Use IBM Sametime Gateway to connect Sametime® clients with other instant messaging clients. Several options are available for setting up a single server or a cluster of Sametime Gateway servers in a network deployment. You can install Sametime Gateway securely in the network DMZ. In some cases, Network Address Translators (NAT) is supported.
In addition to the topologies described here, you can read about deploying Sametime Gateway on the wiki, available at the following web address:
http://www.ibm.com/developerworks/wikis/display/sametime/Sametime+Gateway+deployments
Deploying Sametime Gateway in the DMZ
Sametime Gateway is an enterprise solution that requires a clustered deployment in the network DMZ. DMZ is a networking term that comes from the military term "demilitarized zone." DMZ refers to an area of a network, usually between two firewalls, where users from the Internet are permitted limited access over a defined set of network ports and to predefined servers or hosts. A DMZ is used as a boundary between the Internet and your company's internal network. The network DMZ is the only place on a corporate network where Internet users and internal users are allowed at the same time.
There is no risk of data being compromised as Sametime Gateway itself does not contain data. There is no need to install reverse proxies or other servers, such as IP sprayers or load balancers in front of Sametime Gateway. Sametime Gateway is secure because:
- Firewall restrictions make it impossible for users from the Internet to directly access a Sametime community server on your corporate intranet, but Internet users can access Sametime Gateway in the network DMZ.
- Sametime community servers, behind the internal firewall, are accessible only over an encrypted VP protocol.
- DB2® is behind the internal firewall, restricted by host and port access.
- LDAP is behind the internal firewall, accessible over SSL and restricted by host and port access
- Sametime Gateway exchanges with other instant messaging providers over SIP can be encrypted with SSL.
Components perform best when installed on their own machines and are most secure when behind the internal firewall.
Topologies for a standalone server
A standalone Sametime Gateway server has its own administrative console. Standalone servers do not require a SIP or XMPP proxy server. In the following configuration, the Sametime Gateway server is deployed outside the internal firewall in the DMZ, while DB2 and LDAP servers are behind the firewall.
Topologies for a managed group of servers
Each of the following deployments consists of a cluster of servers that work together in a cell to provide high availability and failover. There is one administrative console to manage all servers. The following cluster deployments are considered:
- Scenario: Two-machine installation of a cell of Sametime Gateway servers
- Machine 1: DB2, Deployment Manager, primary node
- Machine 2: secondary node, proxy servers
-
- Scenario: Three-machine installation of a cell of Sametime Gateway servers
- Machine 1: DB2
- Machine 2: Deployment Manager, primary node
- Machine 3: secondary node, proxy servers
-
- Scenario: Four-machine installation of a cell of Sametime Gateway servers
- Machine 1: DB2
- Machine 2: Deployment Manager, primary node
- Machine 3: secondary node
- Machine 4: proxy servers
- Scenario: Five-machine installation of a cell of Sametime Gateway servers
- Machine 1: DB2
- Machine 2: Deployment Manager, primary node
- Machine 3: secondary node
- Machine 4: secondary node
- Machine 5: proxy servers
The following illustration shows a typical of Sametime Gateway cluster and the ports that must be open in the firewalls to connect with DB2 and LDAP, and exchange instant messages and presence between the local Sametime community and external instant messaging communities.
WebSphere Application Server and DB2
IBM® Sametime Gateway runs on IBM WebSphere® Application Server. WebSphere Application Server provides the following capabilities:
- Clustering support, robust failover capability using the High Availability Manager
- Session Initiation Protocol (SIP) Infrastructure, including stateless SIP Proxy and SIP IP sprayer provided by the platform
- Open, extensible platform support. Additional plug-in services can configured in a flexible manner
- A central place to administer system configuration and monitoring and security policies through the Integrated Solutions Console and wsadmin script commands.
DB2 is the storage for the Sametime Gateway policies and logging. DB2 can be clustered for failover and load-balancing purposes. DB2 is part of the Lotus® common storage strategy. Lotus Domino® can use DB2 as an alternative repository, and Sametime Enterprise Meeting Server also uses DB2 for storing and sharing configuration data across servers. DB2 should be installed on a separate machine behind the internal firewall.
Typical deployment when connecting to instant messaging communities
Sametime Gateway can connect to the following instant messaging communities:
- AOL, Google Talk, and XMPP communities
- Other Sametime communities
- Other Sametime companies using AOL clearinghouse
You can set up any or all configurations as needed. Sametime Gateway allows selected individuals in your company to send instant messages to users on one or more public networks, giving your users immediate access to millions of users worldwide.
Note: When you set up a connection with AOL, you have the option of connecting with AOL users only, or connecting with the AOL clearinghouse community that includes AOL, ICQ, iChat, and other users from AOL Enterprise Federation Partner communities, including external Sametime communities. IBM recommends that you do not configure both communities, as users served by the AOL clearinghouse are a superset of users served by the AOL community. If you set up AOL only, and later decide to connect with the AOL clearinghouse community, delete the AOL community first before adding the AOL clearinghouse community to Sametime Gateway.
When you connect to other Sametime companies, you can connect business users of different companies. This deployment is very useful in case of acquisitions when IT infrastructure is still separate, when you want to interconnect vendors over the Internet. Connections are made secure by using an SSL certificate exchange.
Recommended deployment
For small, test configurations only, you can install Sametime Gateway on the same computer as Sametime Community Server, DB2, or other applications. For a production environment, your Sametime Community Server should be installed on a separate computer from your Sametime Gateway.
Multiple Network Interface Cards
To simulate a NAT (Network Address Translator), you can use two Network Interface Cards (NICs), one for an internal IP address and the other for an external IP address. If you use this configuration, you must update the default host using the Integrated Solutions Console. See
Configuring network interface cards to simulate a NAT: sta852
.
Note: The use of a NAT is only supported with a clustered configuration. Setting up a NAT is described in
Configuring the Gateway cluster and SIP proxy for a NAT environment: sta852.
Parent topic:
Planning deployments with the Sametime Standard features you want