Securing connections between the Sametime servers and clients

There are several connection methods to connect to the Sametime server. This topic includes the steps to encrypt connections between the desktop clients and the Sametime server using TLS.

Before you begin

You must configure the sametime.ini settings, either at the global or individual TLS scope.

About this task

To implement the use of TLS, the clients must have the Direct connection using TLS connection option enabled. This setting is under Preferences > Server Communities > Global Connection Settings. Client preferences can be pushed from the server using Managed Settings.

When you enable TLS for the Sametime server connections, TLS version 1.2 is used by default. SSLv3 and TLSv1 have security vulnerabilities and should not be used.

To configure the connection between the Sametime server and clients, there are two tasks that must be completed:
  • Configure the encryption settings.
  • Configure the client settings to support a direct connection with TLS.

Sametime can be configured to allow legacy encryption along with TLS encryption (both enabled), or strict TLS, where only TLS encrypted connections are allowed. This is handled in the CommunityServices document in stconfig.nsf. The Sametime Mux can listen for both TLS and legacy encrypted connections on the same port number, so there is no need for a unique port for the TLS encrypted connections; they can also use port 1533. The port number can be changed if desired.

For details on configuring the encryption settings, follow the instructions in one of the following topics.

After securing the Mux port, the connection preferences must be changed in the client. There are three methods to set the client connection preferences.
  • Push the setting to users in the managed-community-configs.xml file, which is a good option for clients that are already deployed and in use.
  • Use the plugin_customization.ini file which can be configured and included with the installation package.
  • Manually configure the settings as described in the following steps.

Procedure

  1. From the Sametime Connect Client, click File > Preferences.

    • To select this connection method for all server communities, click Server Communities. In the Global connection settings section, click Direct connection using TLS > OK.
    • To select this connection method for only one server community, click Server Communities, select the server community name, and open the Connection tab. Uncheck Use global connection settings, then click Direct connection using TLS. Click OK to close the Preferences window.