System architecture

This topic describes the system architecture for HCL Nomad for web browsers, iOS, and Android.

Web

HCL Nomad for web browsers consists of multiple components, including HTML, JS, WASM, NTF, NSF and INI files. These static files must be served by an HTTP server via HTTPS.

HCL Nomad for web browsers communicates with HCL Domino servers via NRPC, but the only network transport available from a WebAssembly container is WebSocket Secure (WSS). For security reasons, the WSS connection must go to the same site as the HTTPS connection that served the application. Therefore, HCL Nomad for web browsers tunnels NRPC over WSS to a Nomad server (either Nomad server on Domino or an HCL SafeLinx server configured as a Nomad server) that handles both the HTTPS and the WSS communication.

For the NRPC traffic, HCL Nomad for web browsers wraps the NRPC request in WSS and sends it to the Nomad server, starting out as an HTTPS request (on port 443 by default) and using an HTTP 101 response code to upgrade the protocol to WebSockets. The Nomad server unwraps the received WSS frames to obtain the NRPC, identifies the target HCL Domino server, and relays the NRPC to that Domino server (on port 1352 by default). When the Nomad server receives the NRPC response, it wraps the response in WSS and returns it to HCL Nomad for web browsers.
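The upgrade step of that tunnel, as an added example that is not HCL's code: it builds the client's upgrade request to the Nomad server, validates the server's 101 response using the RFC 6455 accept-key rule, and applies the same-site requirement from the previous paragraph. The host names, paths and messages are constructed; the NRPC framing carried inside the WebSocket is not shown because this page does not document it.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlparse

# RFC 6455 GUID appended to the client key when computing Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def same_site(https_origin: str, wss_url: str) -> bool:
    """Conservative reading of the same-site rule: the WSS endpoint must use the
    same host and port as the HTTPS origin that served the static files."""
    o, w = urlparse(https_origin), urlparse(wss_url)
    return (o.scheme == "https" and w.scheme == "wss"
            and o.hostname == w.hostname and (o.port or 443) == (w.port or 443))


def new_client_key() -> str:
    """Fresh 16-byte nonce, base64-encoded, as Sec-WebSocket-Key."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept the server must return for a given Sec-WebSocket-Key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(wss_url: str, client_key: str) -> str:
    """Client side: the HTTPS request (port 443 by default) asking to upgrade."""
    u = urlparse(wss_url)
    host = u.hostname if u.port in (None, 443) else f"{u.hostname}:{u.port}"
    return (f"GET {u.path or '/'} HTTP/1.1\r\nHost: {host}\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Key: {client_key}\r\nSec-WebSocket-Version: 13\r\n\r\n")


def validate_upgrade_response(raw: str, client_key: str) -> bool:
    """Client side: treat the connection as a tunnel only if the server answered
    101 and echoed the correct accept key; a 200 page or a proxy's 403 is not one."""
    head, _, _ = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 101"):
        return False
    hdrs = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines)}
    return (hdrs.get("upgrade", "").lower() == "websocket"
            and "upgrade" in hdrs.get("connection", "").lower()
            and hdrs.get("sec-websocket-accept") == accept_key(client_key))
```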

Because HCL Nomad for web browsers and Domino servers are communicating via NRPC at the end points, Domino clustering and failover function as they do for other NRPC-based clients.

In the browser, all of the code runs inside the JavaScript engine. The static resources are cached locally, and HCL Nomad uses IndexedDB or the Origin Private File System for local storage as needed.

Nomad server on Domino

Static files served over HTTPS are always served locally by the Nomad server on Domino.

Because the Nomad server is running on Domino, the information needed to configure Nomad is obtained through local lookups, so LDAP calls to Domino are not necessary.

The following diagram is a sample architecture:

Note: The Nomad server on Domino does not authenticate the HTTP flows, which are used primarily for the "Nomad for web browsers' static files", as there is nothing confidential to a user or the company in those files. The NRPC traffic over WSS is authenticated at the NRPC level as NRPC always has been, but HTTP authentication, if desired, must be achieved through the optional "WSS & HTTP Proxy" where the HTTP authentication options are based on the options that the proxy provides (SAML, MFA, etc.).

SafeLinx as the Nomad server

Static files served over HTTPS can be served locally by the Nomad server or hosted on a number of HTTP servers (Domino, CloudFront, NGINX, CDN, etc.).

SafeLinx uses LDAP calls to Domino to retrieve information necessary for Nomad to be configured (user name, server name, etc.).

The following diagram is a sample architecture:

Note: Other infrastructure, such as a VPN, may be inserted between the browser and SafeLinx, but SafeLinx must be present between the browser and both the Nomad for web browsers static resources and the Domino servers.

Note: Depending on which network zone you choose to deploy SafeLinx into, you may want to select different SafeLinx authentication options (single factor, multi-factor, etc.). For the "HTTP Authentication (various)" options, see Adding authentication profiles in the SafeLinx documentation.

Mobile

HCL Nomad for iOS and Android have a system architecture similar to that of HCL Nomad for web browsers. The following list describes the differences between mobile and web:
  • For mobile, the client is a native application on the device and is not related to the browser.
  • The NRPC communications are not restricted to WSS, so the mobile client may use either NRPC directly to the Domino servers (often requiring a VPN or other access to the Domino servers) or NRPC wrapped in WSS through the Nomad server to the Domino servers.
  • The "Nomad for web browsers' static files" are not applicable to mobile.
  • SAML is supported on mobile for authentication but not for Nomad Federated Login.