Extending web chat to external clients and mobile users

To set up Sametime® Communicate for external users, you must host the Sametime Proxy Server in the DMZ, either in a stand-alone cell or as a managed node that is part of the internal cell. All other servers can stay behind the firewall in the intranet.

You must decide whether the Sametime Proxy Server will be in its own stand-alone cell or part of the internal cell. The two options provide the same functionality; they differ only in the deployment model and in how the Sametime Proxy Server node is managed.

For iOS users, access to DB2® is required for message storage. Network access to the Apple Push Notification Service (APNS) is also required. The Sametime System Console is required for policy management and the DB2 license; deployment without the Sametime System Console is not recommended. Android users require access to Google Cloud Messaging.

Stand-alone cell deployment

If you decide to deploy the Sametime Proxy Server in a stand-alone cell, choose the Cell option when deploying the Sametime Proxy Server using the Sametime System Console. Installation will include its own Deployment Manager and Integrated Solutions Console for local WebSphere® Application Server administration. A stand-alone cell has no communication with the internal Sametime cell from a WebSphere Application Server perspective.

The following graphic shows Sametime components deployed in the intranet and DMZ. The following servers are deployed in the intranet:
  • LDAP
  • DB2
  • Sametime Community Server
  • Sametime System Console
  • Media Manager
    • Conference Manager
    • Video Manager
    • Video MCU
    • SIP Proxy Registrar
The following server is deployed in the DMZ:
  • Sametime Proxy Server
The red line in the graphic represents the internal client's connection for chat.
The following protocols and port numbers are used between the components:
  • Community Server in the intranet and Sametime Proxy Server in the DMZ: TCP 1516
  • LDAP and Media Manager: TCP 389 or 636
  • Community Server and Media Manager: TCP 1516
  • DB2 in the intranet and Sametime Proxy Server and Sametime Meeting Server in the extranet: TCP 50000 or 50001
  • Internal client and Community Server: VP (Virtual Places protocol) on TCP 1533
  • Internal client and Meeting Server: TCP 80 or 443
  • Internal client and Sametime Proxy Server: TCP 80 or 443
  • Internal client and Media Manager in the intranet:
    • TCP 5060
    • UDP outbound 42000 to 43000 (audio)
    • UDP outbound 46001 to 47000 (video)
    • UDP inbound 42000 to 43000 (audio)
    • UDP inbound 46000 to 47000 (video)

Sametime Proxy Server in a stand-alone cell in the DMZ
Communication to and from the Sametime System Console takes place as follows:
  • Over the SOAP protocol for administration of Sametime Proxy Server features from the Sametime System Console
  • Over HTTP for installation and upgrades to the Sametime System Console
Ports to open from the DMZ to internal network:
  • 9080/9443 to the Sametime System Console for installation and registration
  • 1516 to your Community Servers for server traffic
  • 389/636 to LDAP (optional)
  • 50000/50001 to DB2 for iOS message storage
Ports to open to the Internet:
  • 2195/2196 for APNS traffic
Ports to open to the Sametime Proxy Server from the Internet:
  • 9080/9443 for Web traffic (configurable)

Managed node deployment

You can deploy the Sametime Proxy Server as a managed node that is part of the internal cell. At installation, choose Primary Node if you are installing the first server, or Secondary Node if you are adding a cluster member. This deployment uses the Sametime System Console for WebSphere Application Server administration, and the node is part of the internal cell from a WebSphere Application Server perspective.

Communication to and from the Sametime System Console takes place as follows:
  • Over the SOAP protocol for administration of Sametime Proxy Server features from the Sametime System Console
  • Over HTTP for installation and upgrades to the Sametime System Console
Ports to open from the DMZ to internal network:
  • 9080/9443/8701/8703 to the Sametime System Console for installation and registration
  • 1516 to your Community Servers for server traffic
  • 389/636 to LDAP (required)
  • 50000/50001 to DB2 for iOS message storage
  • WebSphere ports
Ports to open to the Internet:
  • 2195/2196 for APNS traffic
Ports to open to the Sametime Proxy Server from the Internet:
  • 9080/9443 for Web traffic (configurable)
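A practical way to verify the firewall openings listed for both the stand-alone cell and the managed node deployment is to probe each required TCP target from the Sametime Proxy Server itself before registering it. The script below is an added example and not IBM's code: it encodes the two port lists above as rules (either-port groups such as 389/636 pass if one port answers), attempts a TCP handshake to each target, and reports which required openings are blocked. Host names in the `hosts` dictionary are placeholders, the treatment of 8701/8703 as both-required is an assumption, and the loopback helpers exist only so the check can be dry-run offline.

```python
"""Firewall reachability check for a Sametime Proxy Server in the DMZ.

Added example (not IBM's code): encodes the port lists above as rules and
probes each TCP target from the host it runs on, i.e. the Sametime Proxy
Server. Host names are placeholders to replace with your own.
"""
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    purpose: str
    host: str
    ports: Tuple[int, ...]
    required: bool = True      # False: the page marks this opening optional
    all_ports: bool = False    # True: every listed port must answer, not just one


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Complete a TCP handshake to host:port within timeout.

    Proves only that the firewall passes the SYN and something is listening;
    it says nothing about TLS or the application protocol behind the port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable, unreachable
        return False


def check_rules(rules: Iterable[Rule], timeout: float = 3.0) -> Dict[str, dict]:
    """Probe every rule and return a per-rule report keyed by purpose."""
    report = {}
    for rule in rules:
        per_port = {p: tcp_reachable(rule.host, p, timeout) for p in rule.ports}
        hits = per_port.values()
        satisfied = all(hits) if rule.all_ports else any(hits)
        report[rule.purpose] = {
            "host": rule.host,
            "ports": per_port,
            "satisfied": satisfied,
            "blocking": rule.required and not satisfied,
        }
    return report


def blocking_failures(report: Dict[str, dict]) -> List[str]:
    """Purposes whose required opening could not be reached."""
    return [name for name, r in report.items() if r["blocking"]]


def proxy_rules(managed_node: bool, hosts: Dict[str, str]) -> List[Rule]:
    """Rules for a Sametime Proxy Server in the DMZ, following the lists above.

    `hosts` maps the logical names used here to real host names.
    """
    rules = [
        Rule("System Console HTTP(S): install/registration",
             hosts["console"], (9080, 9443)),
        Rule("Community Server traffic", hosts["community"], (1516,)),
        # Optional in a stand-alone cell, required for a managed node.
        Rule("LDAP", hosts["ldap"], (389, 636), required=managed_node),
        Rule("DB2: iOS message storage", hosts["db2"], (50000, 50001)),
        # Outbound to Apple for push notifications.
        Rule("APNS", hosts["apns"], (2195, 2196)),
    ]
    if managed_node:
        # Assumption: both node-management ports must pass, not one or the other.
        rules.append(Rule("System Console node management ports",
                          hosts["console"], (8701, 8703), all_ports=True))
    return rules


def local_listener() -> Tuple[socket.socket, int]:
    """Open a loopback listener on an ephemeral port for an offline dry run."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_local_port() -> int:
    """Reserve and release a loopback port so that a probe to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Placeholder host names (assumption); replace with your intranet hosts
    # and the APNS gateway host your Sametime release uses.
    hosts = {"console": "stconsole.example.com", "community": "stcommunity.example.com",
             "ldap": "ldap.example.com", "db2": "db2.example.com", "apns": "apns.example.com"}
    report = check_rules(proxy_rules(managed_node=False, hosts=hosts))
    for purpose, r in report.items():
        state = "OK  " if r["satisfied"] else ("FAIL" if r["blocking"] else "warn")
        print(f"{state} {purpose} -> {r['host']} {r['ports']}")
    raise SystemExit(1 if blocking_failures(report) else 0)
```

Run it on the proxy host after the firewall rules are in place; a non-zero exit means at least one required opening is still blocked. An optional target such as LDAP in the stand-alone cell is reported as a warning rather than a failure. The check deliberately stops at the TCP handshake, so a passing result still needs the SSL/TLS and credential configuration on each link to be verified separately.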

The following diagram shows a Sametime Proxy Server deployed in the DMZ to support browser and mobile clients for external users. The red line indicates how internal users would access Sametime using a browser.


Sametime Proxy Server in the DMZ as a managed node