Deploying servers in the DMZ

Deploying all servers in the DMZ is a valid option for small, highly secure deployments when hardware is limited.

Deploying IBM® Sametime® servers outside the internal firewall, but still separated from the Internet with a DMZ firewall, is a valid option for small, highly secure deployments. The advantages of this deployment are that it keeps critical services such as LDAP services and IBM DB2® Server behind the internal firewall while requiring fewer computers.

Disadvantages of deploying servers outside the internal firewall are that Sametime services are more easily exposed to the Internet and there is no separation between internal and external meetings.

Ports to open from internal and external clients:
  • HTTPS to the Sametime Media Manager and Sametime Proxy Server
  • SIPS ports to Media Manager, and UDP ports to Sametime Video Manager
  • Sametime Community Server (1533) for internal clients
Ports to open to internally hosted servers:
  • LDAP (389/636)
  • DB2 (50000/50001)

The Sametime System Console deployed in the DMZ can be in the same cell as the Meeting Server, Media Manager, and Sametime Proxy Server. The Sametime System Console can also serve as the Deployment Manager for any other Sametime servers hosted in the DMZ (with the exception of the Video Manager and Sametime Video MCU). Hosting a Sametime Proxy Server in the DMZ enables the awareness feature for external users who attend meetings.

Clients inside a company usually must pass through a Network Address Translator (NAT) to reach the Internet, and users who work from a home office usually must pass through a NAT-enabled router. If your users must pass through NAT or a firewall, and you want them to access audio and video, then you need to deploy a Sametime TURN Server. A TURN Server is required when direct peer-to-peer communications are not possible.

If using a TURN Server, open a UDP port range between internal clients and the Media Manager and between the Media Manager and the TURN Server for clients that use audio/video.

Note: If a client is behind an HTTP Proxy Server and access to the Internet is only allowed using Port 80 HTTP or 443 SSL, then Sametime cannot support audio/video. See Planning a Sametime TURN Server deployment for more information.

The graphic that follows shows how you can create a secure deployment of voice and video services outside the intranet for external, anonymous access.

The following components are deployed in the intranet:
  • LDAP server
  • DB2 server
  • Internal clients
The following components in the graphic are deployed in the DMZ:
  • Sametime System Console
  • Sametime Proxy Server
  • Sametime Community Server
  • Sametime Meeting Server
  • Sametime TURN Server
  • IBM SIP Edge Proxy Server
  • Sametime Media Manager:
    • SIP Proxy/Registrar
    • Conference Manager
    • Video Manager
    • Video MCU
The following components in the graphic are deployed in the Internet:
  • Apple Push Notification Server
  • Google Connection Server
  • External clients
The following protocols and port numbers are used between the components:
  • LDAP server and Sametime Media Manager: TCP 389 or TCP 636
  • DB2 server and Sametime Proxy Server, Sametime Meeting Server: TCP 50000 or 50001
  • Sametime Community Server and Sametime Proxy Server, Sametime Media Manager: TCP 1516
  • Internal clients

    Internal clients communicate in A/V sessions with external and mobile users by connecting to the following servers:

    • Sametime Community Server: VP 1533
    • Sametime Meeting Server: TCP 80 or 443
    • Sametime Proxy Server: TCP 80 or 443 (for Apple Push Notifications Server), TCP 443 (for Google Connection Server)
    • Sametime Video MCU (for A/V conferences): UDP 49152-59151
  • External clients

    External clients and mobile users connect to A/V meetings through the SIP Edge Proxy Server. External clients and mobile users communicate with internal clients by connecting to the following servers:

    • Sametime Proxy Server, Sametime Meeting Server: TCP 80 or 443
    • Sametime TURN Server: TCP or UDP 3478
Graphic: All Sametime servers in the DMZ
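As an added example that is not part of the IBM documentation, the flow matrix above can be encoded as an allow-list and used to audit a candidate firewall rule set before it is applied; the zone and component labels are this example's own, the Community Server port is modelled as TCP, and the candidate rules are constructed.

```python
# Added example (not IBM's code): encodes the flows this page lists as an
# allow-list and audits candidate firewall rules against it. Zone/component
# names are this example's labels; ports and directions come from the page.
INTRANET, DMZ, INTERNET = "intranet", "dmz", "internet"
ZONE = {"ldap": INTRANET, "db2": INTRANET, "community": DMZ, "proxy": DMZ,  # per page
        "meeting": DMZ, "media_manager": DMZ, "video_mcu": DMZ, "turn": DMZ}

# Documented flows: (source zone, destination component, protocol, ports).
ALLOWED = [
    (INTRANET, "community", "tcp", {1533}),              # VP protocol; TCP assumed
    (INTRANET, "meeting",   "tcp", {80, 443}),
    (INTRANET, "proxy",     "tcp", {80, 443}),
    (INTRANET, "video_mcu", "udp", range(49152, 59152)), # A/V media 49152-59151
    (INTERNET, "meeting",   "tcp", {80, 443}),
    (INTERNET, "proxy",     "tcp", {80, 443}),
    (INTERNET, "turn",      "tcp", {3478}),
    (INTERNET, "turn",      "udp", {3478}),
    (DMZ,      "ldap",      "tcp", {389, 636}),          # Media Manager -> LDAP
    (DMZ,      "db2",       "tcp", {50000, 50001}),      # Proxy/Meeting -> DB2
    (DMZ,      "community", "tcp", {1516}),              # Proxy/Media Mgr -> Community
]

def classify(src_zone, dst, proto, port):
    """Return 'allow' if the rule matches a documented flow, else a deny reason."""
    if dst not in ZONE:
        return f"deny: unknown component {dst!r}"
    if ZONE[dst] == INTRANET and src_zone == INTERNET:
        # LDAP and DB2 are exactly what this layout keeps behind the inner firewall.
        return "deny: critical service must stay behind the internal firewall"
    for s, d, p, ports in ALLOWED:
        if (s, d, p) == (src_zone, dst, proto.lower()) and port in ports:
            return "allow"
    return "deny: not in the documented flow matrix"

def audit(rules):
    """Return (rule, reason) for every candidate rule that is not a documented flow."""
    return [(r, why) for r in rules for why in [classify(*r)] if why != "allow"]

# Constructed candidate rule set for the audit (not taken from the page).
CANDIDATE_RULES = [
    (INTERNET, "proxy",     "tcp", 443),
    (INTRANET, "video_mcu", "udp", 50000),
    (INTERNET, "ldap",      "tcp", 389),    # would expose the directory to the Internet
    (INTERNET, "video_mcu", "udp", 50000),  # external A/V goes via SIP Edge / TURN
    (DMZ,      "db2",       "tcp", 50000),
    (INTRANET, "video_mcu", "udp", 60000),  # outside the documented media range
]
if __name__ == "__main__":
    for rule, reason in audit(CANDIDATE_RULES):
        print(rule, "->", reason)
```

Running the audit prints only the three rules that fall outside the documented matrix, with the LDAP exposure called out separately because it defeats the purpose of the design.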