HTTP

For increased security, HTTP traffic to and from the HCL Traveler server should be secured by enabling SSL or using a VPN. For SSL, at least the component that terminates SSL connections from the clients should have SSL enabled. SSL termination can be done at the proxy, load balancer, or IP sprayer layer (common when configuring high availability mode but also possible for single HCL Traveler server configurations) or at the Domino HTTP layer. Layers behind the point where client SSL connections are terminated do not also need SSL enabled (HTTP is normally sufficient), but SSL can be enabled on those layers for even greater security.

Note: Do not use Redirect to SSL as the way to secure the connection. A redirect initially allows the mobile device to send credentials over a non-secure connection, and many devices handle redirects poorly, which causes multiple sync issues. If the HTTP server is only being used for Traveler, you should disable HTTP and only allow HTTPS. Even if HTTP cannot be disabled, mobile devices should be configured using HTTPS, which is the default on most devices.
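The following check is an added example, not part of the HCL documentation or product: it reports whether a host still answers on plain HTTP, and whether it does so with a redirect to HTTPS, which is the setup the note above advises against. The function names, the `traveler.example.com` placeholder and the loopback stand-in server are assumptions made for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

REDIRECTS = (301, 302, 303, 307, 308)

def classify_plain_http(host, port=80, path="/", timeout=5.0):
    """Report what a device configured with http://host would meet."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)  # the probe itself sends no credentials
        resp = conn.getresponse()
    except OSError:
        return "closed"            # refused or timed out: nothing answers on HTTP
    except http.client.HTTPException:
        return "not-http"          # something listens but does not speak HTTP
    finally:
        conn.close()
    location = resp.getheader("Location") or ""
    if resp.status in REDIRECTS and location.lower().startswith("https://"):
        return "redirects-to-https"  # the pattern the note says not to rely on
    return "serves-http"             # content reachable without SSL

class _ConstructedServer(BaseHTTPRequestHandler):
    """Constructed local stand-in, not a Traveler or Domino endpoint."""
    redirect = False

    def do_GET(self):
        if self.redirect:
            self.send_response(302)
            self.send_header("Location", "https://traveler.example.com/")
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo(redirect):
    """Classify a throwaway loopback server that redirects (or does not)."""
    handler = type("Handler", (_ConstructedServer,), {"redirect": redirect})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.handle_request, daemon=True).start()
    try:
        return classify_plain_http("127.0.0.1", srv.server_address[1])
    finally:
        srv.server_close()

if __name__ == "__main__":
    print(demo(redirect=True), demo(redirect=False))
```

A result of `closed` matches the recommendation to disable HTTP when the server is used only for Traveler; either of the other HTTP results means a device set up with an `http://` URL can still reach the server without SSL.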

SSL certificates purchased from a certificate authority or Domino self-signed SSL certificates may be used. Certificate authority certificates are often easier to use on the devices because they are generally already trusted, whereas additional steps are often needed to trust self-signed certificates on the devices. For more information, see the SSL security section of topics in the latest version of the Domino Administrator documentation.

Once SSL is enabled, use URL patterns like HTTPS://hostname to access the server instead of HTTP://hostname. Often this means the user entering the URL, but in other cases a link is used, and that link needs to point correctly to HTTPS://hostname. See the Setting the external server URL topic for more details.
