Deploying Sametime Meeting Server to support external users

Starting with version 8.5, the IBM® Sametime® Meeting Server is hosted on IBM WebSphere®. This allows the Meeting Server to take advantage of HTTP communications and follow familiar models used for deploying other WebSphere-based and HTTP-based applications. The new deployment model is simpler than the "classic" Sametime web conference server, which was hosted on IBM Domino® and leveraged proprietary protocols that required opening multiple ports in firewalls so that "invited servers" could access meetings. There is no longer a need for the "invited server" model because all users now access Sametime Meetings by connecting to the same server with HTTP.

Use an external Sametime Meeting Server to allow users within your organization to meet with external users connecting from the Internet. The external Sametime Meeting server is installed outside the inner firewall, in the network DMZ (demilitarized zone). Both internal and external Sametime Meeting client users can access this server anonymously or by authenticating with their LDAP credentials. The following examples show how you can deploy Sametime components to ensure that external users have access to different features. While these deployment scenarios are common, the HTTP-based design of Sametime Meeting Server offers a great deal of flexibility and can be adapted to the deployment models familiar in most environments.

Allow external users to access only Sametime meetings

This deployment scenario exposes a Sametime Meeting Server to the Internet by hosting it in the DMZ. As shown in the image, two firewalls have been configured, defining three security zones. The inner firewall isolates the organization's intranet (the most secure zone), and the outer firewall creates a DMZ between the intranet and the Internet (the least secure zone). The Sametime System Console and the Sametime Proxy Server are deployed on the intranet (protected by inner firewall), while the Meeting Server is deployed in the DMZ (protected by the outer firewall). External users can connect to the Meeting Server from the Internet, but cannot connect to the Sametime System Console for access to other Sametime features; for example, the Sametime Proxy Server's awareness feature is available only to internal users.


Deploy a Sametime Meeting Server in the DMZ to allow external clients to attend meetings.

Typically, you would deploy a Meeting Server as a primary node within the Sametime System Console's cell and use the console to administer the Meeting Server. This topology requires you to deploy the Meeting Server as a separate WebSphere cell (containing its own deployment manager) to ensure that all the necessary administration components are located within the same zone. Creating a separate cell isolates the Meeting Server from other Sametime components, which minimizes the need for opening routes in the firewalls. When prompted to Choose the configuration type while installing the Meeting Server, select Cell (see Guided activity: Preparing to install a Sametime Meeting Server for instructions on installing the Meeting Server). If you cluster multiple Meeting Servers for high availability or failover functionality, install the additional Meeting Server as secondary nodes and then deploy a load balancer in front of the cluster.

To allow users to connect to the Meeting Servers, you will need to open the following routes in the firewalls:
  • Inner firewall
    • IBM DB2® server (port 50000); users require read/write access
    • LDAP server (ports 389 and 636); access is read-only
  • Outer firewall
    • HTTP (port 80) for unsecured access or
    • HTTPS (port 443) for secured access
Note: If internal users are restricted from directly accessing the Internet, you may need to open additional routes or deploy a reverse-proxy server.

Allow external users to access additional Sametime features

An alternative scenario exposes other Sametime services to the Internet by deploying additional Sametime servers, plus the Sametime System Console, in the DMZ. As shown in the image, two firewalls have again been configured, defining three security zones. The inner firewall isolates the organization's intranet (the most secure zone), and the outer firewall creates a DMZ between the intranet and the Internet (the least secure zone). The Sametime System Console is now deployed in the DMZ rather than the intranet zone, so it can be installed into the same cell as the Meeting Server. The System Console can also serve as the deployment manager for any other Sametime servers hosted in the DMZ, so external users can now access the features offered by any Sametime servers that are deployed in the DMZ. For example, hosting a Sametime Proxy Server in the DMZ enables the awareness feature for external users who attend meetings hosted on a Meeting Server that is also deployed in the DMZ.

This topology allows you to manage all Sametime components deployed in the DMZ as a single WebSphere cell, using the Sametime System Console as the deployment manager. Instead of deploying the Meeting Server as its own cell, you would deploy it as a primary node that is administered by the Sametime System Console. When prompted to Choose the configuration type while installing the Meeting Server, select Primary node (see Guided activity: Preparing to install a Sametime Meeting Server for instructions on installing the Meeting Server). If you cluster multiple Meeting Servers for high availability or failover functionality, install the additional Meeting Servers as secondary nodes and then deploy a load balancer in front of the cluster.


Additionally deploy the Sametime System Console to the DMZ to allow external clients to access other Sametime features.

To allow users to connect to the Meeting Servers, you will need to open the following routes in the firewalls:
  • Inner firewall
    • DB2 server (port 50000); users require read/write access
    • LDAP server (ports 389 and 636); access is read-only
    • If you deploy the Sametime Proxy Server(s) in the DMZ as shown in the picture, then you will also need to open port 1516 on the Sametime Proxy Server(s) and the Sametime Community Server(s) to allow them to communicate.
  • Outer firewall
    • HTTP (port 80) for unsecured access or
    • HTTPS (port 443) for secured access
Note: If internal users are restricted from directly accessing the Internet, you may need to open additional routes or deploy a reverse-proxy server.
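The two route lists above (the Meeting-Server-only scenario and the scenario with the System Console and Proxy Server in the DMZ) can be rendered as firewall rule sets. The following POSIX shell script is an added example and is not part of the IBM documentation or the Sametime product: it prints an nftables rule set for each firewall with a default-drop forward policy, opens only the routes the two lists name, and includes an audit function that fails if the Internet-facing rule set would expose any back-end port. The IP addresses are constructed placeholders from the RFC 5737 documentation ranges, and the `with_proxy` and `https_only` switches are assumptions of this example, chosen so that one script covers both scenarios.

```shell
#!/bin/sh
# Added example, not IBM's code: render the documented Sametime DMZ routes
# as nftables rule sets (printed, not applied). Replace the constructed
# placeholder addresses below with your own hosts.

MEETING_SERVER=${MEETING_SERVER:-192.0.2.10}        # DMZ (constructed)
PROXY_SERVER=${PROXY_SERVER:-192.0.2.11}            # DMZ, scenario 2 (constructed)
DB2_SERVER=${DB2_SERVER:-198.51.100.20}             # intranet (constructed)
LDAP_SERVER=${LDAP_SERVER:-198.51.100.30}           # intranet (constructed)
COMMUNITY_SERVER=${COMMUNITY_SERVER:-198.51.100.40} # intranet (constructed)

# gen_inner_rules [yes|no]: inner firewall (DMZ <-> intranet).
# Pass "yes" when a Sametime Proxy Server is also deployed in the DMZ.
gen_inner_rules() {
    with_proxy=${1:-no}
    cat <<EOF
table inet st_inner {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # DB2 (port 50000): the Meeting Server needs read/write access
        ip saddr $MEETING_SERVER ip daddr $DB2_SERVER tcp dport 50000 accept
        # LDAP (389) / LDAPS (636): read-only directory lookups
        ip saddr $MEETING_SERVER ip daddr $LDAP_SERVER tcp dport { 389, 636 } accept
EOF
    if [ "$with_proxy" = yes ]; then
        cat <<EOF
        # Scenario 2: Proxy Server (DMZ) and Community Server (intranet) on 1516
        ip saddr $PROXY_SERVER ip daddr $COMMUNITY_SERVER tcp dport 1516 accept
        ip saddr $COMMUNITY_SERVER ip daddr $PROXY_SERVER tcp dport 1516 accept
EOF
    fi
    cat <<EOF
    }
}
EOF
}

# gen_outer_rules [yes|no]: outer firewall (Internet <-> DMZ).
# Pass "yes" to publish HTTPS only; "no" opens both HTTP and HTTPS.
gen_outer_rules() {
    https_only=${1:-no}
    if [ "$https_only" = yes ]; then
        ports='443'
    else
        ports='{ 80, 443 }'
    fi
    cat <<EOF
table inet st_outer {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # External users reach the Meeting Server over HTTP/HTTPS only
        ip daddr $MEETING_SERVER tcp dport $ports accept
    }
}
EOF
}

# audit_outer_rules [yes|no]: returns 1 if the Internet-facing rule set
# would open any back-end port (DB2, LDAP, or the 1516 Proxy/Community route).
audit_outer_rules() {
    if gen_outer_rules "$1" | grep -Eq 'dport.*(50000|389|636|1516)'; then
        echo "outer firewall exposes a back-end port" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage: sh st_dmz_rules.sh [with_proxy yes|no] [https_only yes|no]
gen_inner_rules "${1:-no}"
gen_outer_rules "${2:-no}"
audit_outer_rules "${2:-no}"
```

Redirect the output to a file and run `nft -c -f <file>` to syntax-check the generated rule set before loading it; the rules are plain forwarding filters, so the address-translation or routing that places the Meeting Server in the DMZ is still configured separately.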