In an ideal world, every computer user could connect quickly over the Internet or phone lines to any server they had permission to access. In reality, as we all know, a lot can go wrong to muddy this picture. Servers sometimes get too busy to handle the number of users trying to connect to them. The Internet backbones and telephone system can get clogged with thousands—or millions—of users trying to connect to their favorite servers all at once. And organizations' outgoing network connections, such as T1s, can become bottlenecks with too many users trying to get out at the same time.
Hardware and software vendors have addressed these problems in a variety of ways. A common thread through many of the solutions is a technique that makes the user appear to be connected to the server of choice when, in fact, the user is connected to something else. In general, such a solution is acceptable to computer users: if you think you are connected to the server you want and are getting the right data quickly, you don't really care where the data is coming from (assuming the deception is not malicious or a security violation).
This article discusses three techniques in this area and shows how they apply, or don't apply, to Domino and Notes. The techniques are proxy, reverse proxy, and passthru. Collectively, I refer to these as interface servers, because they help a Domino server interface to the user and/or network. I also discuss interface servers for Domino when it is acting as a Notes server or Web server. (I do not discuss interface servers for other client protocols Domino supports, such as LDAP or NNTP.) A detailed resource list is also included for more information.
Proxies - The basics
A proxy is a server that stores information for the benefit of users trying to make a connection to some other outside server. To illustrate this principle, consider the following example:
The 500 employees at PieFactory Inc. generate many requests for Web pages from the Internet. But their requests are not evenly distributed across all the Web servers in the world. PieFactory employees are far more likely to request a Web page from CNN.com or Slashdot.org than from SpecialtyMechanics.com (a small machine shop). A proxy server takes advantage of this uneven distribution.
The PieFactory proxy resides within its building and stores copies of commonly requested pages, such as CNN and Slashdot. When an employee at PieFactory requests the home page from CNN.com, the proxy does not need to send a request to the Internet and wait for CNN to respond. The proxy is likely to already have that page, because another user probably requested the same page just seconds earlier. The proxy can retrieve the CNN home page from its own local hard disk and return this page to the user. The result: The user receives a much faster response.
Of course, there are many details that must be added to the above snapshot to make everything work correctly. How does the proxy know when CNN has changed its home page so the proxy can go to CNN.com for a fresh copy? How long should the proxy keep a stored page if no one has requested it for a while? If a PieFactory employee does ask for SpecialtyMechanics.com, should the proxy store this page, even though no one else is likely to request it for quite a while? How does the proxy know which pages are likely to be requested again? The way a particular brand of proxy answers these questions determines whether it is a good proxy server or not. The details of how various brands resolve these issues are beyond the scope of this article, but bear in mind that different proxy products handle these variables in different ways.
Besides the performance gain realized by serving cached data, proxies can also play a role in security. Consider the PieFactory example above. Since outbound requests to the Internet go through a proxy server, the proxy can act as a filter on those requests. PieFactory can adopt a usage policy that states employees may not visit Nazi.org or Shockwave.com/games. The proxy can be configured to block requests for these Web sites.
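The following is an added example (not code from the article or from Domino) that models the PieFactory proxy described above: it answers the freshness question with an age limit, the "how long to keep it" question with least-recently-used eviction, and the usage-policy question with a blocked-prefix filter. The origin fetch, the URLs and the blocked prefix are constructed for the example.

```python
import time
from collections import OrderedDict

# Constructed stand-in for the Internet: a fake origin fetch that counts how
# often each site is actually contacted, so the cache's effect is measurable.
ORIGIN_HITS = {}

def fetch_from_origin(url):
    ORIGIN_HITS[url] = ORIGIN_HITS.get(url, 0) + 1
    return f"<html>page for {url}</html>"

class CachingProxy:
    """Forward proxy for PieFactory: serves cached pages, refreshes a page
    once it is older than the TTL, evicts the least recently used page when
    the cache is full, and refuses URLs the usage policy blocks."""

    def __init__(self, max_entries=2, ttl_seconds=60.0, blocked_prefixes=()):
        self.cache = OrderedDict()          # url -> (body, time stored)
        self.max_entries = max_entries
        self.ttl = ttl_seconds
        self.blocked = tuple(blocked_prefixes)

    def get(self, url, now=None):
        now = time.time() if now is None else now
        # Policy filter: outbound requests funnel through the proxy, so a
        # blocked site is refused here and never reaches the Internet.
        if any(url.startswith(prefix) for prefix in self.blocked):
            return (403, "blocked by usage policy")
        entry = self.cache.get(url)
        if entry is not None and now - entry[1] < self.ttl:
            self.cache.move_to_end(url)     # fresh hit: mark as recently used
            return (200, entry[0])
        body = fetch_from_origin(url)       # miss or stale: get a fresh copy
        self.cache[url] = (body, now)
        self.cache.move_to_end(url)
        while len(self.cache) > self.max_entries:
            self.cache.popitem(last=False)  # drop the least recently used page
        return (200, body)
```

Passing `now` explicitly lets you replay a request sequence with fixed timestamps and watch which requests reach the origin.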
Proxy for Notes
A proxy server for Notes clients would require that a Domino server act as a stand-in for another Domino server, just as Web proxies act as a stand-in for another Web server. The Domino-for-Notes proxy would contain Domino databases (or parts of databases) and serve this data in place of client access to the actual Domino server. Domino does not have this feature, so there are no Domino proxy servers for Notes, in the strict sense. Domino and Notes contain another well-known feature, however, that accomplishes the same goal.
Replication allows a Notes user to access a given Domino database in more than one place, with the replication algorithms keeping the database copies in sync (over time). So a nearby replica of a distant Domino database is, in effect, a proxy. Any Notes user who keeps a local copy of a mail file has created a proxy for the server's copy of their mail. When a local copy of a database is not available, Notes users choose the closest, or least busy, replica server copy for the same reason.
Since replication is a core feature of Domino and Notes, information about it is scattered throughout the product documentation. (See the Iris Today article listed in the Resources section below.)
Proxy for browsers
A proxy server for the Web resides close to the users and reduces the need for user requests to go onto the Internet. To the extent possible, Web requests are resolved locally, without contacting the target Web server, which may be far away. Domino cannot be used as a proxy server, but this is of little consequence, since there are so many other products that fill this need. A proxy server that caches requests to an underlying Domino server does not need to be Domino itself. Since Domino acts as a standard Web server, any Web proxy server will work as a proxy for Domino. (See related links below.)
Note that when you are using the Notes client as a web browser, there are preference settings that direct Notes to use a proxy server for web access. (And for other Internet protocols as well.) For information about this feature see Notes R5 Help / Index / Proxy Server / Connecting To The Internet.
Reverse proxies - The basics
As described above, a proxy is a server that helps with outbound network requests. A reverse proxy helps with inbound requests. Another example from PieFactory shows how this might work.
Imagine PieFactory has a smash hit with their banana cream pie, which is selling like hot cakes on their Web site. So many people are visiting the site to order the pie that the Web server is swamped. PieFactory could, of course, get a faster Web server to handle the load, but another option is to add a set of reverse proxies. The reverse proxies would be placed between the general Internet and the server that contains the PieFactory Web site. The addition of round-robin IP routing software completes the picture.
When a user points a browser to PieFactory.com, the request is received by the round-robin IP router. The router directs the user's request to one of the reverse proxies. If the reverse proxy does not have the requested page, the reverse proxy obtains the page from the PieFactory Web server. If the reverse proxy does have the Web page cached, it serves the page directly to the user without any request to the real Web server. The next user is routed to the next reverse proxy server, then the next user to the next reverse proxy, and so on.
After the whole system has been running for a while, all of the reverse proxies contain most of the pages users will request. The load on the actual PieFactory Web server is dramatically reduced since the requests are spread across all the reverse proxies. For users requesting information about the banana cream pie, it appears they are all communicating with a single PieFactory Web server. (The reverse proxies and the IP router hide the IP addresses and names of the proxies to pull off this deception.)
Reverse proxies can also serve as an additional layer of security to protect a server that contains sensitive information. The main server can reside behind a firewall, with the reverse proxy outside the firewall and open to Internet traffic. Only the reverse proxy is allowed (by the firewall) to communicate with the main server. All user requests are received by the reverse proxy, which can satisfy most of the requests from cached pages, without contacting the main server. Anyone trying to break into the main server has several hurdles to overcome: first the reverse proxy, then the firewall, and then the restricted access to the main server. The result is a higher level of security than a single server provides.
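The following is an added example (not code from the article or from Domino) of the reverse-proxy arrangement just described: a round-robin router, a set of caching reverse proxies, and an origin server that accepts requests only from the proxies' addresses, standing in for the firewall rule. The 10.0.0.x proxy addresses and the page paths are constructed.

```python
import itertools

class OriginServer:
    """The PieFactory Web server behind the firewall. The allow list models
    the firewall rule that only the reverse proxies may talk to it."""

    def __init__(self, allowed_sources):
        self.allowed = set(allowed_sources)
        self.requests_served = 0   # load that actually reaches the origin

    def fetch(self, path, source):
        if source not in self.allowed:
            raise PermissionError(f"firewall dropped request from {source}")
        self.requests_served += 1
        return f"<html>{path}</html>"

class ReverseProxy:
    """Sits between the Internet and the origin; answers from its own cache
    and only goes to the origin for pages it has not seen yet."""

    def __init__(self, address, origin):
        self.address = address
        self.origin = origin
        self.cache = {}            # path -> page body

    def handle(self, path):
        if path not in self.cache:
            self.cache[path] = self.origin.fetch(path, self.address)
        return self.cache[path]

class RoundRobinRouter:
    """Receives every request for PieFactory.com and hands each one to the
    next proxy in turn; the visitor never sees which proxy answered."""

    def __init__(self, proxies):
        self._next = itertools.cycle(proxies)

    def route(self, path):
        return next(self._next).handle(path)

def origin_load(paths, proxy_count=3):
    """Serve `paths` through `proxy_count` reverse proxies and return how many
    requests the origin itself had to answer (constructed 10.0.0.x addresses)."""
    addresses = [f"10.0.0.{i + 1}" for i in range(proxy_count)]
    origin = OriginServer(allowed_sources=addresses)
    router = RoundRobinRouter([ReverseProxy(a, origin) for a in addresses])
    for path in paths:
        router.route(path)
    return origin.requests_served
```

With three proxies, a hundred requests for the same page cost the origin exactly three fetches: one warm-up miss per proxy.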
Reverse proxy for Notes
The goal of reverse proxy servers is to reduce the incoming request load on a single server. For the reasons stated earlier, Domino does not support reverse proxying for Notes requests, in the strict sense. However, the Domino cluster feature accomplishes the same goal.
Clustering is "fast replication" where a set of servers share a set of Domino databases and synchronize the databases very quickly (within seconds). In effect, the set of servers in a cluster act as one larger computer with greater resources. The Notes client software is "cluster aware," so it can fail over to a cluster member that is available, if part of the cluster is down. The result is the same as traditional reverse proxies—faster response for users and higher reliability. (For more information on clustering, see the Iris Today articles listed in Resources below.)
Reverse proxy for browsers
Just as with reverse proxying for Notes clients, Domino also cannot be used as a pure reverse proxy for browser clients. This is a minor restriction, however, because Domino contains the Internet Cluster Manager (ICM) feature. ICM allows Domino to form a cluster of Web servers, giving the same benefits—increased load handling and reliability—as Domino clustering for Notes. (See ICM resources below).
Passthru - The basics
Both proxies and reverse proxies have two common features: cached data to reduce network or server load in some way; and redirection to change where server requests are routed. Passthru servers use only the second of these techniques.
Passthru is a Domino feature that has been available for quite a few years, so is likely to be familiar to many Lotus Notes users. The feature stems from the needs of dial-up modem users in large organizations, who often want access to many Domino servers. Using traditional dial-up access, users were required to place separate phone calls to the modems attached to each server, in order to use more than one server in a work session. This is very inconvenient, since it means users must store the dial-up phone number for many servers and must hang up and redial every time they want to work on a different server.
Passthru solved this problem by designating one server to route network traffic to many servers. Modem users make one phone call to the passthru server and are then allowed to work on that server or any other server using the passthru. The feature made remote Notes work much more convenient in a large organization.
Besides the single-phone-call advantage, passthru gives system administrators other capabilities. A passthru server can act as a network bridge to servers that do not share a communication protocol with the user. As an example, assume Server A runs the SPX protocol, Server B has SPX and TCP, and User 1 has a Notes client with just TCP installed. Normally, User 1 would not be able to connect to Server A, because they do not share a communication method. If Server B is a passthru for Server A, however, User 1 can connect to Server A via the Server B passthru.
Passthru servers also offer a valuable security layer to the Domino administrator because they act as a chokepoint for network traffic. Imagine PieFactory has 10 Domino servers, one of which is a passthru server. Whenever a user dials PieFactory to use one of the servers, they all come in through the passthru server. This allows a single point of control for Notes dial-in access and presents fewer servers to the outside world for an attacker to penetrate.
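The following is an added example (not code from the article or from Domino) that models the protocol-bridging and chokepoint behaviour described in the two paragraphs above: a client connects directly when it shares a protocol with the destination, otherwise through a passthru that shares a protocol with both sides and is configured to relay to that destination, and every relayed connection is recorded at the passthru. The `passthru_for` field and the server names are constructed for the example.

```python
class Server:
    def __init__(self, name, protocols, passthru_for=()):
        self.name = name
        self.protocols = set(protocols)
        # Destinations this server is willing to relay traffic to; empty for
        # a server that is not a passthru. Constructed field, not a Domino one.
        self.passthru_for = set(passthru_for)

class PassthruNetwork:
    def __init__(self, servers):
        self.servers = {s.name: s for s in servers}
        self.access_log = []   # one record per connection relayed by a passthru

    def connect(self, user, user_protocols, destination):
        """Return the path a Notes client takes to `destination`: direct when
        the two share a protocol, otherwise via a passthru that shares a
        protocol with the client and one with the destination."""
        user_protocols = set(user_protocols)
        dest = self.servers[destination]
        if user_protocols & dest.protocols:
            return [destination]
        for hop in self.servers.values():
            if (destination in hop.passthru_for
                    and user_protocols & hop.protocols
                    and hop.protocols & dest.protocols):
                # The passthru is the single point where dial-in access to
                # the servers behind it can be checked and recorded.
                self.access_log.append((user, hop.name, destination))
                return [hop.name, destination]
        raise ConnectionError(f"{user} cannot reach {destination}")
```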
Passthru for Notes
Domino passthru for Notes, where a single Domino server acts as an access point for other Domino servers, is a standard feature of Notes/Domino. It has the advantages listed above, which include convenient dial-up access for phone line users, protocol bridging, and security consolidation. (See the Iris Today article on Server Connections in Resources below.)
Passthru for browsers
As described above, a passthru server acts as a common entry point to other servers behind the passthru. The benefits are ease of connection (one connection rather than many) and consolidation of security checks at the passthru server. Domino does not act as a passthru server for browser traffic to other Domino Web servers. However, there are other technologies that offer this feature.
A Virtual Private Network (VPN) can contain a single access point that opens up the rest of the private network servers to the VPN user. The single access point acts as a logical passthru, because it allows the user to make one connection to many servers and is a security chokepoint. (See VPN resources below.)
LAN dial-in is another technology that acts as a passthru for browser connections. This technique allows a remote user to make a phone call to a network access point, which then connects the user to an organization's internal LAN. For example, WorldCom is one of the providers of this service, with its Remote LAN Dial product. (See related links below.)
Resources
Here's a list of articles and Web sites for more information on proxies and related terms.
Replication: Iris Today Under the Microscope: Domino Replication by Bret Swedeen
Proxy servers and Internet caching: Web-cache.com.
Reverse proxies: See the Netscape documentation for its Proxy Server 3.5 product.
ICM: An Iris Today article Domino Internet Cluster Manager by Lori Fucarile.
Server Connections: Iris Today article on Server Connections: Just Passing Thru by David DeJean provides an excellent overview of passthru.
Proxy vendors: a list of many proxy vendors is available at: http://www.serverwatch.com/proxyvendors.html
Unix operating systems: One of the most popular Web proxies for Unix-flavor operating systems is the free, open-source project Squid.
Firewalls: Many links about firewalls and their vendors are at Firewall.com. Building Internet Firewalls by Zwicky, Cooper, and Chapman is a popular book on this topic. Firewalls and Internet Security by Cheswick and Bellovin is another good overview of this area.
VPNs: A good overview of VPNs is written by the consulting group Core Competence. Core Competence's FAQ about VPNs is also helpful.
Acknowledgements
Many thanks to several anonymous readers at Lotus for helpful comments about these topics, and to Bob Balaban (http://www.looseleaf.net) for reading a draft of this article and for his suggestions.
About the author
Chuck Connell is president of CHC-3 Consulting and runs the popular Web sites DominoAdministration.com and DominoSecurity.org. Chuck is also SearchDomino.com's security expert.