ID205 IBM Lotus inotes High Availability Customer Case Study and Successful Web Deployment Best Practices

© 2011 IBM Corporation

ID205

IBM Lotus iNotes High

Availability Customer Case Study

and Successful Web Deployment

Best Practices

Rahul A. Garg | Advisory Software Engineer | IBM

Fredrik Söderquist | Consultant | Infoware Solutions Svenska AB

Agenda

●

_{Stockholms Läns Landsting Case Study}

●

_{IBM Lotus Domino Server Configurations}

●

_{Reverse Proxy Configuration for Lotus iNotes}

●

Examples High Availability Configuration

© 2011 IBM Corporation 3

Who am I?

●

_{Fredrik Söderquist}

─ _{[email protected]}

●

_{Represents a Swedish Premium Business Partner:}

●

Presenting the Case Study:

What is the Stockholm County Council?

●

_{Stockholm County Council is English for Stockholm Läns Landstings}

─ _{Know in Sweden for its abbreviation SLL}

●

_{SLL's mandate is to ensure that its 2 million residents have access to health}

care and public transport as well as preventing health problems.

●

_{SLL is one of Sweden's largest employer in Sweden}

─ _{45 000 employees}

© 2011 IBM Corporation 5

Why iNotes?

●

_{SLL started in 2002}

─ _{Each organization within SLL had their own mail solution or multiple solutions} ─ _{Even though mail solutions were present, there was a lot of drawbacks:}

– _{Basically every available product on the market was in use due to the large}

amount of different solutions

– _{About 30% of all SLL employees didn't have access to mail or where using}

group accounts

– _{There where no or very little security in these solutions} – _{Availability was delivered on a “best effort” basis}

– _{And there were no or very little protection against virus and spam}

●

Mail was an area with potential for improvements

─ SLL IT Council Committee initiated a project to establish and deploy a centralized

mail solution based on IBM Lotus Domino

─ _{It was voluntary for the organizations within SLL to join the central mail solution}

– _{The central solution had to show compelling business values in order to make}

Why iNotes? (continued)

●

_{The new central mail environment showed these business values:}

─ _{Lower TCO}

─ _{Higher availability} ─ _{More performance} ─ _{Added functionality} ─ _{Easier administration}

●

_{Why was iNotes chosen in preference of Notes?}

─ _{The organizations within SLL determined that iNotes was:}

– _{Cheaper and easier to roll out} – _{Cheaper and easier to maintain} – _{Required less user training} – _{All in all a lower TCO}

© 2011 IBM Corporation 7

How did SLL build their iNotes solution?

●

_{Combining high availability, high performance and low costs isn't easy}

─ _{SLL defined two mindsets to help them keep costs down:}

– _{“Automation instead of administration”}

– _{“Centralized operations, decentralized administration”}

Back-end architecture

●

_{The back-end architecture was placed in two geographically separated sites}

and placed within the core network of SLLnet

●

_{SLLnet is SLL's WAN}

─ _{Highly available} ─ _{High performing}

© 2011 IBM Corporation

9

Clustering

●

_{All server roles that needed to provide its services in a high availability}

configuration were clustered, mostly in a very common mirrored cluster

configuration

●

_{However for the Mail Servers SLL chose a different clustering method, a}

method that could be explained as a “multiple non-mirrored cluster”. It's actually

a single Domino cluster with eight server members. But the mailboxes aren't

mirrored between the servers, instead they are randomly and asymmetrically

distributed between all eight servers.

© 2011 IBM Corporation

11

Clustering (continued)

Randomly selected

home server

mail/user1.nsf

Randomly selected

replica

server

on

the

opposite site

Automation & archiving

●

_{To help keep costs down SLL focused on automation}

─ _{A product called User Management Tool (from Infoware Solutions) together with}

custom administrative applications created an automated user management process

─ Many additional custom administrative and products were user for additional

automation processes and application used for self administration/service desks.

