Extending meetings to external clients and mobile users

How to plan for separated internal and external meetings, external access to internal meetings, and both. Includes server and port requirements, and topology diagrams.

Network considerations

If you will be supporting the use of LiveNames in your IBM® Sametime® deployment, you should deploy all Sametime Meeting Servers, Sametime Proxy Servers, and Sametime Advanced Servers within the same subnet. It is suggested that you configure the IBM WebSphere® Application Server with a single subnet for network traffic. You can use one network interface card on a physical computer or logical partition. You can also reference a single Domain Name System (DNS) server in the network configuration for the physical computer or logical partition.

Options to consider

When you want to invite external people to your internal meetings, you have three deployment options:
  • Separated internal and external meetings
  • Allowing external access to internal meetings
  • Both
When extending meetings to the extranet, keep in mind the following security concerns:
  • Access to DB2® from the DMZ
  • Access to LDAP from the DMZ
  • TLS/SSL encryption is recommended for all scenarios
  • If you allow external access to internal meetings, you should consider authentication, meeting passwords, and document upload restrictions.

Separated internal and external meetings

Separated internal and external meetings means that you have one Sametime Meeting Server in the intranet (to support internal users) and another Sametime Meeting Server in the DMZ (to support external users). Deploy the Meeting Server in the DMZ as a stand-alone cell with its own Deployment Manager and Integrated Solutions Console for local administration of that cell. External Meeting Servers communicate with the Sametime System Console as follows:
  • Over HTTP for administration of Meeting features (from System Console)
  • Over HTTP for installation and upgrades (to the System Console)

When deploying the Sametime Meeting Server using the Sametime System Console, choose the Cell option.

Ports to open from the DMZ to the internal network:
  • 9080/9443 to the System Console for installation and registration
  • 389/636 to LDAP
  • 50000/50001 to DB2 for Meeting data storage
Use a separate DB2 database for external meetings.
Ports to open in the internal firewall to allow internal users to reach the external Sametime Meeting Server from the internal network:
  • 9080/9443 for web traffic (configurable)
  • 80/443 if you choose to deploy a WebSphere HTTP proxy server in front of a cluster of Meeting Servers
The following diagram shows separate Meeting Server cells: an internal Meeting Server in the intranet and an external Meeting Server, deployed as a stand-alone cell, in the DMZ. The following servers are deployed in the intranet:
  • LDAP
  • DB2
  • Sametime Community Server
  • Sametime Meeting Server (Internal)
  • Sametime System Console
  • Sametime Media Manager
    • Conference Manager
    • Video Manager
    • Video MCU
    • SIP Proxy/Registrar
The following servers are deployed in the DMZ:
  • Sametime Proxy Server
  • Sametime Meeting Server (External)
The following protocols and port numbers are used between the components:
  • Sametime Community Server in the intranet to Sametime Proxy Server in the DMZ: TCP 1516
  • LDAP and Sametime Media Manager: TCP 389 or 636
  • Sametime Community Server and Sametime Media Manager: TCP 1516
  • DB2 in the intranet, and Sametime Proxy Server and Sametime Meeting Server in the DMZ: TCP 50000 or 50001
  • Sametime Proxy Server to the Apple Push Notification Server: 80 or 443
  • Sametime Proxy Server to the Google Connection Server: 443
  • Internal client and Sametime Community Server: VP 1533
  • Internal client and Sametime Meeting Server: TCP 80 or 443
  • Internal client and Sametime Proxy Server: TCP 80 or 443 (443 only for Google Connection Server)
  • Internal client and Sametime Media Manager in the intranet:
    • TCP 5060
    • UDP 40000 to 49999 (starting with Sametime 9 GA, until the OpenSSL Security Bulletin released in September 2015)
    • UDP 49152 to 59151 (starting with the OpenSSL Security Bulletin released in September 2015)

Deploy separate Meeting Server cells to host separate internal and external meetings

External access to internal meetings

Deploy a WebSphere HTTP proxy server in the DMZ. Use the Sametime System Console for administration. The Sametime Proxy Server and the Meeting Server are part of the cell that the System Console manages. Communication with the Sametime System Console is over HTTP for installation and upgrades. The WebSphere HTTP proxy server routes HTTP traffic to the internal Meeting Server nodes over the Web Container ports.

When planning the deployment using the Sametime System Console, choose the Secondary Node option. After installation, the Application Server will be removed and you can create a WebSphere HTTP proxy server on that node.

Ports to open from the DMZ to the internal network:
  • 9080/9443/8701/8703 to the Sametime System Console for installation and registration
  • 389/636 to LDAP (required)
  • WebSphere key ports
  • Web Container ports to the internal Sametime Meeting Server nodes

Ports to open to the WebSphere HTTP proxy server from the Internet: 80/443
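The port lists above for the separated-meetings option and for external access to internal meetings (and the "both" option, which combines them) are the complete set of flows the page opens through the internal firewall; everything else stays denied, and where a plaintext and a TLS port are listed as a pair, the page's recommendation to use TLS/SSL in all scenarios means only the TLS member needs to be opened. The following Python is an added example, not IBM Sametime code or a configuration the page supplies: it encodes those tables as a least-privilege policy, checks a candidate flow against it, strips the plaintext member of each port pair, and renders nftables rules. The host role names (ext-meeting, http-proxy, system-console, ldap, db2, int-meeting, int-client), the option names, the $ROLE address-set variables, and the assumption that the Web Container ports are the 9080/9443 defaults are all illustrative assumptions.

```python
"""Least-privilege firewall model for the DMZ <-> intranet flows listed on this page.

Added example, not IBM Sametime code. Role names, option names and the nftables
$VARIABLE placeholders are assumptions made for illustration.
"""
from dataclasses import dataclass

# Plaintext port -> TLS counterpart, as the pairs appear in the page's port lists.
TLS_PAIRS = {389: 636, 9080: 9443, 50000: 50001, 80: 443}


@dataclass(frozen=True)
class Flow:
    src: str      # role of the connecting host (assumed role names)
    dst: str      # role of the target host
    proto: str    # "tcp" or "udp"
    port: int
    purpose: str


def _pair(src, dst, plain, tls, purpose):
    """One Flow per member of a plaintext/TLS port pair."""
    return [Flow(src, dst, "tcp", plain, purpose), Flow(src, dst, "tcp", tls, purpose)]


# Flows that cross the internal firewall, per deployment option. Only what the
# page lists is opened; anything not in the table is denied by default.
POLICY = {
    "separated": {                      # external Meeting Server cell in the DMZ
        "dmz-to-intranet":
            _pair("ext-meeting", "system-console", 9080, 9443, "install/registration")
            + _pair("ext-meeting", "ldap", 389, 636, "directory lookups")
            + _pair("ext-meeting", "db2", 50000, 50001, "external meeting data (separate database)"),
        "intranet-to-dmz":
            _pair("int-client", "ext-meeting", 9080, 9443, "web traffic (configurable)")
            + _pair("int-client", "http-proxy", 80, 443, "only with a WebSphere HTTP proxy in front"),
    },
    "external-access": {                # WebSphere HTTP proxy in the DMZ, Meeting Server inside
        "dmz-to-intranet":
            _pair("http-proxy", "system-console", 9080, 9443, "install/registration")
            + [Flow("http-proxy", "system-console", "tcp", p, "install/registration") for p in (8701, 8703)]
            + _pair("http-proxy", "ldap", 389, 636, "directory lookups (required)")
            # Assumption: Web Container ports are the 9080/9443 defaults.
            + _pair("http-proxy", "int-meeting", 9080, 9443, "web container"),
        "intranet-to-dmz": [],
    },
}
# The third option on the page is both of the above combined.
POLICY["both"] = {d: POLICY["separated"][d] + POLICY["external-access"][d]
                  for d in ("dmz-to-intranet", "intranet-to-dmz")}


def is_allowed(option, direction, src, dst, proto, port):
    """True only if the page's table for this option contains exactly this flow."""
    return any(f.src == src and f.dst == dst and f.proto == proto and f.port == port
               for f in POLICY[option][direction])


def harden(flows):
    """Drop the plaintext member of each pair when its TLS counterpart is also listed."""
    present = {(f.src, f.dst, f.port) for f in flows}
    return [f for f in flows
            if not (f.port in TLS_PAIRS and (f.src, f.dst, TLS_PAIRS[f.port]) in present)]


def _var(role):
    """$ROLE placeholder for an address set the operator defines with nft 'define'."""
    return "$" + role.upper().replace("-", "_")


def to_nft(option, direction, tls_only=True):
    """Render the option's flows as nftables accept rules followed by a default drop."""
    flows = harden(POLICY[option][direction]) if tls_only else POLICY[option][direction]
    lines = [f"# {option}: {direction}"]
    for f in flows:
        lines.append(f'ip saddr {_var(f.src)} ip daddr {_var(f.dst)} '
                     f'{f.proto} dport {f.port} accept comment "{f.purpose}"')
    lines.append("drop  # default deny for everything not listed above")
    return "\n".join(lines)


if __name__ == "__main__":
    for opt in POLICY:
        print(to_nft(opt, "dmz-to-intranet"))
        print()
```

Run it to print the hardened DMZ-to-intranet rule list for each option; `is_allowed` is the check to run against any firewall change request, so that a flow such as DB2 from the WebSphere HTTP proxy, which no table on this page lists, is refused rather than quietly added.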

The following diagram shows a WebSphere HTTP proxy server in the DMZ, connecting to the Sametime Meeting Server in the intranet. The following servers are deployed in the intranet:
  • LDAP
  • DB2
  • Sametime Community Server
  • Sametime Meeting Server (Internal)
  • Sametime System Console
  • Sametime Media Manager
    • Conference Manager
    • Video Manager
    • Video MCU
    • SIP Proxy/Registrar
The following servers are deployed in the DMZ:
  • Sametime Proxy Server
  • WebSphere HTTP proxy server
The following protocols and port numbers are used between the components:
  • Sametime Community Server in the intranet to Sametime Proxy Server in the DMZ: TCP 1516
  • WebSphere HTTP proxy server and LDAP: TCP 389 or 636
  • WebSphere HTTP proxy server and Sametime Media Manager: WebSphere transports
  • LDAP and Media Manager: TCP 389 or 636
  • Sametime Community Server and Sametime Media Manager: TCP 1516
  • DB2 in the intranet and Sametime Proxy Server in the DMZ: TCP 50000 or 50001
  • Sametime Proxy Server to the Apple Push Notification Server: 80 or 443
  • Sametime Proxy Server to the Google Connection Server: 443
  • External client and WebSphere HTTP proxy server: TCP 80 or 443
  • External client and Sametime Proxy Server: TCP 80 or 443
  • Internal client and Sametime Community Server: VP 1533
  • Internal client and Sametime Meeting Server: TCP 80 or 443
  • Internal client and Sametime Proxy Server: TCP 80 or 443 (443 only for Google Connection Server)
  • Internal client and Sametime Media Manager in the intranet:
    • TCP 5060
    • UDP 40000 to 49999 (starting with Sametime 9 GA, until the OpenSSL Security Bulletin released in September 2015)
    • UDP 49152 to 59151 (starting with the OpenSSL Security Bulletin released in September 2015)

Deploy internal Meeting Server and allow external users to access internal meetings

Separate internal and external meetings and external users can attend internal meetings

Deploy a Meeting Server, a Sametime Proxy Server, and a WebSphere SIP Proxy Server together in a separate cell in the DMZ, separated from the Community and Meeting services in the internal cell. This option also gives external users access to audio and video capabilities.

The following diagram shows a typical deployment that allows internal and external meetings, where external users can attend internal meetings. The deployment uses a separate cell of meetings in the DMZ, separated from the internal cell.

The following servers are deployed in the intranet:
  • LDAP
  • DB2
  • Sametime Community Server
  • Sametime Meeting Server
  • Sametime System Console
  • Sametime Media Manager
    • Conference Manager
    • Video Manager
    • Video MCU
    • SIP Proxy/Registrar
The following servers are deployed in the DMZ:
  • Sametime Proxy Server
  • Sametime Meeting Server (External)
  • WebSphere HTTP proxy server
The following protocols and port numbers are used between the components:
  • Sametime Community Server in the intranet to Sametime Proxy Server in the DMZ: TCP 1516
  • WebSphere HTTP proxy server and LDAP: TCP 389 or 636
  • WebSphere HTTP proxy server and Sametime Media Manager: WebSphere transports
  • LDAP and Media Manager: TCP 389 or 636
  • Sametime Community Server and Sametime Media Manager: TCP 1516
  • DB2 in the intranet, and Sametime Proxy Server and Sametime Meeting Server in the DMZ: TCP 50000 or 50001
  • Sametime Proxy Server to the Apple Push Notification Server: 80 or 443
  • Sametime Proxy Server to the Google Connection Server: 443
  • External client and WebSphere HTTP proxy server: TCP 80 or 443
  • External client and Sametime Proxy Server: TCP 80 or 443
  • Internal client and Sametime Community Server: VP 1533
  • Internal client and Sametime Meeting Server: TCP 80 or 443
  • Internal client and Sametime Proxy Server: TCP 80 or 443
  • Internal client and Sametime Media Manager in the intranet:
    • TCP 5060
    • UDP 40000 to 49999 (starting with Sametime 9 GA, until the OpenSSL Security Bulletin released in September 2015)
    • UDP 49152 to 59151 (starting with the OpenSSL Security Bulletin released in September 2015)

Deploy internal and external Meeting Servers and allow external users to attend internal meetings