SteelHead™ Deployment Guide - Protocols : Other Protocol Optimization : Lotus Notes Optimization
Lotus Notes Optimization
You can enable and modify Lotus Notes optimization settings in the Configure > Optimization > Lotus Notes page.
Lotus Notes is a client-server collaborative application that provides email, instant messaging, calendar, resource, and file sharing. RiOS provides latency and bandwidth optimization for Lotus Notes v6.0 and later traffic across the WAN, accelerating email attachment transfers and server-to-server or client-to-server replications.
RiOS saves bandwidth by automatically disabling socket compression, which makes SDR more effective. It also saves bandwidth by decompressing Huffman-compressed attachments and LZ-compressed attachments when they are sent or received and recompressing them on the other side. This allows SDR to recognize attachments that have previously been sent in other ways (such as over CIFS, HTTP, or other protocols), and also allows SDR to optimize the sending and receiving of attachments that are slightly changed from previous sends and receives.
To use this feature, both the client-side and server-side SteelHeads must be running RiOS v5.5.x or later. To enable optimization of encrypted Lotus Notes connections, both the client-side and server-side SteelHeads must be running RiOS v7.0.
Enabling Lotus Notes provides latency optimization regardless of the compression type (Huffman, LZ, or none).
Before enabling Lotus Notes optimization, be aware that it automatically disables socket-level compression for connections going through SteelHeads that have this feature enabled.
For information about configuring Lotus Notes optimization, see the SteelHead Management Console User’s Guide.
Optimizing Encrypted Lotus Notes
You can optimize encrypted Lotus Notes traffic in RiOS v7.0 or later. When you enable the encrypted Lotus Notes feature, traffic between SteelHeads is decrypted and the current Lotus Notes protocol optimization (RiOS v5.5) is applied.
Lotus Notes Authentication
Lotus Notes and the Domino server rely on the Notes ID file for proper authentication. This file contains information for authentication and encryption between the client and the server in the Lotus Notes and Domino system. The Notes ID file is usually stored on the client. You must have a password to decrypt the ID file and use its contents, but you do not need a password to authenticate with the server (for example, MS-Exchange or other systems).
This section requires that you be familiar with Lotus Notes and Domino servers.
Optimization Architecture
To optimize an encrypted connection between a Notes client and a Domino server, you must import the Domino server's ID file into the server-side SteelHead, because the SteelHeads in the path of the connection need to be able to decrypt and reencrypt the sent data. Next, configure the Domino server with a port on which it accepts unencrypted connections. This can either be the standard port or an auxiliary port. Now, when a Notes client connects to the Domino server, the server-side SteelHead forwards the connection to the auxiliary port of the server.
After the connection is authenticated, the server-side SteelHead resets the connection of the Notes client but maintains the unencrypted connection with the Domino server on the auxiliary port. The Notes client now tries to establish a new encrypted connection, which the server-side SteelHead intercepts and handles as if it were the Domino server.
The server-side SteelHead (acting as the Domino server) generates the information necessary to encrypt the connection to the Notes client. The result is a connection that is encrypted between the Notes client and server-side SteelHead but unencrypted between the server-side SteelHead and the Domino server.
Configuring Optimized Encrypted Lotus Notes
This section describes how to configure optimized encrypted Lotus Notes.
To import the server ID file of Domino servers that require optimization into the server-side SteelHead
Log in to the respective Domino servers and identify the location of the server ID file in the notes.ini file. This is usually located on a Windows server in C:\Program Files\IBM\Lotus\Domino\data.
Open the notes.ini file with a text editor.
Figure 8‑1. Example notes.ini File
Import all server ID files into the server-side SteelHead. (You do not need to do this on the client-side SteelHead.)
  • From the Management Console, choose Optimization > Protocols: Lotus Notes. You can also use the CLI command protocol notes encrypt import server-id <http, ftp, or scp URL> [password <password>].
  • Select Add Server.
  • Specify the server ID file URL (or use the Browse button) and password.
  • Server IDs might not have passwords.
  • Click Add.
Figure 8‑2. Import the Server ID File
To configure Domino servers to accept unencrypted connections on an auxiliary port
Connect to the Domino server.
Open the Domino Administrator and connect to the desired Domino server.
Figure 8‑3. Domino Server Administrator
From the Domino Administrator, choose Configure > Server > Setup Ports to open the Setup Ports page.
Figure 8‑4. Setup Ports Page
In the Setup Ports page, click New to create a new port.
Name the port.
This example shows the port named TCPIP_RVBD with TCP selected in the Driver drop-down menu.
Click OK.
Figure 8‑5. Creating a New Port
To enable the newly created port, select the new port in the Setup Ports page.
Make sure that Port enabled is selected and Encrypt network data is not selected.
Click OK.
Figure 8‑6. The New Port on the Setup Ports Page
To set a new TCP port number and restart the port
Open the Domino server's notes.ini file.
The file is usually located in C:\Program Files\IBM\Lotus\Domino.
Add a line using the format <port_name>_TCPIPAddress=0,<IP_address>:<port>.
Use the IP address; Domino listens on all server IP addresses.
Figure 8‑7. Line Added to the notes.ini File
Restart the new port.
The Domino server starts to listen on the new port after a restart of the port or the server.
Select the Server tab.
Choose Server Console in the left tree structure.
In the drop-down menu at the bottom of the page, choose restart port TCPIP_RVBD.
Figure 8‑8. Restart the Port
To enable Notes Encryption Optimization on both SteelHeads and set the appropriate alternate unencrypted port number on the server-side SteelHead
From the Management Console, choose Optimization > Protocols: Lotus Notes.
Select Enable Lotus Notes Optimization.
Select Optimize Encrypted Lotus Notes Connections.
Specify the configured unencrypted port number.
Click Apply.
Figure 8‑9. Lotus Notes Page
When the Notes client has connected to the Domino server, you see an optimized encrypted Notes connection in the current connections table. An example client-side SteelHead is shown in Figure 8‑10.
Figure 8‑10. Client-Side SteelHead Current Connections Page with Optimized Encrypted Lotus Notes
Riverbed recommends that you also enable secure peering on the SteelHeads, because the optimized encrypted Notes connection is unencrypted between the client-side and the server-side SteelHead. For more details, see Deploying Secure Peering for All Optimized Traffic.
If the SteelHead encounters an error with the Domino server (including configuration errors), the IP address of the Domino server might be added to a blacklist at the server-side SteelHead to avoid disruption to the traffic. New connections to or from that IP address are not optimized.
You can view blacklist entries with the CLI command show protocol notes encrypt blacklist. You can clear the entire blacklist or a single entry with the CLI command protocol notes encrypt blacklist remove-ip <ip-address>.
If something about your Lotus Notes optimization is not working properly, the best practice is to check the system logs of the SteelHead: for example, there are messages if the wrong server ID file is imported or the unencrypted port is not configured on the Domino server.
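A pre-check for the "unencrypted port is not configured" case mentioned above, as an added example that is not part of the Riverbed guide or any Riverbed tool: it parses a notes.ini, validates the <port_name>_TCPIPAddress line against the format given earlier, and compares the port with the one entered on the server-side SteelHead. The sample file, the port number 13520, and the reading of Ports= as the list of enabled ports are assumptions made for illustration.

```python
import ipaddress

# Constructed sample, not taken from a real server. TCPIP_RVBD is the port name
# used in this guide; the address and port 13520 are placeholders. Ports= is
# assumed to hold the comma-separated list of enabled Domino ports.
SAMPLE_NOTES_INI = """\
[Notes]
Ports=TCPIP,TCPIP_RVBD
TCPIP_RVBD_TCPIPAddress=0,0.0.0.0:13520
"""

def parse_ini(text):
    """Return notes.ini settings as a dict keyed by lower-cased name."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith(("[", ";")):
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def check_aux_port(ini_text, port_name, steelhead_port):
    """Compare the Domino auxiliary port entry with the SteelHead setting.

    Returns a list of findings; entries starting with 'note:' are reminders,
    everything else is a configuration mismatch.
    """
    ini = parse_ini(ini_text)
    findings = []
    enabled = [p.strip().lower() for p in ini.get("ports", "").split(",")]
    if port_name.lower() not in enabled:
        findings.append(f"{port_name} is not listed in Ports=")
    raw = ini.get(f"{port_name.lower()}_tcpipaddress")
    if raw is None:
        return findings + [f"no {port_name}_TCPIPAddress line"]
    # Expected format from the guide: 0,<IP_address>:<port>
    prefix, _, endpoint = raw.replace(" ", "").partition(",")
    host, _, port_text = endpoint.rpartition(":")
    try:
        addr, port = ipaddress.ip_address(host), int(port_text)
        if prefix != "0" or not 0 < port < 65536:
            raise ValueError(raw)
    except ValueError:
        return findings + [f"malformed value: {raw!r}"]
    if port != steelhead_port:
        findings.append(f"Domino uses {port}, SteelHead expects {steelhead_port}")
    if addr.is_unspecified:
        findings.append("note: cleartext port listens on every interface")
    return findings
```

Because this port carries Notes traffic without encryption, the note finding is a prompt to confirm that only the server-side SteelHead can reach it.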
Important notes:
  • When you enable encrypted Lotus Notes optimization, you force all connections between a Notes client and a Domino server to be encrypted.
  • Enabling Encrypted Notes optimization forces the client to always perform slow authentication.
  • The Notes client might try to reuse a previously assigned ticket during authentication by sending an Auth request after the server's Hello response. This is called fast authentication because it saves several round trips. Fast authentication does not work when you enable Encrypted Notes optimization.