●

Server-based archiving

─ _{A product called Mailpak Archiving Tool (from Infoware Solutions) was deployed to}

help keep storage costs down

– _{Low performing (cheap) storage was used for the online archive}

─ _{The mail servers got added performance due to less data to manage}

© 2011 IBM Corporation 13

SLL's iNotes solution

●

_{Solid back-end sorted out, only thing needed was a front-end}

─ _{SLL wanted transparent failover and load balancing of iNotes} ─ _{Many different products were looked at and discarded}

─ _{WebSphere Edge Components were chosen}

●

_Front-end

─ _Products:

– _{WebSphere Edge Dispatcher (load balancers)} – _{WebSphere Edge Caching Proxy}

– _{WebSphere Edge Content Based Router}

– _{WebSphere Application Server (LDAP authentication)}

─ Customization:

– _{Login application}

– _{Web service to CLDBDIR.nsf to get user's mail servers for load balancing} – _{Proxy plugin for the web service look up}

SLL's iNotes solution (continued)

●

_{Every HTTP request is load balanced}

─ _{Failover is completely transparent to users}

●

_{Since forms85.nsf is located on all eight mail servers, all mail servers are}

involved in presenting iNotes data.

●

_{Since users have two mailboxes, both mail servers holding their mailbox is}

involved in load balancing and failover of the content in the mailbox

●

_{Proxies do URL-masking, user always sees mail.sll.se}

●

Firewall between the front-end and back-end ensures that only the proxies can

communicate with mail servers over HTTP

─ _{SLL is terminated by the proxies which makes the mail servers gain performance} ─ Only one SSL certificate is needed which help keep cost down

© 2011 IBM Corporation

Lessons learned & best practices

1

Sort out the back-end first

2

You need a front-end

3

Maintenance work during office hours is possible with a front-end

4

With a front-end you only have one place for SSO integration

5

Load balancing utilizes HW better, make sure you don't overscale

6

Notes and iNotes users can co-exist

7

iNotes demands less user training than Notes

● (depending on your users skills)

© 2011 IBM Corporation 17

What's next for SLL?

●

_{8.5.2 upgrade}

─ _{SLL is currently in the middle of an upgrade to 8.5.2 that is planned to be completed}

by Q1 2011

─ With this upgrade they are looking into implementing DAOS to further reduce the

storage costs

●

Virtualization

─ _{Even more cost reducing actions are made with further virtualization of their}

infrastructure

●

_{Sametime 8.5}

─ _{Sametime is being deployed to provide online meetings, chat and awareness.} ─ _{And of course Sametime will be integrated with iNotes}

Agenda

●

_{Stockholms Läns Landsting Case Study}

●

_{IBM Lotus Domino Server Configurations}

●

_{Reverse Proxy Configuration for Lotus iNotes}

●

Examples High Availability Configuration

© 2011 IBM Corporation 19

IBM Lotus Domino Server Configuration

Requirements

●

_Replication

─ _{Cluster replication is required for load balancing}

●

_{Enable Multi-Server Single Sign On}

─ _{Eliminates the need for users to re-authenticate when accessing multiple servers} ─ _{Create Web SSO configuration}

– _{Add an LTPA (Light-Weight Third Party Authentication) Token}

─ _{Set HTTP Authentication Method}

●

_{Lotus iNotes Redirector}

─ Requires Domino Web Configuration (domcfg.nsf

IBM Lotus Domino Server Replication

Configuration

●

_{Enable Cluster Replication}

Select Domino servers to be added to the cluster

Create a new cluster

© 2011 IBM Corporation

21

IBM Lotus Domino Server SSO Configuration

●

_{Create Web SSO Configuration}

All Server Docs View

Click on Web and create Web SSO Configuration

IBM Lotus Domino Server SSO Configuration

●

_{Create Web SSO Configuration (continued)}

Set Config name

DNS Domain name

Domain Servers

For dual-directory configurations

© 2011 IBM Corporation

23

IBM Lotus Domino Server SSO Configuration

●

_{Create Web SSO Configuration (continued)}

IBM Lotus Domino Server SSO Configuration

●

_{Set HTTP Authentication Method}

Enable Domino Servlet Manager for Add Web SSO

Configuration Internet Protocols -->

© 2011 IBM Corporation 25

IBM Lotus iNotes Redirect

●

_Overview

─ _{Domino application based on the IWAREDIR.NTF template}

─ _{Allows Lotus iNotes users to access their mail file and mail server using only the}

