Topology and Connectivity
This topic explains how Sametime components are connected and the default ports that are used. There are also example topologies to illustrate how Sametime can be deployed in different scenarios. To learn more about which clients are supported by each of the servers, see the topic Sametime Servers.
HCL has published a guide to deploying Sametime in Amazon Elastic Kubernetes Service (EKS), and will be publishing additional case studies for Google Kubernetes Engine (GKE) and on-premise Kubernetes.
Directory Services
Every deployment begins with directory services. LDAP and native Domino directories are supported. When planning your deployment, it is important to understand how users will authenticate. Sametime can be integrated with many other HCL products such as HCL iNotes, Verse, Connections and Digital Experience, so it is recommended to use a common directory across them.
Review the LDAP Planning section for considerations in choosing a directory.
Single Sign On
Sametime Proxy and Meeting servers require Single Sign On. All users are authenticated against the Sametime Community server, which generates the tokens that are shared with the Proxy server. Meeting users then authenticate to the Sametime Proxy server with that token. In the example topologies, the Sametime Meeting server must be able to communicate securely with the Sametime Proxy server for the authentication to complete.
Sametime supports LTPA Single Sign On as well as SAML (Security Assertion Markup Language). With LTPA SSO, the user is authenticated against the Community server, and an LTPA token is then shared with the participating Sametime Proxy and Meeting servers. With SAML, the initial authentication happens at an Identity Provider, which validates the user’s identity with the Community server. An LTPA token is then created and shared among the participating servers. For more information, see Enabling Single Sign-on.
Making Sametime Available Externally
There are several approaches to making Sametime available to your users externally. To support the Sametime mobile chat client or mobile browser clients, you can deploy a Sametime Proxy server. This server is designed to live in the DMZ, but it can also be deployed internally with the required ports opened to the outside.
Meeting servers can be deployed internally or in the DMZ as well. You can use a third party Kubernetes cloud provider, such as Amazon EKS or Google GKE, to deploy Sametime Meetings. HCL will be publishing case studies with guidance on deploying Sametime Meetings on Amazon EKS and Google GKE.
Sametime rich clients, such as the Sametime client for desktop and the Notes embedded client, can connect to a Community Mux deployed in the DMZ.
See Ports used by Sametime for more details on which ports are required to be open on firewalls.
Small Internal Chat Only Deployments
For small internal deployments, it is still recommended to install everything on separate servers in a multiple server configuration. If you do plan on installing everything on a single server, HCL recommends a minimum of 8GB of RAM.
An example of a small deployment includes a single Sametime Community Server, Sametime Proxy server (for mobile and web clients), MongoDB Server and the directory services (LDAP or native Domino).
Figure 1 shows an example of a small internal deployment:
In the above example, “rich clients” are the Sametime client and Sametime embedded client (inside HCL Notes) for desktops. The Sametime Proxy server has a web client that can be used by browsers. Browser clients may include other HCL applications such as HCL Verse and HCL Connections, which have chat and presence integration with Sametime.
The HCL Sametime Proxy server is used to serve mobile clients as well. You can use the mobile client app on your internal Wi-Fi network if devices are able to connect to the Sametime Proxy server. Mobile apps can be used internally; however, be aware that the mobile clients still need access to the Apple (APNS) and Google (FCM) servers for push notifications (notifying the user of new messages). As an additional option, Sametime Proxy supports proxying the notifications if you have a third party proxy to do so.
Small Environments with Internet Access
Figure 2 shows a small chat only environment that includes internet access to the Sametime Proxy server.
In this example you can open port 443 on the firewall to the Sametime Proxy server to support mobile clients on the internet. An additional option is to separate the multiplexer onto its own server to support rich clients on the internet. The Sametime Proxy server can also be placed in a DMZ firewall zone or can be fronted by a load balancer at the firewall.
Medium and Large Environments with Redundancy
In a medium or large deployment you can deploy a cluster of Community servers for redundancy and high capacity. All Community servers in the cluster share a MongoDB server. See the topic on Clustering and High Availability for more information.
For Sametime Premium Meetings, see the Docker and Kubernetes FAQ for more details.
HCL Sametime Premium Environments including Meetings
When you add a Sametime Meeting server to your environment, there are several more ports in use. Sametime Meetings are only supported in Docker or Kubernetes. If you are unfamiliar with these technologies, please see our Docker and Kubernetes FAQ.
Media streams over UDP port 10000 for Docker or UDP port 30000 for Kubernetes. The Meeting server also requires a STUN server if any user is attending from behind a firewall. The Sametime Meeting Server comes with the public Google STUN server configured on UDP port 19302; however, any STUN server can be used. Both clients and the Sametime Meeting server need connectivity to the STUN service. For more information on STUN, see Session Traversal Utilities for NAT (STUN).
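To confirm that the STUN path described above is actually open from a client or the Meeting server, the following added example (not HCL or Sametime code) builds a minimal STUN Binding Request as defined in RFC 5389, sends it to a STUN service on UDP 19302, and decodes the XOR-MAPPED-ADDRESS in the reply, which is the public address and port the STUN server observed. The hostname passed to `probe()` and the sample address used in `build_binding_response()` are assumptions for illustration.

```python
# Added example: STUN Binding Request/Response (RFC 5389) for checking the
# UDP 19302 STUN path that Sametime Meetings relies on. Not HCL code.
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0101, 0x0020

def build_binding_request(txn_id=None):
    """Return (packet, txn_id): 20-byte header with type, length, cookie, txn id."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id, txn_id

def parse_binding_response(data, txn_id):
    """Return the (ip, port) the STUN server saw, or raise ValueError."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txn_id:
        raise ValueError("not a reply to our transaction")  # ignore stray datagrams
    if msg_type != BINDING_SUCCESS:
        raise ValueError("STUN error or unexpected type 0x%04x" % msg_type)
    pos, end = 20, 20 + length
    while pos + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and value[1] == 0x01:  # IPv4 family
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            ip_int = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", ip_int)), port
        pos += 4 + attr_len + (-attr_len % 4)  # attributes are padded to 32 bits
    raise ValueError("no XOR-MAPPED-ADDRESS in response")

def build_binding_response(txn_id, ip, port):
    """Constructed success response so the parser can be exercised offline."""
    ip_int = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16), ip_int)
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr

def probe(host, port=19302, timeout=3.0):
    """Live check: send one Binding Request and report the reflexive (ip, port)."""
    packet, txn_id = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        data, _ = sock.recvfrom(2048)
    return parse_binding_response(data, txn_id)
```

Run `probe()` against your configured STUN host from both a client network and the Meeting server; a timeout on either side indicates the UDP 19302 path is blocked.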
Below are several examples of how to deploy Sametime to include external users.
Figure 3 shows HCL Sametime Premium with Internet access.
If your environment includes a DMZ, you can place the Sametime Meeting Server and Proxy server in the DMZ and open the required ports.
Figure 4 shows HCL Sametime Premium deployed with a DMZ and Internet access.