If you work at a small business and have only one static IP address assigned by your Internet Service Provider (ISP), the static IP is typically attached to your router, which then issues internal IPs to the machines in your local network. But, suppose you want to make some of your internal Domino servers visible to the outside world. The servers might be for your own use when you're out of the office, or for customers to access a Lotus Notes application hosted at your office.
This situation also applies to organizations that own more than one IP address, but have used up all their IP numbers for existing machines. How do you host more externally visible servers than the number of IPs you have?
The standard answer is to set up a virtual private network (VPN), and many routers have this capability built in. The problem with VPNs, however, is that they require more work for the person logging in. Some VPNs require special client-side software; and all require you to issue username/password pairs to each person who connects.
In some cases, the security gains from the VPN are worth this effort. (And, indeed, are the reasons for the effort.) In many cases, though, you want people to connect to your Lotus Domino servers without any special setup on the client side -- other than possessing a valid Notes ID file.
This tip describes how to host more than one Domino server at a single IP address without using a VPN.
A couple points to keep in mind:
- The scheme described here applies to using Domino Server as a Lotus Notes application server, not as a Web browser (HTTP) server. At the end of the article, I include some information about the HTTP case.
- I have tested this configuration with my router (LinkSys RV082), but the networking features described are standard on many routers in all price ranges.
Perform the following on each server that you want to expose to outside Lotus Notes connections:
- Stop the Domino server process by typing EXIT at the Domino console. Do not shut down the operating system, just Lotus Domino.
- Make sure the Lotus Domino server has a static internal IP address assigned by the router. Many offices are set up this way by default. If the Domino server has a dynamic IP address instead, change it to static by associating the server's physical (MAC) address with an internal IP address.
You can get the physical address in Windows by typing "ipconfig /all" at a DOS command prompt. In the router, go to DHCP / Static IP, and enter the physical-to-IP pair. Use a static IP address that is within the router's allowed range and is not within the dynamically assigned range.
- If you changed the server's IP address from dynamic to static, renew the IP lease on the server to pick up the new address. Do this in Windows by typing "ipconfig /renew" at the DOS prompt. The reply should confirm the static IP you assigned.
- Set up port forwarding in the router, so that an unused TCP port points to this server. The configuration is usually under Setup -> Forwarding. Define a "named service" for the server and port, such as SalesServer for TCP ports 13520 to 13520. Now assign this service to the internal static IP for the server.
A finished example is: SalesServer (TCP/13520~13520)10.63.159.131. (For subsequent servers, create different service names and TCP ports, such as MailServer=13521, Sales2=13522, etc.)
- Edit NOTES.INI on the server, so Domino talks the Notes RPC protocol on the new port. Do this by adding the line "<port-name>_TCPIPAddress=0,<server-ip-address>:port-number". The name of the port is usually TCP or TCPIP, which you can find by looking at the Ports= line in the same INI file. An example is: TCPIP_TCPIPAddress=0,10.63.159.131:13520.
- Restart the Domino server process. Check the TCP/IP addressing by typing "show port <port-name>" at the server console. Lotus Domino will confirm the IP address and port number.
- Modify the server's connection document on the Lotus Notes clients to use your company's public IP address (or DNS name) and server port number. The public IP address (or name) points to the router, which will redirect traffic to the proper Domino server, based on TCP port number. An example is: names.nsf (the personal NAB) -> Advanced -> Connections -> SalesServer/Acme -> Advanced -> Destination Server Address = 126.96.36.199:13520.
- Test the whole configuration by using Lotus Notes to connect to this Domino server. You may have to restart Lotus Notes, since it caches information about previous connections and tries to reuse them.
Some readers are probably screaming right now about how insecure this configuration is, since anyone in the world can see the Domino server and attempt to connect to it.
My response is twofold:
If the data on the Domino server is extremely sensitive, you might want to consider a layered approach, such as VPN or smart cards to gain access to the network. But a properly set up Domino server and Lotus Notes application is very secure in itself. To break in, an attacker needs a valid Notes ID file, issued by the same organization that signed the server's ID. This is tough to fake. I trust a well-designed Notes/Domino server on the public Internet much more than I trust most bank computers on the Internet.
Some additional notes that may be helpful:
- I suspect that this whole scheme will work if your ISP dynamically (rather than statically) assigns your company's IP address. While I have not tested this, you may be able to use a service such as Dynamic DNS from EasyDNS, to provide a named pointer to your changing company IP number.
- It is probably not possible to use this scheme when Lotus Domino is a public Web (HTTP) server. Web users expect all Web servers to listen on port 80 for HTTP traffic, so you would confuse them by changing this port.
- It may be possible to use this scheme for Domino intranet Web servers, although I have not tested it. In this case, you can control the bookmark on users' desktops, so you can modify the HTTP port. Such a link would look like: http://sales.acme.com:13520.
If you try this, be aware that Domino's configuration of the HTTP port is set in a different place than its Lotus Notes port. See names.nsf -> Configuration -> Servers -> All Server Documents -> <server-name> -> Ports -> Internet Ports. If you get this working, please write and let me know.
- This scheme will probably not work with partitioned Domino servers, since those servers are already using port mapping.
For more information see Domino Administration Help -> Index -> Ports -> TCP, and your router's documentation.
About the author: Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Lotus Notes and Domino..
This tip is very good! I've been searching for this answer for a long time. I should only add that for HTTP servers, you can also host multiple Domino servers, (serving HTTP files) using only one static IP address.
Do you have comments on this tip? Let us know.
Please let others know how useful this tip is via the rating scale below. Do you have a useful Lotus Notes, Domino, Workplace or WebSphere tip or code snippet to share? Submit it to our tip contest and you could win a prize.