name of the iNotes Redirect server

─ _{Uses Domino authentication methods to redirect a user's browser to their mail file}

based on their username and password

●

Create Lotus iNotes Redirect application using IWAREDIR.NTF template

●

_{Configure Redirect application}

IBM Lotus iNotes Redirect Server Settings

●

_{Server Settings}

─ _{How to look up mail file and mail server} ─ _Fixed

– _{Force redirection to the specified url, eg user comes from domino.acme.com}

and setting is set to mail.acme.com, the URL will become mail.acme.com

─ _Dynamic

– _{The url is built from the incoming URL request. eg. mail1.acme.com}

─ _MailServer

© 2011 IBM Corporation 27

IBM Lotus iNotes Redirect Server Settings

(continued)

●

_{Reverse Proxy field can be used to add name of reverse proxy server that will}

be used as “junction” name in the redirection URL

─ _{NOTE: This does NOT provide reverse proxy functionality; you still need a reverse}

IBM Lotus iNotes Redirect Server Settings

(continued)

●

_{In general, when working with reverse proxies, use the Fixed mode}

© 2011 IBM Corporation 29

IBM Lotus iNotes Redirect Server Settings

(continued)

●

_{To assist load balancers working in a clustered environment, a form called}

“ServersLookup” (new to 8.5.2) has been made available and will reside in the

Redirect database

─ _{When requested by the load balancer}

─ _{The ServersLookup form will return one of two HTTP response headers in the}

format X-Domino-xxxxx, each containing a comma separated list of servers.

– _{X-Domino-ReplicaServers is returned when the service finds the relevant path}

within its own cluster

– _{X-Domino-ClusterServers is returned only when the mail servers are part of a}

IBM Lotus iNotes Redirect Server Settings

(continued)

●

_{Configure SSL options}

─ _{SSL used only on authentication} ─ _{SSL used for whole session}

© 2011 IBM Corporation 31

IBM Lotus iNotes Redirect Server Settings

(continued)

●

_{Coming in 8.5.3}

─ _{Omit http protocol from redirect URL}

– _{Default is No, which means the redirect URL will include the http(s) protocol} – _{This is useful in scenarios where external users will be using https as provided}

by a reverse proxy and internal users will be using http against the back-end Domino server

IBM Lotus iNotes Redirect Server Settings

(continued)

●

_{Coming in 8.5.3}

─ _{Use home mail server for Domino Directory lookups}

– _{Default is No, which means lookups will be done against current server hosting}

the Redirect server

– _{This is useful when supporting multiple Domino domains, each with its own}

Directory, and using one Redirect server. Previously, lookups would only be done against current server which could result in improperly constructed

redirect URLs. Allowing lookups against the user's home mail server will ensure the redirect URL is properly built.

– _{Note that this will need the Redirect server to be added to the Trusted Servers}

© 2011 IBM Corporation 33

IBM Lotus iNotes Redirect UI Settings

●

_{UI Setup}

─ _{Personal Options allow users to specify which iNotes area they want to start in, eg.}

Mail, Calendar, etc

─ Login Options allow users to choose between the different iNotes modes

– _{Enable the shared or public computer mode that disables attachments}

IBM Lotus iNotes Redirect Ultra-light Settings

●

_{Ultra-light / Mobile Settings}

─ _{Enable Radio Button, creates a Ultra-Light mode button when using Firefox}

─ _{Mobile Devices, detects the device and creates a login page formatted for mobile}

