Using a Domino® pass-through server as a proxy

A proxy is a system that understands the type of information transmitted -- for example, NRPC or HTTP-format information -- and controls the information flow between trusted and untrusted clients and servers. A proxy communicates on behalf of the requester and also communicates information back to the requester. A proxy can provide detailed logging information about the client requesting the information and the information that was transmitted. It can also cache information so requesters can quickly retrieve information again.

About this task

A proxy stops direct access from an untrusted network to services on a trusted network. If an application proxy is in use, then application-specific heuristics can be applied to look at the connections from the untrusted networks and determine if what is being requested is legal or safe.

An application proxy resides in the actual server application and acts as an intermediary that communicates on behalf of the requester. An application proxy works the same as a packet filter, except the application proxy delivers the packet to the destination. An application proxy can be used with any protocol, but it is designed to work with one application. For example, an SMTP proxy understands only SMTP.

A circuit-level proxy is similar to an application proxy, except that it does not need to understand the type of information being transmitted. For example, a SOCKS server can act as a circuit-level proxy. You can use a circuit-level proxy to communicate using Internet protocols with TCP/IP -- that is, IMAP, LDAP, POP3, SMTP, IIOP, and HTTP, as well as Internet protocols secured with SSL.

HTTP is a special case. In Domino®, when the HTTP Connect method is used by an HTTP proxy, applications using other protocols can also use the HTTP proxy, but they use it as a circuit-level proxy, not as an application proxy. SSL uses the HTTP Connect method to get through an application proxy because the data is encrypted and the application proxy cannot read the data. HTTPS (HTTP and SSL) uses both the HTTP proxy and the Connect method, which implies that the HTTP proxy is a circuit-level proxy for HTTPS. The same method is used to get NRPC, IMAP, and other protocols through the HTTP proxy.
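The difference between the two modes, shown as an added example that is not part of the original documentation or of Domino®: for an ordinary request the proxy can read the URL and content, but for a Connect request it sees only the destination host and port, so that pair is the only thing a policy can be enforced on. The host names, the allowlist, and the function names are hypothetical; 1352 is the registered NRPC port.

```python
from dataclasses import dataclass

# Constructed policy (assumption): placeholder hosts; 1352 is the registered NRPC port.
TUNNEL_ALLOWLIST = {
    ("domino.example.com", 1352),   # NRPC tunneled through the HTTP proxy
    ("mail.example.com", 993),      # IMAP secured with SSL
    ("www.example.com", 443),       # HTTPS
}

@dataclass
class Decision:
    mode: str       # "application", "circuit", or "none"
    allowed: bool
    reason: str

def parse_authority(target):
    """Split the 'host:port' target of a CONNECT request; None if malformed."""
    host, sep, port = target.rpartition(":")
    if not (sep and host and port.isascii() and port.isdigit()):
        return None
    return (host.lower().rstrip("."), int(port)) if 1 <= int(port) <= 65535 else None

def classify(request_line):
    """Decide how an HTTP proxy can treat one request line."""
    parts = request_line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return Decision("none", False, "malformed request line")
    method, target, _ = parts
    if method != "CONNECT":
        # Application proxy: URL, headers and body are readable and can be checked.
        return Decision("application", True, "content can be inspected")
    dest = parse_authority(target)
    if dest is None:
        return Decision("circuit", False, "CONNECT target is not host:port")
    if dest not in TUNNEL_ALLOWLIST:
        return Decision("circuit", False, f"{dest[0]}:{dest[1]} not in allowlist")
    # Circuit-level proxy: from here on the proxy only relays opaque bytes.
    return Decision("circuit", True, "tunnel permitted; payload not inspected")

# Constructed sample request lines.
SAMPLES = [
    "GET http://www.example.com/index.html HTTP/1.1",
    "CONNECT domino.example.com:1352 HTTP/1.1",
    "CONNECT www.example.com:22 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", classify(line))
```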

You can set up a Domino® pass-through server as an application proxy for NRPC. A pass-through server provides all levels of Notes® and Domino® security while allowing clients who use dissimilar protocols to communicate through a single Domino® server. However, the application proxy does not allow Internet protocols -- for example, HTTP, IMAP, and LDAP -- to use a Domino® pass-through server to communicate. For Internet protocols, you can use an HTTP proxy with the HTTP Connect method to act as a circuit-level proxy.

A Notes® client or Domino® server can also act as a proxy client, either through pass-through (NRPC protocol only) or as a SOCKS or HTTP tunnel client (for NRPC, POP3, LDAP, IMAP, and SMTP protocols). You set this up in the Proxy setting in the client Location document.

To set up a Domino® pass-through server as an application proxy

About this task

When you set up an application proxy, make sure the following Domain Name System (DNS) services are correctly configured:

  • The databases db.DOMAIN and db.ADDR, which DNS uses to map host names to IP addresses, must contain the correct host names and addresses.
  • Hosts files must contain the fully qualified domain name of the servers.

If you are using the Network Information Service (NIS), you must use the fully qualified domain name and make sure NIS can coexist with DNS.

You must first connect the server to the untrusted network -- for example, the Internet -- and then set up Notes® workstations and Domino® servers to use the pass-through server as a proxy when accessing services outside the trusted network.

To set up a workstation or server to use the pass-through server, you must specify the pass-through server in the Location document for a workstation and in the Server document for a server.