
Sametime Security and Authentication (Eli M. Harris, Collaboration)


Slide 1: Sametime Security and Authentication (Eli M. Harris, Collaboration)

Slide 2: What We'll Cover
- Understanding Sametime Security Methods
- Using Domino Authentication
- Using LDAP Authentication
- Configuring Sametime Connectivity
- Authenticating Sametime with other Products

Slide 3: Understanding Sametime Security Methods

Slide 4: User Identification
- Anonymous access
  - Recommended for intranet access only
  - Allows anyone to access the Sametime server and databases, with or without a Person document in the Sametime directory
- Authenticated access
  - User name and password are verified in a known directory before access is granted

Slide 5: Standard Domino Security
- Database ACL rules also apply
  - The Anonymous entry in the ACL
  - The Default entry applies to all authenticated users not otherwise listed in the ACL
  - The Maximum Internet Name and Password access setting
- Server document Internet port settings
  - Name and password required: Yes/No
  - Anonymous access permitted: Yes/No
[Don't Forget]

Slide 6: Using an LDAP Directory
- Lightweight Directory Access Protocol (LDAP) is a standard TCP/IP protocol for accessing directory services
  - Examples of public LDAP servers: Bigfoot, Four11, SwitchBoard
- Sametime must be configured to operate as a client to an LDAP server

Slide 7: Using an LDAP Directory (continued)
- See also: Beyond the Basics of LDAP (Chris Miller)
- For more information on using an LDAP directory in Domino, go to Article #2724, "Using LDAP in Domino", by Chris Miller
[Resource]

Slide 8: Managing Multiple Authentication Sources
- Directory Assistance
  - Used to extend client authentication and name lookups to secondary Domino directories and to LDAP directories
- Extended Directory Catalog
  - Allows you to aggregate directory information from several different Domino directories

Slide 9: Managing Multiple Authentication Sources (continued)
- Can you see the directories cascaded in the Domino Administrator under People and Groups?
  - Possible causes of failure: cross certification; insufficient access to the target directory's ACL
- You can also set up a Location document that uses the Sametime server as the home server and attempt to address an e-mail message

Slide 10: Troubleshooting Authentication
- How do you troubleshoot Sametime authentication?
  - Can the user log in using the Sametime Connect client?
  - Can the user log in using the Sametime Meeting Room client?
  - Can the user log in to another database unrelated to Sametime (such as names.nsf) via HTTP?
- The answers help isolate where the problem is

Slide 11: Using Domino Authentication

Slide 12: Domino Single Sign-on
- Default authentication method for Sametime 3
- How Domino Single Sign-on works
  - Creates an LTPA token when a user is authenticated
  - The token is stored in the user's browser as a cookie
  - When the user tries to access restricted areas, the token is presented and the appropriate access is granted

Slide 13: LTPA Tokens
- Things to know about LTPA tokens
  - Requires the user to have cookies enabled in the browser
  - Users must enter the fully qualified domain name of the Sametime server (example: [host name not preserved], not just "Sametime")
  - The same LTPA token can be used to authenticate when the user accesses other servers in the same DNS domain during a single browser session
[Issue]
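The slide's "fully qualified name, not Sametime" rule follows from how browsers scope cookies. The LTPA token is a cookie scoped to the DNS domain configured for Web SSO, and a browser only sends it to hosts that domain-match that scope. The following added example (not code from the presentation, Lotus, or IBM) models that matching rule; the host names and the token domain ".acme.example" are constructed for illustration.

```python
# Added example: models which requests carry an LTPA (Web SSO) cookie.
# The token domain and host names are constructed, not taken from a real deployment.

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """True if a cookie scoped to cookie_domain is sent to request_host.

    This is the host/domain matching rule browsers apply to cookies
    (RFC 6265, section 5.1.3): the host must equal the domain or end with
    "." + domain. A leading dot on the configured domain is tolerated.
    """
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def token_is_presented(request_host: str, token_domain: str) -> bool:
    """Would the browser present the LTPA token to request_host?

    A bare short name such as "Sametime" carries no DNS domain, so it can
    never match a cookie scoped to the SSO domain: the server issues a new
    login challenge even though the user already authenticated elsewhere.
    """
    if "." not in request_host:
        return False
    return domain_matches(request_host, token_domain)


def sso_scenario() -> dict:
    """Constructed walk-through: one Web SSO domain, several ways of addressing servers."""
    token_domain = ".acme.example"   # constructed value for the Web SSO Token Domain
    hosts = [
        "sametime.acme.example",     # FQDN of the Sametime server: token presented
        "quickplace.acme.example",   # another server in the same DNS domain: shared token
        "Sametime",                  # short name typed by the user: no token
        "sametime.other.example",    # different DNS domain: no token
        "notacme.example",           # only a suffix match, not a label match: no token
    ]
    return {h: token_is_presented(h, token_domain) for h in hosts}


if __name__ == "__main__":
    for host, ok in sso_scenario().items():
        print(f"{host:26} -> {'token presented' if ok else 'login challenge'}")
```

The last two constructed hosts show the boundary the slide does not spell out: a server in a different DNS domain, or a name that merely ends in the same letters, does not receive the token and will prompt for credentials again.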

Slide 14: Sametime Secrets and Tokens Authentication System
- Using the Secrets and Tokens authentication system
  - A way of improving security at the authentication level, as opposed to encryption or other levels
  - Enhances security in the following areas: Sametime-enabled databases deployed on a Domino server; multiple Sametime servers in a Domino domain

Slide 15: Sametime Secrets and Tokens Authentication System (continued)
- Required for use of 3rd-party authentication systems that use the Domino Directory Services API (DSAPI), for example Netegrity SiteMinder
- How Secrets and Tokens work
  - Uses 2 databases to generate keys that allow users to move from one network to another after authenticating with a user name and password

Slide 16: Using LDAP Authentication

Slide 17: Configuring Sametime to use LDAP
- Select the LDAP option during the installation
  - LDAP server name
  - Port number (default is 389)
  - Modify the Directory Assistance document in the Directory Assistance database (DA.NSF) to specify the DN
  - Configure the LDAP directory settings from the Sametime administration tool

Slide 18: Configuring Sametime to use LDAP (continued)
- What do you do if you didn't choose LDAP during the installation?
  - No LDAP option will be available in the Sametime administration tool
  - It must be configured manually:
    - Create an LDAP document in the Directory Assistance database
    - Configure the LDAP server settings using a Notes client: open the Sametime Configuration database (STCONFIG.NSF) and choose Create > Other > LDAP Server

Slide 19: Using SSL to encrypt LDAP connections in Sametime
- Sametime makes 5 separate connections to the LDAP server:
  - When authenticating users
  - When resolving user names during login
  - When resolving user and group names in response to 'Add a Person or Group'
  - When browsing the directory
  - When getting the content of public groups
- SSL must be enabled in both Sametime and Directory Assistance (DA)

Slide 20: Using SSL to encrypt LDAP connections in Sametime (continued)
- Sametime offers different options for encrypting LDAP connections
  - Encrypt all data: the most secure option, encrypts all 5 connections
  - Encrypt only user passwords: an intermediate level of security; requires the following in Sametime.ini:
    [Directory]
    ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1
  - Encryption can slow server performance
[Note]

Slide 21: Configuring Sametime Connectivity

Slide 22: Sametime Connectivity
- Having trouble with Sametime and your firewall?
  - You need to know which ports Sametime uses by default (knowing these ports will also help you pass the Sametime Administration certification exam)
  - You also need to know where to change these port settings, and which port settings affect which Sametime service
[Lesson]

Slide 23: Configuring Basic Sametime Ports
- Configured in the Server document
  - Internet Web ports
    - HTTP: default 80; if tunneling is enabled, default 8088
    - SSL: default 443
  - Internet Directory ports
    - LDAP: default 389

Slide 24: Configuring Community Services Ports
- Configured in Sametime Administration
  - Listening for connections from other Sametime servers: default 1516
  - Listening for direct Sametime client connections: default 1533
  - Listening for HTTP connections: default 8082 (also allows Sametime to tunnel on port 80)

Slide 25: Configuring Meeting Services Ports
- Configured in Sametime Administration
  - Listening for connections from other Sametime servers or T.120 connections: default 1503
  - Listening for direct Meeting Room Client connections: default 8081
  - Listening for HTTP connections when direct Meeting Room connections fail: default 80 (used for HTTP tunneling)

Slide 26: Configuring Broadcast Services Ports
- Configured in Sametime Administration
  - Listening for Real-Time Streaming Protocol (RTSP) call control connections from Sametime Broadcast clients: default 554 (also used for connections from HTTP proxy servers)
  - Broadcast gateway address for control connections: used for internal connections, default 8083; do not change this setting unless absolutely necessary
[GOTCHA!]

Slide 27: Configuring Broadcast Services Ports (continued)
- Time to Live (TTL) should also be configured
  - Specifies how long the multicast traffic will propagate on the network before being discarded
  - The farther apart the servers are geographically, the longer the TTL should be
- What should the TTL be?
[Decision Point]

Slide 28: Configuring Audio/Video Services Ports
- Which port does Sametime use for Audio/Video control connections?
  - It uses the port setting for the Meeting Room Client, default 8081, for call control functions
- Listens for call setup connections from H.323-compliant clients
  - Default port 1720
  - Also uses TCP ports 49152 - 65535 for the H.245 protocol used by H.323 clients

Slide 29: Configuring Audio/Video Services Ports (continued)
- Uses a dynamic UDP port range for inbound Audio/Video streams
  - Default 49252 - 65535
- Port used to tunnel audio and video streams
  - If UDP is unavailable, this port is used to tunnel the A/V stream over TCP instead of UDP
  - Default 8084
  - Don't try to tunnel everything on port 80
[Warning]
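Slides 23 through 29 list the default TCP ports, and slide 22 says the first firewall question is which of them are reachable. The following added example (not from the presentation or from Lotus) collects those defaults into one table and probes them from a client's point of view, so an administrator can see which Sametime services a firewall is blocking. The host name "sametime.example" is a placeholder; the dynamic H.245 and UDP ranges are not probed because they are negotiated per call.

```python
# Added example: reachability check over the Sametime default TCP ports from the slides.
# "sametime.example" is a placeholder host; replace it with your server's FQDN.
import socket
from typing import Dict, List, Optional, Tuple

# service key -> (default TCP port, purpose), values as given on slides 23-29
SAMETIME_DEFAULT_PORTS: Dict[str, Tuple[int, str]] = {
    "http":              (80,   "Domino HTTP; also Meeting Room HTTP tunneling"),
    "http_tunnel":       (8088, "Domino HTTP when tunneling is enabled"),
    "ssl":               (443,  "Domino SSL"),
    "ldap":              (389,  "Domino LDAP"),
    "community_server":  (1516, "Community Services: other Sametime servers"),
    "community_client":  (1533, "Community Services: direct client connections"),
    "community_http":    (8082, "Community Services: HTTP connections"),
    "meeting_server":    (1503, "Meeting Services: other servers / T.120"),
    "meeting_client":    (8081, "Meeting Room Client; also A/V call control"),
    "broadcast_rtsp":    (554,  "Broadcast Services: RTSP call control"),
    "broadcast_gateway": (8083, "Broadcast gateway control (internal)"),
    "h323_setup":        (1720, "H.323 call setup"),
    "av_tunnel":         (8084, "A/V streams tunneled over TCP when UDP is blocked"),
}


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout.

    A refused or timed-out connection (or a name that does not resolve)
    is reported as unreachable; the caller decides whether that is expected.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_services(host: str, services: Optional[List[str]] = None,
                   timeout: float = 2.0) -> Dict[str, bool]:
    """Probe the named services (default: all of them) and return service -> reachable."""
    names = services or list(SAMETIME_DEFAULT_PORTS)
    return {n: probe_port(host, SAMETIME_DEFAULT_PORTS[n][0], timeout) for n in names}


def unreachable(results: Dict[str, bool]) -> List[str]:
    """Service names that did not answer, sorted for stable reporting."""
    return sorted(name for name, ok in results.items() if not ok)


def local_self_check() -> Tuple[bool, bool]:
    """Demonstrates probe_port offline: open a loopback listener on an ephemeral
    port, probe it (expect True), close it, probe again (expect False)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_port("127.0.0.1", port, 1.0)
    srv.close()
    after_close = probe_port("127.0.0.1", port, 1.0)
    return while_open, after_close


if __name__ == "__main__":
    host = "sametime.example"   # placeholder
    results = probe_services(host)
    for name, ok in results.items():
        port, purpose = SAMETIME_DEFAULT_PORTS[name]
        print(f"{'open' if ok else 'CLOSED':6} {port:5} {name:18} {purpose}")
    print("blocked or not listening:", ", ".join(unreachable(results)) or "none")
```

Run it from the network segment whose users are affected; a service showing CLOSED from outside the firewall but open on the server itself points at a firewall rule rather than a Sametime configuration problem.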

Slide 30: HTTP Tunneling
- One of the best features of Sametime: it extends Sametime through firewalls
  - The Community, Meeting, and Broadcast services use port 80 to connect to the Community Services Multiplexer (MUX)
  - The Multiplexer can distinguish between the different types of HTTP connection requests
  - The MUX then creates intra-server connections to pass the data

Slide 31: HTTP Tunneling (continued)
- Audio/Video and tunneling
  - The Audio/Video control connection requires either a direct TCP/IP connection or a connection through a SOCKS proxy
  - Default port 8084
  - If the Meeting Services connection was made using HTTP tunneling, Audio/Video is not supported!
[Tradeoff]

Slide 32: Sametime Server Services and Ports
- Sametime has lots of services!
  - Each service is an executable file
  - The Overview feature of the Sametime Administration tool lists the corresponding .exe file name
- What can you do to help troubleshoot connectivity with one of these services on your Sametime server?

Slide 33: Sametime Server Services and Ports (continued)
- Launching these services separately in a DOS window gives you excellent debugging information
  - Disable or stop the service in Windows Services if necessary
  - Find the appropriate .exe file name
  - Launch the service separately from a command line
[Secret]

Slide 34: Authenticating Sametime with other products

Slide 35: QuickPlace with Sametime
- Configuring Sametime awareness with QuickPlace
  - You need to set up multi-server session-based authentication for the QuickPlace server so that it shares the authentication token with the Sametime server
1. Add these settings to the NOTES.INI file on the QuickPlace server:
   NoWebFileSystemACLs=1
   h_ScopeUrlInQP=1
[Next Steps]

Slide 36: QuickPlace with Sametime (continued)
2. Enable session-based authentication in the Domino Directory for the QuickPlace server:
   a. Edit the Server document.
   b. Click the Internet Protocols - Domino Web Engine tab.
   c. Next to Session authentication, select Multi-server.
3. If there is no Domino Web Server Configuration database on the QuickPlace server, perform the following:
   a. Create a database from the Domino Web Server Configuration (5.0) template and give it the file name DOMCFG.NSF.

Slide 37: QuickPlace with Sametime (continued)
   b. Open the new database.
   c. Choose Create - Mapping a Login Form.
   d. In the "Target Database file name" field, enter QUICKPLACE/RESOURCES.NSF.
   e. In the "Target form name" field, enter QuickPlaceLoginForm.
   f. Save the new form.
- Final steps to configure QP3 with Sametime:
   a. From Domino Designer, open the database QUICKPLACE/RESOURCES.NSF.
   b. Open the QuickPlaceLoginForm.
   c. Copy the field from this form to the login form in DOMCFG.NSF.

Slide 38: WebSphere Portal Server with Sametime
- Integrating WebSphere Portal Server gives you the ability to add online awareness to any aspect of your portal
  - Many steps are required to integrate these 2 products properly
  - Here are some of the most important ones to know
[Resource]

Slide 39: WebSphere Portal Server with Sametime (continued)
- Check the portal environment properties file on the WebSphere Portal server for the following entries
  - Location: \lib\app\config\
  - CS_Server_Domino_Directory.enabled=true
  - CS_Server_Sametime.enabled=true
- Check these settings in the Domino Server document
  - On the Basics tab, the fully qualified host name is correct
  - On the Ports tab, the Net Address of the TCP/IP port is the fully qualified host name
  - On the Internet Protocols tab, HTTP sub-tab, the Host name field contains the fully qualified host name

Slide 40: WebSphere Portal Server with Sametime (continued)
- Domino LDAP-specific settings for the portal
  - The users wpsadmin, wpsbind, and wpsadmins need Reader access to the Domino Directory (directly or via a group)
  - A Domino LDAP configuration document must exist, and its LDAP fields list must contain MailFile, Mail Server, and http_hostName as available via LDAP
- Domino Single Sign-On settings
  - Import the LTPA token from WebSphere into the Web SSO document
  - Enter the same IP domain name in the Token Domain field that was entered in the WebSphere Admin console when generating the token
  - Change the LDAP Realm manually to hostname\:389

Slide 41: WebSphere Portal Server with Sametime (continued)
- Ensure hostAddress.xml is correct on the WebSphere server
  - Located at \PortalServer\app\wps.ear\wps.war\peopleawareness\hostAddress.xml
  - 80 (the surrounding markup is not preserved in this transcript)
- Sametime.ini settings on the Sametime server
  - VPS_BYPASS_TRUSTED_IPS=1, or
  - VPS_TRUSTED_IPS=IPAddress,IPAddress,...
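Slides 20 and 41 both end in Sametime.ini settings that trade security for convenience: ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1 leaves four of the five LDAP connections in clear text, and VPS_BYPASS_TRUSTED_IPS=1 trusts every host instead of the explicit VPS_TRUSTED_IPS list. The following added example (not code from the presentation, Lotus, or IBM) reads a Sametime.ini and reports those settings, with a weak and a corrected file constructed inline. It assumes only that the file is a plain key=value INI; which section the VPS_* keys live in is not stated on the slides, so the parser does not check section placement.

```python
# Added example: audit the Sametime.ini settings discussed on slides 20 and 41.
# The two INI texts below are constructed samples, not a real server's file.
import ipaddress
from typing import Dict, List

# Constructed "before": password-only LDAP SSL and trusted-IP bypass enabled.
WEAK_INI = """[Directory]
ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1
[Config]
VPS_BYPASS_TRUSTED_IPS=1
"""

# Constructed "after": the switch is left off (all 5 LDAP connections are encrypted
# when "Encrypt all data" is chosen in the admin tool) and the portal hosts are listed.
HARDENED_INI = """[Directory]
; ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS left unset: encrypt all five LDAP connections
[Config]
VPS_TRUSTED_IPS=192.0.2.10,192.0.2.11
"""


def parse_ini(text: str) -> Dict[str, str]:
    """Flatten key=value lines into an upper-cased key map; section headers and
    comment lines (; or #) are skipped. Assumption: keys are unique across sections."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().upper()] = value.strip()
    return settings


def audit_sametime_ini(text: str) -> List[str]:
    """Return a list of findings; an empty list means none of the weak settings is present."""
    s = parse_ini(text)
    findings: List[str] = []

    # Slide 20: only the password bind is encrypted; name resolution, directory
    # browsing and group-content lookups still travel in clear text.
    if s.get("ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS") == "1":
        findings.append("ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1: only the password connection "
                        "to LDAP is encrypted; the other four connections are clear text")

    # Slide 41: the portal integration needs one of the two VPS_ settings.
    bypass = s.get("VPS_BYPASS_TRUSTED_IPS") == "1"
    if bypass:
        findings.append("VPS_BYPASS_TRUSTED_IPS=1: every source address is treated as a trusted "
                        "portal; list the portal servers in VPS_TRUSTED_IPS instead")
    raw_list = s.get("VPS_TRUSTED_IPS", "")
    if raw_list:
        for item in (p.strip() for p in raw_list.split(",") if p.strip()):
            try:
                ipaddress.ip_address(item)   # host names are not accepted here
            except ValueError:
                findings.append(f"VPS_TRUSTED_IPS entry is not an IP address: {item!r}")
    elif not bypass:
        findings.append("neither VPS_TRUSTED_IPS nor VPS_BYPASS_TRUSTED_IPS is set; "
                        "slide 41 requires one of them for WebSphere Portal awareness")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {label} ==")
        for f in audit_sametime_ini(text) or ["no findings"]:
            print(" -", f)
```

Point it at the real file with `audit_sametime_ini(open(path).read())`; a clean result only says the two slide settings are sane, since "Encrypt all data" itself is chosen in the Sametime administration tool rather than in the INI.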

Slide 42: Getting Help!

Slide 43: Online Resources
- When in doubt, search it out!
  - Online Help
  - Lotus Developer Domain
  - Download the Sametime documentation: Sametime Installation Guide, Sametime Administrator's Guide, Sametime Audio/Video Guide, and more!
  - Search the forum
  - Search engine

Slide 44: Your Turn!
Questions? Submit your questions now by clicking on the "Ask a Question" button in the bottom left corner of your presentation screen. Thank you! You can send additional questions to Eli Harris via