© 2011 IBM Corporation 35

IBM Lotus iNotes Redirect Application Settings

●

_{ACL Configuration}

IBM Lotus iNotes Redirect Implementation

●

_{Add the iNotes Redirector to the HTTP Configuration in the Server Doc}

iNotes Redirector DB name

Internet Protocols -->HTTP

© 2011 IBM Corporation 37

IBM Lotus iNotes Redirect Implementation

(continued)

●

_{DWALoginForm needs Anonymous connections enabled}

─ _{Otherwise, Login page will have a broken image link}

●

_{If Anonymous connections are not allowed}

─ _{Use the NOTES.INI setting, HTTPPublicUrls}

– _{Available starting in 8.5.2}

– _{Allows you to add public urls for images} – _{e.g. HTTPPublicUrls=/iwaredir.nsf/*}

IBM Lotus iNotes Redirect Login page

●

_{Using the DWALoginForm}

─ _{Create and open Domino Web Server Configuration application (domcfg.nsf)} ─ _{Click “Add Mapping”}

─ _{Change the Target Database to your Lotus iNotes Redirect application} ─ _{Change the Target Form to DWALoginForm}

─ _{Save and Close}

© 2011 IBM Corporation 39

IBM Lotus Sametime Integration with reverse

proxies

●

Requirements when deploying with a Reverse Proxy server

─ Edit stlinks.js (located on both Sametime and Domino iNotes servers)

– var ll_RProxyName=”https://ReverseProxyHost.acme.com”; – var ll_AffinityID=”st8”;

– Note: The stlinks directory which contains stlinks.js may get overwritten during a Domino

server update. It's recommended to backup stlinks.js and hostInfo.js, which may have been customized.

─ Edit stconfig.nsf --> Meeting Services (located on the Sametime server)

– Reverse Proxy Enabled: True – Reverse Proxy Alias: st8

─ Reverse Proxy example settings

– Proxy /st8/communityCBR/* http://sts.acme.com:8082/communityCBR/* – Proxy /st8/* http://sts.acme.com/*

– ReversePass http://sts.acme.com/* https://ReverseProxyhost.acme.com/*

●

Deploying in a high-availability configuration

─ Sametime clusters for failover

IBM Lotus Sametime Proxy 8.5 configuration

●

Requirements for WebSphere Caching Proxy Server

─ Enable PUT and DELETE method directives as required by the Sametime Proxy server

─ Add rewrite and mapping rules for iNotes and Sametime with junction points in order for

requests to be sent to the proper server

─ Lastly, in order to keep access secure, it's recommended to configure SSL between the client

© 2011 IBM Corporation 41

IBM Lotus Sametime Proxy 8.5 configuration

(continued)

●

Domino Server Configuration

─ The Sametime Proxy server used by iNotes users is defined on the Domino server by setting a

notes.ini var. There are two possible server settings, iNotes_WA_SametimeProxyServer and iNotes_WA_SametimeProxyServerSSL. We recommend using both settings as follows:

– For intranet/internal users, set iNotes_WA_SametimeProxyServer to the URL of the actual

Sametime Proxy server.

● iNotes_WA_SametimeProxyServer=http://stproxyServer.company.com:9080

– In the case where intranet/internal users are required to make a secure connection

● iNotes_WA_SametimeProxyServer=https://stproxyServer.company.com:9443

– For internet users, set iNotes_WA_SametimeProxyServerSSL to the URL of the reverse

proxy

Reverse Proxy Configuration for Lotus iNotes

●

_{Software Based Solution}

─ _Apache®

– _{Easy to setup} – _Caching

– _{Low cost}

─ _{IBM® WebSphere® Edge™}

– _Robust – _Easy

– _{Ideal for mid size deployments} ●

_{Hardware Based Solution}

─ F5 Networks® BIG-IP™ Load Traffic Manager™ (LTM)

– _{Highly Scalable}

© 2011 IBM Corporation 43

Reverse Proxy Configuration for Lotus iNotes

using Apache

●

_{Apache Reverse Proxy:}

─ _Apache2

─ _{Vhosts can be configured} ─ _Scalable

─ _{Configuring the Reverse Proxy server}

– _Modules

●

mod proxy, rewrite, proxy-balancer (Loadmodule.conf)

