The diagram in this topic shows a network topology where a reverse proxy resides in your DMZ and provides authentication services for the mobile device clients.
This network topology does not allow as much flexibility as the VPN topology. However, it still provides a secure network implementation that does not expose any of the Lotus® Domino® server infrastructure to the Internet or DMZ zones.
IBM® Lotus Notes® Traveler has been tested with several reverse proxy products, but most products providing a standard reverse proxy function should be adequate. These are two items to consider when selecting a reverse proxy:
- Verify that the reverse proxy is able to support a number of long-running HTTP connections equal to the number of mobile device clients that are in your network. When push is enabled on your mobile devices, they open an HTTP or HTTPS request to the server which remains open until a timeout occurs or new data arrives. This effectively means that the number of HTTP or HTTPS connections is equal to or slightly higher than the number of devices that are online. This model is different from a web browser, which typically opens a connection to retrieve a web page or image and then immediately closes the connection after the request is complete.
- If the reverse proxy is going to authenticate the mobile device credentials, it must be able to return an HTTP 401 response code for a failed authentication of the user credentials. The proxy must not return a user-oriented web page with an HTTP 200 (OK) response to the mobile devices. This is because the sync clients on the mobile devices are not able to interpret a user-oriented web page or form; instead, they rely on the standard Internet response codes that indicate authorization failure.
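
The second requirement can be checked before devices are pointed at the proxy. The following script is an added example, not part of the product documentation: it sends deliberately invalid credentials to the proxy's published address and passes only if the reply is an HTTP 401. The use of HTTP Basic credentials, the URL passed on the command line, and the names `classify_auth_failure` and `probe` are assumptions made for illustration.

```python
import base64
import sys
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them to a login form."""
    def redirect_request(self, *args, **kwargs):
        return None


def classify_auth_failure(status, headers, body=b""):
    """Judge a reply to invalid credentials; returns (passed, reason)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    looks_html = ("html" in hdrs.get("content-type", "").lower()
                  or b"<html" in body[:2048].lower())
    if status == 401:
        if "www-authenticate" not in hdrs:
            return True, "401 returned, but no WWW-Authenticate challenge header"
        return True, "401 returned for failed authentication"
    if status == 200 and looks_html:
        return False, "200 with an HTML page: sync clients cannot interpret a login form"
    if status == 200:
        return False, "200 returned: invalid credentials were not rejected"
    if 300 <= status < 400:
        return False, "redirect to %s instead of 401" % hdrs.get("location", "unknown")
    return False, "unexpected status %d instead of 401" % status


def probe(url, timeout=10):
    """Send constructed, invalid Basic credentials (assumed scheme) to url."""
    token = base64.b64encode(b"no-such-user:wrong-password").decode("ascii")
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    opener = urllib.request.build_opener(NoRedirect)  # do not follow redirects
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_auth_failure(resp.status, dict(resp.headers), resp.read(2048))
    except urllib.error.HTTPError as err:  # urllib raises for 3xx/4xx/5xx
        return classify_auth_failure(err.code, dict(err.headers), err.read(2048))


if __name__ == "__main__":
    passed, reason = probe(sys.argv[1])  # URL of your proxy's published address
    print("PASS" if passed else "FAIL", reason)
    sys.exit(0 if passed else 1)
```

A redirect is reported as a failure because form-based authentication on a proxy commonly answers with a 3xx to a login page, which is not the 401 the sync clients rely on.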
When using a reverse proxy, administrators must make sure that the addresses in the client configuration files are the proxy address and not the Lotus Notes Traveler address.