Use IBM Sametime Gateway to connect Sametime® clients with other instant messaging clients. Several options are available for setting up a single server or a cluster of Sametime Gateway servers in a network deployment. You can install Sametime Gateway securely in the network DMZ. In some cases, a Network Address Translator (NAT) is supported.
Review deployment scenarios, sizing guidelines, and troubleshooting information for Sametime Gateway in this wiki's Community tab; see the Sametime Gateway deployment articles.
Deploying Sametime Gateway in the DMZ
Sametime Gateway is an enterprise solution that requires a clustered deployment in the network DMZ. DMZ is a networking term that comes from the military term "demilitarized zone." DMZ refers to an area of a network, usually between two firewalls, where users from the Internet are permitted limited access over a defined set of network ports and to predefined servers or hosts. A DMZ is used as a boundary between the Internet and your company's internal network. The network DMZ is the only place on a corporate network where Internet users and internal users are allowed at the same time.
There is no risk of data being compromised, as Sametime Gateway itself does not contain data. There is no need to install reverse proxies or other servers, such as IP sprayers or load balancers, in front of Sametime Gateway.
Sametime Gateway is secure because:
- Firewall restrictions make it impossible for users from the Internet to directly access a Sametime community server on your corporate intranet, but Internet users can access Sametime Gateway in the network DMZ.
- Sametime community servers, behind the internal firewall, are accessible only over an encrypted VP protocol.
- DB2® is behind the internal firewall, restricted by host and port access.
- LDAP is behind the internal firewall, accessible over SSL and restricted by host and port access.
- Sametime Gateway exchanges with other instant messaging providers over SIP can be encrypted with SSL.
Components perform best when installed on their own machines and are most secure when behind the internal firewall.
Starting with version 8.5.2, Sametime Gateway security can be enhanced using the IBM WebSphere DMZ Secure Proxy Server. Using this component, a firewall can be inserted between the SIP proxy (hosted on the DMZ Secure Proxy Server) and the Sametime Gateway servers. The following two deployments are supported:
- In the "single DMZ" configuration, the DMZ Secure Proxy Server is deployed in the DMZ while the rest of the Sametime servers, including Sametime Gateway, are deployed on the corporate intranet. All requests from external clients are routed through the DMZ Secure Proxy Server.
- In the "dual DMZ" configuration, the DMZ Secure Proxy Server is deployed in the outermost "Web" DMZ, the Sametime Gateway servers are deployed in an inner "Application" DMZ, and the rest of the Sametime servers are deployed on the corporate intranet.
For more information on configuring Sametime Gateway with the DMZ Secure Proxy Server, see the guide Sametime Gateway: Deploying WebSphere Secure DMZ Proxy Server.
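The security list under "Deploying Sametime Gateway in the DMZ" and the single and dual DMZ topologies above amount to a set of placement and firewall constraints that a reviewer can check mechanically before the firewalls are configured. The following Python script is an added example, not IBM's code or configuration: it models hosts by zone and role, models firewall allow rules, and audits a constructed dual-DMZ rule set against those constraints (Internet users reach only the DMZ Secure Proxy Server; community servers, DB2 and LDAP sit behind the internal firewall; DB2 and LDAP are reachable only from named Gateway hosts on one port; LDAP and the community connection are encrypted). The host names, zone names, the `Rule` model and every port number are assumptions; the planning text lists no port values.

```python
"""Policy-as-code audit for a Sametime Gateway deployment that fronts the
Gateway with the WebSphere DMZ Secure Proxy Server (single or dual DMZ).

Added example, not IBM's code or configuration. Host names, zone names and
the firewall rule model are constructed for illustration, and the port
numbers are assumed protocol defaults; the planning page lists no ports.
"""
from dataclasses import dataclass

ZONES = ("internet", "web_dmz", "app_dmz", "intranet")

# Assumed default ports (placeholders, not values from the planning page).
SIP_TLS = 5061    # SIP over TLS
VP_PORT = 1533    # Sametime community (VP) port
LDAPS = 636       # LDAP over SSL
DB2_PORT = 50000  # DB2 instance port


@dataclass(frozen=True)
class Host:
    name: str
    zone: str  # one of ZONES
    role: str  # secure_proxy | gateway | community | db2 | ldap


@dataclass(frozen=True)
class Rule:
    """One firewall allow rule. src is a zone name or a host name."""
    src: str
    dst: str    # destination host name
    port: int
    tls: bool   # True when the flow is SSL/TLS protected


def audit(hosts: dict, rules: list) -> list:
    """Return a list of findings; an empty list means the topology and rule
    set satisfy the constraints stated in the planning text."""
    findings = []
    for h in hosts.values():
        if h.zone not in ZONES:
            findings.append(f"{h.name}: unknown zone {h.zone}")
        # Community server, DB2 and LDAP belong behind the internal firewall.
        if h.role in ("community", "db2", "ldap") and h.zone != "intranet":
            findings.append(f"{h.name} ({h.role}) must be on the intranet, not {h.zone}")
    for r in rules:
        dst = hosts.get(r.dst)
        if dst is None:
            findings.append(f"rule to unknown host {r.dst}")
            continue
        src = hosts.get(r.src)  # None when src is a zone name
        # Internet users may reach only the DMZ Secure Proxy Server.
        if r.src == "internet" and dst.role != "secure_proxy":
            findings.append(f"internet -> {dst.name}: only the DMZ Secure Proxy may face the Internet")
        # DB2 and LDAP: restricted by host (named Gateway hosts) and by port.
        if dst.role in ("db2", "ldap"):
            if src is None or src.role != "gateway":
                findings.append(f"{r.src} -> {dst.name}: {dst.role} access must come from a named Gateway host")
            expected = DB2_PORT if dst.role == "db2" else LDAPS
            if r.port != expected:
                findings.append(f"{r.src} -> {dst.name}:{r.port}: expected port {expected}")
            if dst.role == "ldap" and not r.tls:
                findings.append(f"{r.src} -> {dst.name}: LDAP must be reached over SSL")
        # Community servers: encrypted VP from Gateway hosts only.
        if dst.role == "community" and (src is None or src.role != "gateway" or not r.tls):
            findings.append(f"{r.src} -> {dst.name}: community server only over encrypted VP from a Gateway host")
    return findings


# Constructed dual-DMZ sample: proxy in the web DMZ, Gateway nodes in the
# application DMZ, community server, DB2 and LDAP on the intranet.
HOSTS = {h.name: h for h in (
    Host("stproxy1", "web_dmz", "secure_proxy"),
    Host("stgw1", "app_dmz", "gateway"),
    Host("stgw2", "app_dmz", "gateway"),
    Host("stcommunity1", "intranet", "community"),
    Host("db2-1", "intranet", "db2"),
    Host("ldap1", "intranet", "ldap"),
)}

GOOD_RULES = [
    Rule("internet", "stproxy1", SIP_TLS, True),
    Rule("stproxy1", "stgw1", SIP_TLS, True),
    Rule("stproxy1", "stgw2", SIP_TLS, True),
    Rule("stgw1", "stcommunity1", VP_PORT, True),
    Rule("stgw2", "stcommunity1", VP_PORT, True),
    Rule("stgw1", "db2-1", DB2_PORT, False),
    Rule("stgw2", "db2-1", DB2_PORT, False),
    Rule("stgw1", "ldap1", LDAPS, True),
    Rule("stgw2", "ldap1", LDAPS, True),
]

# Two mistakes a reviewer should catch: the Internet allowed straight to a
# Gateway node, and the whole application DMZ allowed to LDAP in the clear.
BAD_RULES = GOOD_RULES + [
    Rule("internet", "stgw1", SIP_TLS, True),
    Rule("app_dmz", "ldap1", 389, False),
]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, audit(HOSTS, rules) or "no findings")
```

The audit is deliberately zone- and role-based rather than tied to a firewall product, so the same checks apply whether the rules end up on a hardware firewall or on host packet filters; the standalone topology without a DMZ Secure Proxy Server, where the Gateway itself faces the Internet, would need the first check relaxed to allow the Gateway role.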
Topologies for a standalone server
A standalone Sametime Gateway server has its own administrative console. Standalone servers do not require a SIP or XMPP proxy server. In the following configuration, the Sametime Gateway server is deployed outside the internal firewall in the DMZ, while the DB2 and LDAP servers are behind the firewall.
Topologies for a managed group of servers
Each of the following deployments consists of a cluster of servers that work together in a cell to provide high availability and failover. There is one administrative console to manage all servers. The following cluster deployments are considered:
- Scenario: Two-machine installation of a cell of Sametime Gateway servers
  - Machine 1: DB2, Deployment Manager, primary node
  - Machine 2: secondary node, proxy servers
- Scenario: Three-machine installation of a cell of Sametime Gateway servers
  - Machine 1: DB2
  - Machine 2: Deployment Manager, primary node
  - Machine 3: secondary node, proxy servers
- Scenario: Four-machine installation of a cell of Sametime Gateway servers
  - Machine 1: DB2
  - Machine 2: Deployment Manager, primary node
  - Machine 3: secondary node
  - Machine 4: proxy servers
- Scenario: Five-machine installation of a cell of Sametime Gateway servers
  - Machine 1: DB2
  - Machine 2: Deployment Manager, primary node
  - Machine 3: secondary node
  - Machine 4: secondary node
  - Machine 5: proxy servers
The following illustration shows a typical Sametime Gateway cluster and the ports that must be open in the firewalls to connect with DB2 and LDAP, and to exchange instant messages and presence between the local Sametime community and external instant messaging communities.
WebSphere Application Server and DB2
IBM® Sametime Gateway runs on IBM WebSphere® Application Server. WebSphere Application Server provides the following capabilities:
- Clustering support and robust failover capability using the High Availability Manager
- Session Initiation Protocol (SIP) infrastructure, including the stateless SIP proxy and SIP IP sprayer provided by the platform
- Open, extensible platform support; additional plug-in services can be configured in a flexible manner
- A central place to administer system configuration, monitoring, and security policies through the Integrated Solutions Console and wsadmin script commands
DB2 is the storage for the Sametime Gateway policies and logging. DB2 can be clustered for failover and load-balancing purposes. DB2 is part of the Lotus® common storage strategy: Lotus Domino® can use DB2 as an alternative repository, and Sametime Enterprise Meeting Server also uses DB2 for storing and sharing configuration data across servers. DB2 should be installed on a separate machine behind the internal firewall.
Typical deployment when connecting to instant messaging communities
Sametime Gateway can connect to the following instant messaging communities:
- AOL, Google Talk, and XMPP communities
- Other Sametime communities
- Other Sametime companies using AOL clearinghouse
You can set up any or all configurations as needed.
Sametime Gateway allows selected individuals in your company to send instant messages to users on one or more public networks, giving your users immediate access to millions of users worldwide.
Note: When you set up a connection with AOL, you have the option of connecting with AOL users only, or connecting with the AOL clearinghouse community that includes AOL, ICQ, iChat, and other users from AOL Enterprise Federation Partner communities, including external Sametime communities.
IBM recommends that you do not configure both communities, as users served by the AOL clearinghouse are a superset of users served by the AOL community. If you set up AOL only, and later decide to connect with the AOL clearinghouse community, delete the AOL community first before adding the AOL clearinghouse community to Sametime Gateway.
When you connect to other Sametime companies, you can connect business users of different companies. This deployment is very useful after an acquisition while the IT infrastructures are still separate, or when you want to interconnect with vendors over the Internet. Connections are secured by an SSL certificate exchange.
Recommended deployment
For small, test configurations only, you can install Sametime Gateway on the same computer as Sametime Community Server, DB2, or other applications. For a production environment, your Sametime Community Server should be installed on a separate computer from your Sametime Gateway.
Multiple Network Interface Cards
To simulate a NAT (Network Address Translator), you can use two Network Interface Cards (NICs), one for an internal IP address and the other for an external IP address. If you use this configuration, you must update the default host using the Integrated Solutions Console. See Configuring network interface cards to simulate a NAT.
Note: The use of a NAT is only supported with a clustered configuration. Setting up a NAT is described in Configuring the Gateway cluster and SIP proxy for a NAT environment.