You can install the IBM® Lotus Notes® Traveler server in the same Domino® domain as your mail servers or install it in its own isolated Domino domain. Installing in the same domain as the mail servers simplifies the setup but can complicate the upgrade process, as many customers upgrade their Traveler servers more frequently than their mail servers. If you install the Notes Traveler server in the DMZ, always install it in an isolated Domino domain to improve security and limit the information stored in the local names.nsf in the DMZ. For more on network setups, see 2.3 Planning your server and network topology.
The following checklist covers all Notes Traveler setups; however, when installing in the same domain as the mail servers, many of these items come for free. If you are installing in an isolated Domino domain or your company has multiple Domino domains, make sure all of these items are satisfied.
- The Lotus Notes Traveler server must be able to physically connect to mail servers in the other domains.
- The server ID file used by the Lotus Notes Traveler server must be cross-certified with any other Domino domains that the Lotus Notes Traveler server needs a connection to.
- The remote mail servers must grant server access to the Lotus Notes Traveler server. Generally this is best accomplished by putting the Traveler server in the LocalDomainServers group.
- The user's mail file must grant manager plus delete access to the Lotus Notes Traveler server. Generally this is best accomplished by putting the Traveler server in the LocalDomainServers group.
- The Notes Traveler server must have access to the Domino directory or LDAP server being used for user information storage and authentication. If this is not the local names.nsf, then Directory Assistance must be used to point to this directory or directories.
- The Domino directory or LDAP server must be capable of returning the home mail server and the mail file path name for each user that registers with the Lotus Notes Traveler server. If using an LDAP server that does not contain the mail server information, it must return a unique distinguished name or internet address that can be used to find the mail server when performing a lookup against the local names.nsf or Domino directory specified by Directory Assistance.
- If you are using multiple Domino domains and plan on implementing mobile security policies, it is easier to use Lotus Notes Traveler default settings to define security policies rather than use Lotus Notes Traveler policy settings documents that are part of the Domino administration policy setup. If using Lotus Notes Traveler policy documents, you have to define the policy settings separately in every different Domino domain for them to work properly. If you are using Lotus Notes Traveler default settings, then these settings and security policies apply to any user that connects to the Lotus Notes Traveler server regardless of the Domino domain the user belongs to. For more information, see 8.2.2 Device settings.
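The mail file access item in the checklist can be verified before users are registered. The following LotusScript agent is an added example, not part of the IBM documentation; it assumes it runs on the mail server, and the server name and mail file path are constructed placeholders.

```lotusscript
Option Declare

' Constructed placeholder values; replace with your own.
Const TRAVELER_SERVER = "CN=Traveler01/O=TravelerDom"
Const MAIL_FILE = "mail\jdoe.nsf"

' Returns True when serverName has Manager access with the
' "Delete documents" privilege on db, as the checklist requires.
Function TravelerAccessOk(db As NotesDatabase, serverName As String) As Boolean
	Dim level As Integer
	Dim privs As Long
	' QueryAccess returns the explicit ACL entry if one exists; otherwise
	' the highest level among ACL groups the name belongs to
	' (for example LocalDomainServers), otherwise -Default-.
	level = db.QueryAccess(serverName)
	privs = db.QueryAccessPrivileges(serverName)
	TravelerAccessOk = (level = ACLLEVEL_MANAGER) And _
	((privs And DBACL_DELETE_DOCS) <> 0)
End Function

Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase

	' Empty server name = the server the agent is running on.
	Set db = session.GetDatabase("", MAIL_FILE, False)
	If db Is Nothing Then
		Print "Cannot open " & MAIL_FILE
		Exit Sub
	End If
	If Not db.IsOpen Then
		Print "Cannot open " & MAIL_FILE
		Exit Sub
	End If

	If TravelerAccessOk(db, TRAVELER_SERVER) Then
		Print TRAVELER_SERVER & " has Manager + delete access to " & MAIL_FILE
	Else
		Print TRAVELER_SERVER & " lacks Manager + delete access to " & _
		MAIL_FILE & " (level " & CStr(db.QueryAccess(TRAVELER_SERVER)) & ")"
	End If
End Sub
```

Group membership is resolved against the directory of the machine running the agent, so a failure here in a cross-domain setup usually means the Traveler server is missing from LocalDomainServers on the mail server.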
It is possible to have a Lotus Notes Traveler server or a Traveler High Availability pool supporting mobile users in multiple Domino domains. The configuration changes required are the same as above: cross-certify the domains, update security access in the server document, and configure Directory Assistance on the Traveler server to authenticate with all the domains or make the person records available locally.
Considerations when choosing single or multiple domain configuration:
Lotus Traveler and Domino mail servers in same domain:
- Generally for smaller companies, who only have one mail domain.
- Simpler Administration and Maintenance of the Domain, with replication and mail routing.
- Common Server configuration documents and program documents in the same domain keep the configuration easy to maintain.
- No special Authentication configuration needed for users within same domain where all mail users exist in the primary Domino directory (names.nsf)
Lotus Traveler and Domino mail servers in separate domain:
- Required for larger environments running multiple mail domains.
- Recommended if running the Notes Traveler server in the DMZ.
- Better Security, since no mail users in Lotus Traveler Domino directory.
- Both Traveler domain and Domino mail server domain(s) need to be cross-certified
- Directory assistance needs to be configured on Lotus Traveler server for user lookup and authentication of users in other mail domains
What does IBM do internally?
In the IBM internal implementation of Lotus Notes Traveler, multiple Traveler servers are deployed in each Domino mail domain. Users are assigned to a Notes Traveler server that is a part of their mail domain. The Traveler servers are inside the corporate firewall and use the IBM Mobile Connect reverse proxy to provide external network access and improve security. There are a few smaller mail domains which do not have Traveler servers deployed. These users are assigned to a Notes Traveler server in a different domain and Directory Assistance is used to provide proper user lookup.
Further reading on supporting multiple Lotus Domino