─ _{Configuration Files}

– _{httpd.conf, ssl-global.conf, loadmodule.conf, listen.conf}

─ _{ProxyRequests Off}

─ _{Mapping rules: set directives for iNotes}

─ _{Example: ProxyPass / http://dom1.acme.com/} ─ _{ProxyPassReverse / http://dom1.acme.com/}

High Availability Configuration for Lotus iNotes

using Apache

●

_{Apache Reverse Proxy:}

─ _{Load Balancing} ─ _Example:

– _{ProxyPass /balancer-manager !}

– _{ProxyPass / balancer://inotescluster/ stickysession=JSESSIONID}

nofailover=On

– _{ProxyPassReverse / http://dom1.acme.com/} – _{ProxyPassReverse / http://dom2.acme.com/} – _{<Proxy balancer://inotescluster>}

– _{BalancerMember http://dom1.acme.com route=dcmail1 loadfactor=50} – _{BalancerMember http://dom2.acme.com route=dcmail2 loadfactor=50} – _{ProxySet lbmethod=bytraffic (or byrequests)}

© 2011 IBM Corporation 45

Case Study – Reverse Proxy using Apache

●

_{Central Bank of India}

─ _{7000 users provisioned. 4500 active users}

─ _{35% users use iNotes as the only mode of mail access} ─ _{Majority of iNotes users access mails over internet.}

─ _{Some branch location users connect via low speed dial up links}

●

_Solution

─ _{Domino servers in cluster}

─ _{Users mail files clustered across all servers}

─ Apache Reverse Proxy used for iNotes users from Internet ─ _{Apache on SUSE linux}

─ Domino ICM used internally ─ SAN storage

© 2011 IBM Corporation 47

Reverse Proxy Configuration for Lotus iNotes

●

_{Software Based Solution}

_Apache®

–

_{Easy to setup}

_Caching

–

_{Low cost}

─

_{IBM® WebSphere® Edge™}

–

_Robust

_Easy

–

_{Ideal for mid size deployments}

●

Hardware Based Solution

─ F5 Networks® BIG-IP™ Load Traffic Manager™ (LTM)

– _{Highly Scalable}

– _{Advanced scripting support} – _{Ideal for complex deployments}

Reverse Proxy and High Availability Configuration

for Lotus iNotes Using F5

●

_{F5 BIG-IP LTM}

─ _{Hardware-based Advanced Application Delivery Controller} ─ _{Improves Application Performance}

– _{Intelligent compression}

– _{Optimized TCP/IP stack (TCP Express) improves performance on WAN/LAN}

─ _{Secure the Applications and Data}

– _{Selective, hardware-based encryption}

─ _{Offload Tasks from the Application Servers}

– _{OneConnect™, minimizes connections on the server side} – _{Fast Cache, caches server content on the BIG-IP}

– _{SSL Offload, hardware optimized for SSL encryption} – _Compression

© 2011 IBM Corporation 49

Case Study – Reverse Proxy using BIG-IP LTM

●

_{Tests at Lotus Performance Lab}

●

_{Domino Configuration}

─ _{2 Domino Servers}

─ _{Mirrored Configuration}

─ _{4000 Concurrent Users / Server}

●

_{BIG-IP LTM}

─ _GZip

─ _{HTTP Caching} ─ _{SSL Termination}

●

_Results

─ _{CPU Reduction Per Domino Server.} ─ _{Faster Response time from Server}

Case Study – Reverse Proxy using BIG-IP LTM

© 2011 IBM Corporation 51

BIG-IP LTM and Domino Performance Results

CPU by

28%

Per Domino Server

─ _{CPU by 28% Per Domino Server} ─ _{Reponse Time by 75%}

F5 Networks & Lotus iNotes Collaboration

●

_{Working with F5 we have developed a simpler way to deploy iNotes securely to}

the Cloud

●

_{The iRule that was developed find the user mail file replicas across clusters and}

routes the user to the least loaded servers

●

We have added changes in IWAredir.nsf return x-header with cluster, and

replica server lists.

