Direct connection
Use either the virtual private network or the reverse proxy solution to ensure the best overall security. However, it is also possible to use SSL from the mobile device to connect directly to the HCL Traveler server or HA pool of servers inside the DMZ.
When using this configuration, take steps to ensure that the HCL Domino® server has been secured and does not contain unnecessary data. For example, it is not recommended to host user mail files on the HCL Domino® server in this configuration. Consider installing this HCL Domino® server in a Domino® domain different from your production mail domain. A separate domain has the advantage that no personal records for users are present in the local names.nsf; directory assistance is instead configured to remotely access the actual directory inside the production domain. For more information, see Supporting multiple HCL Domino domains.
The first diagram shows a direct connection to a standalone HCL Traveler server within this topology.
The second diagram shows a direct connection to an HA pool of HCL Traveler servers. In this case, the IP sprayer and the HCL Traveler servers are in the DMZ and the DB Server and Mail servers are in the trusted domain.
The HCL Traveler server sits inside your DMZ and should not contain any user mail files. You must open port 443 on the Internet-facing firewall to the HCL Traveler server for data syncing. Then, on the intranet firewall, you must open Notes® RPC port 1352 to each HCL Domino® mail server that contains user mail files. For an HA pool, on the intranet firewall, also open the JDBC port for the database server that contains the HCL Traveler data. The port depends on the database server used and its configuration (for example, port 50000 for the JDBC connection to a DB2® Server instance).
The third diagram shows the network topology with the authentication proxy also providing the ability to spray the mobile requests to the HA pool of HCL Traveler servers.
This configuration is shown using only HTTPS (SSL) connections between the device and the HCL Traveler server. While it is technically possible to connect the device to the server using HTTP (port 80), do not use HTTP.
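The firewall openings described above (443 inbound to HCL Traveler, 1352 to each mail server, the JDBC port to the database server, and no port 80) can be checked against an exported rule list. The following is an added example, not part of the HCL documentation; the addresses, the rule tuple format and the function names are assumptions, and the rules are constructed sample data.

```python
from ipaddress import ip_network

# Constructed sample addressing (assumptions, not from the HCL documentation).
TRAVELER = {"192.0.2.10", "192.0.2.11"}  # HA pool members in the DMZ
MAIL = {"10.0.1.20", "10.0.1.21"}        # Domino mail servers holding mail files
DB = {"10.0.2.30"}                       # Traveler database server (HA pool only)
DB_PORT = 50000                          # the page's DB2 example; varies by database

def required_flows():
    """Every flow the topology needs, as (firewall, src, dst, port)."""
    flows = {("internet", "any", t, 443) for t in TRAVELER}
    for t in TRAVELER:
        flows |= {("intranet", t, m, 1352) for m in MAIL}
        flows |= {("intranet", t, d, DB_PORT) for d in DB}
    return flows

def single_host(cidr):
    """Return the address if cidr names exactly one host, else None ("any" = 0.0.0.0/0)."""
    net = ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)
    return str(net.network_address) if net.num_addresses == 1 else None

def audit(rules):
    """Return (rules allowing more than required, required flows not covered)."""
    required, covered, excess = required_flows(), set(), []
    for fw, src, dst, first, last in rules:
        # Internet-side source is not evaluated: devices come from any address.
        s = "any" if fw == "internet" else single_host(src)
        flow = (fw, s, single_host(dst), first)
        if first == last and flow in required:
            covered.add(flow)
        else:
            excess.append((fw, src, dst, first, last))
    return excess, sorted(required - covered)

SAMPLE_RULES = [  # constructed: (firewall, src, dst, first_port, last_port)
    ("internet", "any", "192.0.2.10", 443, 443),
    ("internet", "any", "192.0.2.11", 443, 443),
    ("internet", "any", "192.0.2.10", 80, 80),              # HTTP to Traveler
    ("intranet", "192.0.2.10", "10.0.1.20", 1352, 1352),
    ("intranet", "192.0.2.10", "10.0.1.21", 1352, 1352),
    ("intranet", "192.0.2.11", "10.0.1.20", 1352, 1352),
    ("intranet", "192.0.2.0/24", "10.0.1.21", 1352, 1352),  # whole DMZ as source
    ("intranet", "192.0.2.10", "10.0.2.30", 50000, 50000),
    ("intranet", "192.0.2.11", "10.0.2.30", 50000, 50000),
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

For a standalone HCL Traveler server, set `DB` to an empty set so that no JDBC flow is expected on the intranet firewall.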