The diagrams in this topic show a network topology where a reverse proxy resides in your DMZ and provides authentication services for the mobile device clients.
The first diagram represents a standalone Lotus Notes® Traveler server in this topology.
The second diagram shows the same network topology with a High Availability (HA) pool of Lotus Notes Traveler servers. In this case, the function of spraying or load balancing the device requests is provided by a separate server in the trusted domain.
The third diagram shows the network topology with the authentication proxy also providing the ability to spray the mobile requests to the HA pool of Lotus Notes Traveler servers. Lotus® Mobile Connect can provide the authentication proxy and request spraying capability.
This network topology does not allow as much flexibility as the VPN topology. However, it still provides a secure network implementation that does not expose any of the Lotus Domino® server infrastructure to the Internet or DMZ zones.
Lotus Notes Traveler has been tested with several reverse proxy products, but most products providing a standard reverse proxy function should be adequate. These are some items to consider when selecting a reverse proxy:
- Verify that the reverse proxy is able to support a number of long-running HTTP connections equal to the number of mobile device clients that are in your network. When push is enabled on your mobile devices, they open an HTTP or HTTPS request to the server which remains open until a timeout occurs or new data arrives. This effectively means that the number of HTTP or HTTPS connections is equal to or slightly higher than the number of devices that are online. This model is different from a web browser, which typically opens a connection to retrieve a web page or image and then immediately closes the connection after the request is complete.
- If the reverse proxy is going to authenticate the mobile device credentials, it must be able to return an HTTP 401 response code for a failed authentication of the user credentials. The proxy must not return a user-oriented web page with an HTTP 200 (OK) response to the mobile devices. This is because the sync clients on the mobile devices are not able to interpret a user-oriented web page or form; instead, they rely on the standard Internet response codes that indicate authorization failure.
- Connections from the device to the Lotus Notes Traveler server use the HTTP GET, POST, and OPTIONS methods. Verify that all three methods are allowed.
- Ensure the HTTP OPTIONS response is coming from the Lotus Notes Traveler server and not the reverse proxy.
- Ensure an HTTP 449 response is not changed into a different HTTP response (for example, 500).
- Avoid HTTP 302 redirects, as the devices will, in response, often turn POSTs into GETs. By definition, a GET does not contain a body, so the body that was in the POST will be missing.
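
One way to check the response-handling items above in a lab before go-live, as an added example that is not from the product documentation: it compares the status the Traveler server logged with the status a test client received through the proxy. The probe record layout, the `audit` and `probe` names, and all sample values are assumptions constructed for illustration.

```python
# Added example: audits lab captures of proxy behaviour against the checklist.
# The probe record layout and every sample value below are constructed.
REQUIRED_METHODS = ("GET", "POST", "OPTIONS")

def audit(probes):
    """Return findings for probes sent through the reverse proxy.
    Probe keys: method, creds ("valid"/"invalid"), backend (status logged by
    the Traveler server, None if the proxy answered itself), client (status
    the test client received), ctype (Content-Type the client received)."""
    findings = []
    # GET, POST and OPTIONS must each be answered by Traveler, not the proxy.
    forwarded = {p["method"] for p in probes if p["backend"] is not None}
    for method in REQUIRED_METHODS:
        if method not in forwarded:
            findings.append(f"{method}: no probe reached the Traveler server")
    for p in probes:
        tag = f'{p["method"]} ({p["creds"]} credentials)'
        # Sync clients need a 401, not a login page served with 200.
        if p["creds"] == "invalid" and p["client"] != 401:
            findings.append(f'{tag}: got {p["client"]} {p["ctype"]}, expected 401')
        # A 449 from Traveler must reach the device unchanged.
        if p["backend"] == 449 and p["client"] != 449:
            findings.append(f'{tag}: 449 from Traveler rewritten to {p["client"]}')
        # Devices often replay a redirected POST as a body-less GET.
        if p["client"] == 302:
            findings.append(f"{tag}: 302 redirect returned to the device")
    return findings

def probe(method, creds, backend, client, ctype=""):
    return dict(method=method, creds=creds, backend=backend, client=client, ctype=ctype)

SAMPLE_BAD = [  # constructed: a proxy that breaks three checklist items
    probe("GET", "valid", 200, 200),
    probe("POST", "valid", 449, 500, "text/html"),
    probe("OPTIONS", "valid", None, 200),
    probe("POST", "invalid", None, 200, "text/html"),
]
SAMPLE_GOOD = [  # constructed: the same probes through a conforming proxy
    probe("GET", "valid", 200, 200),
    probe("POST", "valid", 449, 449),
    probe("OPTIONS", "valid", 200, 200),
    probe("POST", "invalid", None, 401),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_BAD)) or "no findings")
```

The connection-capacity item is not covered here; it needs a load test sized to the number of online devices.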
When using a reverse proxy, administrators must make sure to set the external URL in the Lotus Notes Traveler server document, as explained in Server document settings.