─ _{This can be used by any High Availability / Reverse Proxy that can parse response}

headers.

●

iRule Configuration Requirements.

─ _{BIG-IP LTM Configuration}

– _{Add All Domino Servers into a Pool}

– _{Configure HTTP Profile for Best performance.}

© 2011 IBM Corporation 53

IBM's Deployment of the iRule

Load balancing, failover, caching, GZIP

and terminating SSL

URL masking

All available mail servers share the load on forms.nsf and the other data

“Spraying”

mail/user1.nsf mail/user1.nsf

Domino Cluster 1 Domino Cluster 2

Domino Cluster 4 Domino Cluster 3

mail/user2.nsf mail/user2.nsf

Conclusion – Key take away points

_{Improved Scalability}

_{More Flexibility}

Better Performance

High Availability

Enhanced Security

© 2011 IBM Corporation 55

Related Information and Resources

●



_{Achieving high availability with IBM Lotus iNotes}

─

_{http://www.ibm.com/developerworks/lotus/library/inotes-avail/index.html}

●

_{IBM Websphere Edge Components Infocenter}

─ _{http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?}

topic=/com.ibm.websphere.edge.doc/welcome.html

●

F5 Networks

─ http://www.f5.com/products/big-ip/

─ _{Deploying the F5 BIG-IP LTM with IBM Lotus iNotes}

– _{http://www.f5.com/pdf/deployment-guides/f5-ibm-inotes-dg.pdf}

●

_Apache

─ _{Reverse Proxy Tutorial}

– _{http://www.apachetutor.org/admin/reverseproxies}

─ _{Module lists and descriptions}

– _{http://httpd.apache.org/docs/2.2/mod/}

─ _{Open SSL configuration steps}

Lotus iNotes References

●Lotus iNotes – http://www.ibm.com/lotus/inotes

─ _{Feature matrix, product overview and collateral}

●_{Lotus iNotes area within Notes & Domino Wiki – http://www-10.lotus.com/ldd/dominowiki.nsf}

●_{Lotus Developer Domain – http://www.lotus.com/ldd}

─ _{Lotus iNotes 8.5 Articles}

– _{http://www.ibm.com/developerworks/lotus/library/inotes-full/}

─ _{Lotus Domino Web Access Performance papers}

– _{http://www.ibm.com/developerworks/lotus/library/domino85-inotes/}

●_{Support & Fix Central}

─ _{Tech Notes -- http://www.ibm.com/developerworks/lotus/support/}

─ _{Fix Central -- http://www-933.ibm.com/support/fixcentral/}

●_{IBM Lotus Greenhouse – http://greenhouse.lotus.com}

© 2011 IBM Corporation 57

Related Sessions

●

_{AD108: IBM Lotus iNotes Customization: Make Lotus iNotes Your Own!}

●

ID204: What's New in IBM Lotus iNotes 8.5.2 - and Beyond

●

SHOW108: Extending IBM Lotus Notes, Lotus iNotes, Lotus Symphony, and

Lotus Sametime Connect with Widgets, Policies, Plug-ins and APIs

●

_{ID201: What's New in IBM Lotus Notes 8.5.2 - and Beyond}

●

_{ID102: Best Practices for Upgrading to IBM Lotus Notes and Domino Servers to}

Q & A

© 2011 IBM Corporation 59

Legal Disclaimer

© IBM Corporation 2011. All Rights Reserved.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any

warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.

Apache is a registered trademark of The Apache Software Foundation in the United States, other countries, or both.

Big-IP, Load Traffic Manager are trademarks or registered trademarks of F5 Networks or its subsidiaries in the United States and other countries. Infoware Solutions is a registered trademark of Infoware Solutions in the Sweden, other countries, or both.