Deploying an IBM Sametime 8.5.2 Network Address Translation environment 

Overview

This article explains a scenario for deploying an IBM® Sametime® 8.5.2 Network Address Translation (NAT) environment.

When the IBM Sametime Gateway cluster and Session Initiation Protocol (SIP) proxy is configured for a NAT, the NAT environment requires that the SIP Proxy's external fully qualified DNS name (FQDN), as known to external communities, be the same as its internal FQDN .

Traversing a NAT environment is a known issue in the SIP domain. Currently, the IBM WebSphere® SIP infrastructure does not provide a solution to this problem because it does not support any of the Internet Engineering Task Force (IETF) standards. Therefore, any SIP application deployed on WebSphere Portal must develop its own solution.

The scenario provided here assumes that you have the following elements in your deployment:

• A clustered environment, with one more more clustered servers
• A SIP proxy server federated to the cluster
• All cluster members (including the SIP proxy server) deployed within the same subnet
• A static NAT that is defined in the NAT or firewall; the public IP address should be mapped to the SIP Proxy server's internal IP address.

Software stack components

The software stack includes:

• Sametime Community Server 8.5.2
• Lotus® Domino® Server 8.5
• Sametime Media Manager Server 8.5.2
• Sametime Gateway Server 8.5.2
• Sametime Proxy Server 8.5.2
• Sametime System Console 8.5.2
• DB2® UDB Edition v9.5
• WebSphere Application Server 7.0.0.3
• WebSphere Application Server 7.0.0.3 Network Deployment
• IBM Tivoli® Directory Server 6.1
• Network Dispatcher: IBM Edge Components of IBM WebSphere Application Server 7.0
• Load Balancer: IBM Edge Components of IBM WebSphere Application Server 7.0

Figure 1 shows how the basic environment is set up.

Figure 1. Diagram of the environment


Note these limitations:

1. Only static NAT is supported.
2. In this case a single SIP Proxy deployment was tested; a multiple-SIP Proxy deployment was never tested but can be applied with the same setting.
3. Single-server deployment is not supported, but a clustered deployment that contains only one server is supported.

Full Sametime 8.5.2 NAT test environment

Figure 2 displays in more detail the full test environment configuration.

Figure 2. Full environment configuration

Detailed system requirements

The IBM Support document, #7109598, “Detailed System Requirements - Sametime Standard 8.5.2,” contains a list of “supported components that have undergone compatibility testing by IBM. IBM recommends that customers always use operating systems, Web browsers, devices or applications listed in the application's system requirements; any variance has some level of risk because the combination has not been tested, and is not supported by IBM.”

Deploying NAT on Sametime 8.5.2

The Lotus Sametime 8.5.2 Product Documentation on the Wiki contains detailed, step-by-step instructions for installing and deploying NAT on Sametime 8.5.2. For best results, follow all instructions in the following links completely and in the order in which they are presented in the Information Center:

1. Configuring the Gateway cluster and SIP proxy for a NAT environment
   Configure a cluster of IBM® Sametime Gateway servers to operate in a NAT (Network Address Translation) environment. The NAT environment configuration requires that the SIP Proxy's external Fully Qualified DNS Name (FQDN), as known to external communities, be the same as its internal FQDN.
   
2. Installing Sametime TURN Server
   

1. Installing the Sametime TURN Server files
Deploying IBM Sametime TURN Server involves installing a Java™ Run-time Environment (JRE) plus some additional files. Unlike other Sametime servers, the TURN Server does not require IBM WebSphere® Application Server.

2. Enabling NAT traversal
Enable the NAT traversal feature by editing the stavconfig.xml file on the IBM Sametime Media Manager’s Conference Manager component.

3. Configuring firewalls and opening ports
If the IBM Sametime TURN Server and the Sametime Media Manager are separated from clients by firewalls, you must open ports in the firewalls to enable communications.

4. Configuring the Media Manager to use the TURN Server
Configure the IBM Sametime Media Manager to work with the Sametime TURN Server.

5. Deploying a load balancer with Sametime TURN Servers
Although IBM Sametime TURN Server cannot be clustered for high availability, you can provide some additional service by deploying multiple TURN Servers with a load balancer to distribute the workload.

3. Configuring a SIP proxy server

Configure the Session Initiation Protocol (SIP) proxy server for a cluster of IBM® Sametime® Gateway servers. There is no need to configure external domains in the SIP proxy server; this is done through the Sametime Gateway configuration.

Troubleshooting

Detailed tips on troubleshooting each of the following products/areas can be found in the Sametime 8.5.2 Installation and Administration Troubleshooting topic in the Wiki:

NOTE: If your IBM Sametime deployment experiences problems with NAT traversal, begin by troubleshooting the Sametime TURN Server.

• Sametime Connect client
• Sametime System Console
• Sametime Community Server
• Sametime Proxy Server
• Sametime Media Manager
• Sametime Bandwidth Manager
• Sametime TURN Server
• Sametime Meeting Server
• Lotus Sametime Gateway Server
• Installation or uninstallation
• Log file locations
• Directory conventions

Conclusion

You should now be able to successfully configure NAT for Sametime 8.5.2.

Resources

Refer to the Product Wiki for more information on:

• NAT traversal terms
• Port allocations for NAT traversal

About the author

Desmond McCann is a Chartered Engineer working on the Sametime Verification Test team. He has been with IBM since 2010, focusing on integration and interoperability across Lotus Sametime products.