Securing the device connection

For increased security, HTTP traffic to and from the HCL Traveler server should be secured by enabling TLS or using a VPN.

For TLS, at a minimum the component that terminates TLS connections from the clients should have TLS enabled. TLS termination can be done at the proxy, load balancer, or IP sprayer layer (common when configuring high availability mode, but also possible for single HCL Traveler server configurations) or at the Domino HTTP layer. Layers behind the point where client TLS connections are terminated do not also need TLS enabled (HTTP is normally sufficient), but TLS can be enabled on those layers as well for even greater security.

Important: TLS is the direct successor to Secure Sockets Layer (SSL). All versions of SSL are now deprecated. However, within this document and the HCL Domino documentation, references to SSL or SSL/TLS generally refer to the TLS protocol and TLS certificates.

TLS certificates purchased from a certificate authority or Domino self-signed TLS certificates may be used. Certificate authority certificates are often easier to use on the devices because they are generally already trusted, whereas additional steps are often needed to trust self-signed certificates on the devices. For more information, see the topics in the TLS security section of the latest version of the Domino Administrator documentation.

Once TLS is enabled, use URLs of the form HTTPS://hostname to access the server instead of HTTP://hostname. Often the user enters this URL directly, but in other cases a link is used, and that link must point to HTTPS://hostname. See the Setting the external server URL topic for more details.

Note: Do not use Redirect to TLS as the way to secure the connection. It allows the mobile device to initially send credentials over a non-secure connection, and many devices handle redirects poorly, which causes multiple sync issues. If the HTTP server is only being used for Traveler, you should disable HTTP and only allow HTTPS. Even if HTTP cannot be disabled, mobile devices should be configured using HTTPS, which is the default on most devices.
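
The following check is an added example, not part of the HCL documentation. It probes a server's plaintext HTTP port without sending credentials and reports whether the port is disabled, still uses Redirect to TLS, or serves content over HTTP. The function names, the default path "/", and the local stand-in listener with its traveler.example.com hostname are assumptions constructed for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

REDIRECTS = (301, 302, 303, 307, 308)

def classify_http_listener(host, port=80, path="/", timeout=5):
    """Probe the plaintext HTTP port and report how it answers:
    'no-http-service'    - nothing answers HTTP (HTTP disabled, as the note recommends)
    'redirects-to-https' - Redirect to TLS is in use (the note advises against it)
    'serves-plaintext'   - content or an auth challenge is served over HTTP
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)  # anonymous request, no credentials sent
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location") or ""
    except (OSError, http.client.HTTPException):
        return "no-http-service"  # refused, timed out, or not speaking HTTP
    finally:
        conn.close()
    if status in REDIRECTS and location.lower().startswith("https://"):
        return "redirects-to-https"
    return "serves-plaintext"

def start_constructed_listener(status, headers):
    """Constructed local stand-in for a server's HTTP port (demo and test only)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            for name, value in headers.items():
                self.send_header(name, value)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    # Constructed listener that behaves like Redirect to TLS.
    srv = start_constructed_listener(302, {"Location": "https://traveler.example.com/"})
    print(classify_http_listener("127.0.0.1", srv.server_address[1]))
    srv.shutdown()
    srv.server_close()
```

A result of 'redirects-to-https' or 'serves-plaintext' means a device configured with an HTTP:// URL can still reach the server over a non-secure connection.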
