This document describes how to configure a reverse proxy server for Lotus
Connections.
Overview
A reverse proxy server intercepts client requests to Lotus Connections
servers and, when possible, returns cached data rather than contacting
the true destination server. A reverse proxy reduces the amount of
traffic that a back-end server must perform to satisfy duplicate requests
for data, while at the same time improving the response time for those
requests.
You can set up a reverse proxy by using WebSphere Application Server Edge
components (formerly Edge Server). Edge components can control client access
to Web servers and improve access to Web-based content over the Internet
or a corporate intranet.
Infrastructure
The topology in this deployment uses a cluster of Lotus Connections servers
connected to a remote HTTP server, a remote database server, and a remote
LDAP server. These are deployed in a private network behind a firewall.
Client request are intercepted and handled by the transparent proxy server.
Users are not aware that a proxy exists in the configuration.
This deployment was tested on a
Microsoft Windows Server 2003 platform. The following figure illustrates
the topology used in this deployment:
Specifications
The following table lists the specifications of the systems used in this
deployment:
| Component
| Software
| OS
| System
|
| Reverse Proxy
| IBM WebSphere Application
Server Edge Components 6.1
| Windows
| Pentium IV CPU, 3.0
GHz, 500 MB RAM
|
| Web Server
| IBM HTTP Server 6.1.13
with SSL enabled
| Windows
Linux
| 2 Dual-Core CPUs,
2.0 GHz, 8 GB RAM
1 Quad-Core CPU, 1.6 GHz, 4 GB RAM
|
Lotus Connections
1.0.2
Lotus Connections 2.0
|
IBM WebSphere Application Server 6.1.0.13
IBM WebSphere Application Server 6.1.0.13
| Windows
Linux
| 2 Dual-Core CPUs,
2.0 GHz, 8 GB RAM
|
| Database
| DB2 9.1.4
Oracle 10g 10.2.0.3
| Windows
Linux
| 2 Dual-Core CPUs,
2.0 GHz, 8 GB RAM |
Step-by-Step instructions
Before deploying this infrastructure, the product and all related components
must be installed.
Installing WebSphere Edge Components
1. Download
Edge Components (part number: C88UQML):
https://w3-104.ibm.com/software/xl/download/ticket.do?openform
2. Launch
the Edge Components
launchpad.bat file and install the
Caching
Proxy component. For more information about installing, see the
Edge
components information center.
3. Start
the proxy service: Click
Start >
Control Panel
Administrative Tools >
Services, and then select
IBM
Caching Proxy and start the service.
4. Enter
the URL of the target Web server: Click
Start > All Programs >
Edge Components > Caching Proxy > Configuration Wizard. Enter
the URL of the
Target Web Server, and click
Next.
5. Enter
a
User Name and
Password for a new administrator account,
and click
Next. Click
Finish and
OK.
6. Open
the
ibmproxy.conf file (usually located in the
\cp\etc\en_US
directory) and add the following line to the Start new mapping rules
section:
Add Pass /pub/* \cp\server_root\pub\en_US\*
Save the file.
7. Configure
the proxy: Open Proxy Configuration > Proxy Settings, select
the HTTP check box, and click Submit.
8. Click
Proxy Performance, deselect the Run as a pure proxy check
box, and click Submit.
9. Restart
the proxy server and test the configuration: Open a web browser and navigate
to "http://Your_Proxy_Server.com/", where
is a Lotus Connections feature (such as Activities or Blogs). If the web
page for the selected feature appears, the reverse proxy is working correctly.
You can check the reverse proxy logs under: C:\Program Files\IBM\edge\cp\server_root\logs.
Enabling SSL
A. Create a personal certificate on the proxy server
1. Create
a key database for proxy server: Click Start > All Programs >
IBM WebSphere > Edge Components > Caching Proxy > Start Key Management
Utility.
2. Click
Key Database File and select New.
3. Enter
the following information and click OK:
Key database type: CMS
File Name: ProxyKey.kdb
Location: C:\ProxyDB
4. At
the password prompt, enter your password and select the Stash the password
to a file? check box.
5. Create
a personal certificate: Click Create > New Self-Signed Certificate....
6. Enter
the following information and click OK:
KeyLabel: ProxyCert
Version : X509V3
Key Size : 1024
Common name : Your_Proxy_Server.com
Organization : ibm
B. Import a signer certificate from the Web server
1. Extract
the PluginCert.arm file from the IBM HTTP Server. (For more information
about IHS, see Edge
components information center):
Open the plugin-key.kdb file (under C:\IBM\HTTPServer\Plugins\etc\)
and click OK. Enter your password when prompted, and click OK.
2. Click
WebSphere Plugin Key > Extract Certificate... and enter the following
data:
Data type: Base64-encoded ASCII data
Certificate file name: PluginCert.arm
Location: C:\
Click OK.
3. Import
the IHS Signer Certificate to the proxy server: Click Start > All
Programs > IBM WebSphere > Edge Components > Caching Proxy >
Start Key Management Utility, and open the ProxyKey.kdb file.
4. Click
Signer Certificates > Add, and enter the following information:
Data type : Base64-encoded ASCII data
Certificate file name : PluginCert.arm
Location : C:\
Click OK
5. When
prompted to enter a label, type PluginCert, and click OK.
C. Configure SSL on the proxy server
1. In
the proxy server's admin console, open Proxy Configuration > SSL
Settings.
2. Select
the Enable SSL check box.
3. Select
the Attempt to cache content on a secure request check box.
4. Enter
the kdb location, for example, c:\ProxyKDB\ProxyKey.kdb, in the Key
Ring Database file field.
5. Enter
the password file location, for example, c:\ProxyKDB\ProxyKey.sth,
in the Key Ring Database Password File field.
6. Click
Submit.
D. Modify the ibmproxy.conf file
1. Add
the following lines to enable Proxy and ReversePass directives:
Proxy /*
http://venturacn24.cn.ibm.com/* :80
Proxy /*
https://venturacn24.cn.ibm.com/* :443
ReversePass http://Your_HTTP_Server.com/*
http://Your_Proxy_Server.com/*
ReversePass https://Your_HTTP_Server.com/*
https://Your_Proxy_Server.com/*
2. Add
the following line to enable the SendRevProxyName directive:
SendRevProxyName yes
3. Add
the following lines to enable cache directives (optional):
CacheTimeMargin 0 seconds
CacheQueries Always http://Your_HTTP_Server.com/*
CacheQueries Always https://Your_HTTP_Server.com/*
4. Save
the ibmproxy.conf file.
5. Restart
the proxy server and test the configuration: Open a web browser and navigate
to "https://Your_Proxy_Server.com/", where
is a Lotus Connections feature (such as Activities or Blogs).
If the web page for the selected feature appears, the reverse proxy in
SSL mode is working correctly.
You can check the reverse proxy logs under: C:\Program Files\IBM\edge\cp\server_root\logs.
E. Test the configuration
1. Restart
the proxy server.
2. Open
a web browser and navigate to "https://Your_Proxy_Server.com/",
where is a Lotus Connections feature (such as Activities
or Blogs). If the web page for the selected feature appears, the reverse
proxy in SSL mode is working correctly.
You can check the reverse proxy logs under: C:\Program Files\IBM\edge\cp\server_root\logs.
Recommended reading