will be unable to maintain
communications with a Sametime server deployed behind the reverse
proxy servers.
Note If a network environment includes multiple reverse proxy
servers that have the same DNS names, a connection dispatching
device (such as an IBM WebSphere EdgeServer) is usually used to
distribute connections from Web browsers to the multiple reverse
proxy servers. These devices are frequently used to load balance
connections to multiple machines.
• Mapping configurations - Each reverse proxy server must use
identical mapping rules and configurations to govern the translation
of URLs sent by Web browsers to the reverse proxy server for the
purpose of accessing an internal Sametime server. If the translation of
these URLs to the URLs of the internal Sametime servers does not
occur in exactly the same way on each of the reverse proxy servers,
the Sametime clients will be unable to maintain communications with
a Sametime server deployed behind the reverse proxy server.
Note Each Sametime server must be represented by the same
"affinity-id" in the mapping rules on each of the reverse proxy servers.
For more information about the affinity-id and mapping rules, see
"Configuring mapping rules on a reverse proxy server" later in this
chapter.
• The reverse proxy server must use cookies for authentication - When
an end user uses a Web browser to access and authenticate with the
reverse proxy server, the reverse proxy server must send an
authentication cookie to the Web browser. All subsequent HTTP
requests from a Sametime client will then pick up this cookie and use it
for automatic authentication with the reverse proxy server.
Reverse proxy servers that rewrite URLs for authentication purposes are
not supported. Some reverse proxy servers append authentication and
session information to the end of URLs embedded in HTML that passes
through the proxy back to the client. The client will include this
appended data on subsequent requests to the reverse proxy server.
When the reverse proxy server receives these subsequent requests from
the client, the reverse proxy server strips the authentication data and
rewrites the URL to accomplish the internal routing of requests. A
Sametime server cannot operate behind a reverse proxy server that
handles authentication data in this way.
• A lengthy timeout value should be specified for the authentication
cookies - The administrator should specify a lengthy timeout value for
authentication cookies generated by the reverse proxy server.
If the authentication cookie expires while the user is attending a meeting,
the user is disconnected from the meeting. To re-enter the meeting, the
user must go through the inconvenient process of reconnecting to the
reverse proxy, reauthenticating with the reverse proxy, and waiting for
the Java applets to be reloaded to the Web browser.
Setting a lengthy timeout value for authentication cookies can prevent
unexpected user disconnections due to an authentication cookie
expiration. Generally, the authentication cookie should be valid for the
entire length of the longest meetings that are routinely conducted on the
Sametime server deployed behind the reverse proxy server. Because a
longer lifetime also lengthens the period during which a captured cookie
remains usable, do not extend it beyond what those meetings require, and
use SSL between the Web browser and the reverse proxy server (see
"Secure Sockets Layer (SSL) issues and requirements" below) so that the
cookie is not sent in cleartext over the Internet.
Sametime client/Web browser limitations and JVM requirements
The following Sametime clients can communicate with Sametime servers
through a reverse proxy server:
• Sametime Meeting Room client
• Sametime Broadcast client
• Sametime Connect for browsers (the Java version of Sametime Connect)
• Sametime Links applications built with Sametime developer toolkits
Note Sametime Connect for the desktop (the Windows version of Sametime
Connect) cannot be used with a Sametime server that is deployed behind a
reverse proxy server.
The Sametime Meeting Room client and the Sametime Broadcast client can
communicate with a Sametime server through a reverse proxy server when
running with the following Web browsers and Java Virtual Machines
(JVMs):
• An Internet Explorer 6 browser that operates with the Microsoft native
VM or the Sun Microsystems JVM 1.4.1 (and associated Java Plug-in).
• A Netscape 7 browser that operates with the Sun Microsystems JVM
1.4.1 (and associated Java Plug-in).
The Sametime Connect for browsers client and Sametime Links applications
can communicate with a Sametime server through a reverse proxy server
when running in an Internet Explorer 6 or Netscape 7 browser that operates
with the Sun Microsystems JVM 1.4.1. These clients may not function
appropriately with other JVMs, including the native Microsoft VM provided
for Internet Explorer.
Sametime server limitations
The following limitations apply to Sametime server features when the
Sametime server is deployed behind a reverse proxy server.
• Audio/video is not available - Audio/video streams cannot be
transmitted to Sametime clients that access the Sametime server through
a reverse proxy server.
• TeamRoom and Discussion databases are not available - A user that
connects to the Sametime server through a reverse proxy server cannot
use the TeamRoom and Discussion databases on the Sametime server.
• Access to the Sametime Administration Tool is not available - A user
that connects to the Sametime server through a reverse proxy server
cannot access the Sametime Administration Tool. The user can open a
Web browser that is installed on the Sametime server to access the
Sametime Administration Tool. The user can also connect to the
Sametime server from an internal network location that does not route
HTTP traffic through the reverse proxy server to access the Sametime
Administration Tool.
Secure Sockets Layer (SSL) issues and requirements
Note the following about SSL and Sametime in a reverse proxy environment:
• Secure Sockets Layer (SSL) can be used to encrypt data transmitted
between the Sametime clients and the reverse proxy server.
• SSL cannot be used to encrypt data transmitted between the Sametime
servers and the reverse proxy server. The connection from the reverse
proxy server to the Sametime server is therefore plain HTTP, so the
network path between the reverse proxy server in the DMZ and the
Sametime server on the internal network must itself be trusted.
If SSL is used to encrypt data transmitted between Web browsers and the
reverse proxy server, the administrator must perform the mapping
configurations on the Sametime server necessary to map the HTTPS data
received from the Web browser to the HTTP required by the Sametime
server.
The reverse proxy must also be configured to translate the HTTP data
received from the Sametime server to the HTTPS data required by the client.
When a reverse proxy server is configured to support SSL, the reverse proxy
server sends an SSL server certificate to the Web browser during the SSL
connection handshake. The Java 1.4.1 Plug-in used by the Web browser must
have access to a Signer certificate that is signed by the same Certificate
Authority (CA) as the server certificate that is sent by the reverse proxy.
By default, the Java Plug-in has access to several different Signer certificates
that can be used for this purpose. To view the Signer certificates that are
available to the Java Plug-in 1.4.1, use the Java Plug-in Control Panel as
noted below:
a. From the Windows desktop, open the Control Panel (Select
Start-Settings-Control Panel).
b. Double-click on the Java Plug-in 1.4.1 icon to open the Java Plug-in
Control Panel.
c. Click the Certificates tab.
d. Select the Signer CA radio button.
The server certificate sent by the reverse proxy server to the client
Web browser must be signed by one of the CAs that appears in the
signer CA list for the SSL connection handshake to succeed.
Client certificate authentication issues
If the reverse proxy server is configured to require client certificate
authentication, the client certificate for an individual user must be imported
into the Java Plug-in 1.4.1 Control Panel on that user's machine. You can use
the Certificates tab of the Java Plug-in Control Panel to import the client
certificate into the Java Plug-in key store. For example:
a. From the Windows desktop on a user's machine, open the Control
Panel (Select Start-Settings-Control Panel).
b. Double-click on the Java Plug-in 1.4.1 icon to open the Java Plug-in
Control Panel.
c. Click the Certificates tab.
d. In the Certificates column, select "Secure Site."
e. Click the Import button to import the client certificate.
Sametime Enterprise Meeting Server restrictions
The Sametime 1.0 Enterprise Meeting Server that operates with Sametime 3.1
servers cannot be deployed behind a reverse proxy server.
Configuring mapping rules on a reverse proxy server to support
Sametime
When a Sametime server is deployed behind a reverse proxy server, the
administrator must configure mapping rules on the reverse proxy server.
These mapping rules enable the reverse proxy server to translate (or rewrite)
a URL associated with the reverse proxy server to the URL of an internal
Sametime server.
This section discusses how mapping rules are configured on a reverse proxy
server to accomplish the translation (or rewriting) of URLs when the reverse
proxy operates with Sametime. This section includes the following topics:
• Affinity-id (server alias) requirement of the reverse proxy server
• Example of URL mapping configurations on the reverse proxy server
Affinity-id (server alias) requirement of the reverse proxy server
Only reverse proxy servers that support the use of an affinity-id (or server
alias) in the URLs that are associated with internal servers can be used with
Sametime. Specifically, the reverse proxy server must support this URL
specification to access protected internal servers:
http[s]://hostname:port/affinity-id/
In this example, the "hostname" represents the DNS name of the reverse
proxy server and the affinity-id is an alias for an internal server that is
protected by the reverse proxy server. A specific example of this URL format
is:
http[s]://reverseproxy.ibm.com/st01/stcenter.nsf
In the example above, the text string "st01" is the affinity-id. The affinity-id
is an alias for a specific Sametime server (such as sametime.ibm.com) that is
protected by the reverse proxy server. The affinity-id is used by the reverse
proxy server to direct incoming requests to the specific internal Sametime
server.
For example, if the incoming URL from the Web browser is:
http[s]://reverseproxy.ibm.com/st01/stcenter.nsf
and the mapping rules on the reverse proxy server map the "st01" affinity-id
to the Sametime server named "sametime.ibm.com," the affinity-id ensures
the reverse proxy server rewrites the incoming URL to:
http[s]://sametime.ibm.com/stcenter.nsf
Essentially, the affinity-id is an administrator-defined alias for an internal
Sametime server. The affinity-id is defined in the mapping rules of the
reverse proxy server. If you have multiple Sametime servers deployed
behind a reverse proxy server, each Sametime server must have an
individual affinity-id as indicated below:
Mapping rule for client-provided URL    Routed to internal server
/st01/*                                 http://sametime1.ibm.com/*
/st02/*                                 http://sametime2.ibm.com/*
It is mandatory that any reverse proxy server that operates with a Sametime
server support the affinity-id (or server alias) in URLs.
For additional information about configuring mapping rules on reverse
proxy server, see "Example of URL mapping configurations on the reverse
proxy server" below.
Important: The Sametime Administration Tool on a Sametime server
contains a "Server Alias" setting. This Server Alias setting must specify the
same affinity-id that is used to represent the Sametime server in the mapping
rules on the reverse proxy server. For more information, see "Configuring a
Sametime server to operate with a reverse proxy server" later in this chapter.
Example of URL mapping configurations on the reverse proxy server
This section provides basic examples of how an administrator might
configure URL mapping configurations for a reverse proxy server deployed
in front of a Sametime server.
When a user connects to a Sametime server through a reverse proxy server,
the reverse proxy server must be configured to support the following actions
that enable Sametime users to attend meetings and participate in chat
sessions:
• The user must be able to click on links in the Sametime server home
page and navigate to the various HTML pages of the UI. This capability
requires the reverse proxy server to rewrite the URLs of the HTML
pages that comprise the Sametime UI.
• The Sametime Java applet clients that load in a user's Web browser must
be able to connect to the services on the Sametime server. Since these
connections must occur through the reverse proxy server, the reverse
proxy server must also be able to rewrite the URLs required to establish
these connections to the services on the Sametime server.
The following sections provide examples of the mapping configurations
required to accomplish the two tasks above.
Reverse proxy mapping configurations that enable a Web browser user to
navigate the Sametime user interface
The example below illustrates how an administrator can configure the
reverse proxy server to enable users to navigate the HTML pages of the
Sametime user interface. This example assumes the following:
• The Sametime server name is "sametime.ibm.com."
• The URL required to access the reverse proxy server is
"reverseproxy.ibm.com."
• The affinity-id chosen by the administrator for the Sametime server is
"st01."
Listed below are two entities of the Sametime server user interface and the
URLs required to access these entities on a Sametime server with the server
name "sametime.ibm.com."
• Sametime server home page - The Sametime server URL for the server
home page is http://sametime.ibm.com/stcenter.nsf.
• Active Meeting page - The Sametime server URL for the Active Meeting
page is http://sametime.ibm.com/stconf.nsf/vwWebActiveMeetings?OpenView.
Example 1 - Translating the URL of the server home page
To access the Sametime server home page through a reverse proxy server,
the Web browser would send the following URL to the reverse proxy server:
http[s]://reverseproxy.ibm.com/st01/stcenter.nsf
The reverse proxy server must contain a mapping rule that translates this
URL into the following URL, which is required to access the home page on
the Sametime server:
http[s]://sametime.ibm.com/stcenter.nsf
Example 2 - Translating the URL of the Active Meeting page
If the user selects the Attend a Meeting link in the Sametime user interface to
view the list of active meetings, the Web browser would send the following
URL to the reverse proxy server:
http[s]://reverseproxy.ibm.com/st01/stconf.nsf/vwWebActiveMeetings?OpenView
The reverse proxy server must contain a mapping rule that translates this
URL into the following URL required to access the Sametime server Active
Meetings page:
http[s]://sametime.ibm.com/stconf.nsf/vwWebActiveMeetings?OpenView
A single mapping rule can be used to translate all URLs associated with
the Sametime server user interface
Through the use of wildcards, the administrator can create a single mapping
rule on the reverse proxy server to translate all URLs associated with the
Sametime server interface. Following the examples above, the administrator
can create a mapping rule that translates the following URL from the Web
browser:
http[s]://reverseproxy.ibm.com/st01/*
To this Sametime server URL:
http[s]://sametime.ibm.com/*
A single mapping rule that accomplishes this type of URL translation should
enable users to access all entities of the Sametime user interface through a
reverse proxy server.
Note It is not mandatory to configure the mapping rules as described
above. The actual configuration of the mapping rules on the reverse proxy
server is at the discretion of the administrator. When configuring the
mapping rules note that the URL for any entity of the Sametime server user
interface will begin with the Sametime server name (sametime.ibm.com in
this example).
Reverse proxy mapping configurations that enable Sametime Java applet
connectivity through the reverse proxy server
The following example URL mappings enable the Sametime Java applet
clients running in a user's Web browser to connect to the Community
Services, Meeting Services, and Broadcast Services on the Sametime server
through the reverse proxy server:
Example 1 - Mapping configuration for Community Services connectivity
This example illustrates the mapping configurations that enable a Java
applet client to connect to the Community Services:
If the incoming URLs from the Java applet are:
http[s]://proxy.ibm.com/st01/communityCBR/
http[s]://proxy.ibm.com/st01/CommunityCBR/
The mapping rules on the reverse proxy must translate these URLs to:
http://sametime.ibm.com:8082/communityCBR
http://sametime.ibm.com:8082/CommunityCBR
Note The mapping configuration for the Community Services
connectivity should contain two case-sensitive mapping rules as
indicated above. Some pieces of the Java code contain the lowercase "c"
in "communityCBR" and some pieces of the Java code use the uppercase
"C" in "CommunityCBR." This difference may prevent connections if the
proxy is case-sensitive.
Example 2 - Mapping configuration for Meeting Services connectivity
This example illustrates the mapping configurations that enable a Java
applet client to connect to the Meeting Services:
If the incoming URL from the Java applet is:
http[s]://proxy.ibm.com/st01/MeetingCBR
The mapping rule on the reverse proxy must translate this URL to:
http://sametime.ibm.com:8081/MeetingCBR
Example 3 - Mapping configuration for Broadcast Services connectivity
This example illustrates the mapping configurations that enable a Java
applet client to connect to the Broadcast Services:
If the incoming URL from the Java applet is:
http[s]://proxy.ibm.com/st01/BroadcastCBR
The mapping rule on the reverse proxy must translate this URL to:
http://sametime.ibm.com:554/BroadcastCBR
Notes about the Java applet connectivity mapping rule examples
During a Sametime server installation, the administrator has the option of
allowing or not allowing HTTP tunneling on port 80.
If the administrator does not allow HTTP tunneling on port 80 during the
Sametime server installation, it is necessary to configure separate mapping
rules for each of the three Sametime services (Community Services, Meeting
Services, and Broadcast Services).
Note Four mapping rules are required: two for the Community Services,
one for the Meeting Services, and one for the Broadcast Services as shown in
the three examples above.
When the administrator does not allow HTTP tunneling on port 80, each of
the Sametime services listens for HTTP connections on a different port:
• The Community Services listen for HTTP connections on port 8082. Port
8082 is reflected in the mapping rule for Community Services
connections above. You can view or change this port setting from the
Community Services Network - Address for HTTP-tunneled client
connections option in the Networks and Ports tab of the Sametime
Administration Tool.
• The Meeting Services listen for HTTP connections on port 8081. Port
8081 is reflected in the mapping rule for Meeting Services connections
above. You can view or change this port setting from the Meeting
Services Network - Address for HTTP-tunneled client connections
option in the Networks and Ports tab of the Sametime Administration
Tool.
• The Broadcast Services listen for HTTP connections on port 554. Port 554
is reflected in the mapping rule for Broadcast Services connections
above. You can view or change this port setting from the Broadcast
Services Network - Address for HTTP-tunneled client connections
option in the Networks and Ports tab of the Sametime Administration
Tool.
Because each of these Sametime services listens for a connection on a
separate port, separate mapping rules must be established for each of the
services. The mapping rule must specify the port on which each of the
services is listening for connections.
Note If you change the HTTP-tunneling port number for a specific service
in the Sametime Administration Tool, the mapping rules you configure on
the reverse proxy server must reflect the new port number.
If the administrator allows HTTP tunneling on port 80 during the Sametime
server installation, the Sametime clients connect to all of the services on a
single port. With this configuration, the single mapping rule that enables
users to navigate the Sametime server user interface will also enable the
Sametime clients to make connections to the Sametime services.
When HTTP tunneling on port 80 is allowed, the Community Services
multiplexer on the Sametime server listens for HTTP connections on behalf
of the HTTP Services, Community Services, Meeting Services, and Broadcast
Services on the Sametime server. The Community Services multiplexer
listens for connections to all of these services on a single port (port 80).
Note When operating in this mode, the Community Services multiplexer on
the Sametime server can distinguish between HTTP requests destined for the
HTTP Services, Community Services, Meeting Services, and Broadcast
Services and establish intraserver connections to each of the services. For
example, if the Community Services multiplexer receives an HTTP request
for the Meeting Services on port 80, the Community Services handles the
request and creates an intraserver connection to the Meeting Services. The
Community Services multiplexer then forwards the request to the Meeting
Services. The ability of the Community Services multiplexer to handle
requests for multiple services in this way is sometimes referred to as "single
port mode."
When the administrator allows HTTP tunneling on port 80 (that is, when the
Sametime server is operating in single port mode), the mapping rules for
Java applet connectivity are much simpler. Since all connections from the
Sametime Java applet clients occur on the same port, it is not necessary to
specify individual ports for each service in the mapping rules.
In this scenario, the administrator would only need to ensure that this
incoming URL from the Sametime Java applets:
http[s]://proxy.ibm.com/st01/*
Is translated to this URL by the mapping rules on the reverse proxy server:
http://sametime.ibm.com/*
Note that server performance is not as efficient when the Sametime server is
configured to support HTTP tunneling on port 80 because of the connectivity
burden placed on the Community Services multiplexer. For more
information, see "About HTTP tunneling" earlier in this chapter.
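The URL translation that the mapping rules in the examples above must perform, modelled in Python as an added illustration. This is not Sametime code and not the configuration syntax of any particular reverse proxy product; the host names reverseproxy.ibm.com and proxy.ibm.com, the server name sametime.ibm.com and the affinity-id "st01" are the guide's example values, and the function names and the constructed sample URLs are assumptions made for this example. It covers both cases described above (service-specific ports when HTTP tunneling on port 80 is not allowed, and the single wildcard rule when the server runs in single port mode), keeps the two case-sensitive communityCBR rules, rejects any request whose path does not begin with the affinity-id so that nothing else is forwarded to the internal server, and shows how the default Server Alias is derived from the fully-qualified DNS name.

```python
"""Added example: the URL translation performed by reverse proxy mapping
rules for a Sametime 3.1 server. Illustrative code, not Sametime's own."""
from urllib.parse import urlsplit, urlunsplit

# Values taken from the guide's examples (assumed for this illustration).
AFFINITY_ID = "st01"                 # the "Server Alias" set in the Administration Tool
SAMETIME_HOST = "sametime.ibm.com"   # real server name; it never appears in browser-facing URLs

# HTTP-tunneling ports of the individual services, used only when HTTP tunneling
# on port 80 was NOT allowed during installation. The keys are deliberately
# case-sensitive: the applet code uses both spellings of communityCBR, so both
# rules are required, exactly as the guide's note says.
SERVICE_PORTS = {
    "communityCBR": 8082,
    "CommunityCBR": 8082,
    "MeetingCBR": 8081,
    "BroadcastCBR": 554,
}


def default_server_alias(fqdn: str) -> str:
    """Default Server Alias after installation: the host label of the FQDN.

    The guide recommends changing this default so the real server name is
    not exposed in URLs transmitted on the Internet.
    """
    return fqdn.split(".", 1)[0]


def map_url(incoming: str, single_port_mode: bool = False) -> str:
    """Translate a URL sent to the reverse proxy into the Sametime server URL.

    Raises ValueError for any request outside /<affinity-id>/, so only
    Sametime paths are forwarded to the internal server.
    """
    parts = urlsplit(incoming)
    prefix = "/" + AFFINITY_ID
    if parts.path != prefix and not parts.path.startswith(prefix + "/"):
        raise ValueError("path does not begin with %s/: %s" % (prefix, parts.path))

    # "/st01/stcenter.nsf" -> "/stcenter.nsf"; a bare "/st01" becomes "/"
    remainder = parts.path[len(prefix):] or "/"
    first_segment = remainder.strip("/").split("/", 1)[0]

    if first_segment in SERVICE_PORTS:
        # Java applet connectivity: plain HTTP to the service's own tunneling
        # port, or to the default port when the server is in single port mode.
        scheme = "http"
        if single_port_mode:
            netloc = SAMETIME_HOST
        else:
            netloc = "%s:%d" % (SAMETIME_HOST, SERVICE_PORTS[first_segment])
        remainder = remainder.rstrip("/")   # guide shows no trailing slash on the server side
    else:
        # User-interface pages: keep the scheme the browser used (http[s]).
        scheme = parts.scheme
        netloc = SAMETIME_HOST

    return urlunsplit((scheme, netloc, remainder, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample requests, following the guide's examples.
    for url in (
        "https://reverseproxy.ibm.com/st01/stcenter.nsf",
        "https://reverseproxy.ibm.com/st01/stconf.nsf/vwWebActiveMeetings?OpenView",
        "https://proxy.ibm.com/st01/communityCBR/",
        "https://proxy.ibm.com/st01/MeetingCBR",
        "https://proxy.ibm.com/st01/BroadcastCBR",
    ):
        print(url, "->", map_url(url))
    print("single port mode:", map_url("https://proxy.ibm.com/st01/MeetingCBR", single_port_mode=True))
    print("default alias for sametime.ibm.com:", default_server_alias("sametime.ibm.com"))
```

The prefix check is the part worth carrying over to a real proxy configuration: a rule anchored on /st01/ forwards only Sametime paths, whereas a wildcard that is not anchored on the affinity-id would expose every path on the internal server.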
Configuring a Sametime server to operate with a reverse proxy server
The administrator must use the Sametime Administration Tool on the
Sametime server to configure the Sametime server to operate with a reverse
proxy server.
There are two settings the administrator must configure in the
Configuration-Connectivity-Networks and Ports tab of the Sametime
Administration Tool to enable a Sametime server to operate with a reverse
proxy server. These settings include:
• Enable Reverse Proxy Discovery on the client - Selecting this setting
allows the administrator to enable or disable the reverse proxy support.
This setting enables the logic in the Sametime clients that enables them
to connect to a Sametime server through the reverse proxy server. This
setting is disabled by default.
Note Enabling this setting does not require that all users on your
corporate intranet access the Sametime server through the reverse proxy
server. Users on your corporate intranet that are not required to route
connections through the reverse proxy servers can still establish
connections with the Sametime server using the standard Sametime
client connection processes. For more information, see "Connecting to a
Sametime server without going through the reverse proxy server" later
in this chapter.
• Server Alias - The Server Alias setting must specify the affinity-id that
the administrator uses to represent this Sametime server in the mapping
rules on the reverse proxy server.
Note The term "Server Alias" is synonymous with affinity-id.
For example, if the administrator uses the text string "st01" as the
affinity-id that represents the Sametime server in the mapping rules on
the reverse proxy server, the administrator must also enter "st01" as the
value for the Server Alias setting in the Sametime Administration Tool.
Following a Sametime server installation, the Server Alias setting
defaults to the Sametime server name that is extracted from the
fully-qualified DNS name of the Sametime server. For example, if the
fully-qualified DNS name of the Sametime server is
"sametime.ibm.com," the default value for the Server Alias is
"sametime."
Note An administrator may want to change the default Server Alias
setting to avoid using the real Sametime server name as the affinity-id in
the mapping rules on the reverse proxy server. If the real Sametime
server name is used as the affinity-id on the reverse proxy server, the
real server name will appear in URLs transmitted on the Internet.
For more information about the affinity-id, see "Configuring mapping
rules on a reverse proxy server to support Sametime" later in this
chapter.
Enabling reverse proxy support on a Sametime server
To enable reverse proxy support on a Sametime server:
1. From the Sametime server home page, click the "Administer the Server"
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Connectivity.
4. If necessary, select the Networks and Ports tab.
5. At the bottom of the Networks and Ports tab, select "Enable Reverse
Proxy Discovery on the client."
6. In the "Server Alias" text box, type the text string that is used as the
affinity-id that represents this Sametime server in the mapping
configurations on the reverse proxy server (for example, type st01).
7. Click Update and restart the Sametime server for the changes to take
effect.
Sametime client connectivity and reverse proxy servers
This section briefly discusses Sametime client connectivity issues when the
Sametime Meeting Room client, Sametime Broadcast client, and Sametime
Connect for browsers client operate with a reverse proxy server.
These connectivity issues are discussed in the following topics:
• Connecting to the Sametime server without using the reverse proxy
server
• Notes about Sametime client connectivity through a reverse proxy server
Connecting to a Sametime server without using the reverse proxy
server
When a Sametime server is configured to operate with a reverse proxy
server, users on the corporate intranet that are not required to route
connections through the reverse proxy server can still connect to the
Sametime server using the standard Sametime client connection processes.
Note In this scenario, both intranet and Internet users connect to the same
Sametime server. Connections from Internet users are routed through the
reverse proxy server while connections from intranet users are not routed
through the reverse proxy server.
To configure a Sametime server to operate with a reverse proxy server, the
administrator must select the "Enable Reverse Proxy Discovery on the client"
setting in the Sametime Administration Tool. Selecting this setting:
• Enables the additional logic in the Meeting Room client, Broadcast client,
and Sametime Connect for browsers client that the clients use to connect
to a Sametime server through a reverse proxy server.
• Does not disable the existing connectivity logic in these Sametime
clients.
Enabling the "Enable Reverse Proxy Discovery on the client" setting
enhances the existing logic in the Sametime clients by adding the reverse
proxy connection logic to the existing logic. The existing logic is still
present and operable within the clients. This design enables clients that
do not connect to the Sametime server through the reverse proxy server
to follow the standard Sametime client connection processes when
connecting to the Sametime server.
Note For detailed information about the standard Sametime client
connection processes, see "Meeting Room and Broadcast client
connection processes" earlier in this chapter.
To illustrate this point, the Meeting Room client connection process that
occurs when the "Enable Reverse Proxy Discovery on the client" setting is
selected is summarized below.
1. Upon loading in a user's Web browser, the Sametime Meeting Room
client attempts a direct TCP/IP connection to the Sametime server.
If the direct TCP/IP connection attempt fails, the Meeting Room client
continues with the connection process as described below.
Note Step 1 is part of the standard Sametime client connection process.
2. If the user's Web browser detects the existence of a forward SOCKS
proxy server, the Meeting Room client will attempt the TCP/IP
connection through the forward SOCKS proxy server to the Sametime
server.
If the TCP/IP connection through the SOCKS proxy server is not
successful, the Meeting Room client continues with the connection
process as described below.
Note Step 2 is part of the standard Sametime client connection process.
3. If the TCP/IP connection attempt is not successful, the Meeting Room
client attempts to detect the reverse proxy server.
If the reverse proxy server is detected, the Meeting Room client attempts
to connect to the Sametime server through the reverse proxy server
using HTTP tunneling. The client programmatically detects the address
of the reverse proxy server. No client-side configurations are required to
enable the Sametime client to detect the reverse proxy server.
Note Step 3 represents the major difference in the connection process
that occurs when the "Enable Reverse Proxy Discovery on the client"
setting is selected.
4. If the reverse proxy server is not detected, the Sametime clients will still
attempt to connect to the Sametime server using HTTP tunneling but the
connection attempts will not be made to the reverse proxy server.
Note These HTTP-tunneled connection attempts are part of the
standard Sametime client connection processes as discussed in the
Meeting Room and Broadcast client connection processes section earlier
in this chapter. These connection attempts enable Sametime clients that
do not connect to the Sametime server through the reverse proxy server
to establish HTTP-tunneled connections to the Sametime server.
Notes about Sametime client connectivity through a reverse proxy
server
This section provides additional notes about Sametime client connectivity
through a reverse proxy server.
Generally, there are no client-side configurations required to enable a
Sametime Meeting Room client, Sametime Broadcast client, or Sametime
Connect for browsers client to connect to a Sametime server through a
reverse proxy server.
If the administrator has selected the "Enable reverse proxy discovery on
client" setting and specified the "Affinity ID" setting in the Sametime
Administration Tool on the Sametime server, the Sametime clients should be
able to programmatically detect the presence of the reverse proxy server and
connect to the Sametime server through the reverse proxy server.
If these clients must connect to the reverse proxy server through a forward
(or client-side) HTTP or SOCKS proxy server, the connectivity settings
(address and port) of the forward proxy server should be specified in the
locations noted below:
• If the Sametime client runs in a Web browser that operates with the Sun
Microsystems Java Virtual Machine (1.4.1), the forward proxy server
address and port are specified in the Sun Microsystems Java Plug-in
Control Panel on the user's machine. (The Java Plug-in Control Panel is
available from the user's Windows Control Panel).
• If the Sametime client runs in a Web browser that operates with the
native Microsoft Virtual Machine (VM), the forward proxy server
address and port are specified in the proxy configuration settings of the
Web browser.
Note the following about using Sametime Connect for browsers with a
reverse proxy server:
• The Sametime Connect for browsers client loads in the user's Web
browser with either the "Use my Java Plug-in settings" option or the "Use
my Internet Explorer Browser settings" option selected by default in the
Options-Preferences-Sametime Connectivity tab. Users should not
change this default setting when operating with a reverse proxy server.
These connectivity settings ensure the client will make either a direct
connection to the Sametime server or connect through a forward proxy
server if one is defined in the Web browser connectivity settings or Java
Plug-in as noted above.
• The Sametime Connect for browsers client includes a "Host name" and
"Port" setting in the Options-Preferences-Sametime Connectivity tab. The
values in these settings are ignored when the Sametime server is
configured to operate with a reverse proxy server. (In a normal
Sametime deployment, these settings specify the Host name of the
Sametime server to which the client should connect and the port number
on which the Sametime server listens for connections from Sametime
Connect clients).
Chapter 6
Configuring the Community Services
This chapter describes the Community Services administration settings and
features.
The Community Services administration settings:
• Control the number of user names that appear on a page in the “add to
contact list” feature in the Sametime Connect client user interface.
• Control the time intervals in which Community Services receive updates
from the Directory to maintain current lists of users and servers in the
Sametime Community.
• Control the maximum number of connections to Community Services.
• Show or hide the links in the Sametime server user interface that enable
users to download the Windows or Java versions of Sametime Connect.
The Java version of Sametime Connect is referred to as “Sametime
Connect for browsers” and the Windows version of Sametime Connect is
referred to as “Sametime Connect for the desktop.”
• Enable or disable the following features in Sametime Connect:
• File transfer (If this feature is enabled, the administrator can set a
maximum file size for transferred files)
• The send announcements feature
• Automatic login
• Force a name entry prompt to appear when the ACL settings of the
Sametime Meeting Center database allow anonymous access. This name
entry prompt allows each user to enter a name that is displayed in the
presence list available in the Sametime Meeting Center or other database
enabled with Sametime technology. The administrator can also specify
whether anonymous users can search or browse entries in the directory.
• Enable or disable the Sametime server's ability to accept authentication
tokens generated by the Secrets and Tokens databases. You can disable
this feature if all of the servers in your environment are Sametime 3.1
servers and databases enabled with Sametime technology (such as
Discussion and TeamRoom databases) are not in use.
This chapter also explains how you can:
• Enable the Sametime Connect for browsers client to operate in kiosk
mode if multiple users must access this client from a single Sametime
server.
• Deploy a Community Services multiplexer on a separate machine to
improve the performance of the Community Services.
About the Community Services
The Sametime Community Services support all presence (or awareness) and
text chat activity in a Sametime community. Any Sametime client that
contains a presence list must connect to the Community Services. The
Community Services clients include the Sametime Connect client, the
Participant List and chat components of the Sametime Meeting Room client,
and presence lists in Sametime Discussion or TeamRoom databases.
Basic functionality supported by the Community Services includes:
• Handling client login requests.
• Handling connections from clients that access the Sametime server
through a direct TCP/IP connection, HTTP, HTTPS, or SOCKS proxy
servers. Community Services clients connect to the Community Services
multiplexer component, which can be deployed on a separate machine
from the core Sametime server.
• Providing directory access for user name search and display purposes.
• Providing directory access to compile lists of all Sametime servers and
users in the community.
• Dissemination of presence and chat data to all users connected to
Community Services.
• Maintenance of privacy information for online users.
• Interacting with the Meeting Services to create meetings in which
collaborative activities supported by the Community Services, Meeting
Services, and Audio/Video Services are available.
• Handling connections from the Community Services on other Sametime
servers when multiple servers are installed. Server-to-server connections
for the Community Services occur on default TCP/IP port 1516.
Note Port 1516 is also used by the Meeting Services. In a multiple
server environment, port 1516 must be open between two Sametime
servers to enable a single Sametime meeting to be simultaneously active
on both Sametime servers. This functionality is sometimes called
“invited servers.” For more information, see “Advantages of a single
meeting on multiple servers” in Chapter 14.
• Logging of Community Services events to the Sametime log (stlog.nsf).
• Enabling the administrator to force a name entry prompt to appear when
the ACL settings of the Sametime Meeting Center database (or any other
database that includes Sametime technology) allow anonymous access.
This name entry prompt ensures that the presence list in the Sametime
database can display a unique name for the user.
• Capturing transcripts of chat conversations that occur on the Sametime
server for later retrieval. Developers must implement a chat logging
feature to capture and retrieve transcripts of chat conversations.
Community Services configuration settings
Community Services support all online presence (or awareness), instant
messaging, and chat features and activities available with Sametime.
Presence, instant messaging, and chat features exist in the Sametime Connect
client, the Sametime Meeting Room client Participant List, and in presence
list components of Sametime Discussion and TeamRoom databases.
Developers can also use the Sametime toolkits to implement presence and
chat features in custom applications.
The Community Services configuration settings control the interaction of the
Community Services with a Domino or LDAP directory and the maximum
number of Community Services users allowed on the server.
The Community Services configuration settings also enable the
administrator to control whether the Java or Windows version of Sametime
Connect is available to end users. The Java version of Sametime Connect is
called “Sametime Connect for browsers” in the end user interface while the
Windows version is called “Sametime Connect for the desktop.” The
administrator also controls whether the automatic login feature of Sametime
Connect for browsers is available to end users.
Note You can also create a Community Services server cluster to support
failover and load balancing for the Community Services or enable the
Session Initiation Protocol (SIP) Gateway functionality to support instant
messaging between two different SIP-enabled communities. For more
information, see “Creating Sametime server clusters” in Chapter 17 or
Chapter 7, Enabling the Session Initiation Protocol (SIP) Gateway.
You can access the Community Services configuration settings from the
Sametime Administration Tool by selecting Configuration - Community
Services.
The three types of Community Services configuration settings are:
General settings
The General settings allow the administrator to:
• Control the number of entries on each page in the dialog boxes that
show names in the directory.
• Control how often to poll for new names added to the Sametime
Community directory.
• Control how often to poll for new servers added to the Sametime
Community.
• Control the maximum number of user and server connections to the
Community services.
• Allow users to authenticate using either LTPA or Sametime Tokens.
• Display the “Download Sametime Connect for the Desktop” link.
Server Features settings
The Server Features settings allow the administrator to determine which
Community Services options are available for end users. The administrator
can:
• Enable or disable the end-user ability to transfer files
• Enable or disable the end-user ability to send announcements
Sametime Connect for browsers settings
The administrator can use the Community Services configuration settings to
determine which options are available in the Java version of Sametime
Connect (“Sametime Connect for browsers”). These settings do not affect the
Windows version of Sametime Connect (“Sametime Connect for the
desktop”). To change the settings for “Sametime Connect for the desktop,”
you must use the Sametime Client Packager.
The Community Services configuration settings for “Sametime Connect for
browsers” allow you to:
• Enable or disable the end-user ability to save the user name, password,
and proxy information when logging in to the Community Services from
Sametime Connect. This capability controls whether users can use the
automatic login feature of Sametime Connect.
• Display the “Launch Sametime Connect for browsers” link.
The Sametime Administration Tool also allows you to send a Message from
the administrator to all users logged in to the Community Services.
Community Services connectivity settings
For information about the ports used by the Community Services and the
available connectivity options, see “Community Services Network settings”
in Chapter 5.
Community Services server clusters
You can create a Community Services server cluster to support failover and
load balancing for a large community of Community Services users. For
more information on creating a Community Services cluster, see “Overview
of Community Services clustering” in Chapter 17.
Number of entries on each page in dialog boxes that show names in
the directory
The “Number of entries on each page in dialog boxes that show names in the
directory” setting controls the number of user and group names that display
when a user browses the Domino Directory on the Sametime server.
Note If you have configured the Sametime server to connect to an LDAP
server, see “Using LDAP with the Sametime server” in Chapter 4 for
information about using directory browsing features with an LDAP
directory.
An end user can browse the names and groups listed in the Domino
Directory on the Sametime server (or Domino Directories available through
Directory Assistance) when performing the following operations:
• Adding users or groups to the contact list (or presence list) in the
Sametime Connect client
• Adding users or groups to a privacy list (or Who Can See If I Am Online
list) in the Sametime Connect client
• Restricting meeting attendance when creating a meeting in the Sametime
Meeting Center
When an end user browses the names and groups in the directory, the
directory entries (names and groups) are listed on “pages” in a dialog box.
The “Number of entries on each page in dialog boxes that show names in the
directory” setting controls the number of entries that appear on each of these
pages in the dialog box. The end user can select entries from these pages
when adding users to the contact list, a Privacy list, or meeting attendance
Restrictions list. The default is 100 entries per page, the minimum is five
entries, and the maximum is 1440 entries.
It is best to use a setting between 100 and 200 entries. Higher settings cause
more data to be transmitted on the network when a user browses the
Domino Directory.
To change the number of directory entries that appear on each page in the
end-user dialog boxes:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Community Services.
4. In the “Number of entries on each page in dialog boxes that show names
in the directory” field, enter the number of entries that you want to
appear on each page.
5. Click the Update button and restart the server for the change to take
effect.
How often to poll for new names added to the Sametime Community
directory
The Sametime Community Services maintain a cache that contains
information about the users and groups in the community. The user
information that is stored in this cache is gathered from the Domino or
LDAP directory. This cache must be updated (or refreshed) periodically to
ensure that users who have recently been added to a directory can be
displayed in the presence lists of all Sametime clients.
The “How often to poll for new names added to the Sametime Community
directory” setting controls how frequently the cache of user names
maintained by Community Services is updated with new information from
the Domino or LDAP directory. The update occurs only if changes are made
to the directory during the update interval. The default setting is 60 minutes,
the minimum setting is 5 minutes, and the maximum setting is 1440 minutes.
Note Low settings result in frequent updates from the directory and can
adversely affect the performance of the server. Lower settings also cause
more data to be transmitted on the network.
To change how frequently the Domino or LDAP directory is polled for new
user names (and how often the cache is updated):
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Community Services.
4. In the “How often to poll for new names added to the Sametime
Community directory” field, specify a new number to control the time
interval (in minutes) in which polling (and updates, if necessary) will
occur.
5. Click the Update button and restart the server for the change to take
effect.
How often to poll for new servers added to the Sametime Community
If you have installed more than one Sametime server, the Community
Services on each Sametime server must maintain a list of all other Sametime
servers in the Sametime Community. Community Services uses this list to
ensure that users who have different home Sametime servers or different
home clusters can see each other in presence lists and communicate through
instant messaging and chat.
Note For more information on multiple Sametime server environments, see
“Advantages of using multiple Sametime servers” in Chapter 14. For more
information about Community Services clusters, see “Overview of
Community Services clustering” in Chapter 17.
Before installing a Domino server, you must register the Domino server by
creating a Server document for it in the Domino directory. Each Server
document includes an “Is this a Sametime server?” field that identifies the
server as a Sametime server. Community Services uses these fields to build a
list of Sametime servers in the domain (or community). The Sametime
Administration Tool includes a setting that allows the administrator to
control the time interval in which the Community Server receives an
updated list of all Sametime servers from the Domino Directory. The default
setting is 60 minutes, the minimum setting is five minutes, and the
maximum setting is 1440 minutes.
To change how frequently the Domino Directory is polled to detect a new
Sametime server:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Community Services.
4. In the “How often to poll for new servers added to the Sametime
Community” field, specify the time interval in minutes in which polling
(and updates, if necessary) will occur.
5. Click the Update button and restart the server for the change to take
effect.
Maximum user and server connections to the Community server
The administrator can specify the maximum number of connections allowed
to Community Services. The connections include both Sametime client
connections and Sametime server-to-server connections.
A client connection (or Community Services login) occurs when a user starts
the Sametime Connect client, joins a meeting with the Sametime Meeting
Room client, or accesses a Sametime Discussion or TeamRoom database that
contains a presence list.
The lower limit is 50 connections and the upper limit is 20,000. Use the upper
limit only for servers with high-level processing capabilities of at least 512
MB of RAM, a 1 MB network card, and dual processors. Generally, a server
that meets the minimum system requirements can support 8,000 TCP/IP
connections.
Note You can deploy a Community Services multiplexer on a separate
machine from the Sametime server. In this scenario, you cannot use the
“Maximum user and server connections to the Community server” field in
the Sametime Administration Tool to specify the maximum number of
connections to the Community Services. When a Community Services
multiplexer is deployed on a different machine than the Sametime server,
you must use the VPMX_CAPACITY= setting in the Sametime.ini file on the
multiplexer machine to specify the maximum number of connections. For
more information, see “Deploying a Community Services multiplexer on a
separate machine” later in this chapter.
Server-to-server connections occur when the administrator has installed
multiple Sametime servers and different home Sametime servers are
specified for users. When users have different home Sametime servers, two
users can be connected to Community Services on two different Sametime
servers. A server-to-server connection must be established to enable these
users to see each other in presence lists and chat with each other.
To change the maximum user and server connections to the Community
Services:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Community Services.
4. In the “Maximum user and server connections to the Community
server” field, specify the maximum number of connections allowed to
the Community Server.
5. Click the Update button and restart the server for the change to take
effect.
Allow users to authenticate using either LTPA or Sametime Tokens (stauths.nsf and stautht.nsf)
When the “Allow users to authenticate using either LTPA or Sametime
Tokens” option is selected in the Community Services-Configuration settings
of the Sametime Administration Tool, the Sametime server accepts
authentication tokens generated by both the Domino Single-Sign On (SSO)
feature and the Secrets and Tokens databases on the Sametime server. This
option is selected by default.
When the “Allow users to authenticate using either LTPA or Sametime
Tokens” option is not selected, the Sametime server accepts authentication
tokens generated only by the Domino SSO feature (LTPA tokens).
The “Allow users to authenticate using either LTPA or Sametime Tokens”
option must be selected when you require basic password authentication to
the Sametime Meeting Center and:
• The Sametime 3.1 server and Sametime servers from previous releases
(Sametime 2.0, 2.5, or 3.0) function as part of a single Sametime
community.
• All of the servers in your environment are Sametime 3.0 or 3.1 servers
and databases enabled with Sametime technology (such as TeamRoom
and Discussion databases) are in use in the community.
The “Allow users to authenticate using either LTPA or Sametime Tokens”
option can be disabled when you require basic password authentication to
the Sametime Meeting Center and both of the following are true:
• All Sametime servers in your environment are Sametime 3.0 or 3.1
servers.
• Sametime TeamRoom and Discussion databases are not in use in your
environment.
Note By default, anonymous access is allowed to the Sametime Meeting
Center and authentication by token is not enforced on the Sametime server.
For more information, see “Authentication by token using LTPA and
Sametime Tokens” in Chapter 13 and “Turning off anonymous access to the
Sametime Meeting Center” in Chapter 13.
Display the "Download Sametime Connect for the desktop" link
Sametime includes two versions of the Sametime Connect client: a
standalone Windows application and a signed Java applet that runs in a
user's Web browser. The standalone Windows application is called
“Sametime Connect for the desktop.” Use the “Display the 'Download
Sametime Connect for the desktop' link” setting to make the Windows
version of Sametime Connect available or unavailable to end users.
Note The Java version of Sametime Connect is called “Sametime Connect
for browsers.” The availability of this client is controlled from the
“Display the 'Launch Sametime Connect for browsers' link” setting. By
default, both versions of Sametime Connect are available to end users.
End users download and install Sametime Connect for the desktop by
accessing the Sametime server home page with a Web browser, selecting the
“Download” link, and selecting the “Download the Sametime Connect
client” link from the Download page.
The administrator uses the “Display the 'Download Sametime Connect for
the Desktop' link” setting to show or hide the “Download the Sametime
Connect client” link on the Download page.
If the administrator disables the “Display the 'Download Sametime Connect
for the desktop' link” setting, the “Download the Sametime Connect client”
link is hidden on the Download page and end users are unable to download
and install Sametime Connect for the desktop. All other references to
“Sametime Connect for the desktop” are also hidden in the user interface
when the administrator disables this setting.
To allow or prevent users from downloading and installing Sametime
Connect for the desktop (the Windows version of Sametime Connect):
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Community Services.
4. To allow end users to download and install Sametime Connect on their
Windows desktops, place a check mark in the “Display the 'Download
Sametime Connect for the Desktop' link” check box. Selecting this check
box causes the “Download the Sametime Connect client” link to appear
on the Download page on the Sametime server.
To prevent end users from downloading and installing Sametime
Connect on their Windows desktops, clear the check mark from the
“Display the 'Download Sametime Connect for the Desktop' link” check
box. When this setting is disabled, the “Download the Sametime Connect
client” link is hidden from the end users.
5. Click the Update button and restart the server for the change to take
effect.
Allow users to transfer files to each other
Community Services allow end users to transfer files to each other over the
network while using Sametime Connect or attending a Sametime meeting.
The administrator can enable or disable this feature. When you enable this
feature, both authenticated and anonymous users can transfer files.
The file transfer feature does not work with Sametime Links. For more
information about Sametime Links, refer to the Sametime Software
Development Kit (SDK) documentation.
Caution Computer viruses can be spread through transferred files. To
protect against this possibility, users should have current anti-virus software
installed. The anti-virus software real-time protection settings should be
enabled and set to scan all files.
Enabling file transfer
To enable the file transfer feature:
1. Select the “Allow users to transfer files to each other” check box on the
Configuration - Community Services tab in the Sametime
Administration Tool.
Enabling this feature might increase the amount of network bandwidth
consumed by Sametime users. This functionality is similar to allowing
users to attach files to an e-mail and transmit these files on the network.
2. Enter a maximum file size for transferred files, in KB. The default
maximum size is 1000 KB. Keep in mind that the larger this number, the
more network bandwidth it is possible for Sametime users to consume
with file transfers.
When you select this check box, a user who is sending a file can:
• Send a file to anyone who is online (with active or away status) in
Sametime Connect or in an online meeting. Users cannot send files to
people whose status is offline or “do not disturb,” and audience
members in a broadcast meeting cannot send or receive files. The
transferred file must be within the size limit set by the administrator in
step 2 above.
• Send a file to only one person at a time.
• Enter a description of the file.
• Receive notification that the file has been sent.
• Receive notification that the other user has accepted or rejected the file.
Note Users must send files to other users in the Sametime Community.
It is not possible to send a file to an AOL Instant Messenger user or to
someone in an external community using the SIP Gateway functionality.
The person receiving the file can:
• Accept or reject the file.
• See how large the file is before accepting it.
• Save and open the file on his or her computer.
Disabling file transfer
To disable the file transfer feature, clear the “Allow users to transfer
files to each other” check box on the Configuration - Community Services
tab in the Sametime Administration Tool. When you disable this feature,
all references to file transfer are hidden from users in the end user
interface.
Allow users to send announcements
Community Services allow end users to send unencrypted announcements
to others who are online in the Sametime Community. The administrator can
enable or disable this feature.
Note Users of Sametime Links can receive announcements, but cannot
respond to announcements. For more information about Sametime Links,
refer to the Sametime Software Development Kit documentation.
Allowing users to send announcements
To allow users to send announcements, select the “Allow users to send
announcements” check box in the Configuration - Community Services
settings of the Sametime Administration Tool.
When you enable this feature end users can:
• Send unencrypted announcements to anyone who is online in Sametime
Connect or in an online meeting. (To receive an announcement, a user
must be online, and in either active or away status. Users who are offline
or have a status of “do not disturb” do not receive announcements.)
  Note Users must send announcements to other users in the Sametime
  Community. It is not possible to send an announcement to an AOL
  Instant Messenger user or to someone in an external community using
  the SIP Gateway functionality.
• Allow the recipients of the announcement to respond to the
announcement, or prevent them from responding.
Note If a user who is receiving the announcement is logged in from more
than one Community Services application (for example, if a user is in an
online meeting and in a Sametime Discussion database), the announcement
will only be sent to that user once.
Preventing users from sending announcements
To prevent users from sending announcements, clear the “Allow users to
send announcements” check box in the Configuration - Community Services
settings of the Sametime Administration Tool. When you disable this feature,
all menu items and toolbar buttons for sending announcements are removed
from the end user interfaces of both versions of Sametime Connect
(“Sametime Connect for the desktop” and “Sametime Connect for browsers”).
Allow Connect users to save their user name, password, and proxy information (automatic login)
Sametime Connect includes a feature that saves a user's login information
and logs that user into the Connect client automatically. The administrator
can enable or disable this setting in the Java version of Sametime Connect
(“Sametime Connect for browsers”) in the Community Services
configuration settings of the Sametime Administration Tool.
Note You must use the Sametime Client Packager to enable or disable this
feature in “Sametime Connect for the desktop.” For more information about
the Sametime Client Packager, see the Lotus Sametime 3.1 Installation Guide
(stinstall.nsf or stinstall.pdf).
Enabling automatic login
To enable automatic login for “Sametime Connect for browsers,” select the
“Allow Connect users to save their user name, password, and proxy
information (automatic login)” check box in the Configuration - Community
Services options of the Sametime Administration Tool.
When you enable the automatic login feature, a user can select an
“Automatically log me on” option when starting Sametime Connect. If the
user selects this option, the user name, password, and connectivity
information for the user are stored on the Sametime server. The next time the
user starts Sametime Connect, this information is automatically retrieved
from the server. This feature prevents users from having to enter the user
name and password each time Sametime Connect is started.
Note An end user can also select the Options - Preferences - Logon
Information settings in the Sametime Connect client to enable automatic
login to a Sametime or America Online (AOL) server. Note that the user
names, passwords, and connectivity information for both the Sametime and
AOL server are stored on the Sametime server.
Disabling automatic login
Organizations that require strict security might have policies that prevent
storing user names and passwords on the server. If you do not want the user
names and passwords stored on the server, you should disable the automatic
login feature of Sametime Connect. When automatic login is disabled, all
automatic login features are hidden in the user interface of the Sametime
Connect client and automatic login is unavailable to the end users.
To disable the automatic login feature for “Sametime Connect for browsers,”
clear the “Allow Connect users to save their user name, password, and
proxy information (automatic login)” check box in the Configuration -
Community Services options of the Sametime Administration Tool.
Display the "Launch Sametime Connect for browsers" link
Sametime includes two versions of the Sametime Connect client: a
standalone Windows application and a signed Java applet that runs in a
user's Web browser. The Java version of Sametime Connect is called
“Sametime Connect for browsers.” Use the “Display the 'Launch Sametime
Connect for browsers' link” setting to make the Java version of Sametime
Connect available or unavailable to end users.
Note The version of Sametime Connect that runs as a standalone Windows
application is called “Sametime Connect for the desktop.” The availability of
this client is controlled from the “Display the 'Download Sametime Connect
for the desktop' link” setting. By default, both versions of Sametime Connect
are available to end users.
End users start Sametime Connect for browsers by accessing the Sametime
server home page with a Web browser, dragging the cursor over the
“Launch Sametime Connect” option and selecting the “Launch Sametime
Connect for browsers” link. The Web page containing Sametime Connect for
browsers is loaded to the user's Web browser. Sametime Connect for
browsers establishes connections with the Community Services using the
process described in “Sametime Connect client connection process.”
The administrator uses the “Display the 'Launch Sametime Connect for
browsers' link” setting to show or hide the “Launch Sametime Connect for
browsers” link on the Sametime home page. If the administrator disables this
setting, the “Launch Sametime Connect for browsers” link is hidden on the
Sametime server home page and end users cannot use Sametime Connect for
browsers. All other references to Sametime Connect for browsers are also
hidden in the end user interface when this setting is disabled.
Note When both versions of the Sametime Connect client are available to
end users, the link on the server home page that launches the Java version of
Sametime Connect reads “Launch Sametime Connect for browsers.” If the
administrator makes only Sametime Connect for browsers available to end
users, the link reads “Launch Sametime Connect.”
To allow or prevent user access to Sametime Connect for browsers:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Community Services.
4. To allow end users to use the Java version of Sametime Connect, place a
check mark in the “Display the 'Launch Sametime Connect for browsers'
link” check box. Selecting this check box causes the “Launch Sametime
Connect for browsers” link to appear on the Sametime server home
page. To prevent end users from using the Java version of Sametime
Connect, clear the check mark from the “Display the 'Launch Sametime
Connect for browsers' link” check box. When the check mark is cleared
from this setting, the “Launch Sametime Connect for browsers” link is
hidden from the end users.
5. Click the Update button and restart the server for the change to take
effect.
Anonymous Access Settings for Community Services
Anonymous access is allowed to the Sametime Meeting Center database
(stconf.nsf) on the Sametime server by the default Access Control List (ACL)
settings of the database. When the ACL settings of a database allow
anonymous access, a user is not authenticated and is not required to enter a
user name and Internet password when accessing the database.
Note The “Anonymous users can participate in meetings or enter virtual
places” setting in the Configuration - Community Services - Anonymous
Access settings of the Sametime Administration Tool must also be selected to
allow an anonymous user to enter the Sametime Meeting Center. This setting
is selected by default.
The Community Services Anonymous Access Settings in the Sametime
Administration Tool allow the administrator to force a name entry dialog
box to appear when anonymous access is allowed by the ACL settings of the
Sametime Meeting Center (or any other database that includes Sametime
technology). The name entry dialog box accepts any name the user provides
and has no security functions. The name entered by the user is for presence
list display purposes only.
The display name serves to uniquely identify the user in any presence list in
the Sametime Meeting Center or other database enabled with Sametime
technology.
If you allow anonymous access to the Sametime Meeting Center (or other
Sametime database that includes a presence list), and you do not force this
name entry dialog box to appear, every user present in the meeting or
database is listed as “Anonymous” in the presence list.
Note To force users to authenticate (enter a user name and password that is
verified against entries in a directory) when accessing a database, change the
database ACL settings. For more information, see “Using database ACLs for
identification and authentication” in Chapter 13 and “Basic password
authentication and database ACLs” in Chapter 13.
The administrator can also specify the level of access that anonymous users
have to the directory. These administrative settings control an anonymous
user's ability to search for entries in a directory or browse a list of all entries
in the directory.
The Anonymous Access settings include:
• Anonymous users can participate in meetings or enter virtual places.
• Users of Sametime applications (databases such as stconf.nsf or Web
sites) can specify a display name so that they do not appear online as
“Anonymous.”
• Default domain for anonymous users.
• Default name.
• Directory Searching and Browsing options:
  • Users cannot search or browse the directory.
  • Users can type names (resolve users and groups) to add them to an
  awareness list.
  • Users can browse the directory (see a list of names) or type names
  (resolve users and groups).
  • Users can browse the directory to see group content and names, or
  type names (resolve users and groups).
Anonymous users can participate in meetings or enter virtual places
The “Anonymous users can participate in meetings or enter virtual places”
setting must be selected to enable an anonymous user to attend a meeting in
the Sametime Meeting Center (stconf.nsf) or access any other database that
includes Sametime functionality (such as a presence list).
Note The ACL settings of the Sametime Meeting Center (stconf.nsf) must
also allow anonymous access to enable anonymous users to attend meetings
in the Sametime Meeting Center.
When the “Anonymous users can participate in meetings or enter virtual
places” setting is selected, the administrator can use the following settings in
the Configuration - Community Services - Anonymous Access tab of the
Sametime Administration Tool to control how the anonymous users enter
display names when accessing the Sametime Meeting Center.
• Users of Sametime applications (databases such as stconf.nsf or Web
sites) can specify a display name so that they do not appear online as
anonymous.
• Default domain name for anonymous users.
• Default name.
Note The settings listed above do not take effect unless the “Anonymous
users can participate in meetings or enter virtual places” setting is selected.
About "virtual places"
A “virtual place” is a programming concept. An example of a virtual place is
an online meeting or a particular Discussion database.
Users can enter a virtual place and have awareness of other users in the
same virtual place. For example, a user can enter a Sametime meeting and
use the Participant List of the Meeting Room client to have awareness of
other users who are attending the same meeting (or who are in the same
“virtual place”). This capability is sometimes called “Place-based
awareness.”
Place-based awareness differs from “Community-wide awareness.” In the
example above, the Participant List in the Sametime Meeting Room client
displays the names of users who are attending the meeting, but does not
display members of the Sametime community who are online, but not
attending the meeting. With Community-wide awareness, users can have
awareness of any user in the Community (any user entered in the directory)
who is online. Sametime Connect provides users with Community-wide
awareness functionality. Anonymous users are not allowed to have
Community-wide awareness in any Sametime clients.
The Sametime Software Development Kit provides developers with the
capability to build programs that create virtual places. The “Anonymous
users can participate in meetings or enter virtual places” setting also controls
the ability of anonymous users to enter virtual places created by
custom-built applications created with the Sametime Software Development
Kit.
For more information on virtual places, see the Sametime Software
Development Kit documentation available from the SDK link on the
Sametime server home page.
Users of Sametime applications can specify a display name so that they do not appear online as "anonymous."
The “Users of Sametime applications can specify a display name so that they
do not appear online as anonymous” setting enables an anonymous user to
enter a unique display name when accessing a database or application (such
as the Sametime Meeting Center) that includes a Sametime presence list. This
display name allows the anonymous user to be individually identified in any
presence lists in the Sametime application.
The following conditions are required to allow anonymous users to access a
Sametime application or database. Both of these conditions exist by default
following a Sametime server installation:
• The ACL settings of the database (for example, the Sametime Meeting
Center) must allow anonymous access.
• The “Anonymous users can participate in meetings or enter virtual
places” setting in the Configuration - Community Services - Anonymous
Access settings of the Sametime Administration Tool must be selected.
When both of the above conditions are true, you can select the “Anonymous
users of Sametime applications can specify a display name so that they do
not appear online as anonymous” setting to force a name entry dialog box to
appear when an anonymous user enters the Sametime Meeting Center (or
other Sametime database that includes a presence list).
The name entry dialog box that appears enables a user to enter a name so
that the user can be individually displayed in the Sametime Meeting Room
Participant List (or any other presence list in a Sametime database). The
name entry dialog box accepts any name that the user enters; the name is for
display purposes only in the presence list. The user is not authenticated.
If the ACL settings of a Sametime database allow anonymous access and the
“Anonymous users of Sametime applications can specify a display name so
that they do not appear online as anonymous” setting is not selected, users
are not required to enter a user name when attending a meeting. Every
meeting participant is displayed as “Anonymous” in the Sametime Meeting
Room Participant List (or other presence list). Meeting participants will be
unable to distinguish one participant from another in the presence list.
Note For information on the ACL settings required to prevent anonymous
users from accessing a Sametime database, see “Anonymous access and the
Sametime Meeting Center” in Chapter 13.
If the “Users of Sametime applications can specify a display name…” setting
is selected, you can also edit the “Default domain for anonymous users” and
“Default name” settings described below.
Default domain for anonymous users
If the “Users of Sametime applications can specify a display name so that
they do not appear online as anonymous” setting is selected, you are forcing
a name entry dialog box to appear when a user accesses a Sametime
database (such as stconf.nsf) that has ACL settings that allow anonymous
access.
The “Default domain for anonymous users” setting enables a domain name
to be automatically appended to the name entered by the user at the name
entry dialog box.
For example, if the “Default domain for anonymous users” setting contains
the entry “/Guest,” and a user enters “John Smith” at the name entry dialog
box, the user's name appears as “John Smith/Guest” in the Meeting Room
Participant List.
Default name
If the “Users of Sametime applications can specify a display name so that
they do not appear online as anonymous” setting is selected, you are forcing
a name entry dialog box to appear when a user accesses a Sametime
database (such as stconf.nsf) that has ACL settings that allow anonymous
access.
The “Default name” setting enables you to specify a name to appear by
default in the name entry dialog box.
For example, if the “Default name” setting contains the entry “User,” the
first person entering a meeting sees “User” displayed by default in the user
name field of the name entry dialog box. If the person accepts the default
and enters the meeting, the person is identified as “User 1” in any
Participant List or presence list in the database.
For each person who accepts the default name, the number that follows the
default name is incremented by one. For example, the next two users who
accept the default name setting in the name entry dialog box are identified as
“User 2” and “User 3” in any Participant List or presence list in the database.
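The anonymous-access rules described above (the two conditions for anonymous entry, the display name dialog, the default domain suffix, and the incrementing default name) modelled as a small simulation. This is example code added for this page, not Sametime code; the database name, the per-database counter, and the appending of the default domain to generated “User N” names are assumptions of the example.

```python
# Constructed model of the Community Services anonymous-access rules described
# in this chapter. Example code written for this page, not Sametime code.
from dataclasses import dataclass, field


@dataclass
class AnonymousAccessSettings:
    """The settings the guide says govern anonymous entry and display names."""
    acl_allows_anonymous: bool = True        # database ACL (stconf.nsf allows it by default)
    anonymous_can_participate: bool = True   # "Anonymous users can participate..." (default on)
    can_specify_display_name: bool = False   # "Users of Sametime applications can specify..."
    default_domain: str = ""                 # "Default domain for anonymous users", e.g. "/Guest"
    default_name: str = ""                   # "Default name", e.g. "User"

    def admits_anonymous(self) -> bool:
        # Both conditions must hold; either one alone is not enough.
        return self.acl_allows_anonymous and self.anonymous_can_participate


class AccessDenied(Exception):
    """Raised when an unauthenticated user tries to enter a database that denies it."""


@dataclass
class PresenceList:
    """One database's presence list, such as the Meeting Room Participant List.

    The counter for accepted default names is kept per database (assumption),
    which reproduces the guide's "User 1", "User 2", "User 3" sequence.
    """
    settings: AnonymousAccessSettings
    accepted_defaults: int = 0
    members: list = field(default_factory=list)

    def enter(self, typed_name: str = "") -> str:
        """Return the name shown in the presence list for an anonymous user.

        typed_name is what the user typed at the name entry dialog; "" means
        the user accepted whatever the dialog offered. Nothing here
        authenticates the user: the name is for display only, as the guide
        states, so it must never be used for access decisions.
        """
        s = self.settings
        if not s.admits_anonymous():
            raise AccessDenied("ACL or Community Services settings deny anonymous access")

        if not s.can_specify_display_name:
            # No dialog: every anonymous participant is listed as "Anonymous".
            shown = "Anonymous"
        else:
            name = typed_name.strip() or s.default_name
            if name and name == s.default_name:
                # Accepted the default: the number after it is incremented by one.
                self.accepted_defaults += 1
                name = f"{s.default_name} {self.accepted_defaults}"
            # Assumption: the default domain is appended to generated "User N"
            # names too; the guide shows the suffix only for a typed name.
            # Assumption: no name and no default falls back to "Anonymous".
            shown = (name + s.default_domain) if name else "Anonymous"

        self.members.append(shown)
        return shown

    def participants_distinguishable(self) -> bool:
        """True when no two entries in this presence list read the same."""
        return len(set(self.members)) == len(self.members)
```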
Directory Searching and Browsing options
In some cases, the administrator might need to specify the level of access that
an anonymous user of a database enabled with Sametime technology has to
the directory.
For security purposes, the administrator can limit an anonymous user's
ability to view names in the directory. The “Directory Searching and
Browsing” options might be used to prevent anonymous users from
browsing all names in a directory or searching for names in the directory.
Also, applications that are custom-built by Sametime developers using the
Sametime Software Development Kit might require specific Community
Services “Directory Searching and Browsing” settings configurations to
enable the custom applications to function properly.
Note The term “anonymous user” refers to a user who is not authenticated
when accessing a database enabled with Sametime technology. The ACL
settings of the database determine whether a user is authenticated or
allowed to access the database anonymously.
The four “Directory Searching and Browsing” options are described below.
Users cannot search or browse the directory
If this option is selected, anonymous users cannot search or browse the
directory.
Users can type names (resolve users and groups) to add them to an awareness list
If this option is selected, anonymous users can type text in an end-user
search interface to search for person or group entries in the directory.
However, users cannot view (or browse) a list containing all entries in the
directory. Users might perform such searches to add users to a presence list.
Users can still browse the directory when scheduling meetings in the
Sametime Meeting Center. This setting does not affect a user's ability to
browse the directory when creating a meeting in the Sametime Meeting
Center.
Users can browse the directory (see a list of names) or type names (resolve users and groups)
If this option is selected, anonymous users can type text in an end-user
search interface and search for group or person entries in the directory.
Anonymous users can also browse lists that contain all entries in the
directory. When this option is selected, anonymous users can see all group
and name entries in the directory, but cannot see the content of a group entry
(the list of names within a group entry).
Note If Sametime is configured to connect to an LDAP server, users cannot
browse the LDAP directory on the LDAP server.
Users can browse the directory when scheduling meetings in the Sametime
Meeting Center. This setting does not affect a user's ability to browse the
directory when creating a meeting in the Sametime Meeting Center.
Users can browse the directory to see group content and names, or
type names (resolve users and groups)
If this option is selected, anonymous users have all searching and browsing
privileges described for the “Users can browse the directory (see a list of
names) or type names (resolve users and groups)” setting above. In addition,
users can search and browse within group entries in the directory and access
the user and group names that are specified within group entries in the
directory.
Users can browse the directory and examine the contents of groups in the
directory when scheduling meetings in the Sametime Meeting Center. This
setting does not affect a user's ability to browse the contents of groups when
creating a meeting in the Sametime Meeting Center.
Allowing users to control the default screen location and size of chat
windows
When a Sametime server is in its default state, end users cannot control the
default screen location or screen size of chat windows. For example, when a
Sametime Connect user initiates a chat session with another user, the chat
window always pops up immediately to the left of the Sametime Connect
window.
The administrator can configure a Sametime server so that users can
determine the screen location and size that a chat window will have when
the window first pops up on the user's screen.
Note This configuration must be performed on a user's “home” Sametime
server for the user to have access to this feature. For more information about
the home Sametime server, see “Community Services connectivity and the
home Sametime server” in Chapter 5.
When the administrator has configured a user's home Sametime server in
this way, the end user can perform the following actions to control the
default screen location and size of chat windows:
1. An end user initiates a chat session with another user from the Sametime
Connect client. The chat window pops up immediately to the left of the
Sametime Connect client.
Chapter 6: Configuring the Community Services 339
2. The end user moves the chat window to the upper-left corner of the
screen (or any other desired screen location) and resizes the chat
window.
3. The end user selects the “Set dialog as default” item from the “Options”
menu in the chat window.
After the user has performed these actions, the chat window will always pop
up at the screen location and size that it has at the time the user selects the
“Set dialog as default” menu item. The chat window pops up at this location
and size any time the user initiates a chat session with another user or
another user initiates a chat session with this user.
After the user sets a default screen location and size for the chat window, the
user has the following options for controlling chat window behavior:
• The user can move the chat window from the selected default location
without changing the default location. For example, the user can move
the chat window from the upper-left corner of the screen to the
lower-right corner of the screen. The chat window will remain
positioned in the lower right corner of the screen for the remainder of
the chat session (unless the user moves it again).
When the user starts a new chat session with a different user, the initial
chat window for the new chat session will pop up at the user-defined
default location (the upper-left corner of the screen), not the location to
which the screen was moved in the previous chat.
• The user can move the chat window from the selected default location
and specify a new default location. For example, the user can move the
chat window from the upper-left corner of the screen to the lower-right
corner and select the “Set dialog as default” menu item. The lower-right
corner of the screen becomes the new default screen location. The initial
chat window for all subsequent chat sessions will pop up in the
lower-right corner of the screen.
One-to-one chat windows and n-way chat windows
There are two different chat windows launched from Sametime clients:
“one-to-one” chat windows and “n-way” chat windows. The default
locations of these windows must be set separately.
A “one-to-one chat window” launches when one user engages one other user
in a chat session. An “n-way chat window” launches when one user invites
more than one other user to a chat session (an “n-way” chat session is any
chat session consisting of three or more users).
A user must specify individual default locations for each of these chat
windows. For example, if the user selects the “Set dialog as default” menu
item while engaged in a one-to-one chat, this setting will only apply to the
one-to-one chat window. The user must also select the “Set dialog as
default” menu item while engaged in an n-way chat to set the default
location of the n-way chat window. The default setting for the one-to-one
chat window can be different than the default setting of the n-way chat
window.
Note This feature does not control the default location and size of the
Meeting Room client window that appears when a user starts an instant
meeting from Sametime Connect. This feature applies only to chat windows.
Enabling users to select the default location and size of chat windows
To enable users to select the default location and size of chat windows, the
administrator must add an ST_FIX_CHAT_SUPPORTED setting to the
[Client] section of the Sametime.ini file on the Sametime server.
To enable users to select the default location and size of chat windows:
1. Use a text editor to open the Sametime.ini file on the Sametime server.
The Sametime.ini file is located in the Sametime installation directory.
Note Sametime installs into the same directory as the Domino server.
The default Sametime installation directory is C:\Lotus\Domino.
2. The Sametime.ini file contains a [Client] section. At the bottom of the
[Client] section, manually add the following setting by typing it into the
Sametime.ini file:
ST_FIX_CHAT_SUPPORTED=1
Note You can change the value of the setting above to zero to disable
this feature. For example, ST_FIX_CHAT_SUPPORTED=0 disables the
feature.
3. Save and close the Sametime.ini file and restart the Sametime server.
After the administrator enables the feature and restarts the server, end users
can use the “Set dialog as default” setting in the Sametime Connect client to
set the default locations of chat windows.
Chat Logging
Programming tools are available to implement chat logging on a Sametime
server. The chat logging feature can capture all chat conversations that occur
on the Sametime server, including instant messages, chat conferences (chats
involving more than two people), and Meeting Room chats. The text of these
conversations is stored on the server and retrievable through the chat
logging feature.
For more information on chat logging, see the Sametime Software
Development Kit documentation available from the SDK link at the bottom
of the Sametime server home page.
Deploying a Community Services multiplexer on a separate machine
This section discusses the performance advantages and procedures
associated with deploying a Community Services multiplexer on a separate
machine from the Sametime server.
Note This section discusses deploying a separate multiplexer in front of a
Sametime server machine (or machines) that does not operate as part of a
Community Services cluster. If you want to deploy a separate Community
Services multiplexer to handle connections for a Community Services
cluster, do not use the procedures in this section. To deploy a separate
Community Services multiplexer in front of a Community Services cluster,
see “Deploying separate Community Services multiplexers (optional)” in
Chapter 18.
Each Sametime server contains a Community Services multiplexer (or MUX)
component. The function of the Community Services multiplexer is to handle
and maintain connections from Sametime clients to the Community Services
on the Sametime server.
During a normal Sametime server installation, the Community Services
multiplexer is installed with all other Sametime components on the
Sametime server machine. The Sametime server CD provides an option to
install only the Community Services multiplexer component. This option
enables the administrator to install the Community Services multiplexer on a
different machine than the Sametime server.
When the Sametime Community Services multiplexer is installed on a
different machine than the Sametime server:
• The Sametime Connect clients connect to the Community Services
multiplexer machine, not the Sametime server. This configuration frees
the Sametime server from the burden of managing the live client
connections; the multiplexer machine is dedicated to this task.
• The Community Services multiplexer maintains a single IP connection to
the Sametime server. The data for all Community Services clients is
transmitted over this single IP connection to the Community Services on
the Sametime server.
In this scenario, the Community Services connection-handling load is
removed from the Sametime server. The Sametime server does not need to
employ system resources to maintain thousands of client connections.
Removing the connection-handling load from the Sametime server ensures
these system resources can be dedicated to other Community Services
processing tasks.
The Community Services multiplexer machine dedicates its system resources
to handling client connections but does not perform other Community
Services processing. Distributing the Community Services workload between
multiple servers in this way enables the Community Services on the
Sametime server to handle a larger number of connections (users) and to
function more efficiently.
Performance improvements with a separate multiplexer
If the Community Services multiplexer operates on the same machine as the
Sametime server, the Sametime server can handle approximately 8,000 to
10,000 Community Services connections and also perform other Community
Services processing tasks adequately.
However, if the Sametime server is not required to expend system resources
to maintain client connections, the server can service approximately 100,000
connections. (The Sametime server is capable of processing the Community
Services data that is passed over 100,000 connections if it does not have to
maintain the connections themselves.)
Note This estimate of 100,000 connections assumes that the Meeting
Services and Broadcast Services are not in use. If the Sametime server is
simultaneously supporting interactive meetings and broadcast meetings, it
will support fewer Community Services users.
When a Sametime Community Services multiplexer is installed on a separate
machine, the Community Services multiplexer can support approximately
20,000 live IP port connections. You can also deploy multiple Community
Services multiplexers in front of a Sametime server.
To summarize the performance benefits of a separate multiplexer
deployment, consider the following example:
• You can install three separate Community Services multiplexers in front
of a single Sametime server. If each Community Services multiplexer
handles 20,000 connections, as many as 60,000 users can be connected to
a single Sametime server at one time.
• If the Sametime server is capable of servicing 100,000 connections, the
server performance will not degrade under the load produced by 60,000
connections.
• If the multiplexer operates on the Sametime server instead of being
deployed separately, the Sametime server can service a maximum of
10,000 users. By deploying three separate multiplexers in front of a
single Sametime server, you can service 50,000 more users (assuming
one connection per user) than if the multiplexer operates on the same
machine as the Sametime server.
• If you deploy separate multiplexers in the manner described above, you
can also implement a rotating DNS system, or IBM WebSphere Edge
Server, in front of the multiplexers to load balance connections to the
separate multiplexers.
To deploy separate Community Services multiplexers in your Sametime
environment, see “Installing and setting up a separate Community Services
multiplexer” below.
Installing and setting up a separate Community Services multiplexer
Installing and setting up a separate Community Services multiplexer
involves the following considerations and procedures:
1. Community Services multiplexer preinstallation considerations.
2. Install the Community Services multiplexer.
3. Configure security settings in the Configuration database on the
Sametime server.
4. Configure settings in the Sametime.ini file on the multiplexer machine.
5. Configure client connectivity to the multiplexer machine.
6. (Optional) Dynamically load balancing connections to the multiplexers.
Community Services multiplexer preinstallation considerations
Considering the requirements of the Community Services multiplexer
machine is the first of six procedures associated with installing and setting
up a separate Community Services multiplexer.
Consider the following before installing a Community Services multiplexer
on a separate machine:
• The minimum system requirements for the Community Services
multiplexer machine are the same as the system requirements for the
core Sametime server. For more information, see the Sametime Installation
Guide (stinstall.nsf or stinstall.pdf).
A machine that meets the minimum system requirements should be able
to handle approximately 20,000 simultaneous client connections.
Testing indicates that machines with dual 1133 MHz CPUs and 2 GB of
RAM can handle approximately 30,000 simultaneous client connections.
• TCP/IP connectivity must be available between the Community Services
multiplexer machine and the Sametime server. Port 1516 is the default
port for the connection from the Community Services multiplexer
machine to the Sametime server.
Next step:
Install the Community Services multiplexer machine
Install the Community Services multiplexer
Installing the Community Services multiplexer machine is the second of six
procedures associated with installing and setting up a separate Community
Services multiplexer.
To install the Community Services multiplexer:
1. Insert the Sametime CD into the Community Services multiplexer
machine and choose the option to install the Community Services
multiplexer (or MUX).
2. Follow the instructions on the installation screens. Ensure that you enter
the DNS name or IP address of the Sametime server to which the
multiplexer will connect. The DNS name or IP address of the Sametime
server is the only significant parameter you must enter during the
Community Services multiplexer installation.
3. You can repeat these steps to install additional Community Services
multiplexers on other machines.
Next step:
Configure security settings in the Configuration database on the Sametime
server.
Configure security settings in the Configuration database on the
Sametime server
Configuring security settings in the Configuration database is the third of six
procedures associated with installing and setting up a separate Community
Services multiplexer.
After you have installed the Community Services multiplexer on a separate
machine, you must configure the Sametime server to accept connections
from the Community Services multiplexer.
A Sametime server only accepts connections from a Community Services
multiplexer that is listed in the stconfig.nsf database on the Sametime server.
Specifically, the Community Services multiplexer machine must be listed in
the “CommunityTrustedIps” field of a “CommunityConnectivity” document
in the stconfig.nsf database. This security setting prevents a Community
Services multiplexer on unauthorized machines from connecting to the
Sametime server.
To enable the Sametime server to accept connections from the Community
Services multiplexer(s):
1. Use a Lotus Notes client to open the stconfig.nsf database on the
Sametime server.
2. Open the CommunityConnectivity document in the stconfig.nsf
database by double-clicking on the date associated with the document.
If the CommunityConnectivity document does not exist in the
stconfig.nsf database, you must create it. To create the
CommunityConnectivity document, choose
Create-CommunityConnectivity from the menu bar in the stconfig.nsf
database.
3. In the “CommunityTrustedIps” field, enter the IP addresses of the
Community Services multiplexer machine(s). If you enter multiple
addresses, separate each address with a comma.
Note The IP addresses of SIP Connector machines associated with a
Sametime community are also entered in this field.
4. Save and close the CommunityConnectivity document.
Next step:
Configure settings in the Sametime.ini file on the multiplexer machine.
Configure settings in the Sametime.ini file on the multiplexer machine
Configuring settings in the Sametime.ini file is the fourth of six procedures
associated with installing and setting up a separate Community Services
multiplexer.
When the multiplexer is installed on a separate machine, the configuration of
the multiplexer is controlled by the settings in the Sametime.ini file on the
multiplexer machine. In most cases, it is not necessary to change any of the
settings in the Sametime.ini file but you should review the information
below to be sure.
The configuration parameters in the Sametime.ini file include:
• The host name of the Sametime server to which the Community Services
multiplexer connects (specified during the Community Services
multiplexer installation and in the stconfig.nsf database as discussed in
the previous procedure).
• The port the Community Services multiplexer uses to establish the
connection with the Sametime server (default port 1516).
• The maximum number of simultaneous connections allowed to the
multiplexer.
To specify a maximum number of simultaneous connections, use the
VPMX_CAPACITY= parameter of the Sametime.ini file. The default
value is 20,000 connections (for example, VPMX_CAPACITY=20000).
Notes about the VPMX_CAPACITY= setting:
• The Sametime Administration Tool contains a
Configuration-Community Services-Maximum user and server
connections to the Community Server setting that controls the
maximum number of Community Services connections allowed to the
Sametime server. When the Community Services multiplexer is
installed on a separate machine, Community Services users do not
connect to the Sametime server and the “Maximum user and server
connections to the Community Server” setting cannot be used to
control the maximum number of connections allowed. Use the
VPMX_CAPACITY= parameter in the Sametime.ini file to control the
maximum number of connections instead of the setting in the
Sametime Administration Tool.
• Multiplexer machines that meet the minimum system requirements
can successfully handle 20,000 connections. This value may vary
depending on the processing capabilities of the multiplexer machine.
Multiplexer machines that have dual 1133 MHz CPUs and 2 GB of
RAM can successfully handle as many as 30,000 connections.
If it is necessary to modify the settings above, open the Sametime.ini file on
the Community Services multiplexer machine with a text editor, alter the
setting, and save the Sametime.ini file.
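The two settings that decide whether a separate multiplexer deployment works at all are the CommunityTrustedIps allowlist on the server (the previous procedure) and VPMX_CAPACITY= on each multiplexer machine (this procedure). The following audit script is an added example, not code from this guide or from Lotus Sametime: it assumes the field value is supplied as the comma-separated text the administrator typed, that Sametime.ini parses as a standard INI file, and, because the guide does not name the section that holds VPMX_CAPACITY, it scans every section; the section name [Config] and the addresses 11.22.33.66 and 11.22.33.99 in the sample data are placeholders.

```python
"""Audit a separate Community Services multiplexer deployment.

Added example (not code from the guide or from Lotus Sametime). It checks the
comma-separated CommunityTrustedIps field of the CommunityConnectivity
document in stconfig.nsf against the multiplexers actually deployed, and reads
VPMX_CAPACITY= from each multiplexer's Sametime.ini. Assumptions: the field
value is the text the administrator typed; Sametime.ini is a standard INI file;
the section holding VPMX_CAPACITY is not named in the guide, so all sections
are scanned. All addresses and INI contents below are constructed sample data.
"""
import configparser
import ipaddress

DEFAULT_VPMX_CAPACITY = 20000   # default VPMX_CAPACITY stated in the guide
TESTED_MAX_CAPACITY = 30000     # dual 1133 MHz / 2 GB RAM machines, per the guide
SERVER_CAPACITY = 100000        # connections the server can service when it holds none


def parse_trusted_ips(field_value):
    """Split the CommunityTrustedIps field; returns (valid addresses, rejected entries)."""
    trusted, rejected = set(), []
    for item in field_value.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            trusted.add(str(ipaddress.ip_address(item)))
        except ValueError:
            rejected.append(item)   # hostnames or typos: the field holds IP addresses only
    return trusted, rejected


def read_vpmx_capacity(ini_text):
    """Return VPMX_CAPACITY from Sametime.ini text, or the documented default if absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str   # keep keys such as VPMX_CAPACITY case-sensitive
    parser.read_string(ini_text)
    for section in parser.sections():
        if parser.has_option(section, "VPMX_CAPACITY"):
            return int(parser.get(section, "VPMX_CAPACITY"))
    return DEFAULT_VPMX_CAPACITY


def audit_deployment(trusted_field, muxes, other_trusted=()):
    """muxes: list of (ip, sametime_ini_text); other_trusted: e.g. SIP Connector IPs.

    Returns (findings, total_capacity). An empty findings list means the server
    will accept every multiplexer and the aggregate capacity fits the server.
    """
    findings = []
    trusted, rejected = parse_trusted_ips(trusted_field)
    for item in rejected:
        findings.append(f"CommunityTrustedIps: {item!r} is not an IP address")
    mux_ips = {ip for ip, _ in muxes}
    total = 0
    for ip, ini_text in muxes:
        if ip not in trusted:
            findings.append(f"{ip}: missing from CommunityTrustedIps; the server will refuse it")
        cap = read_vpmx_capacity(ini_text)
        total += cap
        if cap > TESTED_MAX_CAPACITY:
            findings.append(f"{ip}: VPMX_CAPACITY={cap} exceeds the tested maximum {TESTED_MAX_CAPACITY}")
    # Entries nobody accounts for widen the allowlist for no reason.
    for ip in sorted(trusted - mux_ips - set(other_trusted)):
        findings.append(f"{ip}: trusted but not a known multiplexer or SIP Connector (stale entry?)")
    if total > SERVER_CAPACITY:
        findings.append(f"aggregate capacity {total} exceeds the server estimate of {SERVER_CAPACITY}")
    return findings, total


# Constructed sample data: 11.22.33.44 and .55 are the addresses used in the guide's
# rotating DNS example; .66 (a third multiplexer) and .99 (a SIP Connector) are
# placeholders invented here, as is the [Config] section name.
TRUSTED_FIELD = "11.22.33.44, 11.22.33.55, 11.22.33.99"
MUX1_INI = "[Config]\nVPMX_CAPACITY=20000\n"
MUX2_INI = "[Config]\n"                         # no VPMX_CAPACITY: the default applies
MUX3_INI = "[Config]\nVPMX_CAPACITY=45000\n"    # above the tested maximum
MUXES = [("11.22.33.44", MUX1_INI), ("11.22.33.55", MUX2_INI), ("11.22.33.66", MUX3_INI)]

if __name__ == "__main__":
    findings, total = audit_deployment(TRUSTED_FIELD, MUXES, other_trusted={"11.22.33.99"})
    print(f"aggregate multiplexer capacity: {total}")
    for line in findings:
        print("FINDING:", line)
```

On the sample data the audit reports that 11.22.33.66 is not in the allowlist and that its VPMX_CAPACITY is above the tested maximum.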
Next step:
Configuring client connectivity to the Community Services multiplexer
machine.
Configuring client connectivity to the Community Services multiplexer
machine
Configuring client connectivity to the Community Services multiplexer
machine is the fifth of six procedures associated with installing and setting
up a separate Community Services multiplexer.
After you have installed and configured the Community Services
multiplexer, you must ensure that Sametime Connect clients are configured
to connect to the Community Services multiplexer instead of the Sametime
server.
A Sametime Connect client attempts to connect to the network address
specified in the Options-Preferences-Sametime Connectivity-Host setting
available on the Sametime Connect client.
To ensure that Sametime Connect clients connect to the Community Services
multiplexer machine instead of the Sametime server machine, each user in
the Sametime community must enter the DNS name or IP address of the
Community Services multiplexer machine in the “Host” field of the
Sametime Connect clients. For example, each user may need to perform this
procedure:
1. Open Sametime Connect.
2. Choose Options-Preferences-Sametime Connectivity.
3. In the Host field enter the DNS name of the Community Services
multiplexer machine.
If you have deployed multiple Community Services multiplexers, your
user community should connect to these multiplexers in a balanced
fashion. For example, if you have deployed two Community Services
multiplexers, half of your users should configure the Sametime Connect
client to connect to multiplexer 1 and the other half of the users should
configure Sametime Connect to connect to multiplexer 2.
Notes about configuring client connectivity:
• If users have not yet downloaded the Sametime Connect clients from the
Sametime server, you can run the Sametime client packager application
on a Sametime server to ensure that each Sametime Connect client
downloaded from a Sametime server is pre-configured with the
appropriate connectivity settings for your environment. Using the client
packager prevents end users from having to manually change the
connectivity settings. For more information, see the Sametime
Installation Guide (stinstall.nsf or stinstall.pdf).
• The next topic discusses an optional configuration you can employ to
provide a more dynamic form of connection load balancing across
multiple Community Services multiplexer machines than is discussed
above. If you dynamically load balance connections to the multiplexers,
the Host field in the Sametime Connect client must contain the DNS
name or IP address of the load balancing mechanism, not the
multiplexer machine as described above.
Next step:
(Optional) Dynamically load balancing client connections to the multiplexers.
(Optional) Dynamically load balancing client connections to the
multiplexers
Dynamically load balancing connections to multiple Community Services
multiplexers is the last of six procedures associated with installing and
setting up a separate Community Services multiplexer.
Dynamically load balancing connections is an optional procedure. Also, this
procedure is only valid when you have installed multiple Community
Services multiplexers.
To dynamically load balance client connections to multiple Community
Services multiplexers, you can do one of the following:
• Set up a rotating DNS system to accomplish load balancing. Use rotating
DNS to associate the IP addresses of the Community Services
multiplexer machines to a single DNS name.
For example, associate the IP address of Community Services
multiplexer machine 1 (11.22.33.44) and Community Services
multiplexer machine 2 (11.22.33.55) to the DNS name
cscluster.sametime.com.
• Set up an IBM WebSphere Edge Server (Network Dispatcher) in front of
the Sametime servers that you intend to cluster. Use the WebSphere
Edge Server Network Dispatcher to distribute connections to the
Community Services multiplexer machines. See the documentation for
the IBM WebSphere Edge Server for more information.
Notes about dynamically load balancing client connections to the
multiplexers:
• The topic “Set up the load-balancing mechanism (rotating DNS or
Network Dispatcher)” in Chapter 18 illustrates a rotating DNS system
set up in front of a separate multiplexer deployment. Note that the
deployment shown in that topic illustrates multiple multiplexers in front
of a Community Services server cluster instead of a single, non-clustered
Sametime server.
• For information about rotating DNS limitations, see “Rotating DNS
Limitations with cached DNS resolve requests” in Chapter 18.
Enabling Sametime Connect for browsers to function in kiosk mode
In some Sametime deployments, it may be necessary for multiple users to
access the Sametime Connect for browsers client on a Sametime server from
the same client machine. For example, several different users may access the
Sametime Connect client from the same public computer in an airport. In
situations where it is necessary for multiple users to access the Sametime
Connect for browsers client from the same client machine, you can enable
the Sametime Connect for browsers client to function in kiosk mode.
When the Sametime Connect for browsers client loads on a computer, a
JavaConnect.ini file is created on that computer. The JavaConnect.ini file
stores many of the client preference settings that a user selects from the
menus in the Sametime Connect for browsers client.
When different users access the Sametime Connect for browsers client from
the same machine, each user will start a different instance of the Sametime
Connect for browsers client on that machine. These different instances of the
Sametime Connect for browsers client will modify the single JavaConnect.ini
file on that machine. In this scenario, it is possible for a current user to gain
access to the preferences settings of a previous user because the
JavaConnect.ini file will contain the values specified by the most recent user.
This possibility may pose some security risks and may also cause the
Sametime Connect for browsers client to operate in unexpected ways for the
end users.
To prevent these problems, you can configure the Sametime Connect for
browsers client to operate in kiosk mode.
When the Sametime Connect for browsers client operates in kiosk mode, the
client preference settings are not stored on the client machine (the
JavaConnect.ini file is not created on the client machine). The client
preference settings are stored in memory and the settings a user makes are
valid only for the duration of the current instant messaging session. When
the user closes the Sametime Connect for browsers client, the settings are lost
and cannot be picked up by a subsequent instance of the Sametime Connect
client that loads on that machine.
When the Sametime Connect for browsers client operates in kiosk mode, the
administrator can also set the default connectivity configuration of the
Sametime Connect for browsers client. Specifying the default connectivity
configuration ensures that the client loads with the default connectivity
settings required to successfully connect to the Sametime server from the
client machine. For more information about specifying the default
connectivity configuration, see “Changing the default connectivity settings
of the Sametime Connect for browsers client” in Chapter 5.
Note If you enable the Sametime Connect for browsers client to operate in
kiosk mode, it is not mandatory to also specify the default connectivity
configuration of the Sametime Connect for browsers client. Specifying the
default connectivity configuration is a separate optional procedure from
enabling the client to function in kiosk mode.
Enabling the kiosk mode
To enable kiosk mode, the administrator must add the following applet
parameter to the HTML code on the Sametime server that loads the
Sametime Connect for browsers client.
<PARAM NAME="KioskMode" VALUE="1">
Note If this parameter specifies any value other than 1, the Sametime
Connect for browsers client will not operate in kiosk mode. The client will
operate in its default mode and the preferences settings will be saved in the
JavaConnect.ini file on the client machine.
On a standard Sametime server deployment, the applet code that loads the
Sametime Connect for browsers client is located in the Sametime Resources
database (STSrc.nsf) on the Sametime server. You can use the Domino
Designer client to open the STSrc.nsf database and add the applet parameter
to the existing applet code. For instructions, see “Enabling the kiosk mode by
adding an applet parameter to the HTML in the STSrc.nsf database” later in
this chapter.
Note If you enable the kiosk mode by adding the applet parameter to the
HTML in the STSrc.nsf database, the Sametime Connect for browsers client
will operate in kiosk mode for all users of this Sametime server. If some of
those users access the Sametime server from private workstations, those
users will not be able to specify permanent preferences settings for the
Sametime Connect for browsers client.
To accommodate the kiosk mode, some organizations may choose to
customize the user interface of the Sametime server by creating a custom
HTML page or Domino application specifically to launch the Sametime
Connect for browsers client. This custom interface would be accessible only
from those client machines that must operate in the kiosk mode. This
possibility is briefly discussed in “Example of custom HTML code that
enables the kiosk mode.”
Enabling the kiosk mode by adding an applet parameter to the HTML in
the STSrc.nsf database
To enable the kiosk mode on a standard deployment of the Sametime server,
you must add the required applet parameter to the HTML code in the
Sametime Resources (STSrc.nsf) database on the Sametime server.
This applet code exists in three subforms of the Sametime Resources
(STSrc.nsf) database on the Sametime server. To ensure that kiosk mode
takes effect for all browser types, you must add the KioskMode applet
parameter to the HTML code in each of these three subforms.
• WebConnect-IE (This subform applies to the Microsoft Internet Explorer
browsers.)
• WebConnect-Moz (This subform applies to Netscape 7 and Mozilla
browsers.)
• WebConnect-N4 (This subform applies to the Netscape 4 browsers.)
To add the applet parameter to the HTML code in the STSrc.nsf database:
1. Use the Domino Designer client to open the STSrc.nsf database on the
Sametime server.
2. In Domino Designer expand the “Recent Databases” icon and ensure
that the STSrc.nsf database is selected.
3. Expand “Resources” and click “Subforms.”
4. In the Subforms list, double-click on the WebConnect-IE subform.
5. In the work pane at the top of the Domino Designer client, scroll down
until you see the HTML code containing the applet parameters.
Note The applet parameters begin with the text string
“<param name=.”
6. Add the applet parameter below to the list of applet parameters in the
WebConnect-IE subform:
<param name="KioskMode" value="1">
7. Save the subform.
8. Repeat steps 4 through 7 for the WebConnect-Moz and WebConnect-N4
subforms.
Note When enabling the kiosk mode, you may also want to add an applet
parameter that specifies the default connectivity configuration of the
Sametime Connect for browsers client. For more information, see “Changing
the default connectivity setting of the Sametime Connect for browsers client”
in Chapter 5.
Example of custom HTML code that loads the Sametime Connect for
browsers client
The example below illustrates the applet code that might be used in a custom
HTML page or Domino application to launch the Sametime Connect for
browsers client in the kiosk mode. If you create a custom interface for this
purpose, ensure the code includes the kiosk mode applet parameter as
shown below:
<APPLET code=com.lotus.sametime.connectapplet.ConnectApplet.class
height=100% name=ConnectApplet
style="BACKGROUND-COLOR: gray; LEFT: 0px; TOP: 0px" width=100%
MAYSCRIPT=TRUE>
<PARAM NAME="cabinets" VALUE="connect.cab">
<PARAM NAME="SametimeServer" VALUE="">
<PARAM NAME="SametimePort" VALUE="">
<PARAM NAME="TokenUserId" VALUE="">
<PARAM NAME="TokenValue" VALUE="">
<PARAM NAME="KioskMode" VALUE="1">
</APPLET>
Chapter 7
Enabling the SIP Gateway
The Session Initiation Protocol (SIP) Gateway uses SIP to enable instant
messaging and audio/video collaboration between a Sametime community
and another online collaboration community that supports SIP.
This chapter discusses the following topics concerning the SIP Gateway:
• Using SIP functionality with Sametime
• Overview of Sametime SIP components
• Setting up the SIP Gateway functionality
• Disabling the SIP Gateway functionality
• Encrypting SIP traffic with Transport Layer Security (TLS)
• Requiring client certificate authentication for SIP connections
• Audio/Video connectivity with SIP
• End user experience with the SIP Gateway
Using the SIP functionality with Sametime
The Sametime SIP functionality is designed primarily to support instant
messaging and audio/video communications between two Sametime
communities. The SIP functionality can also be used to enable users in your
Sametime community to communicate using instant messaging or
audio/video with users in any other online collaboration community that
supports SIP. For example, Microsoft Instant Messenger and America Online
may support SIP at some point in the future.
You can enable the SIP functionality for a Sametime server that is installed
on a Microsoft Windows operating system or a Sametime server that is
installed on an IBM iSeries server. For more information about using SIP
functionality with Sametime, see the topic below that is appropriate for your
environment:
• “Using the SIP functionality in a Microsoft Windows environment” later
in this chapter
• “Using the SIP functionality in an IBM iSeries environment” later in this
chapter
Using the SIP functionality in a Windows environment
This topic provides an overview of using the SIP functionality with
Sametime servers on Windows NT or Windows 2000 servers.
To use the SIP functionality with Sametime servers that operate in a
Windows environment, the Sametime community must be “SIP-enabled.” A
Sametime community is “SIP-enabled” if both of the following conditions are
true:
• The “SIP Connector” is installed and connected to the “SIP Gateway” on
the Sametime 3.1 server.
A “SIP Gateway” is the Sametime server component that supports the
SIP functionality. The SIP Gateway installs automatically with all other
Sametime server components during a Sametime 3.1 installation.
A “SIP Connector” is a separate SIP component that installs on a
different machine than the SIP Gateway. The SIP Connector connects to
the SIP Gateway on the Sametime server and handles connections to and
from other SIP-enabled communities on behalf of the SIP Gateway.
The SIP Connector component must be installed from the Sametime 3.1
server CD.
• The SIP Gateway functionality is enabled on the Sametime server.
The administrator enables the SIP Gateway functionality by configuring
settings on documents in the Sametime Configuration database
(stconfig.nsf) on the Sametime server.
For step-by-step instructions on enabling the SIP functionality for a
Sametime community in a Windows environment, see “Setting up the SIP
Gateway functionality (Windows environment)” later in this chapter.
After enabling the SIP functionality, the administrator also has the option of
using Transport Layer Security (TLS) to encrypt SIP data transmitted
between the SIP-enabled communities, and of requiring client certificate
authentication for connections between SIP Connectors in two separate
communities. For more information, see “Encrypting SIP traffic with
Transport Layer Security (TLS)” and “Requiring client certificate
authentication for SIP connections” later in this chapter.
Using the SIP functionality in an IBM iSeries environment
This topic provides an overview of using the SIP functionality in an
environment in which the Sametime servers are installed on IBM iSeries
servers.
To use the SIP functionality with Sametime servers that operate in an IBM
iSeries environment, the Sametime community must be “SIP-enabled.” A
Sametime community is “SIP-enabled” if the following conditions are true:
• The SIP Gateway functionality is enabled on a Sametime 3.1 server. The
administrator enables the SIP Gateway functionality by configuring
settings on documents in the Sametime Configuration database
(stconfig.nsf) on the Sametime server.
• A “SIP Connector” is installed and connected to the SIP Gateway on the
Sametime 3.1 for iSeries server.
A SIP Connector is a separate component that connects to the SIP
Gateway on the Sametime server and handles connections to and from
other SIP-enabled communities on behalf of the SIP Gateway.
In an iSeries environment, you have two options regarding the SIP
Connector installation.
• You can use the “integrated SIP Connector” that installs with the
Sametime 3.1 server. The integrated SIP Connector installs
automatically as part of the Sametime 3.1 iSeries installation, but must
be manually enabled by the administrator following the installation.
The integrated SIP Connector is most useful if two communities can
communicate over a corporate intranet and do not need to establish
connections over the Internet.
• You can install a “standalone SIP Connector” on a separate machine.
In this scenario, the SIP Connector installs on a separate machine
running a Windows NT or 2000 server. The standalone SIP Connector
handles connections to and from the SIP Gateway that is installed on
the Sametime 3.1 iSeries server.
The standalone SIP Connector is useful if two Sametime communities
must establish connections over the Internet.
If you prefer to install the standalone SIP Connector on a Windows
system, you can install the SIP Connector from a Sametime 3.1 for
iSeries CD.
For step-by-step instructions on enabling the SIP functionality for a
Sametime community in an iSeries environment, see “Setting up the SIP
Gateway functionality (iSeries environment)” later in this chapter.
After enabling the SIP functionality, the administrator also has the option of
using Transport Layer Security (TLS) to encrypt SIP data transmitted
between the SIP-enabled communities or requiring client certificate
authentication for connections between SIP Connectors in two separate
communities. Unlike previous Sametime iSeries releases, TLS encryption is
supported for both integrated SIP Connector and standalone SIP Connector
deployments. For information about encrypting data transmitted between
different communities with Transport Layer Security (TLS), see “Encrypting
SIP traffic with Transport Layer Security (TLS)” later in this chapter.
Overview of SIP components
This topic provides the following basic information about SIP, the Sametime
SIP Gateway, and the Sametime SIP Connector.
• What are SIP and SIMPLE
• SIP Gateway overview
• SIP Connector overview
• SIP proxies and connections
What are SIP and SIMPLE
Session Initiation Protocol (SIP) is a general-purpose application-layer
signaling protocol that can establish, modify, or terminate real-time calls and
multimedia sessions over IP networks. Extensions to SIP enable it to
establish sessions that include audio, video, or instant messaging and
presence data.
SIP for Instant Messaging and Presence Leveraging Extensions (SIMPLE) is
the set of SIP extensions that supports instant messaging and presence
functionality.
Detailed discussions of SIP and SIMPLE are outside the scope of this
documentation. For more detailed information about these protocols, see the
following Internet Engineering Task Force (IETF) documents:
• SIP - IETF RFC 3261
• SIMPLE - draft-ietf-simple-im-01 (the SIP MESSAGE method, later
published as RFC 3428); draft-ietf-simple-presence-06 (the SIP presence
event package, later published as RFC 3856)
• CPIM (Common Presence and Instant Messaging) -
draft-ietf-impp-cpim-msgfmt-06 (later published as RFC 3862);
draft-ietf-impp-cpim-pidf-03 (the Presence Information Data Format,
later published as RFC 3863)
Sametime SIP Gateway overview
The Sametime SIP Gateway component is installed on a Sametime 3.1 server
during the Sametime 3.1 server installation. Once installed, the SIP Gateway
operates as a server application on the Sametime server.
The functionality supported by the SIP Gateway is summarized below.
When a SIP Gateway is installed on a Sametime server in your community:
• Users in your SIP-enabled community can add a user from another
SIP-enabled community to the contact list in Sametime Connect. Users in
the other community can also add users in your community to the
buddy lists of their clients.
In the SIP environment, a user enters the Internet e-mail address of
another user when adding a user to the contact list or buddy list. For one
user to successfully add another user to a contact list or buddy list, both
users must have an Internet e-mail address defined in the directory.
(E-mail addresses are usually defined in a user's person entry in the
directory accessed by the Sametime server.)
Note SIP identifies users and other entities by addresses of the form
user@domain, which have the same shape as Internet e-mail addresses.
Sametime uses the e-mail address from the directory as a user's SIP
identity, and the domain part of that address determines which external
community a request is routed to, so each user's e-mail address must be
correct and unique.
• Users in your community have awareness of the online/offline status (or
“presence”) of users in the other SIP-enabled community. Users in the
other community can also see the online/offline status of users in your
community.
• Users in either community can initiate instant messaging sessions or
instant audio/video sessions with users in the other community. Only
one-to-one instant messaging sessions or audio/video sessions are
supported. Instant messaging sessions or audio/video sessions
involving more than two users (also called “n-way” meetings) are not
supported between users in different communities.
An instant messaging session between two users cannot include
audio/video as an additional meeting activity. Similarly, an
audio/video meeting cannot include chat as an additional meeting
activity. Collaboration sessions that use the SIP Gateway functionality
must be “instant messaging only” or “audio/video only” sessions; a
single session cannot include both instant messaging and audio/video.
• A user in your community can use the privacy features of Sametime
Connect to prevent a user in another community from seeing the online
status of the user in your community.
Note Privacy is not symmetrical between communities. For example,
assume Susan operates in your community and Juan operates in a
remote SIP-enabled community. Susan can use the privacy features of
Sametime Connect to prevent Juan from detecting her online status.
Even though Susan has concealed her online status from Juan, Susan can
still detect Juan's online status. (This type of non-symmetrical presence
in which Susan can see Juan but Juan cannot see Susan is referred to as
“lurking.”)
Similarly, assuming Juan's instant messaging client includes privacy
features, Juan can conceal his online status from Susan. Even though
Juan has concealed his online status from Susan, Juan can still detect
Susan's online status if Susan does not use the privacy features of
Sametime Connect to conceal her status. If Susan conceals her online
status from Juan and Juan conceals his online status from Susan, neither
user can detect the online status of the other user.
Sametime SIP Connector overview
A separate component, called the SIP Connector, must be installed and
operational before the SIP Gateway functionality is available to users in your
community.
When using the SIP functionality with Sametime servers that run on the
Windows operating system, the SIP Connector must be installed on a
different Windows machine than the Sametime server. You specify the
Sametime server to which the SIP Connector connects during the SIP
Connector installation.
When using the SIP functionality with the Sametime servers that run on the
IBM iSeries operating system, you have the option of using an “integrated
SIP Connector” which installs and runs on the IBM iSeries machine with all
other components of the Sametime server or a “standalone SIP Connector”
which installs on a separate server running a Windows operating system.
Note Generally, in the iSeries environment, you install a standalone SIP
Connector if it is necessary for two Sametime communities to establish
connections using the Internet. For more information, see the topic “Review
the SIP Connector planning considerations (iSeries environment)” later in
this chapter.
The SIP Connector handles connections with the external community. The
SIP Connector handles both inbound and outbound connections.
Specifically, the SIP Connector:
• Receives outbound SIP data from the local SIP Gateway.
• Constructs outbound SIP messages.
• Creates connections to a SIP-enabled component in the other community
(for example, another SIP Connector that supports a different Sametime
community, or a SIP proxy server that supports the community).
• Receives connections from a SIP-enabled component in another
community.
• Parses inbound SIP messages.
• Forwards the inbound messages to the SIP Gateway on the Sametime
server.
The administrator must configure a SIP Connector to accept connections
from or create connections to a specific SIP-enabled community (or
communities).
A single SIP Connector may be configured to support connections to one or
more external communities. Multiple SIP Connectors can also be deployed to
support connections to multiple external communities. For example, if you
want users in your community to communicate with users in Sametime
communities A and B, you can install one SIP Connector to support
connections with Sametime community A and a separate SIP Connector to
support connections with Sametime community B. Both of these SIP
Connectors can connect to the same SIP Gateway in your community.
You can also install multiple SIP Connectors and configure them to support
connections to the same external community to ensure continuity of service
in case of a server failure. If one SIP Connector machine becomes
unavailable, the other machine can continue handling the connections.
SIP proxies and connections
A SIP proxy server is an intermediate component usually located between a
SIP-enabled community and the Internet. The SIP proxy is responsible for
routing and delivering all calls to a SIP-enabled community. With the
Sametime SIP functionality, the SIP Connector and SIP Gateway together act
as a SIP proxy server.
When allowing connections to SIP-enabled communities in other DNS
domains (for example, acme.com), the administrator can specify the DNS
name of the SIP proxy associated with the other domain. All calls from your
community to the external community are routed through that SIP proxy.
If the administrator does not specify the name of a specific SIP proxy,
Sametime performs a DNS lookup to determine if a SIP proxy exists for that
DNS domain. If Sametime is unable to locate a SIP proxy using DNS,
Sametime attempts a SIP connection to the domain using port 5060 (the
default SIP connection port).
Setting up the SIP Gateway functionality
This section explains how to set up the SIP Gateway functionality in both the
Windows and iSeries server environments. Follow the procedure below that
is appropriate for your environment:
• Setting up the SIP Gateway functionality (Windows server environment)
• Setting up the SIP Gateway functionality (iSeries server environment)
Setting up the SIP Gateway functionality (Windows environment)
Use the instructions in this section to set up the SIP Gateway functionality if
your Sametime servers run on the Windows NT or 2000 operating system.
To set up the SIP Gateway functionality and SIP-enable your Sametime
community in a Windows environment, perform the procedures below.
1. Review the SIP Connector planning considerations (Windows
environment).
2. Install the SIP Connector (Windows environment).
3. Configure the SIP Gateway and SIP Connector parameters (Windows
environment).
Detailed instructions for each of these procedures are provided in
subsequent topics.
Review the SIP Connector planning considerations (Windows
environment)
Reviewing the SIP Connector planning considerations is the first of three
procedures required to set up the SIP Gateway functionality in a Windows
environment.
If your Sametime 3.1 server resides on a Windows NT or Windows 2000
server, you must install the SIP Connector on a separate, dedicated machine.
Do not install the SIP Connector on the same machine as a Sametime server.
The SIP Connector system requirements and other SIP Connector planning
considerations are discussed below:
SIP Connector system requirements
The system requirements for the SIP Connector machine are the same as the
system requirements for a Sametime server. These requirements include:
• Operating System - Windows NT 4.0 with Service Pack 6a, Windows
2000 with Service Pack 1 or 2, Windows 2000 Advanced Server with
Service Pack 2.
• Processor - Pentium II, 400 MHz minimum
• RAM - 1 GB recommended; 500 MB minimum
• Disk space - 500 MB minimum
• Disk swap space - 64 MB
• Network software - TCP/IP network software installed
SIP Connector planning considerations
Before installing the SIP Connector, consider the following:
• If the users in your community do not need to use the Internet to
communicate with users in another community, you can install the SIP
Connector on any intranet machine that has a LAN or WAN connection
to the Sametime server containing the SIP Gateway. The SIP Connector
machine must be able to establish a TCP/IP connection to the Sametime
server on port 1516.
The SIP Connector must be able to receive connections from other
SIP-enabled communities on TCP/IP port 5060 (the default SIP port).
If you intend to encrypt connections to your SIP-enabled community
with the Transport Layer Security (TLS) protocol, the SIP Connector
must be able to receive connections from other SIP-enabled communities
on TCP/IP port 5061 (the default SIP-over-TLS port). For more
information, see “Encrypting SIP traffic with Transport Layer Security
(TLS)” later in this chapter.
• If the SIP Connector must connect to other SIP-enabled communities
using the Internet, you can install the SIP Connector on a machine
outside your corporate firewall (in the network DMZ). The SIP
Connector machine must be reachable for connections from the Internet
on port 5060 (or 5061 if TLS is used for encryption).
If you position the SIP Connector outside the firewall in the network
DMZ, the SIP Connector machine must be able to initiate connections to
the Sametime server machine inside the firewall that contains the SIP
Gateway. (The default port for these connections is port 1516.)
It may be necessary to configure the firewall with a set of access rules
that establish trust between the Sametime server on your intranet and
the SIP Connector machine in the network DMZ. Such rules should
permit only those two machines to reach each other: the SIP Connector
initiating TCP connections to the Sametime server on port 1516, and the
Sametime server initiating SIP connections to the SIP Connector on port
5060. No other host should be allowed through the firewall to port 1516
on the Sametime server, and only ports 5060 and 5061 on the SIP
Connector need to be reachable from the Internet.
• Optionally, you can install multiple SIP Connectors. For example, if you
want users in your community to connect to two separate external
SIP-enabled communities, you may want to install two separate SIP
Connectors. Installing multiple SIP Connectors can spread the
connection handling load among multiple machines; each SIP Connector
handles the incoming and outgoing connections for only one of the
external communities.
You can also install two SIP Connectors and configure both SIP
Connectors to handle connections for the same external SIP-enabled
community. This configuration ensures that a SIP Connector is available
if one SIP Connector machine fails.
Next step:
Install the SIP Connector (Windows environment).
Install the SIP Connector (Windows environment)
Installing the SIP Connector is the second of three procedures required to set
up the SIP Gateway functionality in a Windows environment.
To install a SIP Connector:
1. Run the SIP Connector installation program from the Sametime 3.1 CD or
from the SIP Connector download available on the Web.
2. During the installation, you must enter the following:
• The IP address or DNS name of a Sametime 3.1 server. This address
enables the SIP Connector to locate and establish a connection with
the SIP Gateway on the Sametime server.
• A SIP Connector name. SIP Connector configuration data is organized
under this name. The SIP Connector requires this name to get its
configuration parameters. You can use the DNS name of the SIP
Connector machine as the SIP Connector name.
The server address and SIP Connector name are the only significant
parameters required by the SIP Connector installation.
Note The SIP Connector configuration parameters are stored in a
CommunityConnector document in the stconfig.nsf database on the
Sametime server. You create this document later in this process.
Next step:
Configure the SIP Gateway and SIP Connector parameters (Windows
environment).
Configuring the SIP Gateway and SIP Connector parameters (Windows
environment)
Configuring the SIP Gateway and SIP Connector parameters is the last of
three procedures required to set up the SIP Gateway functionality in a
Windows environment.
Configuring the SIP Gateway and SIP Connector parameters is accomplished
in four steps. These steps include:
1. Enabling connections to other communities and enabling e-mail address
translation (Windows environment).
2. Configuring the community connectivity parameters (Windows
environment).
3. Configuring the SIP Connector parameters (Windows environment).
4. Enabling the SIP Connector to authenticate when connecting to the
Sametime server (Windows environment).
Each of these steps is described in detail in a subsequent topic.
Enabling connections to other communities and enabling e-mail
address translation (Windows environment)
Enabling connections to other communities and enabling e-mail address
translation is the first of four steps required to configure the SIP Gateway
and SIP Connector parameters.
In this step you perform two separate configurations; you enable connections
to other communities and enable e-mail address translation:
• Enabling connections to other communities allows the SIP Gateway to
initiate connections to and receive connections from another SIP-enabled
community.
• Enabling e-mail address translation ensures that users in your Sametime
community can be identified by their Internet e-mail addresses.
Users from another community must specify the Internet e-mail
addresses of the users in your community when adding them to contact
lists or buddy lists. Enabling e-mail address translation ensures the
internal user IDs used by Sametime can be translated to the appropriate
Internet e-mail addresses.
Note SIP entities are identified by e-mail address. For one user to
successfully add another user to a contact list or buddy list, both users
must have an Internet e-mail address defined in the directory. (E-mail
addresses are usually defined in a user's person entry in the directory
accessed by the Sametime server.) A user that does not have an e-mail
address defined in the directory can add other users to a contact list or
buddy list, but will not be able to communicate with those users or
detect their online status.
To enable connections to other communities and enable e-mail address
translation, you must alter settings in the “CommunityGateway” document
of the Configuration database (stconfig.nsf):
1. Use a Lotus Notes client to open the stconfig.nsf database on the
Sametime server on which the SIP Gateway runs. (The SIP Gateway is
installed automatically with the Sametime 3.1 server.)
2. Open the CommunityGateway document by double-clicking on the date
associated with the document.
If the CommunityGateway document does not exist in the stconfig.nsf
database, you must create it. To create the CommunityGateway
document, choose Create-CommunityGateway from the menu bar in the
stconfig.nsf database.
3. In the “Support external communities” field, select “True.”
Selecting “True” in this field enables the SIP Connector to initiate
connections to and receive connections from other SIP-enabled
communities.
Note To disable connections to other communities, set the “Support
external communities” value to “False.” Setting this value to “False” is
the quickest way to disable all SIP functionality for the community.
4. In the “ConvertID” field, select “True.”
Selecting “True” in this field enables e-mail address translation.
Note To disable e-mail address translation, set the “ConvertID” field to
“False.”
5. Save the CommunityGateway document.
6. Leave the stconfig.nsf database open. The next step involves creating
and modifying a document in this database.
Important You must enable e-mail address translation on every Sametime
server in the community. Repeat all of the steps above in the Configuration
database of every Sametime server in the community.
Next step:
Configuring community connectivity parameters.
Configuring community connectivity parameters (Windows
environment)
Configuring community connectivity parameters is the second of four steps
required to configure the SIP Gateway and SIP Connector parameters.
In this procedure, the administrator creates an ExternCommunity document
in the Sametime Configuration database (stconfig.nsf). The administrator
uses the settings in this ExternCommunity document to specify the
parameters that enable the SIP Gateway to connect to another SIP-enabled
community.
The connectivity parameters specified in this procedure include:
• A name for the external community
• The DNS domains that comprise the external community
• The DNS name of the SIP proxy (or SIP Connector) for the external
community
• The port to use when connecting to the SIP proxy that handles
connections for the external community.
To configure the community connectivity parameters:
1. Open the ExternCommunity document in the stconfig.nsf database by
double-clicking on the date associated with the document.
If the ExternCommunity document does not exist in the stconfig.nsf
database, you must create it. To create the ExternCommunity document,
choose Create-Other-ExternCommunity from the menu bar in the
Configuration database (stconfig.nsf).
2. In the “Community Name” field, enter a name for the external
community. The name is at your discretion. You might want to choose a
name that represents the organization associated with this community.
(For example, IBM).
3. In the “Domains” field, enter the domain names associated with the
instant messaging community of the organization specified above. This
entry can consist of one domain name, or a group of domain names. You
can also use wildcards when specifying domain names. For example,
*.ibm.com, lotus.com, tivoli.com, ubique.com.
4. In the “DNS” field, enter the fully-qualified DNS name of the SIP proxy
that handles connections for the other SIP-enabled community. The SIP
Connector attempts to connect to this SIP proxy (or SIP Connector for
another Sametime community).
Note If you leave the “DNS” field blank, Sametime performs a DNS
lookup to locate the SIP proxy associated with the domain(s) specified
above. If Sametime is unable to locate a SIP proxy, Sametime attempts a
SIP connection to the domain(s) using the port specified below.
5. In the “Port” field, enter the port the SIP Connector uses when
attempting SIP connections to the SIP proxy or domain(s) specified
above. The default port for SIP connections is port 5060.
6. Set the “Encryption” field to “Disabled” unless you intend to encrypt SIP
connections between communities with Transport Layer Security (TLS).
For more information, see “Encrypting SIP traffic with Transport Layer
Security (TLS)” later in this chapter.
7. Leave the “Certificate distinguished name” field blank unless you intend
to require client certificate authentication for connections between SIP
Connectors. For more information, see “Requiring client certificate
authentication for SIP connections” later in this chapter.
8. Leave the stconfig.nsf database open. The next step involves creating
and modifying a document in this database.
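The route selection that the ExternCommunity fields drive, together with the proxy-discovery order described under “SIP proxies and connections” (configured proxy, then DNS lookup, then the domain itself on the configured port), is shown below as an added example. This is illustration code written for this guide, not Sametime code. The sample communities and the in-memory DNS answers are constructed, and querying _sip._tcp.<domain> (an RFC 3263 SRV record) is an assumption about what the “DNS lookup” does; the guide does not name the record type.

```python
"""Outbound route selection for a SIP call, in the order the guide describes:
match the target domain against ExternCommunity "Domains"; use the
configured "DNS"/"Port" proxy if set; otherwise try DNS discovery; otherwise
connect to the domain itself on the configured port.

Added illustration, not Sametime code.  The sample communities and the
in-memory DNS table are constructed.  Querying _sip._tcp.<domain> (RFC 3263
SRV) is an assumption about what the guide's "DNS lookup" does.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, List, Optional, Tuple

DEFAULT_SIP_PORT = 5060


@dataclass
class ExternCommunity:
    """The ExternCommunity document fields that affect routing."""
    community_name: str
    domains: List[str]            # "Domains": wildcards allowed, e.g. *.ibm.com
    dns: str = ""                 # "DNS": remote SIP proxy, or blank
    port: int = DEFAULT_SIP_PORT  # "Port"


def domain_matches(pattern: str, domain: str) -> bool:
    """Case-insensitive wildcard match.

    Edge case worth knowing: "*.ibm.com" matches "lotus.ibm.com" but not
    "ibm.com" itself, so a parent domain must be listed on its own (the
    guide's example lists lotus.com and tivoli.com next to *.ibm.com).
    """
    return fnmatchcase(domain.lower(), pattern.lower())


def find_community(domain: str,
                   communities: List[ExternCommunity]) -> Optional[ExternCommunity]:
    """Serves two purposes: choosing the outbound route, and deciding whether
    an inbound request's From domain belongs to a configured community."""
    for community in communities:
        if any(domain_matches(p, domain) for p in community.domains):
            return community
    return None


def domain_of(sip_uri: str) -> str:
    """Host part of sip:user@host[:port][;params], lower-cased."""
    addr = sip_uri.strip().lower()
    if addr.startswith("sip:"):
        addr = addr[4:]
    _user, _, host = addr.partition("@")
    return host.split(";", 1)[0].split(":", 1)[0]


SrvLookup = Callable[[str], Optional[Tuple[str, int]]]


def resolve_route(sip_uri: str, communities: List[ExternCommunity],
                  srv_lookup: SrvLookup) -> Optional[Tuple[str, str, int]]:
    """Return (community name, host, port), or None when the domain belongs to
    no configured community, in which case the request must not leave."""
    domain = domain_of(sip_uri)
    community = find_community(domain, communities)
    if community is None:
        return None
    if community.dns:                              # administrator pinned a proxy
        return (community.community_name, community.dns, community.port)
    srv = srv_lookup(f"_sip._tcp.{domain}")        # assumed SRV discovery
    if srv is not None:
        return (community.community_name, srv[0], srv[1])
    # Last resort from the guide: the domain itself on the configured port.
    return (community.community_name, domain, community.port)


# Constructed sample configuration and DNS answers (not a real deployment).
COMMUNITIES = [
    ExternCommunity("IBM", ["*.ibm.com", "lotus.com", "tivoli.com", "ubique.com"]),
    ExternCommunity("Acme", ["acme.com"], dns="sip-proxy.acme.com", port=5070),
]
_FAKE_SRV = {"_sip._tcp.lotus.com": ("sip.lotus.com", 5060)}


def fake_srv_lookup(name: str) -> Optional[Tuple[str, int]]:
    """Stand-in for a DNS SRV query so the example runs offline."""
    return _FAKE_SRV.get(name)


if __name__ == "__main__":
    for uri in ("sip:juan@acme.com", "sip:susan@lotus.com",
                "sip:lee@research.ibm.com", "sip:bob@ibm.com", "sip:eve@evil.example"):
        print(uri, "->", resolve_route(uri, COMMUNITIES, fake_srv_lookup))
```

Two behaviours are worth noting when filling in the “Domains” field. A wildcard such as *.ibm.com does not cover ibm.com itself, which is why the guide's own example lists the bare domains separately; and a request for a domain that matches no ExternCommunity document is dropped rather than sent out, so an overly broad pattern (a lone *) would turn the connector into an open relay to any SIP domain.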
Next step:
Configuring SIP Connector parameters.
Configuring SIP Connector parameters (Windows environment)
Configuring SIP Connector parameters is the third of four steps required to
configure the SIP Gateway and the SIP Connector parameters.
In this procedure, the administrator creates a CommunityConnector
document in the Sametime Configuration database (stconfig.nsf). The
administrator uses the settings in this CommunityConnector document to
specify the parameters that control the functioning of the SIP Connector.
The SIP Connector parameters include:
• The name of the SIP Connector machine
• The IP address of the SIP Connector machine
• The port on which the SIP Connector listens for connections
• The names of the communities for which the SIP Connector handles
connections (these names are defined in the ExternCommunity
document created in the previous procedure).
To configure the SIP Connector parameters:
1. Open the CommunityConnector document in the stconfig.nsf database
by double-clicking on the date associated with the document.
If the CommunityConnector document does not exist in the stconfig.nsf
database, you must create it. To create the CommunityConnector
document, choose Create-CommunityConnector from the menu bar in
the Configuration database (stconfig.nsf).
2. In the “Connector Name” field, enter a name for the SIP Connector. If
you specified a SIP Connector name during the SIP Connector
installation, this field should contain the name specified for the SIP
Connector during the installation. (Generally, the DNS name of the
machine on which the SIP Connector is installed is used as the Connector
Name.)
3. In the “IP” field, enter the IP address of the machine on which the SIP
Connector is installed. The SIP Connector listens for SIP connections on
this IP address.
If this field is left blank, the SIP Connector listens for SIP connections on
all IP addresses assigned to the SIP Connector machine.
4. In the “Port” field, enter 5060. The SIP Connector listens for SIP
connections from the SIP Gateway or another SIP-enabled community
on this port. Port 5060 is the default port for SIP connections.
Note that if the “IP” field is blank, and the “Port” field specifies 0 (zero),
the SIP Connector will not listen for clear text (or unencrypted) SIP
connections. A SIP Connector in another community cannot make an
unencrypted SIP connection to the SIP Connector. If you configure the
SIP Connector parameters in this way, you must encrypt SIP traffic with
Transport Layer Security (TLS).
5. (Optional) In the “TLS IP” field, enter the IP address of the machine on
which the SIP Connector is installed. The SIP Connector listens for
TLS-encrypted SIP connections on this IP address.
If this field is left blank, the SIP Connector listens for TLS-encrypted SIP
connections on all IP addresses assigned to the SIP Connector machine.
Note The “TLS IP” field is only relevant if you use TLS to encrypt
connections between the SIP-enabled communities. For more
information, see “Encrypting SIP traffic with Transport Layer Security
(TLS)” later in this chapter.
6. (Optional) In the “TLS Port” field, enter the port number on which the
SIP Connector will listen for TLS-encrypted connections. The default
port number for these connections is port 5061.
Note that if the “TLS IP” field is blank, and the “TLS Port” field specifies
0 (zero), the SIP Connector will not listen for TLS-encrypted SIP
connections.
Note The “TLS Port” field is only relevant if you use TLS to encrypt
connections between the SIP-enabled communities. For more
information, see “Encrypting SIP traffic with Transport Layer Security
(TLS)” later in this chapter.
7. In the “Supported Communities” field, enter the names of the
communities for which this SIP Connector will handle connections.
These are the “Community Names” as defined in the ExternCommunity
documents created when you configured the community connectivity
parameters in the previous procedure.
8. Choose File - Save to save the CommunityConnector document.
9. Leave the stconfig.nsf database open. The next step involves creating
and modifying a document in this database.
Next step:
Enabling the SIP Connector to authenticate when connecting to the
Sametime server.
Chapter 7: Enabling the SIP Gateway 369
Enabling the SIP Connector to authenticate when connecting to the
Sametime server (Windows environment)
Enabling the SIP Connector to authenticate when connecting to the
Sametime server is the last of four steps required to configure the SIP
Gateway and the SIP Connector.
A Sametime server will only accept connections from SIP Connectors that are
listed in its stconfig.nsf database. Specifically, the IP addresses of all SIP
Connectors that connect to a Sametime server must be listed in the
“CommunityTrustedIps” field of the “CommunityConnectivity” document
in the stconfig.nsf database on the Sametime server.
Sametime uses the IP address of the SIP Connector machine to authenticate
connections from the SIP Connector (that is, to verify that the SIP
Connector is known to the Sametime server). Using the IP address for
authentication prevents a SIP Connector on an unauthorized machine from
connecting to the Sametime server. Note that a source IP address is a weak
credential: it can be spoofed on untrusted networks and is shared by every
host behind the same NAT device. Pair this list with firewall rules that
allow only the SIP Connector machines to reach the Sametime server on the
port the SIP Connector uses (port 1516 by default).
To enable the SIP Connector to authenticate when connecting to the
Sametime server:
1. Open the CommunityConnectivity document in the stconfig.nsf
database by double-clicking on the date associated with the document.
If the CommunityConnectivity document does not exist in the
stconfig.nsf database, you must create it. To create the
CommunityConnectivity document, choose
Create-CommunityConnectivity from the menu bar in the stconfig.nsf
database.
2. In the “CommunityTrustedIps” field, enter the IP address(es) of the SIP
Connector machine(s).
Note The IP addresses of Community Services multiplexer machines
associated with a Community Services cluster are also entered in this
field.
3. Save and close the CommunityConnectivity document.
Note Sametime SIP Connectors can also be deployed with Sametime
servers that operate as part of a Community Services cluster.
After you enable the SIP Connector to authenticate, you have completed all
procedures required to set up the SIP Gateway functionality in a Windows
environment. Your Sametime community is now SIP-enabled and users in
your community can communicate with users in a different SIP-enabled
community. Note that the other Windows-based Sametime community must
also be “SIP-enabled” by completing the procedures described in this
section.
Setting up the SIP Gateway functionality (iSeries environment)
Use the instructions in this section to set up the SIP Gateway functionality if
your Sametime servers run on IBM iSeries servers.
To set up the SIP Gateway functionality and SIP-enable your Sametime
community in an IBM iSeries server environment, perform the procedures
below.
1. Review the SIP Connector planning considerations (iSeries
environment).
2. Install or enable the SIP Connector (iSeries environment).
3. Configure the SIP Gateway and SIP Connector parameters (iSeries
environment).
Detailed instructions for each of these procedures are provided in
subsequent topics.
Review the SIP Connector planning considerations (iSeries
environment)
Reviewing the SIP Connector planning considerations is the first of three
procedures required to set up the SIP Gateway functionality in an IBM
iSeries environment.
When using the SIP functionality with Sametime servers that run on IBM
iSeries servers, you have three options for deploying the SIP Connector. You
can:
• Use a standalone SIP Connector - This option requires you to install a
SIP Connector on a separate, dedicated Windows system. Generally, you
install a standalone SIP Connector if two communities must
communicate by transmitting data over the Internet. Standalone SIP
Connectors can also be used to ensure load balancing and continuity of
service.
• Use an integrated SIP Connector - This option requires you to enable a
SIP Connector that resides on the same machine as the Sametime server.
Generally, you enable the integrated SIP Connector if two communities
can communicate using a corporate intranet and do not need to use the
Internet to establish connections.
• Use both a standalone and integrated SIP Connector - In cases where a
community must communicate with more than one other external
community, it may be possible to use both a standalone SIP Connector
and an integrated SIP Connector. The standalone SIP Connector can be
installed to handle connections for an external community that can be
accessed only over the Internet. An integrated SIP Connector can be
used to handle connections to a different community that is accessible
over the corporate intranet.
These options are discussed in more detail below.
Using the standalone SIP Connector
You can install a standalone SIP Connector on a separate machine from the
Sametime server. In this scenario, the SIP Connector installs on a separate,
dedicated Windows NT or Windows 2000 server. The standalone SIP
Connector maintains a connection to the SIP Gateway on the Sametime
server that resides on the IBM iSeries machine. The SIP Connector handles
connections to and from another SIP-enabled community (or communities)
for the SIP Gateway.
Deploying one or more standalone SIP Connectors can provide any or all of
the following advantages. You can:
• Overcome firewall restrictions - You can deploy a separate SIP
Connector to overcome firewall restrictions when two communities must
make connections and transmit data using the Internet.
For example, you can install the SIP Connector on a machine outside
your corporate firewall (in the network DMZ) and install the Sametime
server on a machine inside your corporate firewall.
If the SIP Connector machine is deployed outside the firewall in the
network DMZ, the SIP Connector machine must be able to initiate
connections to the Sametime server machine inside the firewall. (The
default port for these connections is port 1516.)
To ensure the two machines can communicate through the firewall, you
must configure the firewall with a set of access rules that establish trust
between the Sametime server and SIP Connector machines. For example,
the access rules might allow the SIP Connector machine to connect to the
Sametime server machine on port 1516, allow other SIP-enabled
communities to reach the SIP Connector machine only on the SIP ports
(5060, and 5061 if you use TLS), and prevent all other machines from
connecting to either machine. This deployment enables SIP communication
to occur between two communities over the Internet while protecting your
local Sametime server behind the corporate firewall.
• Balance the connection handling load for multiple communities - If
you want users in your community to connect to two separate
SIP-enabled communities, you have the option of installing two separate
SIP Connectors. Installing multiple SIP Connectors can spread the
connection handling load among multiple machines. You can configure
the SIP Connectors so that each SIP Connector handles the incoming and
outgoing connections for only one of the external communities.
• Ensure continuity of service - You can also install two SIP Connectors
and configure both SIP Connectors to handle connections for the same
SIP-enabled community. This configuration ensures that a SIP Connector
is available if one SIP Connector machine fails.
The SIP Connector must be able to receive connections from other
SIP-enabled communities on the TCP/IP port 5060 (the default SIP port).
If you intend to encrypt connections to your SIP-enabled community with
the Transport Layer Security (TLS) protocol, the SIP Connector must be able
to receive connections from other SIP-enabled communities on TCP/IP port
5061 (the default TLS/SIP port). For more information, see “Encrypting SIP
traffic with Transport Layer Security (TLS)” later in this chapter.
Using the integrated SIP Connector
You can use the integrated SIP Connector that is available on the Sametime
3.1 server following the Sametime 3.1 installation. You can use the integrated
SIP Connector if you can establish connections with another community
using the corporate intranet (or in any situation in which you do not need
the SIP Connector to reside outside the firewall).
You can have one instance of the integrated SIP Connector for each
Sametime server on your iSeries system. If the Sametime servers reside in the
same community, each one can be configured to access any of the integrated
SIP Connectors associated with the other servers in the community. If the
Sametime servers are in different communities, then each server can only
access its own integrated SIP Connector.
The integrated SIP Connector must be able to receive connections from other
SIP-enabled communities on the TCP/IP port 5060 (the default SIP port).
Using both a standalone and integrated SIP Connector
In some multiple community environments, you can use both a standalone
and integrated SIP Connector. Using both a standalone and integrated SIP
Connector can provide any or all of the following advantages. You can:
• Connect to communities using both an intranet and the Internet - You
can use an integrated SIP Connector to establish connections with a
community using the corporate intranet and a standalone SIP Connector
to establish connections with a different community over the Internet.
For example, assume that Community A must communicate with
Community B and Community C. Community A can communicate with
Community B using the corporate intranet. However, Community A can
only communicate with Community C over the Internet.
In this case, an integrated SIP Connector can be configured to handle
connections between Community A and B. You can deploy a standalone
SIP Connector to handle connections between Community A and
Community C.
The standalone SIP Connector can be used to overcome any Internet
firewall restrictions as noted in the “Using the standalone SIP
Connector” section above.
• Balance the connection handling load for multiple communities - If
you want users in your community to connect to two separate
SIP-enabled communities, you can use the integrated SIP Connector to
connect to one community and install a standalone SIP Connector to
connect to the other community. Using multiple SIP Connectors can
spread the connection handling load among multiple machines. You can
configure the SIP Connectors so that each SIP Connector handles the
incoming and outgoing connections for only one of the external
communities.
Note In this deployment, the standalone SIP Connector can handle
connections for a community that is accessed using the corporate
intranet or a community that is accessed using the Internet.
• Ensure continuity of service - You can use both the integrated SIP
Connector and the standalone SIP Connector to handle connections for
the same SIP-enabled community. This configuration ensures that a SIP
Connector is available if one SIP Connector fails.
Next step:
Install or enable the SIP Connector (iSeries environment)
Installing or enabling the SIP Connector (iSeries environment)
Installing or enabling a SIP Connector is the second of three procedures
required to set up the SIP Gateway functionality in an IBM iSeries
environment.
This topic discusses the following:
• Enabling the integrated SIP Connector on Sametime for iSeries
• Installing the standalone SIP Connector on a Windows system in an
iSeries environment
Each of these procedures is described in detail in a subsequent topic. You
can choose to complete one or both procedures, depending on your
requirements.
Enabling the SIP Connector on iSeries
The iSeries integrated SIP Connector was installed on your system when you
installed Sametime 3.1 for iSeries. If you plan to use the integrated SIP
Connector, you must enable it.
To enable the integrated SIP Connector for a particular Sametime server,
complete these steps:
1. From any OS/400 command line, type the following command and
press Enter: WRKDOMSVR
2. Type option 12 (Work object links) next to the Sametime server and
press Enter to display a list of the files and directories in the server data
directory.
3. Page down until you find this file: STCommLaunch.dep
4. Type option 2 (Edit) next to the file and press Enter.
5. Remove the “#” from the last line in the file, the line containing
“StSIPCon.”
6. Press F3 twice to save and exit.
7. Restart your server.
Next step:
If you also want to install a separate SIP Connector to support connections to
an external community over the Internet, or for load balancing purposes,
perform the procedure described in Installing the SIP Connector on a
Windows system.
If you do not want to install a separate SIP Connector on a Windows system,
continue with the procedure titled Configure the SIP Gateway and SIP
Connector parameters (iSeries environment).
Installing the SIP Connector on a Windows system (iSeries
environment)
To install a SIP Connector on a separate Windows system, follow the
instructions in this topic.
SIP Connector system requirements
The system requirements for the SIP Connector on a Windows system are:
• Operating System - Windows NT 4.0 with Service Pack 6a, Windows
2000 with Service Pack 1 or 2, Windows 2000 Advanced Server with
Service Pack 2.
• Processor - Pentium II with 400 MHz minimum
• RAM - 1 GB recommended; 500 MB minimum
• Disk space - 500 MB minimum
• Disk swap space - 64 MB
• Network software - TCP/IP network software installed
Windows SIP Connector installation procedure
To install a SIP Connector:
1. Install the SIP Connector on your Windows system from the
\SIPConnector directory of the Sametime 3.1 for iSeries CD.
2. During the installation, you must enter the following:
a. The IP address or DNS name of a Sametime 3.1 server. This address
enables the SIP Connector to locate and connect to the SIP Gateway
on the Sametime server.
b. A SIP Connector name. SIP Connector configuration data is
organized under this name. The SIP Connector requires this name to
get its configuration parameters. You can use the DNS name of the
SIP Connector machine as the SIP Connector name.
The SIP Connector configuration parameters are stored in a
CommunityConnector document in the stconfig.nsf database on the
Sametime server. You create this document later in this process. These
are the only significant parameters required by the SIP Connector
installation.
Next step:
Configure the SIP Gateway and SIP Connector parameters (iSeries
environment).
Configuring the SIP Gateway and SIP Connector parameters (iSeries
environment)
Configuring the SIP Gateway and SIP Connector parameters is the last of
three procedures required to set up the SIP Gateway functionality in an IBM
iSeries environment.
Configuring the SIP Gateway and SIP Connector parameters is accomplished
in four steps. These steps include:
1. Enabling connections to other communities and enabling e-mail address
translation.
2. Configuring the Community Connectivity parameters.
3. Configuring the SIP Connector parameters.
4. Enabling the SIP Connector to authenticate when connecting to the SIP
Gateway.
Each of these steps is described in detail in a subsequent topic.
Enabling connections to other communities and enabling e-mail
address translation (iSeries environment)
Enabling connections to other communities and enabling e-mail address
translation is the first of four steps required to configure the SIP Gateway
and SIP Connector parameters in an iSeries environment.
In this step you perform two separate configurations; you enable connections
to other communities and enable e-mail address translation:
• Enabling connections to other communities allows the SIP Gateway to
initiate connections to and receive connections from another SIP-enabled
community.
• Enabling e-mail address translation ensures that users in your Sametime
community can be identified by their Internet e-mail addresses.
Users from another community must specify the Internet e-mail
addresses of the users in your community when adding them to contact
lists or buddy lists. Enabling e-mail address translation ensures the
internal user IDs used by Sametime can be translated to the appropriate
Internet e-mail addresses.
Note SIP identifies users by addresses of the form user@domain, the
same form as Internet e-mail addresses, which is why e-mail addresses
are used to reach users in another community.
To enable connections to other communities and enable e-mail address
translation, you must alter settings in the “CommunityGateway” document
of the Configuration database (stconfig.nsf). Follow the instructions below:
1. Use a Lotus Notes client to open the stconfig.nsf database on the
Sametime 3.1 server.
2. Open the CommunityGateway document by double-clicking on the date
associated with the document.
If the CommunityGateway document does not exist in the stconfig.nsf
database, you must create it. To create the CommunityGateway
document, choose Create-CommunityGateway from the menu bar in the
stconfig.nsf database.
3. In the “Support external communities” field, select “True.”
Selecting “True” in this field enables the SIP Connector to initiate
connections to and receive connections from other SIP-enabled
communities.
Note To disable connections to other communities, set the “Support
external communities” value to “False.” Setting this value to “False” is
the quickest way to disable all SIP functionality for the community.
4. In the “ConvertID” field, select “True.”
Selecting “True” in this field enables e-mail address translation.
Note To disable e-mail address translation, set the “ConvertID” field to
“False.”
5. Save the CommunityGateway document.
6. Leave the stconfig.nsf database open. The next step involves creating
and modifying a document in this database.
Note You must enable e-mail address translation on every Sametime
server in the community. Repeat the procedure above in the
Configuration database of every Sametime server in the community.
Next step:
Configuring Community Connectivity parameters (iSeries environment)
Configuring the Community Connectivity parameters (iSeries
environment)
Configuring community connectivity parameters is the second of four steps
required to configure the SIP Gateway and SIP Connector parameters.
In this procedure, the administrator creates an ExternCommunity document
in the Sametime Configuration database (stconfig.nsf). The administrator
uses the settings in this ExternCommunity document to specify the
parameters that enable the SIP Gateway to connect to another SIP-enabled
community.
The connectivity parameters specified in this procedure include:
• A name for the external community
• The DNS domains that comprise the external community
• The DNS name of the SIP proxy (or SIP Connector) for the external
community
• The port used to connect to the SIP proxy that handles connections for
the external community
To configure the community connectivity parameters:
1. Open the ExternCommunity document in the stconfig.nsf database by
double-clicking on the date associated with the document.
If the ExternCommunity document does not exist in the stconfig.nsf
database, you must create it. To create the ExternCommunity document,
choose Create-Other-ExternCommunity from the menu bar in the
Configuration database (stconfig.nsf).
2. In the “Community Name” field, enter a name for the community. The
name is at your discretion. You might want to choose a name that
represents the organization associated with this community. (For
example, IBM).
3. In the “Domains” field, enter the domain names associated with the
instant messaging community of the organization specified above. This
entry can consist of one domain name, or a group of domain names. You
can also use wildcards when specifying domain names. For example,
*.ibm.com, lotus.com, tivoli.com, ubique.com.
4. In the “DNS” field, enter the fully-qualified DNS name of the SIP proxy
that handles connections for the other SIP-enabled community. The SIP
Connector attempts to connect to this SIP proxy (or SIP Connector for
another Sametime community).
If you leave the “DNS” field blank, Sametime performs a DNS lookup to
locate the SIP proxy associated with the domain(s) specified above. If
Sametime is unable to locate a SIP proxy, Sametime attempts a SIP
connection to the domain(s) using the port specified below.
5. In the “Port” field, enter the port the SIP Connector uses when
attempting SIP connections to the SIP proxy or domain(s) specified
above. The default port for SIP connections is port 5060.
6. Set the “Encryption” field to “Disabled” unless you intend to encrypt SIP
connections between communities with Transport Layer Security (TLS).
For more information, see “Encrypting SIP traffic with Transport Layer
Security (TLS)” later in this chapter.
7. Leave the “Certificate distinguished name” field blank unless you
intend to require client certificate authentication for connections
between SIP Connectors. For more information, see “Enabling client
certificate authentication” later in this chapter.
8. Leave the stconfig.nsf database open. The next step involves creating
and modifying a document in this database.
Next step:
Configuring SIP Connector parameters (iSeries environment)
Configuring the SIP Connector parameters (iSeries environment)
Configuring SIP Connector parameters is the third of four steps required to
configure the SIP Gateway and the SIP Connector parameters.
In this procedure, the administrator creates a CommunityConnector
document in the Sametime Configuration database (stconfig.nsf). The
administrator uses the settings in this CommunityConnector document to
specify the parameters that control the functioning of the SIP Connector.
The SIP Connector parameters include:
• The name of the SIP Connector machine
• The IP address of the SIP Connector machine
• The port on which the SIP Connector listens for connections
• The names of the communities for which the SIP Connector handles
connections (these names are defined in the ExternCommunity
document created in the previous procedure).
Note that if you are using multiple SIP Connectors, you must create a
separate CommunityConnector document for each SIP Connector. Repeat
the steps below for each SIP Connector.
To configure the SIP Connector parameters:
1. Open the CommunityConnector document in the stconfig.nsf database
by double-clicking on the date associated with the document.
If the CommunityConnector document does not exist in the stconfig.nsf
database, you must create it. To create the CommunityConnector
document, choose Create-CommunityConnector from the menu bar in
the Configuration database (stconfig.nsf).
2. In the “Connector Name” field, enter a name for the SIP Connector.
Generally, the DNS name of the machine on which the SIP Connector is
installed is used as the Connector Name. If you are using the iSeries
integrated SIP Connector, specify the fully qualified host name of the
Sametime server associated with the integrated SIP Connector.
If you installed a standalone SIP Connector, you specified a SIP
Connector name during the SIP Connector installation. The “Connector
Name” field should contain the name specified for the SIP Connector
during the SIP Connector installation.
3. In the “IP” field, specify the address on which the SIP Connector
listens for SIP connections, as follows:
If you are using the iSeries integrated SIP Connector, specify the fully
qualified host name of the Sametime server associated with the
integrated SIP Connector. Do not leave this field blank on an iSeries
server.
If you are using a standalone SIP Connector, specify the fully qualified
host name of the machine on which the SIP Connector is installed.
4. In the “Port” field, enter 5060. The SIP Connector listens for SIP
connections from the SIP Gateway or another SIP-enabled community
on this port. Port 5060 is the default port for SIP connections.
Note that if the “IP” field is blank, and the “Port” field specifies 0 (zero),
the SIP Connector will not listen for clear text (or unencrypted) SIP
connections. A SIP Connector in another community cannot make an
unencrypted SIP connection to the SIP Connector.
5. (Optional) In the “TLS IP” field, enter the IP address of the machine on
which the SIP Connector is installed. The SIP Connector listens for
TLS-encrypted SIP connections on this IP address.
If this field is left blank, the SIP Connector listens for TLS-encrypted SIP
connections on all IP addresses assigned to the SIP Connector machine.
The “TLS IP” field is only relevant if you use TLS to encrypt connections
between the SIP-enabled communities. For more information, see
“Encrypting SIP traffic with Transport Layer Security (TLS)” later in this
chapter.
6. (Optional) In the “TLS Port” field, enter the port number on which the
SIP Connector will listen for TLS-encrypted connections. The default
port number for these connections is port 5061.
Note that if the “TLS IP” field is blank, and the “TLS Port” field specifies
0 (zero), the SIP Connector will not listen for TLS-encrypted SIP
connections.
The “TLS Port” field is only relevant if you use TLS to encrypt
connections between the SIP-enabled communities. For more
information, see “Encrypting SIP traffic with Transport Layer Security
(TLS)” later in this chapter.
7. In the “Supported Communities” field, enter the names of the
communities for which this SIP Connector will handle connections.
These are the “Community Names” as defined in the ExternCommunity
documents created when you configured the community connectivity
parameters in the previous procedure.
8. Choose File - Save to save the CommunityConnector document.
9. Leave the stconfig.nsf database open. The next step involves creating
and modifying a document in this database.
Next step:
Enabling the SIP Connector to authenticate when connecting to the SIP
Gateway (iSeries environment).
Enabling the SIP Connector to authenticate when connecting to the SIP
Gateway (iSeries environment)
Enabling the SIP Connector to authenticate when connecting to the SIP
Gateway on the Sametime server is the last of four steps required to
configure the SIP Gateway and the SIP Connector.
A SIP Gateway on a Sametime server will only accept connections from SIP
Connectors that are listed in the stconfig.nsf database on that Sametime
server. Specifically, the IP addresses of all SIP Connectors that connect to a
SIP Gateway on a Sametime server must be listed in the
“CommunityTrustedIps” field of the “CommunityConnectivity” document
in the stconfig.nsf database.
Sametime uses the IP address of the SIP Connector machine to authenticate
connections from the SIP Connector (or verify that the SIP Connector is
known to the Sametime server/SIP Gateway). Using the IP address for
authentication prevents a SIP Connector on an unauthorized machine from
connecting to the SIP Gateway on a Sametime server.
If you are using the iSeries integrated SIP Connector associated with your
Sametime server, the IP address of the SIP connector is the same as the IP
address of your Sametime server. Therefore, you do not need to add
anything to the trusted IP field. Only SIP connectors that run on an IP
address that is different from your Sametime server need to be added to the
trusted IP field. That is, you must update the trusted IP field if your
Sametime server communicates with a SIP Connector installed on a
Windows system or an iSeries integrated SIP Connector associated with a
different Sametime server in the same community.
To enable the SIP Connector to authenticate when connecting to the
Sametime server:
1. Open the CommunityConnectivity document in the stconfig.nsf
database by double-clicking on the date associated with the document.
If the CommunityConnectivity document does not exist in the
stconfig.nsf database, you must create it. To create the
CommunityConnectivity document, choose
Create-CommunityConnectivity from the menu bar in the stconfig.nsf
database.
2. In the “CommunityTrustedIps” field, enter the IP address(es) of the SIP
Connector machine(s).
Note The IP addresses of Community Services multiplexer machines
associated with a Community Services cluster are also entered in this
field.
3. Save and close the CommunityConnectivity document.
Note Sametime SIP Connectors can also be deployed with Sametime
servers that operate as part of a Community Services cluster.
After you enable the SIP Connector to authenticate you have completed all
procedures required to set up the SIP Gateway in an iSeries environment.
Your Sametime community is now SIP-enabled and users in your
community can communicate with users in a different SIP-enabled
community.
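The Windows and iSeries procedures above both leave the administrator to keep four documents consistent by hand: CommunityGateway, ExternCommunity, CommunityConnector and CommunityConnectivity. The following Python is an added example, not part of the Sametime documentation or product, that encodes the rules stated in those procedures as an offline audit: the listener rule (a connector has no clear-text listener only when “IP” is blank and “Port” is 0, and likewise for the TLS pair), every name in “Supported Communities” must have an ExternCommunity document, and every connector address must appear in “CommunityTrustedIps” unless it is the Sametime server's own address (the integrated-connector case). The documents are modelled as plain dicts keyed by the guide's field names; how they are exported from stconfig.nsf, the sample addresses and the connector names are assumptions.

```python
"""Offline consistency audit of the SIP Gateway documents in stconfig.nsf.
Added example, not Sametime documentation or product code. Documents are plain
dicts keyed by the field names the guide's procedures use; exporting them from
stconfig.nsf is outside this example."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "error": federation will not work; "warn": it is weakened
    where: str      # document/field concerned
    message: str


def _blank(value) -> bool:
    return value is None or str(value).strip() == ""


def _port(value) -> int:   # "Port"/"TLS Port": a blank field counts as 0 (not set)
    return 0 if _blank(value) else int(str(value).strip())


def listens_clear_text(connector: dict) -> bool:
    """Per the guide, the clear-text listener is off only when BOTH "IP" is
    blank AND "Port" is 0; a blank "IP" alone means all local addresses."""
    return not (_blank(connector.get("IP")) and _port(connector.get("Port")) == 0)


def listens_tls(connector: dict) -> bool:
    """Same rule for the "TLS IP" / "TLS Port" pair."""
    return not (_blank(connector.get("TLS IP")) and _port(connector.get("TLS Port")) == 0)


def _parse_ip(text: str):
    """Normalised IP string, or None when ``text`` is not an IP address."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def audit(gateway: dict, externs: list[dict], connectors: list[dict],
          connectivity: dict, server_ip: str) -> list[Finding]:
    """Check the four documents against each other; findings come in document order."""
    out: list[Finding] = []
    if gateway.get("Support external communities") != "True":
        out.append(Finding("error", "CommunityGateway/Support external communities",
                           "not True: the SIP Gateway makes and accepts no community connections"))
    if gateway.get("ConvertID") != "True":
        out.append(Finding("warn", "CommunityGateway/ConvertID",
                           "not True: internal user IDs are not translated to e-mail addresses"))
    known = {str(e.get("Community Name", "")).strip() for e in externs}
    trusted = set()
    for raw in str(connectivity.get("CommunityTrustedIps", "")).replace(";", ",").split(","):
        if raw.strip() and _parse_ip(raw) is None:
            out.append(Finding("error", "CommunityConnectivity/CommunityTrustedIps",
                               f"{raw.strip()!r} is not an IP address (host names are not accepted)"))
        elif raw.strip():
            trusted.add(_parse_ip(raw))
    for c in connectors:
        name = str(c.get("Connector Name", "<unnamed>"))
        for comm in str(c.get("Supported Communities", "")).split(","):
            if comm.strip() and comm.strip() not in known:
                out.append(Finding("error", f"CommunityConnector {name}/Supported Communities",
                                   f"{comm.strip()!r} has no ExternCommunity document"))
        clear, tls = listens_clear_text(c), listens_tls(c)
        if not clear and not tls:
            out.append(Finding("error", f"CommunityConnector {name}/Port,TLS Port",
                               "neither a clear-text nor a TLS listener is enabled"))
        elif clear:
            out.append(Finding("warn", f"CommunityConnector {name}/Port",
                               "accepts unencrypted SIP; a blank IP and Port 0 would force TLS"))
        # The address the Sametime server sees: "IP", or "TLS IP" for a TLS-only connector.
        addr = str(c.get("IP") or c.get("TLS IP") or "").strip()
        ip = _parse_ip(addr) if addr else None
        if not addr:
            out.append(Finding("warn", f"CommunityConnector {name}/IP",
                               "no address recorded; compare CommunityTrustedIps with the real address"))
        elif ip is None:   # iSeries documents hold a host name here; resolve and check by hand
            out.append(Finding("warn", f"CommunityConnector {name}/IP",
                               f"{addr!r} is a host name; resolve it and compare with CommunityTrustedIps"))
        elif ip != server_ip and ip not in trusted:
            out.append(Finding("error", "CommunityConnectivity/CommunityTrustedIps",
                               f"{ip} (connector {name}) is missing; the Sametime server will refuse it"))
    return out


# Constructed sample modelled on the guide's procedures (RFC 5737 test addresses).
SAMPLE_GATEWAY = {"Support external communities": "True", "ConvertID": "True"}
SAMPLE_EXTERNS = [{"Community Name": "IBM", "Domains": "*.ibm.com, lotus.com"}]
SAMPLE_CONNECTORS = [
    {"Connector Name": "sipcon1.example.com", "IP": "", "Port": "0",       # TLS-only, correct
     "TLS IP": "192.0.2.10", "TLS Port": "5061", "Supported Communities": "IBM"},
    {"Connector Name": "sipcon2.example.com", "IP": "", "Port": "0",       # no listener at all
     "TLS IP": "", "TLS Port": "0", "Supported Communities": "IBM, Acme"},
]
SAMPLE_CONNECTIVITY = {"CommunityTrustedIps": "192.0.2.10"}
SAMPLE_SERVER_IP = "192.0.2.1"
```

On the sample, sipcon1 passes (TLS-only listener, address trusted) while sipcon2 yields two errors (an unknown community “Acme”, and no listener at all) and a warning that its address cannot be checked. Any connector that still listens in clear text is reported as a warning, since that is exactly the traffic the TLS section later in this chapter exists to protect.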
Disabling the SIP Gateway functionality
You can disable the SIP Gateway functionality if you want to prevent users
in your community from using SIP to communicate with users in a different
community.
The easiest way to disable the SIP Gateway functionality is to prevent the SIP
Gateway from making connections to or receiving connections from another
community. To disable this functionality, follow the instructions below.
1. Use a Lotus Notes client to open the Configuration database
(stconfig.nsf) on the Sametime server machine.
2. Open the CommunityGateway document by clicking on the date
associated with it.
3. In the “Support external communities” field, select “False.”
4. Choose File - Save to save the CommunityGateway document.
Encrypting SIP traffic with Transport Layer Security (TLS)
Encrypting SIP traffic with Transport Layer Security (TLS) is an optional
procedure that protects the SIP Gateway's traffic while it is in transit.
Without TLS, SIP traffic between communities crosses the network
(including the Internet, in a DMZ deployment) in clear text on port 5060.
The administrator can use TLS to encrypt sensitive information (such as user
e-mail addresses and chat text) that is transmitted between two SIP-enabled
communities. Audio/video data cannot be encrypted.
In addition to encrypting SIP traffic with TLS, the administrator can also
configure the SIP Connector to support client certificate authentication.
Client certificate authentication is an optional security configuration that
requires a SIP Connector in another community to present a client certificate
when connecting to the SIP Connector in your community. This client
certificate is used to authenticate the remote SIP Connector.
Note All of the procedures in this section apply to all SIP Connectors in
both the iSeries and Windows environments with the exception of procedure
3. In procedure 3, the certificate management procedures you must perform
depend on whether you are encrypting traffic for an integrated SIP
Connector on an iSeries machine or a standalone SIP Connector on a
Windows machine.
To encrypt SIP traffic with TLS, you must perform the procedures below.
1. Specify the host name and port for TLS-encrypted connections.
2. Set the TLS encryption mode.
3. Manage the certificates required for TLS connections. Depending on
your environment, see:
• “Managing the certificates required for TLS connections (integrated
SIP Connector on iSeries)” later in this chapter.
• “Managing the certificates required for TLS connections (standalone
SIP Connector on Windows)” later in this chapter.
4. (Optional) Enable client certificate authentication for a standalone SIP
Connector on a Windows machine.
Specify the host name and port for TLS connections
Specifying the host name and port number for TLS-encrypted connections is
the first of three procedures required to encrypt SIP traffic between two
SIP-enabled communities.
In this procedure, you specify the host name and port number on which a
SIP Connector will listen for TLS-encrypted connections from another
SIP-enabled community.
The SIP Connector will also use the port number specified in this procedure
to attempt TLS-encrypted connections to the other community.
These host name and port settings are specified in the CommunityConnector
document in the Configuration database (stconfig.nsf) on the Sametime
server.
To specify the host name and port for TLS connections, follow the steps
below:
1. Use a Lotus Notes client to open the Sametime Configuration database
(stconfig.nsf) on the Sametime 3.1 server on which you have enabled the
SIP Gateway functionality.
2. Open the CommunityConnector document by double-clicking on the
“Last modified date” associated with the document.
3. Enter values in the “TLS IP” and the “TLS Port” fields in the
CommunityConnector document as described below:
• TLS IP - This field specifies the IP address on which the SIP
Connector listens for TLS-encrypted SIP connections from another
SIP-enabled community (or communities).
If you leave the TLS IP field blank, the SIP Connector listens for
TLS-encrypted connections on all IP addresses assigned to the SIP
Connector machine. By default, this setting is blank and the SIP
Connector machine listens for connections on all IP addresses.
• TLS Port - This field specifies the port on which the SIP Connector
listens for TLS-encrypted SIP connections from the external
community (or communities) supported by this SIP Connector. The
default setting is port 5061.
384 Sametime 3.1 Administrator's Guide
Note: The SIP Connector initiates connections to another community
using the port number specified in the ExternCommunity document.
If the fields above do not contain the appropriate values, double-click on
the CommunityConnector document to put the document in edit mode.
Edit the fields as needed and save the CommunityConnector document.
4. Close the CommunityConnector document.
5. Leave the stconfig.nsf database open. The next step requires you to
modify a document in this database.
Next step:
Set the TLS encryption mode.
Set the TLS encryption mode
Setting the TLS encryption mode is the second of three procedures required
to encrypt SIP traffic between two SIP-enabled communities.
In this procedure, you specify the way in which the SIP Connector attempts
TLS-encrypted SIP connections to another community. Your options for the
TLS encryption mode include “enabled,” “mandatory,” or “disabled.” Each
of these options is discussed below.
• Enabled - If you select the “enabled” encryption mode, the SIP
Connector first attempts a TLS-encrypted connection to the other
community on the TLS port specified in the CommunityConnector
document (default port 5061).
If the TLS-encrypted connection fails, the SIP Connector attempts an
unencrypted SIP connection to the other community. The unencrypted
SIP connection is attempted on the SIP port specified in the
CommunityConnector document (default port 5060).
• Mandatory - If you select the “mandatory” encryption mode, the SIP
Connector attempts a TLS-encrypted connection to the other community
on the TLS port specified in the CommunityConnector document
(default port 5061).
If the TLS-encrypted connection fails, the SIP Connector does not
attempt an unencrypted connection.
• Disabled - If you select “disabled” as the encryption mode, the SIP
Connector attempts an unencrypted SIP Connection to the other
community on the SIP port specified in the CommunityConnector
document (default port 5060). The SIP Connector does not attempt a
TLS-encrypted connection.
To set the TLS encryption mode:
1. Open the ExternCommunity document by double-clicking on the “Last
modified date” associated with the document.
2. From the Encryption drop-down list, select either “Enabled,”
“Mandatory,” or “Disabled.”
3. The Certificate distinguished name field should be left blank unless you
intend to support client certificate authentication. For more information,
see “Enabling client certificate authentication (optional)” later in this
document.
4. Save and close the ExternCommunity document.
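The following Python models the attempt order of the three encryption modes described above, including the plaintext fallback that only the “enabled” mode permits. It is an added example, not code from the Sametime guide or from IBM; the host, ports and loopback listener it uses are constructed for the demonstration.

```python
"""Connection-attempt order for the ExternCommunity encryption modes.

Added example, not Sametime code: models how a SIP Connector chooses between
the TLS port (default 5061) and the unencrypted SIP port (default 5060) under
the "enabled", "mandatory" and "disabled" modes, performing a genuine TLS
handshake attempt with the ssl module. Host names, ports and the loopback
listener used for testing are constructed here.
"""
import socket
import ssl
import threading

TLS_PORT = 5061  # CommunityConnector "TLS Port" default
SIP_PORT = 5060  # CommunityConnector SIP port default


def plan_attempts(mode, tls_port=TLS_PORT, sip_port=SIP_PORT):
    """Return the ordered (scheme, port) attempts for an encryption mode.

    Only "enabled" retries in the clear after a TLS failure, so it is the
    one mode in which a blocked or misconfigured TLS port silently downgrades
    the community-to-community link to an unencrypted SIP session.
    """
    mode = mode.strip().lower()
    if mode == "enabled":
        return [("tls", tls_port), ("sip", sip_port)]
    if mode == "mandatory":
        return [("tls", tls_port)]
    if mode == "disabled":
        return [("sip", sip_port)]
    raise ValueError("unknown encryption mode: %r" % mode)


def allows_plaintext_fallback(mode):
    """True if the mode can end up unencrypted after a failed TLS attempt."""
    attempts = plan_attempts(mode)
    return attempts[0][0] == "tls" and any(s == "sip" for s, _ in attempts[1:])


def _try_tls(host, port, timeout, ca_file=None):
    """Open a TCP connection and run the TLS handshake as the client side.

    The peer's server certificate must chain to a signer certificate in
    ca_file (or the platform trust store when ca_file is None), which is
    what the key-database / DCM procedures in this chapter provide.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise


def connect(host, mode, tls_port=TLS_PORT, sip_port=SIP_PORT,
            timeout=2.0, ca_file=None):
    """Carry out the planned attempts in order.

    Returns ("tls", socket) or ("sip", socket) for the first attempt that
    succeeds, or None when every attempt fails (for example "mandatory"
    mode with an unreachable TLS port).
    """
    for scheme, port in plan_attempts(mode, tls_port, sip_port):
        try:
            if scheme == "tls":
                return "tls", _try_tls(host, port, timeout, ca_file)
            return "sip", socket.create_connection((host, port), timeout=timeout)
        except OSError:      # ssl.SSLError and socket.timeout are OSErrors
            continue         # this attempt failed; try the next one, if any
    return None


def start_closing_listener():
    """Constructed test fixture: a loopback listener that accepts and
    immediately closes each connection, i.e. a peer on which the TLS
    handshake cannot complete. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_port():
    """Pick a loopback port nothing is listening on (constructed fixture)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

Running connect() against the closing listener in “enabled” mode returns a plaintext "sip" socket, which is the downgrade to watch for when choosing that mode.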
Next step:
See the topic later in this chapter that is appropriate for your environment:
• “Managing the certificates required for TLS connections (integrated SIP
Connector on iSeries)”
• “Managing the certificates required for TLS connections (standalone SIP
Connector on Windows)”
Managing the certificates required for TLS connections (integrated SIP
Connector on iSeries)
Follow the procedures in this topic only if you are using TLS to encrypt
connections to an integrated SIP Connector on an iSeries machine. The
procedures in this topic can also be used to enable client authentication for
the integrated SIP Connector.
Note For instructions on managing certificates for a standalone SIP
Connector installed on a Windows machine, see “Managing the certificates
required for TLS connections (standalone SIP Connector on Windows)” later
in this chapter.
Certificates are required for both TLS encryption and for client
authentication. You can choose to enable TLS encryption alone or you can
enable TLS encryption with client authentication. You cannot implement
client authentication without TLS encryption.
On iSeries systems, certificates are managed using the integrated Digital
Certificate Manager (DCM), rather than IKeyMan. To use the Digital
Certificate Manager, you must install the following software products on the
iSeries server where you are running the integrated SIP connector:
• 5722-SS1 Option 34, Digital Certificate Manager
• 5722-DG1, IBM HTTP Server for iSeries
• 5722-AC2, Crypto Access Provider 56-bit for AS/400 or 5722-AC3,
Crypto Access Provider 128-bit for AS/400
The remainder of this topic outlines the tasks required to implement TLS
encryption on an iSeries integrated SIP connector. If you need more detailed
information about using DCM in order to complete the steps, see the iSeries
Information Center at http://www.ibm.com/as400/infocenter. Select the
“Digital Certificate Manager” topic in the “Security” section.
To enable TLS encryption, complete the following steps on the iSeries system
where you are running the integrated SIP connector:
1. Define the Server Certificate in the Digital Certificate Manager (DCM)
• The server certificate for your integrated SIP Connector must be
imported into the DCM *SYSTEM certificate store and it must be
signed by a certificate authority (CA) that is trusted by the external
community's SIP connector.
• Well-known public Internet Certificate Authorities (CA) that most
web browsers can recognize readily, such as VeriSign, are included in
the DCM. If you are using a private certificate authority, you must
import the CA's certificate into the DCM *SYSTEM certificate store.
• If you are implementing client authentication, you must also have a
certificate for the CA that signed the server certificate for the external
community's SIP connector. Again, this can either be a public Internet
Certificate Authority (CA) that is already included in the DCM or you
can import the certificate for a private certificate authority.
• The following public Internet Certificate Authorities (CA) are
included in the DCM:
Microsoft Root Authority
Thawte Personal Premium CA
Thawte Personal Freemail CA
Thawte Personal Basic CA
Thawte Premium Server CA
Thawte Server CA
RSA Secure Server Certification Authority
VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
VeriSign Class 2 CA Individual Subscriber-Persona Not Validated
VeriSign Class 3 CA Individual Subscriber-Persona Not Validated
Verisign Class 1 Public Primary Certification Authority
Verisign Class 2 Public Primary Certification Authority
Verisign Class 3 Public Primary Certification Authority
2. Define the DCM Server Application in the Digital Certificate Manager
(DCM)
This is a DCM Application Definition that is used when the integrated
SIP Connector accepts incoming connections from an external
community. That is, the integrated SIP Connector is acting as a server in
the context of the TLS connection handshake.
Specify the following when creating the DCM Server Application:
• Type=“Server”
• A unique identifier for the Application ID, such as
SAMETIME_SERVER_MyServerName
• If you are not implementing client authentication, specify “Client
authentication supported” = no
• If you are implementing client authentication, also specify:
“Define the CA trust list” = yes
“Client authentication supported” = yes
“Client authentication required” = yes
Select “Update certificate assignment” to specify the server certificate for
your integrated SIP Connector. This is the server certificate described in
Step 1.
If you are implementing client authentication, select “Define CA Trust
List” to specify a Certificate Authority (CA) trust list that includes the
certificate authority that signed the server certificate used by the external
community.
3. Define the DCM Client Application in the Digital Certificate Manager
(DCM)
This is a DCM Application Definition that is used when the integrated
SIP Connector is initiating a connection to an external community. That
is, the integrated SIP Connector is acting as a client in the context of the
TLS connection handshake.
Specify the following when creating the DCM Client Application:
• Type=“Client”
• A unique identifier for the Application ID, such as
SAMETIME_CLIENT_MyServerName
• “Define the CA trust list” = yes
Select “Define CA Trust List” to specify a Certificate Authority (CA)
trust list that includes the certificate authority that signed the server
certificate used by the external community.
If you are implementing client authentication, select “Update certificate
assignment” to specify the server certificate for your integrated SIP
Connector. This is the server certificate described in Step 1.
4. Add entries to the [External Community] section of the sametime.ini file
to specify the DCM application IDs. For example:
ConnectorServerApplicationId=SAMETIME_SERVER_MyServerName
ConnectorClientApplicationId=SAMETIME_CLIENT_MyServerName
5. Ensure that the QNOTES user profile has the proper authority to the
DCM certificate store by running the following commands from any
OS/400 command line:
CHGAUT OBJ('/QIBM/USERDATA/ICSS/CERT/Server') USER(QNOTES)
DTAAUT(*RX)
CHGAUT OBJ('/QIBM/USERDATA/ICSS/CERT/Server/DEFAULT.RDB')
USER(QNOTES) DTAAUT(*RX)
CHGAUT OBJ('/QIBM/USERDATA/ICSS/CERT/Server/DEFAULT.KDB')
USER(QNOTES) DTAAUT(*RX)
Note that these procedures must be performed both on the SIP Connector in
your community and the SIP Connector on the community to which you are
connecting.
Managing the certificates required for TLS connections (standalone SIP
Connector on Windows)
Follow the procedures in this section only if you are using TLS to encrypt
connections to a standalone SIP Connector on a Windows machine.
Note For instructions on managing certificates for an integrated SIP
Connector on an iSeries machine, see “Managing the certificates required for
TLS connections (integrated SIP Connector on iSeries)” later in this chapter.
Managing the certificates required for Transport Layer Security (TLS)
connections is the last of three procedures required to encrypt SIP traffic
between two SIP-enabled communities.
Similar to the Secure Sockets Layer (SSL) protocol, the TLS protocol relies on
certificates for authentication and encryption. This section discusses the
certificate management issues and procedures associated with encrypting
SIP traffic between two SIP-enabled communities.
When your SIP-enabled Sametime community is configured to communicate
with another SIP-enabled community, either community can initiate a
connection with the other community. Essentially, this means that the SIP
Connector in each community can operate as either the server or the client in
a TLS connection handshake. To support TLS, you must ensure that the SIP
Connector has access to the certificates that enable the SIP Connector to
operate as either a server or a client in a TLS connection handshake.
To manage the certificates required for TLS connections for a standalone SIP
Connector on a Windows machine, you must perform both of the following
procedures:
1. Ensure the SIP Connector can operate as a server in a TLS connection
handshake. This procedure includes the following steps:
a. Install the IKeyMan program on the SIP Connector machine.
b. Use the IKeyMan program to create a key database on the SIP
Connector machine.
c. Identify the signer (or “trusted root”) certificate you will use.
d. Create and submit a server certificate request.
e. Import the server certificate into the key database.
2. Ensure the SIP Connector can operate as a client in a TLS connection
handshake.
Each of these procedures is described in subsequent topics. Note that these
procedures must be performed both on the SIP Connector in your
community and the SIP Connector on the community to which you are
connecting.
Ensure the SIP Connector can operate as a server in a TLS handshake
Ensuring the SIP Connector can operate as a server in a TLS handshake is the
first of two procedures associated with managing the certificates required to
encrypt connections to a standalone SIP Connector on a Windows machine.
When a SIP Connector in another SIP-enabled community initiates a
TLS-encrypted SIP connection to the SIP Connector in your community, the
SIP Connector in your community must operate as the server in the TLS
connection handshake.
To operate as a server in a TLS handshake, the SIP Connector must have all
of the following:
• A key database (this database is created by the IKeyMan program).
• The key database must contain a signer (or “trusted root”) certificate.
• The key database must also contain a separate server certificate signed
by the same Certificate Authority (CA) as the signer certificate.
To ensure that the SIP Connector meets all of these requirements, you must
perform these five steps:
1. Install the IKeyMan program on the SIP Connector machine.
2. Use the IKeyMan program to create a key database on the SIP Connector
machine.
3. Identify the signer (or “trusted root”) certificate you will use.
4. Create and submit a server certificate request.
5. Import the server certificate into the key database.
Each of these procedures is described in a subsequent topic.
Install the IKeyMan program on the SIP Connector machine
Installing the IKeyMan program on the SIP Connector machine is the first of
five steps required to ensure that a SIP Connector on a Windows machine
can operate as a server in a TLS connection handshake.
To install the IKeyMan program on the SIP Connector machine:
1. Create a directory named “GSKit” on the SIP Connector machine.
2. Insert the Sametime 3.1 server CD 2 into the CD drive on the SIP
Connector machine.
3. Copy the contents of the GSKit directory on the Sametime 3.1 server CD
2 to the GSKit directory on the SIP Connector machine.
4. Open a command prompt on the SIP Connector machine.
5. In the command prompt window, change to the drive and “GSKit”
directory to which you have copied the GSKit contents.
(For example, enter “cd GSKit” at the command prompt to change to the
directory containing the GSKit setup.exe file.)
6. Enter the following command in the command prompt:
setup.exe GSKit <SIP Connector installation directory> -s -f1setup.iss
In the command string above, <SIP Connector installation directory> is
the directory path in which the SIP Connector is installed. For example,
if the SIP Connector is installed in a directory named SIP, your
command string would look like this:
C:\GSKit>setup.exe GSKit C:\SIP -s -f1setup.iss
This command line performs a silent installation of the IKeyMan
program into the SIP Connector installation directory.
7. To verify that the installation is successful, do the following:
• Check that the C:\<SIP Connector installation directory>\IBM\GSK6
folder exists on the Sametime server.
• Verify that the HKLM\Software\IBM\GSK6 registry key has been
created on the SIP Connector machine.
8. After installing the IBM IKeyMan utility, you must define the Java
environment on the Sametime server machine. Follow the steps below:
a. From the Windows desktop, right click on the My Computer icon
and select “System Properties.”
b. Select the “Advanced” tab.
c. Click the “Environment Variables” button.
d. For “System Variables,” select “New.”
e. Enter the following in the Variable Name and Variable Value fields:
Variable Name: JAVA_HOME
Variable Value: C:\<SIP Connector installation
directory>\ibm-jre\jre
9. Use a text editor to add “com.ibm.spi.IBMCMSProvider” to the list of
providers in the C:\<SIP Connector installation
directory>\ibm-jre\jre\lib\security\java.security file. Follow the steps
below:
a. Use a text editor to open the java.security file located in the directory
path shown above on the SIP Connector machine.
b. Type the following line into the list of security providers:
security.provider.3=com.ibm.spi.IBMCMSProvider. The example
below illustrates this line added to the java.security file:
#
# List of providers and their preference orders (see above)
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.spi.IBMCMSProvider
10. Delete the file “gskikm.jar” from the following location: C:\<SIP
Connector installation directory>\ibm-jre\jre\lib\ext\gskikm.jar.
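The edit in step 9 can be scripted so that it is safe to re-run. The Python below is an added example (not from the Sametime guide or IBM): it inserts com.ibm.spi.IBMCMSProvider as security.provider.3, skips the insertion if the provider is already listed, and renumbers any later providers so the preference numbers stay contiguous; the sample file contents are constructed from the excerpt above.

```python
"""Add a JCE provider to a java.security provider list (added example; not
from the Sametime guide or IBM). It performs the step-9 edit in a repeatable
way: a provider that is already listed is not added twice, and if the
requested slot is occupied the later providers are renumbered so the
security.provider.N sequence stays contiguous. Existing provider lines are
rewritten as one block at the position of the first one; comments and other
settings are left untouched.
"""
import re

PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")


def providers(text):
    """Return provider class names in preference order (lowest N first)."""
    found = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return [cls for _, cls in sorted(found)]


def add_provider(text, provider, position):
    """Insert `provider` at preference `position` (1-based); return new text."""
    lines = text.splitlines()
    first = next((i for i, l in enumerate(lines) if PROVIDER_RE.match(l)),
                 len(lines))
    classes = providers(text)
    if provider in classes:
        return text                      # idempotent: already configured
    if not 1 <= position <= len(classes) + 1:
        raise ValueError("position %d would leave a gap in the list" % position)
    classes.insert(position - 1, provider)
    # Keep every non-provider line, then write the renumbered block where
    # the provider list began.
    kept = [l for l in lines if not PROVIDER_RE.match(l)]
    insert_at = sum(1 for l in lines[:first] if not PROVIDER_RE.match(l))
    block = ["security.provider.%d=%s" % (n, cls)
             for n, cls in enumerate(classes, 1)]
    kept[insert_at:insert_at] = block
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


# Constructed sample mirroring the java.security excerpt in the guide.
SAMPLE = """\
#
# List of providers and their preference orders (see above)
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.provider.IBMJCE
"""

if __name__ == "__main__":
    print(add_provider(SAMPLE, "com.ibm.spi.IBMCMSProvider", 3))
```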
Next step:
Use the IKeyMan program to create a key database on the SIP Connector
machine.
Use the IKeyMan program to create a key database on the SIP
Connector machine
Using the IKeyMan program to create a key database on the SIP Connector
machine is the second of five steps required to ensure that a SIP Connector on
a Windows machine can operate as a server in a TLS connection handshake.
In this procedure, you use IKeyMan to create the key database that is used to
store the trusted root and server certificates required by the TLS handshake.
To create the key database:
1. Start the IKeyMan program on the SIP Connector machine. To start the
program, run the gsk6ikm.exe file located in the C:\<SIP Connector
installation directory>\IBM\gsk6\bin directory on the SIP Connector
machine.
Note You can also start IKeyMan from the Windows Start-Programs
button.
2. From the menu bar, select Key Database File - New....
3. In the New window, complete these fields:
• Key database type - Select “CMS key database file.”
• File Name - Enter “key.kdb” as the file name for the key database.
The key database must have the filename of key.kdb.
• Location - The location must specify the directory in which the SIP
Connector is installed.
Click OK.
4. In the Password prompt window, do the following:
• Type a password and confirm the password. The password is at your
discretion. You will be required to enter this password when you
open the key database to add or remove a certificate, or create a
certificate request.
• Select the “Stash the password to a file?” check box.
Click OK.
An information window appears indicating the password is encrypted and
saved in the location:
<SIP Connector installation path>\key.sth
Next step:
Identify the signer (or “trusted root”) certificate you will use.
Identify the signer (or trusted root) certificate you will use
Identifying the signer (or “trusted root”) certificate you will use is the third
of five steps required to ensure that a SIP Connector on a Windows machine
can operate as a server in a TLS connection handshake.
To operate as a server in a TLS connection handshake, the SIP Connector
must have access to two certificates:
• An SSL signer (or “trusted root”) certificate signed by a specific
Certification Authority (CA), such as VeriSign
• An SSL server certificate signed by the same CA as the signer certificate.
Note Both SSL and TLS connections use SSL certificates. A TLS connection
does not require a TLS certificate.
In this procedure, you identify the signer certificate that you want to use as
the trusted root certificate. In a subsequent procedure, you must request a
server certificate from the same Certification Authority (CA) that created the
signer certificate.
The key database created in the previous procedure contains several signer
certificates by default. Use the procedure below to view the available signer
certificates that are provided by default in the key database.
1. If necessary, start the IKeyMan program by running the gsk6ikm.exe file
located in the <SIP Connector installation directory>\IBM\GSK6
directory on the SIP Connector machine.
2. Select Key Database File-Open to open the SIP Connector key database
(“key.kdb” in this example).
3. In the Key database content drop-down list, select “Signer Certificates”
to display the list of CA trusted root certificates provided by default.
This list includes:
• RSA Secure Server Certification Authority
• Thawte Personal Basic CA
• Thawte Personal Freemail CA
• Thawte Personal Premium CA
• Thawte Premium Server CA
• Thawte Server CA
• VeriSign Class 1 CA Individual-Persona Not Validated
• VeriSign Class 2 CA Individual-Persona Not Validated
• VeriSign Class 3 CA Individual Persona Not Validated
• VeriSign Class 1 Public Primary Certification Authority
• VeriSign Class 2 Public Primary Certification Authority
• VeriSign Class 3 Public Primary Certification Authority
• VeriSign Test CA Root Certificate
4. Identify the Signer Certificate you want to use as the trusted Certificate
Authority (CA). In the next procedure, you must request a server
certificate from the same CA.
Note If you do not want to use one of the default signer certificates, you can
also request a signer certificate from another CA. Generally, you must
browse to the CA's web site and follow the instructions on the web site to
request a signer certificate from another CA. When you receive the signer
certificate from the CA, you must add the signer certificate to the key.kdb
database as a Signer certificate. You use the “Import” feature of the IKeyMan
key.kdb database to add the certificate.
Note also that Domino servers include Certificate Authority applications.
Using a Domino Certificate Authority application can prevent you from
having to pay for certificates. For information on using a Domino server
Certificate Authority application, see the Domino server administration
documentation.
Next step
Create and submit a server certificate request.
Create and submit a server certificate request
Creating and submitting a server certificate request is the fourth of five steps
required to ensure that a SIP Connector on a Windows machine can operate
as a server in a TLS connection handshake.
After you have chosen the CA that will provide the signer (or “trusted root”)
certificate, you must request a separate server certificate from that CA. For
example, if you elect to use the “VeriSign Class 1 Public Primary
Certification Authority” certificate as the signer certificate, you must request
a separate server certificate from VeriSign.
To request a server certificate, you use the IKeyMan program to create a
certificate request. After creating this request, you must submit it to a CA.
To create a server certificate request:
1. If necessary, start the IKeyMan program by running the gsk6ikm.exe file
located on the SIP Connector machine.
2. Select Key Database File-Open and open the “key.kdb” database created
earlier.
3. In the “Key database content” drop-down list, select “Personal
Certificate Requests.”
4. On the right-hand side of the “Key database content” box, click the
“New...” button.
5. In the “Create New Key and Certificate Request” window, complete the
following fields.
• Key Label - The Key Label is at your discretion. The key label
identifies the server certificate in IKeyMan lists. You should provide a
Key Label that indicates the certificate is a server certificate (for
example, “VeriSignServerCert.”)
• Key Size - Select “1024.”
• Common name - Enter the fully-qualified DNS name of the machine
that contains the SIP Connector (for example, sipconnector1.ibm.com).
• Organization - Enter the organization with which the server is
associated. For example, “IBM.”
• Country - Select the country in which your server is located.
• Enter the name of a file in which to store the certificate request -
Specify a directory path and file name in which to store the certificate
request. In this example, the certificate request will be stored in the
file “TLScertreq.arm.”
6. Click OK. The certificate request is stored as a text file.
7. Submit the certificate request to the CA (see the notes below).
Notes on submitting a server certificate request to a CA
The procedure to submit a server certificate request can vary for each CA.
Usually, you submit the request by providing the CA with the certificate
request file (“TLScertreq.arm” in this example) or by copying the contents of
the certificate request file to your Windows clipboard and pasting these
contents into a field in a web page on the CA's web site.
After you request the server certificate, the CA will notify you when the
signed certificate is available and explain how to pick up the certificate.
Note also that CAs charge a fee for these certificates. If you use the Domino
server Certificate Authority application as your CA, you can request the CA
server certificate from the Domino CA application and avoid this fee. For
more information on using the Domino CA application, see the Domino
server administration documentation.
Next step:
Import the server certificate into the key database.
Import the server certificate into the key database
Importing the server certificate into the key database is the last of five steps
required to ensure that a SIP Connector on a Windows machine can operate
as a server in a TLS connection handshake.
To import the server certificate into the key database:
1. Use IKeyMan to open the “key.kdb” database created earlier in this
procedure.
2. On the right-hand side of the “Key database content” box, click the
“Receive...” button.
3. In the “Receive Certificate from a file” window, complete the following
fields:
• Data type - Accept the default of “Base64-encoded ASCII data.”
• Certificate file name - Browse to and select the signed server
certificate you received from the CA (as described in the previous
procedure titled “Create and submit a server certificate request”).
• Location - Ensure the location field specifies the directory path to
which the signed certificate was saved after you received it from the
CA.
4. Click OK.
You should now see the server certificate name displayed in the Personal
Certificates list in IKeyMan.
Next step
This concludes the procedures required to ensure that a SIP Connector on a
Windows machine can operate as a server in a TLS connection handshake.
Next, you must perform the procedures required to ensure the SIP
Connector can operate as a client in a TLS handshake.
Ensure the SIP Connector can operate as a client in a TLS handshake
Ensuring the SIP Connector can operate as a client in a TLS handshake is the
last of two procedures associated with managing the certificates required to
encrypt SIP connections to a standalone SIP Connector installed on a
Windows machine.
To ensure the SIP Connector meets all requirements to operate as a client in a
TLS handshake, you must ensure the SIP Connector has access to the
appropriate SSL certificate.
When the SIP Connector in your community initiates a TLS-encrypted
connection to a SIP Connector in another community, the SIP Connector in
the other community will send its SSL server certificate to your SIP
Connector. The SIP Connector in your community requires this server
certificate to negotiate encryption levels and ensure the data exchanged with
the other SIP Connector is encrypted.
To ensure the server certificate of the SIP Connector from the other
community can be used to accomplish encryption, the key database on the
SIP Connector in your community must contain one of the following
certificates:
• A signer (or “trusted root”) certificate signed by the same CA as the
server certificate sent to your SIP Connector by the SIP Connector in the
other community.
For example, if the SIP Connector in the other community sends a server
certificate signed by VeriSign, the SIP Connector in your community
must have access to a signer (or “trusted root”) certificate signed by
VeriSign to establish trust with the other SIP Connector.
• A copy of the signed server certificate that is sent by the SIP Connector
in the other community. The SIP Connector in your community can also
establish trust with the other SIP Connector if the SIP Connector in your
community has access to a copy of the server certificate sent by the other
SIP Connector.
In many cases, the key databases on both SIP Connectors will have the
appropriate trusted root certificates by default and no procedures will be
necessary to ensure that the SIP Connector in one community can operate as
a client to the SIP Connector in the other community.
If it is necessary to obtain a copy of the server certificate of the other SIP
Connector, the IKeyMan program on the SIP Connector in the other
community can be used to export (or extract) the server certificate from the
key database.
The server certificate must then be sent in some secure way (for example, on
a floppy disk using registered mail) to your location. The IBM IKeyMan
program on your SIP Connector can then be used to import the server
certificate into the key database on your SIP Connector.
After you ensure the SIP Connector can operate as a client in a TLS
handshake, you have completed all procedures required to encrypt SIP
traffic with TLS.
Note that all procedures described in this section must be performed for the
SIP Connector in your community and the SIP Connector in the other
community to ensure data transmitted between the SIP Connectors is
encrypted.
Enabling client certificate authentication for a standalone SIP Connector
on a Windows machine (optional)
Enabling client certificate authentication is an optional procedure that
requires a SIP Connector to authenticate when connecting to a SIP Connector
in another community.
Note The procedures in this section explain how to enable client certificate
authentication for a standalone SIP Connector on a Windows machine. To
enable client certificate authentication for an integrated SIP Connector on an
iSeries machine, see "Managing the certificates required for TLS connections
(integrated SIP Connector on iSeries)" earlier in this chapter.
Client certificate authentication requires a SIP Connector to present a
separate client certificate when initiating a connection (or operating as a
client) to a SIP Connector in another community. The SIP Connector in the
other community uses this client certificate to verify the identity of the client
SIP Connector.
Client certificate authentication is a separate security process from
encrypting SIP connections with TLS (described earlier in this chapter).
Client certificate authentication verifies the identity of the connecting server
while encryption protects the data from being read by an unauthorized user
or attacker.
To illustrate client certificate authentication, consider the following basic
example in which SIP Connector A operates in one community while SIP
Connector B operates in a separate community.
1. SIP Connector A initiates a connection (or operates as a client) to SIP
Connector B.
2. SIP Connector B requests a client certificate from SIP Connector A.
3. SIP Connector B authenticates SIP Connector A based on the data
provided on this client certificate.
For client certificate authentication to be accomplished in this scenario, SIP
Connector A must be configured to operate as the client to SIP Connector B
in the connection handshake. Similarly, SIP Connector B must be configured
to operate as a server in the connection handshake to validate the identity of
SIP Connector A based on the client certificate presented by SIP Connector
A. Instructions for each of these procedures are provided in the following
topics:
• Enabling a SIP Connector to operate as a client when client certificate
authentication is required.
• Enabling a SIP Connector to require client certificate authentication.
Enabling a SIP Connector to operate as a client when client certificate
authentication is required
Enabling the SIP Connector to operate as a client when client authentication
is required is the first of two procedures associated with enabling client
certificate authentication for a standalone SIP Connector on a Windows
machine.
In this procedure, you must request a client certificate (or "Personal"
certificate) from a Certificate Authority (CA) and merge this certificate into
the key database on the SIP Connector.
The procedures required to request a client (or "Personal") certificate from a
Certificate Authority (CA) are identical to the procedures discussed earlier in
this document in the section titled "Ensure the SIP Connector can operate as
a server in a TLS handshake." These procedures are summarized below.
1. Install the IKeyMan program on the SIP Connector machine.
2. Use the IKeyMan program to create a key database on the SIP Connector
machine.
3. Identify the signer (or "trusted root") certificate you will use.
4. Create and submit a server certificate request. (See the notes below.)
5. Import the server certificate into the key database.
If you have already performed these procedures, you have completed all
steps necessary to enable a SIP Connector to operate as a client when client
authentication is required by the SIP Connector in another community. If
you have not performed these procedures, you can follow the procedures
described in "Ensure the SIP Connector can operate as a server in a TLS
handshake" to enable a SIP Connector to operate as a client when client
authentication is required.
Notes concerning "server" and "client" certificates
In step 4 above, the term "server" certificate request is used. A "client"
certificate is identical to a "server" certificate except the certificates are used
for different purposes. For client certificate authentication, the certificate
name is used to verify the identity of the client. For TLS encryption, the
public key on the certificate is required to begin the encryption process.
When importing this certificate into the IKeyMan database, you designate it
as a "Personal" certificate. IKeyMan does not distinguish between "client"
and "server" certificates and regards them both as "Personal" certificates. The
five steps above can be followed exactly as written to import the client
certificate into the key database. However, when performing these
procedures the administrator should be aware that the terms "server
certificate" and "client certificate" are synonymous.
Next step:
Enabling a SIP Connector to require client certificate authentication.
Enabling a SIP Connector to require client certificate authentication
Enabling the SIP Connector to require client certificate authentication is the
last of two procedures associated with enabling client certificate
authentication for a standalone SIP Connector on a Windows machine.
This procedure enables the SIP Connector to operate as a server in the client
certificate authentication process.
To require client certificate authentication (or enable the SIP Connector to
operate as a server in the client authentication process), you must perform
two steps:
1. Enter the client certificate name in the ExternCommunity document in
the Configuration database.
2. Ensure the SIP Connector has access to the certificates necessary to trust
the client certificate.
Each of these procedures is described in detail in a subsequent topic.
Enter the client certificate name in the ExternCommunity document in
the Configuration database
Entering the client certificate name in the ExternCommunity document in
the Configuration database is the first of two steps required to enable a SIP
Connector to require client certificate authentication.
When client certificate authentication is required, a SIP Connector in another
community must send its client (or "Personal") certificate to the SIP
Connector in your community. The SIP Connector in your community must
verify that the name on this certificate is a certificate name it knows to
accomplish the authentication.
To ensure that your SIP Connector knows the name of the client certificate
provided by the SIP Connector in the other community, you must enter this
certificate name in the ExternCommunity document in the Configuration
database (stconfig.nsf) of the Sametime server to which your SIP Connector
connects.
To enter the name of the client certificate in the ExternCommunity
document:
1. Use a Lotus Notes client to open the Configuration database
(stconfig.nsf) on the Sametime server.
2. Open the ExternCommunity document in the stconfig.nsf database by
double-clicking on the date associated with the document.
3. In the "Certificate distinguished name" field, enter the name associated
with the client certificate (or "Personal" certificate) sent by the SIP
Connector in the other community to the SIP Connector in your
community.
The name of this certificate is usually entered in canonical format,
including both the name, organizational unit (if applicable), and
organization. For example, cn=servername, ou=organizational unit,
o=organization.
The name of this certificate is specified when the certificate request is
created. If you do not know the name of this certificate, it may be
necessary to contact the administrator for the other community to get
this certificate name.
4. Save and close the ExternCommunity document.
Next step:
Ensure the SIP Connector has access to the certificates necessary to trust the
client certificate.
Ensure the SIP Connector has access to the certificates necessary to
trust the client certificate
Ensuring the SIP Connector has access to the certificates necessary to trust
the client certificate sent by a SIP Connector in another community is the last
of two steps required to enable client certificate authentication on a
standalone SIP Connector installed on a Windows machine.
This procedure ensures that the client certificate (or "Personal" certificate)
sent by a SIP Connector in another community is signed by a Certificate
Authority (CA) that is trusted by the SIP Connector in your community.
To ensure the SIP Connector in your community trusts the CA of the client
certificate, the SIP Connector in your community must have access to one of
the following certificates:
• A signer (or "trusted root") certificate signed by the same CA as the
client certificate sent by the SIP Connector in the other community.
• A copy of the signed client certificate that is sent by the SIP Connector in
the other community. Access to this copy alone is sufficient for the SIP
Connector in your community to establish trust of the client certificate.
In many cases, the key databases on each SIP Connector will have the
appropriate trusted root certificates by default and no procedures will be
necessary to ensure that the SIP Connector in one community has the trusted
root certificate necessary to trust the client certificate sent by the SIP
Connector in the other community.
If it is necessary to obtain a copy of the client certificate of the other SIP
Connector, the IKeyMan program on the other SIP Connector can be used to
export (or extract) the certificate from the key database on that SIP
Connector. This certificate must then be sent in some secure fashion (for
example, on a floppy disk sent by registered mail) to your organization. You
can use the IBM IKeyMan program on your SIP Connector to import the
certificate into the key database on your SIP Connector.
If you have not yet created a key database on the SIP Connector to store
these certificates, you can follow the steps described in these two topics to
create the key database. These two topics appear earlier in this chapter.
• Install the IKeyMan program on the SIP Connector machine.
• Use the IKeyMan program to create a key database on the SIP Connector
machine.
If it is necessary to import the client certificate of the other SIP Connector
machine into the key database, follow the instructions in the "Import the
server certificate into the key database" earlier in this chapter to import the
certificate.
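The server-side decision described in the two topics above, modelled as an added example in Go with the standard crypto/x509 package. This is not Sametime or IKeyMan code: it shows the name comparison against the "Certificate distinguished name" entered in the ExternCommunity document, and both ways of trusting the client certificate (a signer certificate of its CA, or an imported copy of the certificate itself). Community names, certificate names and keys are constructed for the example.

```go
package main

// Added example, not Sametime code: the two checks a SIP Connector makes when it
// requires client certificate authentication, modelled with Go's crypto/x509.
// All community names, certificate names and keys below are constructed.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a self-signed signer ("trusted root") certificate when parent is
// nil, otherwise a client ("Personal") certificate signed by parent.
func issue(serial int64, name pkix.Name, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      name,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// normalizeDN brings a certificate subject (pkix.Name.String() renders it as
// "CN=...,OU=...,O=...") and the value typed into the "Certificate distinguished
// name" field to one form: lower case, single ", " separators. Attribute values
// that themselves contain commas are not handled by this simple split.
func normalizeDN(s string) string {
	fields := strings.Split(s, ",")
	for i := range fields {
		fields[i] = strings.TrimSpace(fields[i])
	}
	return strings.ToLower(strings.Join(fields, ", "))
}

// authenticateClient is the decision taken by the SIP Connector acting as server.
// keyDatabase holds whatever IKeyMan imported: signer certificates and/or copies
// of the other connector's client certificate (Go's Verify accepts a leaf that is
// itself in the trusted pool, which models the "copy of the client certificate" case).
func authenticateClient(presented *x509.Certificate, keyDatabase []*x509.Certificate, configuredDN string) error {
	roots := x509.NewCertPool()
	for _, c := range keyDatabase {
		roots.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return fmt.Errorf("client certificate not trusted: %w", err)
	}
	if got, want := normalizeDN(presented.Subject.String()), normalizeDN(configuredDN); got != want {
		return fmt.Errorf("certificate name %q does not match configured name %q", got, want)
	}
	return nil
}

// runScenarios: community B's CA issues SIP Connector B's client certificate;
// SIP Connector A decides from its key database contents and its configured name.
func runScenarios() map[string]error {
	caB, keyB := issue(1, pkix.Name{CommonName: "Community B CA", Organization: []string{"ExampleB"}}, nil, nil)
	clientB, _ := issue(2, pkix.Name{CommonName: "sipconnB", OrganizationalUnit: []string{"SIP"}, Organization: []string{"ExampleB"}}, caB, keyB)
	otherCA, _ := issue(3, pkix.Name{CommonName: "Unrelated CA"}, nil, nil)
	dn := "CN=sipconnB, OU=SIP, O=ExampleB" // as typed in the ExternCommunity document
	return map[string]error{
		"signer cert in key database": authenticateClient(clientB, []*x509.Certificate{caB}, dn),
		"copy of client cert":         authenticateClient(clientB, []*x509.Certificate{clientB}, dn),
		"unknown CA":                  authenticateClient(clientB, []*x509.Certificate{otherCA}, dn),
		"name mismatch":               authenticateClient(clientB, []*x509.Certificate{caB}, "cn=other, ou=SIP, o=ExampleB"),
	}
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-28s accepted=%-5v %v\n", name, err == nil, err)
	}
}
```

The first two scenarios are accepted and the last two rejected, one because no certificate in the key database establishes trust and one because the name on the certificate differs from the configured name.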
Audio/Video connectivity with SIP
When a user in your community invites another user to an instant
audio/video meeting, the meeting is created on a Sametime server in your
community. The call control and signaling aspect of this connection is
handled by SIP. If both communities are configured to support SIP, as
described earlier in this chapter, the user from the other community should
be able to participate in the audio/video meeting.
Note however that the audio/video streams for the meeting are sourced
from the Multimedia Processor (MMP) on the Sametime server hosting the
meeting. This aspect of audio/video connectivity functions as follows:
• The Audio/Video streams are transmitted using UDP. The Sametime
server Audio/Video Services dynamically select the UDP ports on which
to transmit the audio and video streams. These ports are chosen from the
"Interactive Audio/Video Network - Multimedia Processor (MMP) UDP
port numbers start/end at" settings in the Sametime Administration Tool
on the Sametime server.
• If any network between the client and the server blocks UDP traffic, the
audio/video streams cannot be transmitted to the client in the other
community. In this case, the audio and video streams can be tunneled
over a single TCP/IP port.
The administrator can specify the TCP port over which the streams will
be tunneled in the "Interactive Audio/Video Network-TCP tunneling
port" (default 8084) setting in the Sametime Administration Tool on the
Sametime server. The port specified as the "TCP tunneling port" must be
open through all networks between the client and the server for the
client to transmit and receive TCP-tunneled audio and video streams.
Note If the audio/video streams must be routed through an HTTP or
SOCKS proxy server on any network between the user in the external
community and the Sametime server in your community, the user cannot
participate in an instant audio/video meeting with a user in your
community.
For more information about the MMP on the Sametime server, see
"Audio/Video Services components and clients" in Chapter 10.
End user experience with the SIP Gateway
The Sametime User's Guide refers to users in other SIP-enabled communities
as "external users." External users cannot access Sametime features, but they
can communicate with Sametime users through instant messages and
audio/video sessions.
Sametime Connect identifies external users by Internet e-mail addresses
([email protected]) rather than hierarchical names (Jane
Doe/East/Acme) or short names (Jane Doe). External users also identify
Sametime users by e-mail addresses. For example, when adding a Sametime
user to an awareness list, external users enter the Sametime user's e-mail
address.
For the most part, Sametime users interact with external users just as they do
with other Sametime users. For more information, refer to the topics listed
below in "Chapter 2: Using Sametime Connect" of the Sametime 3.1 online
end user help (available from the "Documentation" link on the Sametime
server home page). This help is also available in PDF format at
www-10.lotus.com/ldd. Click the Documentation Library link to search for
the Sametime 3.1 User's Guide.
Sametime users can:
• Add and remove external users from the contact list. See "Adding an
Individual Name to the Contact List" for more information.
• Add and remove external users from the Who Can See If I Am Online
List. See "Determining Who Sees You Online" for more information.
• Send and receive instant messages with external users. See "Chatting
with People" for more information.
• Create specific alerts for external users. See "Setting Specific Alerts" for
more information.
• Display external users in the contact list in two ways: only when external
users are online or all the time. See "Displaying Online People or All
People" for more information.
• Invite external users to instant audio/video sessions and attend instant
audio/video sessions started by external users. These sessions are
different from Sametime meetings because they do not include any other
Sametime tools, such as whiteboard or chat.
To invite an external user to an instant audio/video session:
a. Select the external user in the contact list.
b. Right-click the external user and select either Audio (for an
audio-only session) or Video (for a session that includes both audio
and video).
c. The Start Instant Meeting dialog box appears. Edit the Topic and
Message fields if necessary and click Send. (You cannot add tools or
add invitees to the session. Even if "Secure Meeting" is checked, your
session might not be encrypted because the external user's
community might not enable encryption.)
d. Click OK if the confirmation dialog box appears.
The following Sametime features do not work with external users:
• External users cannot attend scheduled or instant Sametime meetings.
• External users do not appear in the local directory. These users must be
added individually to the Sametime Connect contact list using the
Internet e-mail address.
• You cannot send announcements to external users.
• You cannot transfer files to external users or receive files from external
users.
• External users appear either online or offline in the contact list. They do
not have the full range of online statuses that are available to regular
Sametime users. Sametime online statuses are not visible to external
users, either. To external users, Sametime users appear only as online or
offline. If an external user is part of another Sametime community, then
the full range of Sametime online statuses is available.
• You cannot include multiple external users in a single chat or
audio/video session.
• You cannot include external users in chats or audio/video meetings with
AOL Instant Messenger users or regular Sametime users.
• You cannot invite other people to a chat or an audio/video session with
an external user.
• You cannot add tools to chats or audio/video sessions with external
users.
• Audio/video sessions with external users do not include chat.
• External users are not listed in your company's directory. You cannot
use the directory to search for the names of external users when you add
them to your contact list, add them to the Who Can See If I Am Online
List, or invite them to chat or audio/video sessions.
• Privacy features work slightly differently between Sametime users and
external users. Normally, if you use the Who Can See If I Am Online List
to prevent Jane Doe from seeing you online, you also cannot see Jane
online. She always appears offline in your contact list. However, if you
use the Who Can See If I Am Online list to prevent an external user from
seeing you online, you can still see the external user online (unless she
uses the privacy features of her own instant messaging client to prevent
you from viewing her online status).
• The Sametime Connect settings for displaying full names or short names
do not affect external users' names.
Chapter 8
Configuring the Meeting Services
This chapter describes the Meeting Services and explains the Meeting
Services configuration options available from the Sametime Administration
Tool. This chapter includes information on:
• Maintaining the Sametime Meeting Center.
• Automatically extending meetings past their scheduled end times.
• Adding the names of meeting participants to the Meeting Details
document after a meeting ends.
• Specifying the collaborative activities that are available for all meetings
on the Sametime server.
• Allowing the recording of Sametime meetings so users can replay
meetings after the meetings have finished. Meetings are recorded to
Sametime Record and Playback (RAP) files.
• Encrypting meeting data and requiring passwords for all scheduled
meetings.
• Enabling the Sametime Meeting Services to operate with a Latitude
MeetingPlace server so that end users can use Sametime to schedule a
telephone conference call.
• Specifying different Connection Speed Settings for modem and
LAN/WAN connections to the Broadcast Services. The Connection
Speed Settings determine the rate that streams are transmitted on the
network for broadcast meetings with no audio/video activity.
About the Meeting Services
The Meeting Services include the T.120 software that supports real-time
collaboration through screen sharing and a shared whiteboard. The Meeting
Services also provide a variety of other types of support for the meeting
activity occurring on the Sametime server.
Functions of the Meeting Services are to:
• Support a direct TCP/IP connection, a SOCKS proxy connection, and an
HTTP proxy connection between the Sametime Meeting Room client and
the Sametime server. The default port for this connection is port 8081.
This connection is used by all screen-sharing and whiteboard
components of the Meeting Room client. If you have installed the
Sametime Multimedia Services package, the interactive audio and video
components of the Sametime Meeting Room client also use this
connection for call setup and control purposes. For more information,
see “Meeting Services Network settings” in Chapter 5.
• Maintain multiple connections and distribute screen-sharing,
whiteboard, and other T.120 data to all participants in a Sametime
meeting.
• Maintain lists of active, scheduled, finished, and recorded meetings in
the Sametime Meeting Center.
• Start and stop meetings at the appropriate time.
• Interact with components of the Community Services to create meetings
in which collaborative activities supported by the Community Services,
Meeting Services, and Audio/Video Services are simultaneously
available.
• Enforce administrator-specified restrictions on the collaborative
activities available for meetings on the Sametime server.
• Support encryption of meeting data and password protection for
individual meetings.
• Log Meeting Services events to the Sametime log (stlog.nsf).
• Write the names of meeting attendees to the Meeting Details document.
• Support the ability to schedule Latitude MeetingPlace telephone
conferences from the Sametime Meeting Center.
• Provide the ability to record Sametime meetings in Sametime Record
and Playback (RAP) files so that users can replay meetings after the
meetings have ended.
• Support different Connection Speed Settings for modem and
LAN/WAN connections to the Broadcast Services.
• Handle connections from the Meeting Services of other Sametime
servers when a community includes multiple Sametime servers. Meeting
Services server-to-server connections occur on TCP/IP ports 1503 and
1516.
Note In a multiple server environment, port 1516 must be open
between two Sametime servers to enable a single Sametime meeting to
be simultaneously active on both Sametime servers. This functionality is
sometimes called “invited servers.” For more information, see
“Advantages of a single meeting on multiple servers” in Chapter 13.
Meeting Services configuration settings
The Sametime Administration Tool includes configuration settings that
allow the administrator to control the Meeting Services. The available
settings are:
General
The General settings enable the administrator to extend meetings, include
participant names in the Meeting Details document, allow users to schedule
meetings from Microsoft Outlook, and control the collaborative activities
and security features (encryption and meeting password) that are available
for all meetings on the Sametime server. The administrator also uses the
General settings to allow scheduled meetings to be recorded and stored on
the server so that they can be replayed after the meeting has ended.
Telephone Options
The Telephone Options settings enable the administrator to configure the
Sametime server to operate with a Latitude MeetingPlace server. These
options enable an end user to schedule telephone conferences on a Latitude
MeetingPlace server from the Sametime Meeting Center.
Connection Speed Settings
The Connection Speed Settings enable the administrator to specify data
transmission speeds (bit rates) for the Real-Time Protocol (RTP) streams that
are transmitted by the Broadcast Services on the Sametime server to
Sametime Broadcast clients. These Connection Speed Settings control the
transmission rates for broadcast meetings without audio/video. Different
transmission speeds are specified for modem and LAN/WAN connections
to the Sametime Broadcast Services.
Meeting Services connectivity settings
For information about the ports used by the Meeting Services and the
available connectivity options, see “Meeting Services Network settings” in
Chapter 5.
Accessing the Meeting Services configuration settings
To access the Meeting Services configuration settings:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Meeting Services. The available settings are:
• General
• Telephone Options
• Connection Speed Settings
General Settings for Meeting Services
The General settings for Meeting Services allow you to configure settings for
instant and scheduled meetings on the Sametime server.
The available settings are:
General
• Automatically extend meetings past their scheduled end times - Extends
any meeting past its scheduled end time when people are still attending
the meeting.
• After a meeting, add the names of participants to the meeting document
- Adds the names of participants to the meeting details after the meeting
ends.
When people start an instant meeting or schedule a meeting
• Allow people to choose the screen-sharing tool in meetings - Allows end
users to select the screen-sharing tool for instant and scheduled
meetings.
• Allow people to choose the whiteboard tool in meetings - Allows end
users to select the whiteboard tool for instant and scheduled meetings.
When you allow users to choose the whiteboard, you can also control
whether the Meeting Moderator can save whiteboard annotations as
attachments in the meeting.
• Allow people to choose the “Send Web Page” tool in meetings - Allows
end users to select the Send Web Page tool for instant and scheduled
meetings.
• Allow people to choose the “Polling tool” in meetings - Allows end users
to select the Polling tool in meetings.
• Allow people to record meetings for later playback - Allows a user to
record a scheduled meeting so the meeting can be replayed after the
meeting has ended.
When you allow users to record meetings, you must also specify the
directory on the Sametime server in which recorded meeting files will be
stored and the amount of free disk space on the server that must be
available for a meeting to be recorded. For more information about
allowing users to record meetings and the administrative tasks
associated with recorded meetings, see “Managing recorded meetings
(Record and Playback)” later in this chapter.
• Allow people to choose NetMeeting for screen sharing and whiteboard -
Allows end users to select NetMeeting as a tool for instant and
scheduled meetings. When a meeting includes NetMeeting, participants
use NetMeeting for screen sharing and whiteboard rather than using
Sametime.
• Allow people to schedule Broadcast meetings - Allows end users to
schedule broadcast meetings. If this option is not selected, broadcast
meetings are not available on the Sametime server.
Security
• Encrypt all Sametime meetings - Encrypts the T.120 screen-sharing and
whiteboard data, streaming audio/video data, and chat data that passes
between clients and the Sametime server during all Sametime meetings.
• Require all scheduled meetings to have a password - Ensures that every
meeting scheduled in the Sametime Meeting Center has a password.
This password is meeting-specific and is different from the Internet
password specified on each user's Person document that enables users to
authenticate with the server.
Automatically extending meetings beyond the scheduled end time
When scheduling a meeting in the Meeting Center, an end user chooses a
duration for the meeting. To ensure that meetings do not end before
participants have concluded their business, you can allow any online
meeting to extend past its scheduled end time if people are still in the
meeting. You can also specify the number of minutes that the meeting
should be extended. By default, all online meetings are extended by 15
minutes.
Note If you are using a Latitude MeetingPlace server with Sametime, you
should ensure that the MeetingPlace server allows telephone calls to extend
by the same amount that you extend the Sametime meeting. Otherwise, a
telephone call that is associated with an online meeting might end before the
meeting ends.
If the “Automatically extending meetings beyond the scheduled end times
when there are still people in the meeting” setting is not selected, all
meetings will end after the specified duration regardless of whether
participants are still in attendance. Participants receive a warning message
approximately three minutes before a meeting ends. Do not select this setting
if a consistently high number of active meetings is affecting server
performance.
To allow an online meeting to extend past its scheduled end time:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Meeting Services.
4. Choose General.
5. Select the “Automatically extend meetings beyond scheduled end times
when there are still people in the meeting” check box in the General
settings for Meeting Services. (This check box is selected by default.)
6. Specify the number of minutes you want the meetings to extend in the
“Meeting extension length (minutes)” box.
7. Click Update and restart the server for the change to take effect.
Adding the names of participants to the meeting document
Every meeting that is scheduled in the Sametime Meeting Center includes a
Meeting Details document. This document records information such as the
name of the meeting, the date and time of the meeting, and any files for the
meeting. Meeting details documents are available before, during, and after a
meeting. These documents are not available for instant meetings.
You can record the names of meeting participants on the Meeting Details
document after a meeting is over. When participant names are included in
the details, end users can determine who attended a particular meeting and
contact other meeting participants.
To record the names of meeting participants on the Meeting Details
document after a meeting ends:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Meeting Services.
4. Choose General.
5. Select the “After a meeting, add the names of participants to the meeting
document” check box in the General settings for Meeting Services.
6. Click Update and restart the server for the change to take effect.
To view the names in the Meeting Details document after the meeting has
ended, click Finished on the left side of the Meeting Center and then click the
meeting name.
Allowing or preventing use of the screen-sharing tool in meetings
The administrator selects the “Allow people to choose the screen sharing tool
in meetings” setting to allow people to choose screen sharing as a
collaborative activity when creating an instant or scheduled meeting.
When this setting is selected, the administrator can also determine the
screen-sharing tasks that meeting participants can perform. By default,
people are allowed to choose screen sharing in meetings, and all participants
are allowed to use all screen-sharing features.
When you allow people to choose screen sharing, it is automatically included
in all scheduled meetings on the Sametime server. An end user can remove
the screen-sharing tool from a scheduled meeting by using the Tools tab on
the New Meeting page in the Meeting Center. An end user can also select
screen sharing as a tool when starting an instant meeting.
When this setting is not selected, the screen-sharing tool and all
screen-sharing features and options are hidden in the Sametime end-user
interface. Essentially, the screen-sharing collaborative activity is unavailable
for all instant and scheduled meetings.
Note For more information about screen sharing, see the Lotus Sametime
User's Guide available from the Documentation link on the Sametime server
home page.
To allow or prevent the use of the screen-sharing tool in meetings:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Meeting Services.
4. Choose General.
5. To prevent the use of screen sharing, clear the check mark from the
check box labeled “Allow people to choose the screen sharing tool in
meetings.” Skip to Step 7.
To allow the use of screen sharing, select the check box labeled “Allow
people to choose screen sharing tool in meetings” in the General settings
for Meeting Services. (This check box is selected by default.)
6. Select an option for allowing participants to use screen sharing:
• Select “Participants can share their screen, view a shared screen, or
control a shared screen if the Moderator permits” to allow
participants to use all aspects of screen sharing. (This option is
selected by default.) This option allows all meeting participants to
share their screens if screen sharing is allowed in the meeting by the
Moderator.
• Select “Participants can share their screen if the Moderator permits or
view a shared screen” to allow participants to share information and
to view shared information, but to prevent them from controlling
information that someone else is sharing. Select this option to ensure a
high level of security for screen sharing. This option allows only
specific users selected by the Moderator to share screens on their
computers. All other meeting participants can view the shared
screens.
• The “Participants can view the shared screen only” option is provided
for security purposes when you have used a multiple Sametime
server deployment and connected Sametime servers across a firewall
to extend Sametime to Internet users. For more information on this
setting, see “Extending Sametime to Internet users” in Chapter 14 and
“Screen sharing security and Internet users” in Chapter 14.
7. Click Update and restart the server for the change to take effect.
Allowing or preventing use of the whiteboard tool in meetings
The “Allow people to choose the whiteboard tool in meetings” setting
enables the administrator to allow or prevent users from selecting the
whiteboard as a collaborative activity when creating instant or scheduled
meetings. By default, users can select the whiteboard collaborative activity in
all instant and scheduled meetings created on the Sametime server.
When this setting is selected, the whiteboard is automatically included in all
scheduled meetings on the Sametime server. An end user can remove the
whiteboard tool from a scheduled meeting by using the Tools tab on the
New Meeting page in the Meeting Center.
Note To include the whiteboard in an instant meeting, the user must select
the “Collaborate...” option from the presence list or Sametime Connect client
when starting the instant meeting.
If the administrator disables the “Allow people to choose the whiteboard
tool in meetings” setting, all whiteboard features and options are hidden
from the end user in the Sametime end-user interface. The whiteboard
cannot be selected as a collaborative activity for instant or scheduled
meetings.
Allow people to save whiteboard annotations as attachments to the
meeting
When the “Allow people to choose the whiteboard tool in meetings” setting
is selected, the administrator has the option of allowing the Meeting
Moderator to save whiteboard annotations as attachments to the meeting.
During a whiteboard meeting, end users can use various whiteboard
drawing or text tools to mark (or annotate) the image that is being presented
on the whiteboard. If the administrator enables this setting, the Meeting
Moderator can save the whiteboard at any time during the meeting. When
the Meeting Moderator saves the whiteboard, it is saved in its current state
with all annotations included in the saved file. This feature enables the
Moderator to capture the contents of the whiteboard at any time during the
meeting. The saved whiteboard file can be used for later viewing or for
presentation during a subsequent whiteboard meeting.
If the Meeting Moderator saves a whiteboard file more than once in a
meeting, only the most recently saved version of the whiteboard file is saved
on the server.
The whiteboard file is saved on the Sametime server as an attachment to the
meeting's Meeting Details document in the Sametime Meeting Center. The
whiteboard is saved in two file formats: RTF and SWB (Sametime
Whiteboard). The RTF file can be opened in most word processing or
graphics applications for printing or viewing after the meeting has ended.
The SWB file can be attached to future meetings and presented on the
whiteboard during those meetings.
Note The Moderator saves the whiteboard by selecting the menu option
Meeting - Save Whiteboard in the Whiteboard tool in the Sametime Meeting
Room client. The Save Whiteboard option is hidden if the administrator does
not allow the Meeting Moderator to save the whiteboard.
To allow or prevent the use of the whiteboard tool in Sametime meetings:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Meeting Services.
4. Choose General.
5. To allow whiteboard activity on the server, select the check box labeled
“Allow people to choose the whiteboard tool in meetings.” (This check
box is selected by default.)
To prevent whiteboard activity on the server, remove the check mark
from the check box labeled “Allow people to choose the whiteboard tool
in meetings.” Skip to Step 7.
6. Perform this step only if you selected the “Allow people to choose the
whiteboard tool in meetings” in Step 5.
To allow people to save the whiteboard and annotations to it at any time
during a meeting, select the check box labeled “Allow people to save
whiteboard annotations as attachments to the meeting.”
To prevent people from saving the whiteboard during meetings, remove
the check mark from the check box labeled “Allow people to save
whiteboard annotations as attachments to the meeting.”
7. Click Update and restart the server for the change to take effect.
Allowing or preventing use of the Send Web Page tool in meetings
The “Allow people to choose the 'Send Web Page' tool in meetings” setting
enables the administrator to allow or prevent users from selecting Send Web
Page as a collaborative activity when creating instant or scheduled meetings.
By default, users can select the Send Web Page collaborative activity in all
instant and scheduled meetings created on the Sametime server.
When this setting is selected, the Send Web Page tool is automatically
included in all scheduled meetings on the Sametime server. An end user can
remove the Send Web Page tool from a scheduled meeting by using the
Tools tab on the New Meeting page in the Meeting Center.
Note To include the Send Web Page tool in an instant meeting, the user
must select the “Collaborate...” option from the presence list or Sametime
Connect client when starting the instant meeting.
If the administrator disables this setting, all Send Web Page features and
options are hidden from the end user in the Sametime end-user interface.
The Send Web Page tool cannot be selected as a collaborative activity for
instant or scheduled meetings.
To allow or prevent the use of the Send Web Page tool in Sametime
meetings:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Meeting Services.
4. Choose General.
5. To allow Send Web Page activity on the server, select the “Allow people
to choose the Send Web Page tool in meetings” check box. This check
box is selected by default.
To prevent Send Web Page activity on the server, remove the check
mark from the “Allow people to choose the Send Web Page tool in
meetings” check box.
6. Click Update and restart the server for the change to take effect.
Allowing or preventing the use of the Polling tool in meetings
The “Allow people to choose the Polling tool in meetings” setting enables the
administrator to allow or prevent users from selecting polling as a
collaborative activity when creating instant or scheduled meetings. By
default, users can select the polling collaborative activity in all instant and
scheduled meetings created on the Sametime server.
When this setting is selected, polling is automatically included in all
scheduled meetings on the Sametime server. An end user can remove the
polling tool from a scheduled meeting by using the Tools tab on the New
Meeting page in the Meeting Center.
Note To include the polling tool in an instant meeting, the user must select
the “Collaborate...” option from the presence list or Sametime Connect client
when starting the instant meeting.
If the administrator disables this setting, all polling features and options are
hidden from the end user in the Sametime end-user interface. Polling cannot
be selected as a collaborative activity for instant or scheduled meetings.
To allow or prevent the use of the polling tool in Sametime meetings:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Meeting Services.
4. Choose General.
5. To allow Polling activity on the server, select the check box labeled
“Allow people to choose the Polling tool in meetings.” (This check box is
selected by default.)
To prevent Polling activity on the server, remove the check mark from
the “Allow people to choose the Polling tool in meetings” check box.
6. Click Update and restart the server for the change to take effect.
Allow people to record meetings for later playback (scheduled meetings)
The administrator uses this setting to allow or prevent users from recording
scheduled meetings on the Sametime server. For more information on
allowing users to record meetings and the administrative tasks associated
with recorded meetings, see “Managing recorded meetings” later in this
chapter.
Allowing or preventing the use of NetMeeting for screen sharing and
whiteboard
The “Allow people to choose NetMeeting (or other T.120-compatible client)
for screen sharing and whiteboard instead of Sametime Web-based meeting
tools” setting enables end users to attend Sametime meetings with Microsoft
NetMeeting or other T.120-compatible clients. Specifically, this setting
enables the screen-sharing and whiteboard features of Microsoft NetMeeting
to be used in a Sametime meeting instead of the Sametime screen-sharing
and whiteboard features.
When this setting is selected, a Use NetMeeting check box appears on the
Tools tab of the New Meeting page in the Meeting Center. When an end user
selects this check box:
• The meeting uses NetMeeting screen sharing and whiteboard instead of
Sametime screen sharing and whiteboard.
• All users must attend the meeting with a NetMeeting client to
participate in the screen-sharing and whiteboard activities occurring in
the meeting.
• The screen-sharing features of the NetMeeting client and the Sametime
Meeting Room client are not compatible. NetMeeting users and
Sametime Meeting Room client users cannot collaborate with screen
sharing or the whiteboard in the same meeting.
When the “Allow people to choose NetMeeting...” setting is not selected, end
users cannot use the screen-sharing and whiteboard features of NetMeeting
or other T.120-compatible clients in Sametime meetings. The Sametime
Meeting Room client must be used in all meetings that include screen
sharing and the whiteboard.
About using NetMeeting audio/video with Sametime
The administrator can enable the “Allow H.323 clients (such as Microsoft
NetMeeting) to join a Sametime meeting” option in the Configuration -
Network and Ports settings of the Sametime Administration Tool to enable
Microsoft NetMeeting clients to participate in audio/video meetings on the
Sametime server. If both this setting and the “Allow people to choose
NetMeeting (or other T.120-compatible client) for screen sharing and
whiteboard instead of Sametime Web-based meeting tools” setting are
enabled, NetMeeting users can connect to the Sametime server and
participate in meetings using screen sharing, whiteboard, audio, and video.
For information on attending Sametime meetings with a Microsoft
NetMeeting client, see the Lotus Sametime User's Guide available from the
Documentation link on the Sametime server home page.
The NetMeeting users can collaborate with Sametime Meeting Room clients
in the audio/video portions of meetings. (When NetMeeting users
participate in the audio/video portions of a Sametime meeting, the meeting
is referred to as a “mixed meeting.”) To enable NetMeeting and Sametime
Meeting Room clients to collaborate using audio/video in a mixed meeting,
the “Allow H.323 clients (such as Microsoft NetMeeting) to join a Sametime
meeting” option must be selected in the Sametime Administration Tool.
Note that NetMeeting users cannot use screen sharing or whiteboard when
collaborating in a meeting that also includes Sametime Meeting Room
clients, but audio/video data can be exchanged between the two clients.
To allow or prevent the use of NetMeeting screen sharing and whiteboard in
Sametime meetings:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Meeting Services.
4. Choose General.
5. To allow the use of NetMeeting screen sharing and whiteboard in
Sametime meetings, select the check box labeled “Allow people to
choose NetMeeting (or other T.120-compatible client) for screen sharing
and whiteboard instead of Sametime Web-based meeting tools.”
To prevent the use of NetMeeting screen sharing and whiteboard in
Sametime meetings, remove the check mark.
6. Click Update and restart the server for the change to take effect.
Allowing or preventing broadcast meetings
The “Allow people to schedule Broadcast meetings” setting allows or
prevents end users from scheduling broadcast meetings on the Sametime
server. Disabling this setting prevents the end users from using the
broadcast capabilities supported by the Broadcast Services on the Sametime
server. By default, users are allowed to schedule broadcast meetings on the
Sametime server.
When this setting is selected, the end user can select the “Broadcast
Presentation or Demo” meeting type when scheduling meetings in the
Sametime Meeting Center. (The end user selects this meeting type to
schedule a broadcast meeting.)
Note For more information on broadcast meetings and the Sametime
Broadcast Services, see Chapter 9, Configuring the Broadcast Services.
When this setting is not selected, the “Broadcast Presentation or Demo”
meeting type is hidden from the end user on the New Meeting page of the
Sametime Meeting Center. Since a broadcast meeting must always be a
scheduled meeting, disabling this setting prevents users from creating
broadcast meetings on the Sametime server.
Note Broadcast meetings are always scheduled meetings. An end user
cannot start an instant broadcast meeting from a presence list.
To allow or prevent broadcast meetings on the Sametime server:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Meeting Services.
4. Choose General.
5. To allow users to schedule broadcast meetings, select the “Allow people
to schedule Broadcast meetings” check box.
To prevent users from scheduling broadcast meetings, remove the check
mark from the check box.
6. Click Update and restart the server for the change to take effect.
Encrypting all Sametime meetings
The administrator can encrypt the T.120 screen-sharing and whiteboard data
and audio/video data that passes between clients and the Sametime server
during all Sametime meetings. The meeting data is encrypted using RC2
encryption with a 128-bit encryption key. Encrypting all meetings ensures
security for the meeting data. Encrypted meeting data is transmitted more
slowly than unencrypted data.
Note With Sametime releases 2.5 and higher, all chat data is encrypted
regardless of whether the “Encrypt all meetings” setting is selected.
Sametime clients from releases earlier than 2.5 contain settings that enable
users to conduct either encrypted or unencrypted chats. If a Sametime client
from a release earlier than 2.5 connects to a Sametime 3.1 server, the chat is
either encrypted or unencrypted depending on the client settings. Earlier
Sametime chat clients use RC2 encryption with a 40-bit encryption key.
When you encrypt all meetings, an end user cannot remove encryption for
an individual meeting. If you do not select this option, an end user can
choose whether to encrypt the screen-sharing, whiteboard, and audio/video
data when creating the meeting. (Chat encryption is handled as described in
the note above.)
It is not possible to encrypt meetings when you have allowed people to
choose NetMeeting for screen sharing and whiteboard or participate in
audio/video meetings with NetMeeting. If you want to encrypt all meetings,
you must ensure that:
• The “Allow people to choose NetMeeting” check box in the Meeting
Services - General settings is not selected.
• The “Allow H.323 clients to join a Sametime meeting” check box in the
Configuration - Connectivity - Network and Ports - Interactive
Audio/Video settings is not selected.
To encrypt all meetings on the Sametime server:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Meeting Services.
4. Choose General.
5. Select the “Encrypt all meetings (not available with Microsoft
NetMeeting)” check box in the General settings for Meeting Services.
6. Click Update and restart the server for the change to take effect.
Requiring all scheduled meetings to have a password
You can require every meeting scheduled in the Sametime Meeting Center to
have a password. (Instant meetings cannot have passwords.) When you
select this option, an end user must enter a password when scheduling a
meeting. When a scheduled meeting includes a password, all participants
must enter the password to attend the meeting or view the Meeting Details
document for the meeting.
Note The meeting password is an additional security feature that provides
password protection for individual meetings. The meeting password is
different from the Internet password that is specified on each user's Person
document. The Internet password is used to authenticate a user when the
user accesses any protected database on the server or logs in to the
Community Services from Sametime Connect.
It also differs from the password that a user can give a telephone conference
call scheduled with Latitude MeetingPlace. Requiring all scheduled meetings
to have a password does not require users to enter a password for telephone
conference calls associated with online meetings.
To require all scheduled meetings to have a password:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Meeting Services.
4. Choose General.
5. Select the check box labeled “Require all scheduled meetings to have a
password.”
6. Click Update and restart the server for the change to take effect.
Managing recorded meetings (Record and Playback)
Sametime provides the ability to record a scheduled meeting and store the
recorded meeting on the Sametime server. The recorded meeting can be
accessed and replayed by any Sametime user at any time. Users access the
recorded meeting files from Meeting Details documents in either the
Finished or Recorded view of the Sametime Meeting Center. Sametime can
record the following meeting activities:
• Screen sharing
• Whiteboard
• Chat
• Send Web page
• Question and answer polls
• Audio
• Video
The administrator controls whether end users have the ability to record
meetings on the Sametime server from the “Allow people to record meetings
for later playback” setting in the Configuration-Meeting Services settings of
the Sametime Administration Tool. If the administrator allows users to
record meetings, a “Record this meeting so that others can replay it later”
option appears on the Essentials tab of the New Meeting page in the
Sametime Meeting Center. If an end user selects this option when creating a
scheduled meeting, the meeting is recorded in a Sametime Record and
Playback (RAP) file and stored on the Sametime server in a location specified
by the administrator. The default RAP filename includes a unique meeting
identifier followed by the RAP file extension.
After a meeting has been recorded, a “Replay the Meeting” button appears
in the Meeting Details document associated with the meeting in the
Sametime Meeting Center. A user can open the Meeting Details document
and select this button to replay the meeting.
Note A user cannot access a recording of a meeting until the meeting that is
being recorded is finished. The recording is not available while the meeting
is in progress.
When the user selects the “Replay the Meeting” button, a modified version
of the Sametime Broadcast client Java applet starts in a Web browser
window on the user's machine and connects to the Broadcast Gateway
component of the Sametime server. The Broadcast client is modified to
include controls that enable the user to stop, pause, resume, rewind, and
forward the playback of the recorded meeting file.
To replay a meeting, the Sametime server locates the RAP file that contains
the recorded meeting, and the Broadcast Gateway streams the meeting
content to the modified Broadcast client. The connection process and
streaming of the recorded meeting content operate exactly as if the user is
attending a broadcast meeting. The Broadcast components of the Sametime
server handle the connection process and playback of recorded meeting files.
For more information, see Broadcast client connection process and Working
with the Broadcast Services.
Note The Sametime log does not record information related to the playback
of recorded meetings. Information is recorded only for the original meeting.
If you allow users to record Sametime meetings, you should also be familiar
with the administrative features provided for exporting, importing, deleting,
and replacing recorded meeting files on the Sametime server. The remaining
topics in this section describe the administrative tasks related to recorded
meetings:
• Allowing or preventing recorded meetings - Describes how to allow or
prevent users from recording meetings on the Sametime server. If you
allow recorded meetings, you must specify the directory on the
Sametime server in which recorded meeting files are stored and the
minimum amount of free disk space that must be available for the
recording of a meeting to continue.
• Managing recorded meeting files - Discusses the administrative features
provided to export, import, delete, and replace recorded meeting files on
the Sametime server. These features are available from the user interface
of the Sametime Meeting Center; they are not available from the
Sametime Administration Tool.
Allowing or preventing recorded meetings on the Sametime server
The “Allow people to record meetings for later playback” setting in the
Configuration - Meeting Services settings of the Sametime Administration
Tool enables the administrator to allow or prevent users from recording
scheduled meetings on the Sametime server.
Note The Sametime log does not record information related to the playback
of recorded meetings. Information is recorded only for the original meeting.
If you want to allow users to record meetings on the Sametime server, you
must select the “Allow people to record meetings for later playback” setting
and specify the following:
• The directory on the Sametime server where the recorded meeting files
will be stored
• The number of megabytes of free disk space that must exist for recording
to continue
Each of these settings is discussed in detail below.
The directory on the Sametime server where the recorded meeting files
will be stored.
By default, the recorded meeting files are stored in the following location:
• <sametime server install directory>\MeetingArchive\ on a Windows
system (for example C:\Sametime\MeetingArchive).
• <sametime server data directory>\MeetingArchive\ on an IBM iSeries
system.
Note the following if you change the default location for recorded meetings:
• If you specify a directory that does not currently exist on the Sametime
server, the directory is created when the next meeting is recorded. If, for
any reason, the directory cannot be created, meetings are not recorded. If
meetings are not recorded, verify that the directory was created or create
the directory if necessary.
Note You do not receive any notification if the directory cannot be
created.
• If meetings were recorded previously and stored in the
C:\Sametime\MeetingArchive directory (or Data\MeetingArchive
directory on iSeries), the Sametime server cannot locate those recorded
meeting files if a user attempts to play them. You must export the files
from the C:\Sametime\MeetingArchive directory and import them into
the new directory to enable users to play the recorded meetings.
• If you change the default directory setting and attempt to import
recorded meeting files to the new directory before you have recorded the
first meeting, the import will fail because the directory is not created
until a meeting is recorded. You should either record a meeting or
manually create the directory before importing meetings.
The number of megabytes of free disk space that must exist for recording
to continue.
The recording of meetings stops when the number of megabytes of free disk
space falls below the threshold specified by the administrator. The default
setting is 300MB of free disk space. If a meeting is in the process of being
recorded when this threshold is reached, recording is stopped and an error is
written to the Sametime log.
To check available disk space on the Sametime server from the Sametime
Administration Tool:
a. Choose Monitoring - Miscellaneous.
b. Select the “You can view the Domino Web Administration pages in a
new browser window” link. Selecting this link opens the Domino
Web Administration client.
c. Enter your administrator name and password to access the Domino
Web Administration client.
d. In the Domino Web Administration client, select Analysis - Disk
Space to view the available disk space on the Sametime server. If you
are using Microsoft Internet Explorer, make sure the “Use HTTP 1.1”
setting in the Tools-Internet Options-Advanced options of the
browser is disabled to use the graphical monitoring tools of the
Domino Web Administration client.
Note If recording is stopped because of a shortage of disk space, an RAP
file that contains a partial recording of the meeting is stored on the Sametime
server and a message is written on the Meeting Details document for the
meeting indicating that the meeting could not be recorded. The
administrator must make more disk space available on the server before
recording can continue. If necessary, you can make more disk space
available by deleting old recorded meeting files. For more information, see
“Deleting recorded meetings” later in this chapter.
If the administrator disables the “Allow people to record meetings for later
playback” setting, scheduled meetings cannot be recorded on the Sametime
server.
Follow the instructions below to allow or prevent users from recording
scheduled meetings on the Sametime server:
1. From the Sametime server home page, click the “Administer the Server”
link to open the Sametime Administration Tool.
2. Choose Configuration.
3. Choose Meeting Services.
4. Choose General.
5. To allow users to record scheduled meetings on the server, select the
check box labeled “Allow people to record meetings for later playback.”
This check box is selected by default.
To prevent users from recording scheduled meetings on the Sametime
server, remove the check mark from the “Allow people to record
meetings for later playback” check box. If you disable this setting, skip to
Step 8.
6. In the “Save recorded meetings in the following location” field, accept
the default directory or type a new path to the directory in which you
want the recorded meeting files (or RAP files) to be stored. The default
path is <sametime server install directory>\MeetingArchive\ on a
Windows system and <sametime server data
directory>\MeetingArchive on an IBM iSeries system.
The Sametime server uses the entry in this field to locate the recorded
meeting files when a user selects the “Replay the Meeting” button from
the Meeting Details document associated with the recorded meeting.
7. In the “Stop recording when this much disk space is left (MBytes)”
setting, type the number of megabytes of free disk space that must exist
on the Sametime server hard drive for a meeting to be recorded. If the
number of megabytes of free disk space falls below the specified level,
recording is stopped and a message is written on the Meeting Details
page indicating that the recording did not complete. The default setting
is 300MB.
8. Click Update and restart the server for the change to take effect.
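The Meeting Services settings described in this chapter interact: “Encrypt all meetings” is unavailable while NetMeeting or H.323 clients are allowed, the view-only screen-sharing option is the one recommended for Internet users, and a recording directory that cannot be created fails silently. The following added example (not Sametime code; the field names, the dataclass model and the `dir_exists` hook are assumptions) audits a configuration, captured by the administrator from the General settings page, against those rules and reports conflicts and weak settings.

```python
"""Audit a Sametime 3.1 Meeting Services configuration against the rules in
this chapter. Added example, not Sametime code: the dataclass fields model the
check boxes described above; the field names are assumptions."""
import os
from dataclasses import dataclass
from typing import Callable, List, Tuple

Finding = Tuple[str, str]  # (severity, message); severity is ERROR, WARN or INFO

SCREEN_SHARING_MODES = (
    "share_view_control",  # share, view, or control if the Moderator permits (default)
    "share_view",          # share if the Moderator permits, or view
    "view_only",           # view the shared screen only (Internet-user deployments)
)


@dataclass
class MeetingServicesConfig:
    # Configuration - Meeting Services - General (field names are assumptions)
    allow_screen_sharing: bool = True
    screen_sharing_mode: str = "share_view_control"
    allow_whiteboard: bool = True
    allow_save_whiteboard: bool = True
    allow_netmeeting: bool = False       # NetMeeting/T.120 for screen sharing and whiteboard
    encrypt_all_meetings: bool = False
    require_meeting_password: bool = False
    allow_recording: bool = True
    recording_dir: str = r"C:\Sametime\MeetingArchive"  # default Windows location
    recording_min_free_mb: int = 300                    # default threshold
    # Configuration - Connectivity - Network and Ports - Interactive Audio/Video
    allow_h323_clients: bool = False
    # Deployment context supplied by the administrator (assumption)
    internet_facing: bool = False


def audit(cfg: MeetingServicesConfig,
          dir_exists: Callable[[str], bool] = os.path.isdir) -> List[Finding]:
    """Return findings for conflicting or weak Meeting Services settings."""
    f: List[Finding] = []

    if cfg.screen_sharing_mode not in SCREEN_SHARING_MODES:
        f.append(("ERROR", f"unknown screen-sharing mode {cfg.screen_sharing_mode!r}"))

    # "Encrypt all meetings" cannot be combined with NetMeeting or H.323 clients.
    if cfg.encrypt_all_meetings and cfg.allow_netmeeting:
        f.append(("ERROR", "'Encrypt all meetings' requires 'Allow people to choose "
                           "NetMeeting' to be cleared"))
    if cfg.encrypt_all_meetings and cfg.allow_h323_clients:
        f.append(("ERROR", "'Encrypt all meetings' requires 'Allow H.323 clients to "
                           "join a Sametime meeting' to be cleared"))
    if not cfg.encrypt_all_meetings:
        f.append(("WARN", "encryption of screen sharing, whiteboard and audio/video "
                          "data is left to each meeting creator"))

    # NetMeeting and Meeting Room clients cannot share screens in the same meeting.
    if cfg.allow_netmeeting:
        f.append(("INFO", "meetings flagged 'Use NetMeeting' require every attendee "
                          "to use a NetMeeting client for screen sharing/whiteboard"))

    # The chapter points Internet-facing deployments at the view-only option.
    if (cfg.internet_facing and cfg.allow_screen_sharing
            and cfg.screen_sharing_mode != "view_only"):
        f.append(("WARN", "Internet users: consider 'Participants can view the "
                          "shared screen only'"))

    if not cfg.require_meeting_password:
        f.append(("WARN", "scheduled meetings are not required to have a password"))

    # The save-whiteboard option only matters while the whiteboard is allowed.
    if cfg.allow_save_whiteboard and not cfg.allow_whiteboard:
        f.append(("INFO", "'save whiteboard annotations' has no effect while the "
                          "whiteboard tool is disabled"))

    if cfg.allow_recording:
        # The directory is created at the first recording, with no notification
        # on failure, so verify it exists up front.
        if not dir_exists(cfg.recording_dir):
            f.append(("WARN", f"recording directory {cfg.recording_dir!r} does not "
                              "exist; creation at first recording fails silently"))
        if cfg.recording_min_free_mb <= 0:
            f.append(("ERROR", "free-disk threshold must be positive or recording "
                               "never stops on a full disk"))
        elif cfg.recording_min_free_mb < 300:
            f.append(("INFO", "free-disk threshold is below the 300MB default"))
    return f


if __name__ == "__main__":
    # Constructed sample: defaults plus NetMeeting, then encryption switched on.
    sample = MeetingServicesConfig(allow_netmeeting=True, encrypt_all_meetings=True)
    for severity, message in audit(sample, dir_exists=lambda _: True):
        print(f"{severity:5} {message}")
```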
Note A Recorded view is available from the Sametime Meeting Center that
enables an end user to see a list of all recorded meetings on the Sametime
server. Users can also access the Meeting Details documents of recorded
meetings from the Finished view of the Sametime Meeting Center. If the
“Allow people to record meetings for later playback” setting is disabled, the
Recorded view is still visible in the Sametime Meeting Center. A user
selecting the Recorded view sees a message indicating that there are no
recorded meetings. All other recorded meeting features and options are
hidden from the end user in the Sametime end-user interfaces.
Managing recorded meeting files
If the administrator allows users to record Sametime meetings, the meetings
are recorded in Sametime Record and Playback (RAP) files. These files are
stored on the Sametime server in the directory the administrator specifies in
the “Save recorded meetings in the following location” setting available from
the Configuration-Meeting Services settings of the Sametime Administration
Tool.
Recorded meeting files are managed from the Meeting Details documents
associated with recorded meetings in the Sametime Meeting Center
(stconf.nsf) and from the Import Recording link available from the Sametime
Meeting Center.
An administrator can perform the following procedures to manage recorded
meeting files:
• Delete the Recording - To delete a recorded meeting file, select this
option on the Meeting Details document associated with the recorded
meeting. You might want to periodically delete recorded meetings from
the server to conserve disk space. For more information, see “Deleting
recorded meetings” later in this chapter.
• Export the Recording - To export (copy) a recorded meeting file, select
this option on the Meeting Details document associated with the
recorded meeting. You can use this option to make backup copies of
meetings or move a meeting to a different Sametime server. For more
information, see “Exporting recorded meetings” later in this chapter.
• Replace the Recording - To replace a recorded meeting file, select this
option on the Meeting Details document associated with the recorded
meeting. For more information, see “Replacing recorded meetings” later
in this chapter.
• Import Recording - To add