Lotus® Foundations Start Version 1 Release 2
Administering IBM Lotus Foundations Start


Post on 18-Aug-2020


Note: Before using this information and the product it supports, read the information in “Notices” on page 193.

This edition applies to version 1, release 2 of IBM Lotus Foundations (product number 5724-V16) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2009, 2010. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

What's new in IBM Lotus Foundations Start 1.2?

Introducing IBM Lotus Foundations Start

Getting to know WebConfig
  Secure WebConfig
  System status window
  Notices list
  System status details
  Software activation keys and user licenses
    Licensing requirements
    Software activation keys
    License information
  Software update
    Switching languages

Installing IBM Lotus Foundations Start 1.2
  Changing the IBM Lotus Foundations server hostname and domain name
  IBM Lotus Foundations Start installation
  Execution control list (ECL) alerts

User and team management
  Service integration
  Creating, editing, and deleting user accounts
  Accessing user's external (POP) email accounts
  Creating, editing, and deleting team accounts
  Password policy
  Disk quotas
    Setting default disk quota values
    Setting individual user disk quotas
    Quota limit

Disk management
  Hard disk failure
  Installing a new hard disk drive
  Disk configuration (RAID and idb)
  Converting an idb disk to a RAID disk
  Disk status messages

IBM Lotus Foundations Rescue
  Intelligent disk backup (idb)
  Configuring idb
  idb backup
  idb restoration
  Multi disk idb and hot swap

Internet connectivity
  Configuring IBM Lotus Foundations network settings
    Connecting an external dial up modem for an IBM Lotus Foundations Appliance
    Configuring general network settings
    Configuring advanced DHCP settings
    Configuring advanced network settings
    Network devices
    Network routes
    Network configuration scenarios
    Configuring your Internet connection
  DoubleVision
    What DoubleVision offers
    Modem connections
    How Internet failover and DoubleVision work
  Fast/Port Forward
    Fast/Port Forward and TCP/IP
    Proxy servers
    Configuring Fast/Port Forward
    Forwarding scenarios
    Multiple static IP addresses
    Common port numbers
    Troubleshooting Fast/Port Forward
  Firewall services
    Traffic denied inbound
    Traffic permitted inbound
    Traffic permitted outbound
    Firewall log

IBM Lotus Foundations scalable services
  IBM Lotus Foundations scalable services terminology
  Features of IBM Lotus Foundations scalable services
  IBM Lotus Foundations scalable services regions
  Setting up a scalable services region
  IBM Lotus Foundations scalable services frequently asked questions

Remote access networking
  Virtual private networks
    Private networks
    Virtual private networks and TunnelVision
    VPN network topologies
    Creating a VPN (server to server)
    The idle timeout
    TunnelVision
    IPsec
  Remote access services
    PPTP: client to server VPN service
    Dial in service
    Terminating a connection from WebConfig
  Workstation viewer
    Accessing the workstation viewer
    Virtual network computing (VNC)
    Configuring VNC


File services
  Configuring file services
  Active server connections
  Access control lists
  Setting permissions in Windows
  Windows NT domain services
    Configuring IBM Lotus Foundations domain settings
    What is a domain controller?
    Configuring the domain controller
    What is a Windows NT domain member?
    Configuring the domain member
    Connecting the Active Directory member
    Verifying server connectivity
    Monitoring machine accounts
    Importing domain users and groups
    File mounting/drive mapping
    Joining Windows systems to a domain
    Logon scripts
    Automated drive mapping
    Workstation administrative rights
  Network file system

Domain Name Service
  How the DNS system works
  DNS services
  Configuring Public DNS
  Dynamic DNS
  Manually creating DNS entries

Server applications and extensions
  MySQL server
    Setting up Windows for MySQL Access
    What is a dynamic Web site?

Email services
  Features handled by IBM Lotus Domino
  Email DNS configuration
  Email client configuration
  Email logging
  Using Lotus Domino email clients

File Transfer Protocol (FTP) services
  Enabling the FTP server
  Enabling FTP access for a specific team or user
  User versus team FTP access
  Anonymous FTP server

rsync
  Enabling rsync
  rsync from a Telnet session

Print service
  IBM Lotus Foundations print services
  Configuring local print services
  Configuring your workstation
  Configuring network printers
  Other network printing
  Creating an aliased printer queue

Web services
  Web server
  Master Web server
  Lotus Domino integration
  Virtual Web servers
  Hosting multiple Web sites
  Secure Web services
  SSL certificate
  Web caching

Web filtering
  Enabling the Web filter
  Exempting workstations from filtering
  Exempting ports from filtering
  Adding permitted Web sites
  Adding denied Web sites
  Accepting access requests
  Denying access requests
  List management
  Email reporting

Hardware components reporting

Log messages
  Accessing log messages
  Customizing message display
  Firewall log information

Anti spam

Virus scanner
  Configuring the file virus scanner
  Configuring the email virus scanner

IBM Lotus Foundations Start performance optimization
  Minimum hardware requirements
  Quick reference and hardware sizing guide
  Email protocol choices affecting server performance
  Other services running on the IBM Lotus Foundations server
  Backup scheduling
  Future capacity planning

Glossary

Notices
  Trademarks


What's new in IBM Lotus Foundations Start 1.2?

The following information describes new features for this release of IBM® Lotus Foundations™ Start.

Deployment enhancements

Enhancements to deployment include:
• The ability to directly download IBM Lotus Foundations add-ons to the server
• Additional installation instructions and support for Lotus Notes® and Lotus® Symphony™ Linux® and Mac clients
• Lotus iNotes® support for Apple iPhone
• Email logging to assist in satisfying regulatory requirements.
• Availability of anti-virus and anti-spam features in a trial mode for 30 days from time of purchase. (After that time, the purchase of an additional license is needed in order to continue usage.)

Intelligent disk backup (idb) enhancements

Enhanced idb features include:
• Support for external multi-disk idb
• Automation of user email restoration from idb2

New versions of software

• Lotus Domino® 8.5.1
• Lotus Notes 8.5.1
• Lotus Symphony 1.3

Leverages Lotus Domino 8.5.1 features

Lotus Domino 8.5.1 features include:
• The ability to reduce email disk space requirements using the Lotus Domino Attachment and Object Service (DAOS)
• A consistent user experience for mobile users by enabling Domino's roaming user functionality.
• Supporting the Lotus Domino Web Server, which provides an integrated Web application server that can host Web sites and Lotus Notes applications internally and externally.
• TeamRooms that are automatically created for IBM Lotus Foundations teams to simplify team collaboration.

User interface enhancements

New user interface enhancements include:
• A new installation progress indicator


New add-ons available for IBM Lotus Foundations Start

The following IBM Lotus Foundations Start add-ons are separately purchased products.

IBM Tivoli® Continuous Data Protection for Files 3.1.6 for Lotus Foundations Start provides data protection for users' Windows® workstations, laptops, and file servers. This add-on offers transparent, real-time replication and traditional backup services, and can operate independently of Tivoli Storage Manager. Files can be replicated to both the local disk and a remote target. In situations where network connectivity is temporarily unavailable, files are queued up and replication is resumed once the remote target is available, thus providing continuous data protection, while maintaining the ease of use and administration IBM Lotus Foundations Start offers. Includes easy single-click installation to user workstations, ability to pre-configure backup options for users, and uses IBM Lotus Foundations idb capabilities to do an additional backup of data (which can be restored in case of disk failure). For more information, see the IBM Tivoli Continuous Data Protection for Files 3.1.6 for Lotus Foundations Start add-on.

IBM Lotus Foundations Rescue is a disaster recovery solution designed for IBM Lotus Foundations Start. It features advanced Intelligent Disk Backup (idb) features and a remote server for storing backup files. Vaulting is the process of sending backup data off-site, where it can be protected from hardware failures, theft, and other threats. IBM Lotus Foundations Rescue online data backup feature ensures that your business data can be securely restored and recovered at any time and from any location. To use IBM Lotus Foundations Rescue, you need at least one IBM Lotus Foundations Start server and one IBM Lotus Foundations Rescue server. For more information, see the IBM Lotus Foundations Rescue Server.

IBM Lotus Foundations Reach provides secure company-wide instant messaging, voice over IP (VoIP) and video chat capabilities. These features facilitate quick and easy real time communication between employees regardless of their physical location, while also reducing the business' telecommunication costs. For more information, see the IBM Lotus Foundations Reach add-on.


Introducing IBM Lotus Foundations Start

This guide is intended for administrators and provides information on the advanced configuration and ongoing administration of IBM Lotus Foundations.


Getting to know WebConfig

IBM Lotus Foundations administrators use WebConfig to assign required and optional settings for the environment. Administrators access WebConfig through an Internet browser connected to the local network. This section provides user guidance for WebConfig.

For instructions about how to access WebConfig, see the Step 2: Create an administrator account section in IBM Lotus Foundations Start Getting Started.

Secure WebConfig

The IBM Lotus Foundations WebConfig console uses 128 bit encryption to protect administrator information and passwords. Most recent versions of Web browsers contain built-in support for this encryption. IBM Lotus Foundations WebConfig supports these Web browsers:
• Microsoft Internet Explorer 6 and any later versions.
• Mozilla Firefox 1.0.5 and any later versions.

If the browser fails to support 128 bit encryption, WebConfig is unreachable.

Other Web browsers that might work but are not explicitly supported are:
• Opera
• Apple Safari
• Netscape Navigator

Figure 1. The main screen of WebConfig


System status window

The system status window displays the status of the services running on IBM Lotus Foundations. The WebConfig menu accesses and configures various IBM Lotus Foundations subsystems.

Table 1. Features of the system status window

| Item | Description |
| --- | --- |
| Central processing unit (CPU) Utilization | Displays the system's processor usage in numeric form and as a bar graph. During intensive operations (such as backups or heavy file transfers), the processor usage bar might show 100%. This is normal. 100% usage simply means that the processor is being fully utilized and does not necessarily mean that your IBM Lotus Foundations server is being overloaded or that performance suffers. However, if the processor usage is constantly at 100%, and you experience service slow-downs, you might want to contact support for a services review. |
| Ethernet 0, Ethernet 1, and Ethernet 2 | Displays the speed of data transfer through Ethernet port 0, port 1, and port 2 measured in kbps or Mbps. The bar graph displays the speed as a percentage of the highest transfer rate recorded since the last power-up. |
| Point-to-point protocol (PPP) Link | Displays the speed of data transfer through the digital subscriber line (DSL) point-to-point protocol over Ethernet (PPPoE) or dial-up Internet connection (measured in kbps). The bar graph displays the speed as a percentage of the maximum measured speed. |
| Disk Load | Displays the amount of data being transferred to and from the hard disk (measured in kbps or Mbps). The bar graph displays the amount as a percentage of the highest amount recorded since the last power-up. |
| Disk Space Used | Displays how full your server hard disk drive is by displaying the usage and capacity of the drive. |
| System Status Details button | Displays system status resource information in a graphical representation, on a variable time basis, for example, half hour, one month, or one year. The information also includes graphs for physical memory and virtual storage. |
| Internet Status | Displays the status of your Internet connection(s). A green check mark displays when an Internet connection is configured correctly. The default route used to transfer data to destinations on the Internet is also displayed. If a modem is configured, clicking dial modem initiates a connection to the Internet. The administrator can select to terminate the connection using this window. |
| Firewall | Displays the status of the firewall as enabled/disabled. |
| TunnelVision | Displays the status of all TunnelVision connections. |
| IPsec Connections | Displays the status of all IPsec connections. |
| Point-to-point tunneling protocol (PPTP) Connections | Displays the status of all PPTP connections and provides an option to disconnect active connections. |
| SoftUpdate | Displays the status of the subsystem that automatically checks for available software updates. When the subsystem is active and retrieving a list of available software updates, the status light is green. When the subsystem is operational but idle, the status light is gray. A red status light indicates a problem with the subsystem and is typically an inability to access the distribution server. See “Log messages” on page 171 for more information about download errors. |
| Disk Status | Displays the status of your disk configuration, provides disk reconfiguration options, displays the status of a rebuilding redundant array of inexpensive disks (RAID) array, and displays intelligent disk backup (idb) drive hot swap status. |
| Local Backup Status | Displays the status of the idb backup disk. It displays how much of the idb disk space is currently available for backups and when the next backup is scheduled. |
| Quota Status | Displays if there are any users over their quota limit. See “Setting individual user disk quotas” on page 29 for more information. |
| Scalable Services Status | Displays the status of the Scalable Services Structure. |
| IBM Lotus Foundations Start | This row displays after IBM Lotus Foundations Start is installed and displays the status of IBM Lotus Foundations Start. IBM Lotus Domino specific information is displayed, such as the status of the Lotus Domino server's listener and the status of the Nitix Domino Connector (NDC) support services (next and last backup time and the next and last database compression time). |
| User Authentication Method | Displays the method of authentication currently enabled. It displays "Using normal password authentication" if IBM Lotus Foundations is a domain controller or a non-domain system. It displays "Using the 'domain name' Windows domain" if IBM Lotus Foundations is a domain member. It also displays the number of IBM Lotus Foundations user licenses available for use. |
| Lotus iNotes | When IBM Lotus Foundations Start is installed, the URL for IBM Lotus iNotes is displayed. |
| Virus Definition Updates | If the virus scanner is licensed and if the file virus scanner and/or email virus scanner are enabled, it displays when the virus definitions were last updated, how many viruses you are protected against, and links to a report on how many viruses were detected since the last reboot. |
| File Virus Scanner | If the virus scanner is licensed and file virus scanner is enabled, it displays: • How many files were scanned • How many viruses were found during the last scan after the scan completes • How many viruses you are protected against • When the next virus definitions update occurs |
| Mail Virus Scanner | If the virus scanner is licensed and the mail virus scanner enabled, it displays when the definitions were last updated and how many virulent emails have been identified since system startup. |
| Spam Scanner | Displays whether there is a valid spam scanner license, and the last reported definitions update. It also displays the number of definite and probable spam documents that have been detected since system startup. |
| Printing Service | Displays the status of printing services. |
| MySQL Server | Displays the status of MySQL services. The number of sessions displayed represents the number of active users currently connected to IBM Lotus Foundations and using MySQL database services. The processor usage bar graph indicates how much processor time is being used by this service. The status is a gray box if the service is disabled, a green check mark if the service is operational, a yellow warning symbol if the service is used heavily, and a red x when there is a problem with the service. |
| WWW Server | Displays the status of Web publishing services. The number of sessions displayed represents the number of active Web sessions currently open. The processor usage bar graph indicates how much processor time is being used by this service. The status is a gray box if the service is disabled, a green check mark if the service is operational, a yellow warning symbol if the service is used heavily, and a red x when there is a problem with the service. |
| Secure WWW Server | Displays the status of the secure Web server. The number of sessions displayed represents the number of active secure Web sessions currently open. The processor usage bar graph indicates how much processor time is being used by this service. The status is a gray box if the service is disabled, a green check mark if the service is operational, a yellow warning symbol if the service is used heavily, and a red x when there is a problem with the service. |
| DNS Server | Displays the status of the DNS server. |
| Windows File Server | Clients that are not Windows or Windows NT can connect to this service. The number of sessions displayed represents the number of active users currently connected to IBM Lotus Foundations and using the Windows file services. The processor usage bar graph indicates how much processor time is being used by this service. The status is a gray box if the service is disabled, a green check mark if the service is operational, a yellow warning symbol if the service is used heavily, and a red x when there is a problem with the service. |
| Apple File Server | Displays the status of file services for Apple Macintosh clients. The number of sessions displayed represents the number of users currently connected to IBM Lotus Foundations and using Apple file services. The processor usage bar graph indicates how much processor time is being used by this service. The status is a gray box if the service is disabled, a green check mark if the service is operational, a yellow warning symbol if the service is used heavily, and a red x when there is a problem with the service. |
| Network file system (NFS) File Server | Displays the status of the NFS file server for UNIX® and similar systems. The number of sessions displayed represents the number of active users currently connected to IBM Lotus Foundations and using NFS file services. The processor usage bar graph indicates how much processor time is being used by this service. The status is a gray box if the service is disabled, a green check mark if the service is operational, a yellow warning symbol if the service is used heavily, and a red x when there is a problem with the service. |
| File transfer protocol (FTP) Server | Displays the status of FTP services. The number of sessions displayed represents the number of active FTP connections currently in progress. The processor usage bar graph indicates how much processor time is being used by this service. The status is a gray box if the service is disabled, a green check mark if the service is operational, a yellow warning symbol if the service is used heavily, and a red x when there is a problem with the service. |
| Simple mail transfer protocol (SMTP) Server | Displays the status of SMTP services. The number of sessions displayed represents the number of SMTP connections to the server. The processor usage bar graph indicates how much processor time is being used by this service. The status is a gray box if the service is disabled, a green check mark if the service is operational, a yellow warning symbol if the service is used heavily, and a red x when there is a problem with the service. |
| Mail Queue Status | Displays the number of remote email messages in the email queue. |
| Internet message access protocol (IMAP) Mail Server and post office protocol (POP) Mail Server | Displays the status of servers responsible for delivery of email messages from IMAP and POP mailboxes. The number of sessions displayed represents the number of users currently downloading email messages from their IMAP or POP3 mailboxes. The status is a gray box if the service is disabled, a green check mark if the service is operational, a yellow warning symbol if the service is used heavily, and a red x when there is a problem with the service. |
| Lightweight directory access protocol (LDAP) Directory Server | Displays the status of the LDAP server, which is used to publish user names and email addresses into the internal directory. The number of sessions shows how many users are connected. The status is a gray box if the service is disabled, a green check mark if the service is operational, a yellow warning symbol if the service is used heavily, and a red x when there is a problem with the service. The processor usage bar graph indicates how much processor time is being used by this service. |
| Reboot button | Click this button to reboot the IBM Lotus Foundations server. |
| Shutdown button | Click this button to correctly shut down the IBM Lotus Foundations server. Failure to click the Shutdown button means that your RAID array must rebuild. See “Disk status messages” on page 36 for more information. |
| *Others | Other items might be displayed on the system status window depending on the addition of any optional software modules. |

Notices list

In most cases, when you change a service option in WebConfig and click Save Changes, IBM Lotus Foundations displays a list of major actions that are happening in the background at the top of that sub-service window. Failure notices are also displayed in the Notices list.

System status details

The System Status Details page is a history of critical system information that has been stored by IBM Lotus Foundations and can be viewed using an array of graphs. These graphs represent the usage of processor load, memory usage, Ethernet traffic, and more.

Historical system status graphs

In addition to the real-time status indicators on the system status page, a button located under these bars opens a page that displays historical graphs of system status.
1. Click Status in the left menu of WebConfig.
2. Underneath the system status, click System Status Details to navigate to the historical graphs.
3. On this page is a number of graphs for various resources on the server.

These graphs incorporate a graphical representation of server usage. The system status history graphs include not only the average resource usage over various time periods but also the minimum and maximum resource usages experienced during these periods. The average resource usage is displayed as a brightly-colored line against a background of progressively darker colors that show the variance of resource usage over various time periods.

The most important aspect of the status history graphs is that it is evident on all the graphs for all time periods when there is a high variance for the resource usage because the shaded backgrounds corresponding to the ranges of measurements are wider. If these backgrounds are narrow, the system does not experience much variation in the resource usage at all.

Software activation keys and user licenses

User licenses help individuals within a company to legally use the IBM Lotus Foundations platform. When you purchase an IBM Lotus Foundations user license, you are purchasing the rights for a user to use the software.

Licensing requirements

IBM Lotus Foundations uses a "Per User" and a "Per Server" licensing model. Any number of individuals can connect to the IBM Lotus Foundations server; however, you must purchase an IBM Lotus Foundations User License for each individual, or "user account," where access to IBM Lotus Foundations services, such as email, file, print, MySQL, and FTP services is needed. A server license is required for every IBM Lotus Foundations server deployed.

IBM Lotus Foundations user licenses are not required for team accounts without apassword. Team members can still access team data/services using their personaluser account passwords. If you choose to assign a password to a team, this countstowards your total user license usage.

A user license is required for every user who accesses IBM Lotus FoundationsStart; however, one additional free IBM Lotus Foundations user license is allocatedfor a IBM Lotus Foundations administrator. Any user or team assigned a passworduses up a client access license (CAL). If you are over your license usage, you cansafely remove a password from a user or team without deleting the user or teamdata. In the case of a user, this disables the user in WebConfig and removes serveraccess, but their data remain intacts. Removal of a user's password disables theuser and reduces the CAL usage accordingly.

IBM Lotus Foundations Start software is provided with a 30 day trial period.Activation keys need to be entered within that 30 day period to ensure that theproduct is available for continuous usage.

Software activation keys

By default, IBM Lotus Foundations comes configured in a 30-day trial mode. To activate the features and licenses that you have purchased, you must enter a software activation key.

When you purchase IBM Lotus Foundations software, a software activation key is provided.

An Internet connection is required for activating the IBM Lotus Foundations software license. Ensure that an Internet connection is established when attempting to install the software.

Entering or updating your software activation key

Follow these steps to enter a new key or replace an existing activation key with a new one:
1. Log in to WebConfig with an administrator account.
2. Click Software Update in the left menu of WebConfig.
3. Click the Edit action button in the Foundations Registration section. The Activation Key field is displayed.
4. Enter the new activation key.
5. Click Save Changes.


License information

To see how many IBM Lotus Foundations users are licensed for the system and how many licenses are currently being used, follow these steps:
1. Log in to WebConfig with your administrator user name and password.
2. Select Software Update in the left menu of WebConfig.
3. Click the Licenses tab.
4. The bottom of the License Information section lists the number of users licensed and the number of licenses available.

Figure 2. Editing the activation key in the WebConfig console


Additionally, the User Authentication Method line on the main System Status screen displays how many IBM Lotus Foundations users have licenses for the system and how many are currently being used.

If you exceed your licensed number of IBM Lotus Foundations Start users, a Notices box is displayed at the top of each page in the WebConfig console. To purchase additional IBM Lotus Foundations Start licenses, contact your authorized reselling partner.

Software update

Periodically, IBM Lotus Foundations contacts distribution servers through its internet connection and requests an updated list of available software releases. A list of available software releases is found on the Software Update page.

Note: If you are running IBM Lotus Foundations from a CD or DVD, you must configure your disks from the WebConfig menu, shut down the system, remove the IBM Lotus Foundations CD and restart the system before Software Update can work. For more information about configuring the hard disks, see “Disk management” on page 31.

It is best to upgrade the software after-hours because rebooting disconnects all users and causes all services to stop functioning until the server has restarted.

Figure 3. Licenses screen in the WebConfig console


For instructions on how to upgrade IBM Lotus Foundations, see IBM Lotus Foundations Start Migration: version 1.0 or 1.1 to 1.2.

Switching languages

IBM Lotus Foundations currently enables you to view WebConfig in various different languages. To switch between languages, follow these steps:
1. Click Software Update in the left menu of WebConfig.
2. In the Software Updates tab, locate the section titled Language Selection.
3. Select the target default language in the Default Language drop-down box.
4. Click the save icon to save the change.

To add language packs or change the language for the Lotus Domino server and the Lotus Notes client, see IBM Lotus Foundations Start Getting Started.


Installing IBM Lotus Foundations Start 1.2

IBM Lotus Foundations Start provides the email and collaboration features using IBM Lotus Domino. It does not include bundled packages normally included in other Lotus Domino packages, such as IBM WebSphere® Application Server, IBM WebSphere Portal Server, IBM Tivoli Directory Integrator, or IBM DB2® Enterprise Edition packages.

Before you start the IBM Lotus Foundations Start installation:
• Ensure that you have an administrator account on the server named root. If the account root is not present on the system, the IBM Lotus Foundations installation does not work correctly.
• Ensure that you have set up the correct host name and domain name for the server. They cannot be changed after the installation of IBM Lotus Foundations Start. To change these names, see “Changing the IBM Lotus Foundations server host name and domain name.”

Changing the IBM Lotus Foundations server host name and domain name

IBM Lotus Foundations automatically assigns a random host name to the IBM Lotus Foundations server during the first start-up. Host names should be unique because they are used to distinguish your server from others on the local network and are used by local users to identify IBM Lotus Foundations file and print-sharing resources. In addition, the host name with the domain name forms a unique Internet name under which the IBM Lotus Foundations server and its Web, FTP, and email services are addressed on the Internet.

If you want to rename your server, follow these steps:
1. Log in to the WebConfig console and select Local Network in the left menu of WebConfig.
2. Edit the Host Name and Internet Domain Name fields accordingly. The host name must be unique and must contain only numbers and letters.
3. Click Save Changes.

After you have installed IBM Lotus Foundations Start, the host name and domain name are no longer modifiable.

IBM Lotus Foundations Start installation

Refer to the Step 5: Install the IBM Lotus Foundations Start add-on section in Getting Started with IBM Lotus Foundations Start for installation instructions.

Execution control list (ECL) alerts

IBM Lotus Foundations Start is configured with a policy that has IBM Lotus Notes clients connect to the IBM Lotus Domino server and refresh the users' execution control list (ECL) settings when it is installed. Permissions are determined based on the signature of the server or individual who authorized, or signed, the formula or script.


In IBM Lotus Foundations Start, administrators of the IBM Lotus Foundations server receive an email after installation that includes a link to the AppStart setup application that enables them to add the IBM Lotus Foundations Start server and any system administrators to the authorized signature list. It is important for the administrator to set up the server ECL because any future AppStart applications that are installed are signed using the IBM Lotus Foundations Start ID. On new Lotus Notes client installations, the first refresh happens automatically. Any future updates are received on subsequent connections to the server. Run the AppStart setup before the installation of the Lotus Notes clients. By setting up the ECL, users are not prompted for permission to start those items that have been installed or authorized by an IBM Lotus Foundations server administrator.

Modifying the ECL list

Immediately after installing IBM Lotus Foundations Start, the administrators on the server receive an email providing a Lotus Notes link to the IBM Lotus Foundations AppStart administrator's page. This page contains a link to instructions for modifying and adding administrators as trusted senders of Lotus Domino related actions. By adding these administrators, users do not have to accept these warnings, as they are authorized automatically by the Lotus Notes client.

Recognizing and accepting ECL alerts

For any existing sites that have Lotus Notes clients installed, you might encounter the circumstance where users have to accept the security alert at least once.

If the application is signed by a known administrator on the server, select Start Trusting the signer.


User and team management

Service integration

User and team management is integrated with a number of other IBM Lotus Foundations services. It is important that you understand how user and team management relates to these other functions before creating, editing, and deleting users and teams. Read the following section carefully.

IBM Lotus Foundations email, file, Web, and FTP services are tightly integrated. Every user and team account that is created has instant and automatic access to all these services. When a user is created, a number of things happen in the background:
• A login account is created and the password defined by the administrator is assigned to that account.
• A personal user directory is created on the server. This directory is accessible in Windows' Network Neighborhood or on Macintosh's AppleShare drive. If NFS is enabled, UNIX and similar systems can use the path /export/home/USERNAME to access this directory. For example, the path for someone with the user name janedoe would be /export/home/janedoe.
• A WWW directory is created. If the user wants a Web site published on the user's personal Web page, the index.php in the WWW directory needs to be replaced with standard HTML files (for example, index.html or index.php files). The WWW directory can also be used as a simple HTML file share repository if the index.php file is deleted from that directory. This results in an HTML file listing when accessing the user's personal Web share.
• An FTP account (which points directly to the user's personal directory) is created for the user. If the user logs in to the FTP server using the proper user name and password, they can access the files in their personal directory.
  Note: FTP services must be enabled on the server, and the user must explicitly be granted FTP access. See “File Transfer Protocol (FTP) services” on page 147 for more information.
• An email account is created for the user. Email is available through either POP3, IMAP, or the Lotus Domino email protocol.
• A MySQL account is created; on the file system it is stored in /home/USERNAME/mysql. Refer to “MySQL server” on page 127 for more information.

Similarly, when a team is created, a number of things happen in the background:
• A team login account is created and the password defined by the administrator is assigned to that account. The default configuration is to have no password. Remember, assigning a password to a team takes up one user license.
• A team directory is created. This directory is accessible to all team members in Windows' Network Neighborhood or on Macintosh's AppleShare drive. If NFS is enabled, UNIX and similar systems can use the path /export/home/TEAMNAME to access this directory. For example, the path for a team named sales would be /export/home/sales.

• A WWW directory is created. If the team wants a Web site published on the team's personal Web page, the index.php in the WWW directory needs to be replaced with standard HTML files (for example, index.html or index.php files). The WWW directory can also be used as a simple HTML file share repository if the index.php file is deleted from that directory. This results in an HTML file listing when accessing the team's personal Web share.

• An FTP account (which points directly to the team directory) is created for the team. If a team member logs in to the FTP server using the proper team name and password, they can access the files in the team directory.
• An email distribution account is created for members of the team. Team email can be accessed through either POP3 or IMAP mailboxes. Email received by the team email account can be set to be automatically forwarded to all members of the team.
• A MySQL account is created; on the file system it is stored in /home/TEAMNAME/mysql. Refer to “MySQL server” on page 127 for more information.
• A Lotus Domino TeamRoom is created. Refer to “Lotus Domino TeamRooms” on page 26 for more information.

Note: All IBM Lotus Foundations user and team accounts with a password require an IBM Lotus Foundations user license. IBM Lotus Foundations user licenses are not required for team accounts without a password; team members can still access team data/services using their personal user account passwords. Users who do not need to access IBM Lotus Foundations services (such as email, file, print, MySQL, and FTP services) do not require a user license. One additional free IBM Lotus Foundations user license is allocated for an IBM Lotus Foundations administrator. See “Software activation keys and user licenses” on page 11 for more information.

Creating, editing, and deleting user accounts

Browsing users

Users are listed in the Users section of the WebConfig console. You can search for users and teams by user ID, team ID, or full name.

Disabled users are displayed in this list with (disabled) appended to the Full Name field. Users are considered disabled when they have no password set.

Creating users

Follow these steps to create users:
1. Click Users in the left menu of WebConfig.
2. Click the Users tab.
3. Click Add User.


4. Enter the user ID (also known as a user name) that serves as the user's login and personal directory name.

   Note: User IDs cannot contain spaces or any punctuation other than hyphens, periods, and underscores, for example, jane-doe, jane.doe, jane_doe are all acceptable user IDs.
   • With IBM Lotus Foundations Start installed, this user ID becomes part of the user's email address. For example, if the user name janedoe is created on an IBM Lotus Foundations server that resides in the example.com domain, Jane's email address is janedoe@example.com.

5. Enter the user's full name. This full name must be unique to all other names when running IBM Lotus Foundations Start.

6. Enter a password for the user. User passwords should also be unique to help maximize security and access controls.

Figure 4. Creating a user in the WebConfig console


7. Re-enter the password to ensure that it has been entered correctly. If the passwords do not match, you are asked to re-enter the password in both fields.

8. The next 7 fields (Company, Title, Phone Number, Phone Extension, Mobile Number, Address, and Photo to Upload) are used with the IBM Lotus Foundations Reach add-on to display business contact information in Lotus Sametime®. For more information, see the IBM Lotus Foundations Reach Add-on Guide. If appropriate, enter the corresponding user information.

9. Select a preferred language for the user. This determines the language for the email template and for the Lotus Notes client through the one-click installation. If appropriate, enter the corresponding information.

10. Indicate whether this user has administrator access. Administrator access means that this user has unrestricted access to all configuration functions of IBM Lotus Foundations. If you give a user administrative privileges, disk and email quota values are not configurable. Administrative users automatically have unlimited quotas.

11. Indicate whether this user has FTP access to his or her private directory. The FTP file server has to be enabled before the user can have FTP access. If FTP is enabled in Trusted Hosts Only mode, the user can access files from a trusted, internal network or from a VPN. If FTP is enabled in open mode, the user can access files using FTP from anywhere on the Internet.

12. Indicate whether the user is allowed to establish a remote VPN (PPTP) or dial-in modem connection to the internal network. For security reasons, most users should not be able to establish a remote connection. VPN services must be enabled before a user can establish a VPN connection. Similarly, dial-in for a specific modem has to be enabled before a user can establish a dial-in connection on that modem. See “Remote access services” on page 102 for more information.

13. If the domain controller is enabled, choose a drive that the user's files can be automatically mounted to when logged in to a domain workstation. The default drive is X. Be sure to choose a drive that is not already in use. For more information, see “Windows NT domain services” on page 113.

14. Select a quota value for this user. For more information, see “Disk quotas” on page 29.

15. Select an email quota value for this user. This is the total amount of disk space a user's email file can occupy.

16. Enter any nicknames that are required for this user. Email sent to any of these nicknames is delivered to this user.

17. Under Join Teams, select the team(s) from the Available Teams list that this user is a part of. Click Join. The teams are displayed in the Member of Teams box.

    Note: Team membership gives users full access to the team's shared directory. If one of the joined teams is a member of any other team(s), when it is added to the Member of Teams list it has (# inherited) listed after it. The user has "inherited" team membership to those other team(s).

18. Click Save Changes. This returns you to the main User Setup page, and the user is displayed in the list of previously created users.

Editing users

Follow these steps to edit users:


1. On the User Setup page, click the Users tab. Click the appropriate user's edit icon. The Modify User page is displayed.

   Note: While running IBM Lotus Foundations Start, user and team names are not modifiable.

2. Change the user's information as necessary. Refer to “Creating users” on page 20 for a description of the fields on this screen.

3. Click Save Changes.

Other Actions

• Remove a user's password to disable the account.
• Enter a password for a disabled user to re-enable him or her.

Deleting users

Note: Deleting a user means that all the user's personal files, email settings, mailbox, and any undelivered email in the mailbox are deleted. Once this is done, none of the information can be recovered (unless you restore the data from a previous backup).

To delete an individual user:

1. On the User Setup page, click the Users tab. Click the appropriate user's delete icon.
2. An "Are you sure you want to delete user" confirmation box is displayed. Click OK to continue and delete the user.

To delete multiple users

To delete multiple users, you can use pre-existing pwdump2 or spreadsheet data using the following syntax:

username1, username2, username3, username4.

User names should be separated by new lines or commas.

Fields other than the user name field are optional and should use the following syntax:

username[,user2,user3(...)]:password:full_name

The ":" (colon) separator can be replaced by ";" (semi-colon) or [TAB].
1. Click Users in the left menu of WebConfig.
2. Click the Users tab. Click Import Users. The Import Users page is displayed.
3. In the Action field, select Delete Users.
4. Right-click the field called Import Users Info. Select Copy. This copies the contents of the file.
5. Click Save Changes.
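Because a bulk delete cannot be undone without a backup, it helps to check the list before it goes into the Import Users Info field. The following pre-flight check is an added example, not part of the IBM documentation or product: it parses the syntax described above, applies the user ID character rules from “Creating users”, and returns a user-name-only list. The function names, the sample data, and the choice to treat root as protected are assumptions made for this illustration.

```python
import re

# User IDs may contain letters, digits, hyphens, periods and underscores
# (the rule stated under "Creating users"); no spaces, no other punctuation.
USER_ID_RE = re.compile(r"[A-Za-z0-9._-]+")

# The optional fields are separated by ":" and the page allows ";" or TAB instead.
FIELD_SEP_RE = re.compile(r"[:;\t]")


def parse_import_line(line):
    """Split one line of username[,user2,...]:password:full_name.

    Returns (user_ids, has_password, full_name). The password itself is
    never returned, only whether the field was filled in.
    """
    fields = FIELD_SEP_RE.split(line.strip(), maxsplit=2)
    user_ids = [u.strip() for u in fields[0].split(",") if u.strip()]
    has_password = len(fields) > 1 and fields[1] != ""
    full_name = fields[2].strip() if len(fields) > 2 else ""
    return user_ids, has_password, full_name


def preflight_delete_list(text, protected=("root",)):
    """Check a bulk-delete list and return (clean_ids, problems).

    clean_ids: user IDs that passed every check, in input order.
    problems:  (line_number, message) tuples for everything else.
    Assumption: "root" is protected because the installation depends on
    an administrator account with that name.
    """
    clean, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        user_ids, has_password, _ = parse_import_line(raw)
        if has_password:
            # A delete only needs names; credentials should not travel with it.
            problems.append((lineno, "password field present, not needed for a delete"))
        for uid in user_ids:
            if not USER_ID_RE.fullmatch(uid):
                problems.append((lineno, f"invalid user ID: {uid!r}"))
            elif uid.lower() in protected:
                problems.append((lineno, f"protected account: {uid}"))
            elif uid in seen:
                problems.append((lineno, f"duplicate entry: {uid}"))
            else:
                seen.add(uid)
                clean.append(uid)
    return clean, problems


# Constructed sample input (not real accounts or credentials).
SAMPLE = (
    "janedoe, john.doe\n"
    "bob_smith:Secr3t:Bob Smith\n"
    "root\n"
    "jane doe;;Jane Doe\n"
    "janedoe\n"
)

if __name__ == "__main__":
    ids, issues = preflight_delete_list(SAMPLE)
    print("safe to submit:", ", ".join(ids))
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
```

Submitting only the returned user names keeps pwdump2 or spreadsheet password columns out of the web form when the action is Delete Users.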

Accessing user's external (POP) email accounts

Follow these steps to modify a user's email settings:


1. Click Users in the left menu of WebConfig. Click the Users tab. The main User Setup page is displayed.

2. Click the appropriate user's edit action button. The Modify User page is displayed.

3. Click User Email Settings located at the bottom of the screen.

The following fields are displayed on the user email page:
• Retrieve Mail from POP server:
  – Used to pull POP mail from one account from an email provider or a third-party POP mail provider, for example, Yahoo/Hotmail.
  – Configure by entering the full server name used to pull mail down from your ISP, for example, pop1.isp_server.com.
• Remote POP username:
  – Enter the appropriate account credentials for the email service you are retrieving from.
• Remote POP password:
  – Enter the password for the POP account.
• Re-enter POP password:
  – Re-enter the password for the POP account to ensure that it was typed correctly.

For information about the Spam related fields, see the IBM Lotus Foundations Anti Spam add-on.

Creating, editing, and deleting team accounts

Creating teams

Follow these steps to create teams:
1. Click Users in the left menu of WebConfig. Click the Teams tab. The main Team Setup page is displayed.
2. Click Add Team. The Create Team page is displayed.


3. Enter a team ID. The team ID serves as the name of the team's shared directory and as the team's FTP login name, which gives team members FTP access to the shared directory and the WWW directory. Team IDs cannot contain spaces or any punctuation other than hyphens, periods, or underscores.

4. Enter a descriptive name for the team in the Full Name field. This descriptive name must be unique.

5. Optional: Enter a login password for the team. Team passwords should be unique. If you choose to assign a password to a team, this counts towards your total user license usage.

6. If you are using a password, re-enter it. If the passwords do not match, you are asked to re-enter the password in both fields.

7. Select a preferred language.

8. Indicate whether the team has FTP access to the team directory. The FTP file service has to be enabled before the team can have FTP access. If FTP is enabled in Trusted Hosts Only mode, the team can access files from the internal network or from a VPN. If FTP is enabled in open mode, the team can access files using FTP from anywhere on the Internet.

9. Indicate whether team members are allowed to establish a remote VPN (PPTP) or dial-in modem connection to the internal network. For security reasons, most teams should not be able to establish a remote connection. VPN services and dial-in services have to be enabled before a team member can establish a VPN or dial-in connection. See “Remote access services” on page 102 for more information.

10. Select the team type to create this team as:
    • Normal Team
    • Room
    • Resource

    Teams created as a room or a resource can be reserved by users using Lotus Notes.

Figure 5. Creating a team in the WebConfig console

11. If you chose to create the team as a room, select the capacity of the room referred to.

12. Select a quota value for this team. For more information, see “Disk quotas” on page 29.

13. Enter any nicknames required by this team. Emails sent to any of these nicknames are delivered to the team.

14. Under Team Members, select the user(s) from the Users & Teams list who are a part of this team. Click Add. The user(s) is displayed in the Team Members box.
    • Team membership gives users full access to the team's shared directory.
    • If one of the members is a team, when it is added to the Team Members list it has (# members) listed after it. That team's members have inherited team membership.

15. Click Save Changes. This returns you to the main User Setup page, and the team is displayed in the list of previously created teams.

Lotus Domino TeamRooms

When teams are created in IBM Lotus Foundations Start, a Lotus Domino TeamRoom is created called TeamRoom_name_teamroom.nsf. TeamRooms provide a forum for collaboration among team members. More details on the features available in the TeamRoom can be found at:

http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.notes.help.doc/DOC/H_THE_VALUE_OF_TEAMROOM_OVER.html

Each TeamRoom normally has a Team Leader and a Team Facilitator. The Team Leader is primarily concerned with the content of the TeamRoom, whereas the Team Facilitator is primarily concerned with the administration of the TeamRoom, including managing the TeamRoom membership. In IBM Lotus Foundations Start, user management can be done using WebConfig's team management features instead of using a Team Facilitator.

Note: Teams that are used by IBM Lotus Foundations Start and system services, such as notes, backup, and ftp, do not have TeamRooms.

TeamRoom membership

The team's members are synchronized to TeamRoom. Each team member is given a participant profile in the TeamRoom that includes their name, email, and phone number. The TeamRoom's access control list (ACL) is modified with new TeamRoom members being granted either Author access (non-admin users) or Manager access (admin users). The default access for the database is set to 'no access'. The ACL is only changed for a user when the user is added to the TeamRoom; it is not changed after that (for example, if someone changes the access, that change is not overridden). New TeamRoom members are sent an email with information on how to access the TeamRoom.


When a user is removed from the team, their ACL entry and participant profile are also removed. On team deletion, the TeamRoom database is not deleted and its members are not removed (they remain in the ACL, and their participant profiles remain).

Editing teams

Follow these steps to edit teams:
1. On the User Setup page, click the Teams tab. Click the appropriate team's edit icon. The Modify Team page is displayed.

   Note: While running IBM Lotus Foundations Start, the team name and the team type are not modifiable. If you created a team as a room you cannot convert it to a resource, but you can modify the capacity of the room. Similarly if you created a team as a normal team or a resource, you cannot convert it to another team type.

2. Change team information as necessary. Refer to “Creating teams” on page 24 for a description of the fields on this screen.

3. Click Save Changes.

Testing email

When modifying a team, click Send on the Test Email row to send a test email to the team.

Deleting teams

Note: Deleting a team means that the team's shared network directory and all the files contained within the directory are deleted. Once this is done, none of the information can be recovered unless you restore the data from a previous backup. Teams that are used by system services, such as backup and ftp, cannot be deleted.

Follow these steps to delete teams:
1. On the main User Setup page, click the Teams tab. Click the appropriate team's delete icon.
2. In the confirmation dialog that displays, click OK.

Searching for teams

The Team Setup screen restricts the number of entries that are displayed by default. If there are many teams, only the first 10 teams are displayed in the Team Setup section. At the bottom of the section, there are links to a series of teams. For example, if you have 43 teams, the screen displays: [show all] [a - o] [p - y]. Clicking the [p - y] link displays all teams with team names beginning P through Y. To help administrators to easily locate teams' records, there is a Team Search field at the top of the Team Setup page. To search for a team, type in that team's ID (or portion thereof) and click Search.


Password policy

The password policy feature helps an administrator to set restrictions on the format of passwords chosen by users. For example, the administrator can specify that uppercase and lowercase letters must be included in the password and/or that passwords must be of a particular minimum length.

Creating a password policy

Follow these steps to create a password policy:
1. Click Users in the left menu of WebConfig.
2. Click the Password Policy tab.
3. Choose whether to enforce the password policy on passwords set by administrators. The password policy settings are always enforced for passwords chosen by users. If this option is enabled, the password policy settings are also enforced for passwords chosen by administrators, including their own passwords.
4. Select which password policy criteria should be enforced by checking the appropriate boxes. The "Passwords must contain letters" and "Passwords must contain both uppercase and lowercase letters" rules are tied to each other. Therefore, enabling the latter setting automatically enables the former.
5. If you want to enforce a minimum password length, enter the number of characters in the Password minimum length field. Use 0 for no minimum.
6. Click Save Changes.

Illegal passwords

When a password that does not conform to the policy as specified by the administrator is entered for a user, that user receives an email notifying them that they need to change their password to one that conforms to the policy. The email also includes instructions on how to perform this password change.

If a user changes their password in their personal WebConfig to one that does not meet the policy criteria, they get an error message.

An error message is also displayed in WebConfig's Notices box telling them that their password was not changed.

If the Enforce password policy on passwords set by admins option is set to No, administrators are able to change a user's password to one that does not meet the policy criteria. This helps administrators to set an easy-to-remember temporary password for a new user, until that user can set his or her own password.

The administrator receives a warning message in WebConfig's Notices box informing him or her that the password does not meet the policy criteria, but that the password has been changed.

If a user is already set up and the administrator creates or changes a password policy, that user's password is valid - even if it does not meet the policy criteria - until the next time he or she logs on to WebConfig.
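
The policy rules and the three outcomes described above (accepted, rejected with an error, accepted with an administrator warning) can be modelled as follows. This is an added example, not IBM code: the class, field and function names are hypothetical, and only the criteria named in this section are implemented.

```python
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Criteria named on the Password Policy tab (field names are hypothetical)."""
    require_letters: bool = False
    require_mixed_case: bool = False
    min_length: int = 0             # 0 means no minimum, as in WebConfig
    enforce_on_admins: bool = True  # "Enforce password policy on passwords set by admins"

    def __post_init__(self):
        if self.min_length < 0:
            raise ValueError("minimum length must be 0 or greater")
        # The two letter rules are tied: enabling mixed case enables letters.
        if self.require_mixed_case:
            self.require_letters = True

    def violations(self, password):
        """Return the list of criteria the candidate password fails."""
        failed = []
        if self.min_length and len(password) < self.min_length:
            failed.append(f"must be at least {self.min_length} characters")
        if self.require_letters and not any(c.isalpha() for c in password):
            failed.append("must contain letters")
        if self.require_mixed_case and not (
            any(c.isupper() for c in password)
            and any(c.islower() for c in password)
        ):
            failed.append("must contain both uppercase and lowercase letters")
        return failed


def set_password(policy, password, set_by_admin):
    """Model the outcome of a password change as (changed, notice)."""
    failed = policy.violations(password)
    if not failed:
        return True, None
    detail = "; ".join(failed)
    if set_by_admin and not policy.enforce_on_admins:
        # Accepted, but the administrator is warned in the Notices box.
        return True, "warning: password changed but does not meet policy: " + detail
    # Rejected: the old password stays in place and an error is shown.
    return False, "error: password not changed: " + detail


if __name__ == "__main__":
    # Constructed sample policy and passwords, for illustration only.
    policy = PasswordPolicy(require_mixed_case=True, min_length=8,
                            enforce_on_admins=False)
    for candidate, by_admin in [("Summer2010x", False), ("temp1", False), ("temp1", True)]:
        print(candidate, by_admin, set_password(policy, candidate, by_admin))
```

With enforce_on_admins set to False, the warning notice is the only signal that a non-conforming temporary password is in use, so it is worth following up until the user has set a conforming one.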


Disk quotas

Disk quota defines the maximum amount of hard disk space allowed for a user's files and email. The disk quota feature in IBM Lotus Foundations helps administrators to set specific disk quotas for individual users.

For example, a user's disk quota value can be set to predetermined values such as small, medium, or large, to a specified value for that user, or you can choose not to have the user's disk usage subject to a quota.

Disk quotas pertain to a user's files and email data, which can each be configured separately. The ability to modify the quotas for files and email separately is unique to IBM Lotus Foundations.

Setting default disk quota values

Follow these steps to set default disk quota values that can be used when assigning disk quotas to users:
1. Select Quotas in the left menu of WebConfig. The main Quota Setup page is displayed.
2. Enter a Default Small Quota Value.
3. Enter a Default Medium Quota Value.
4. Enter a Default Large Quota Value. The maximum size that a disk quota value can be is 2 TB.
5. Click Save Changes to save the default quota values.

Figure 6. Quota Setup page in the WebConfig console

Setting individual user disk quotas

Follow these steps to define a user's disk quota:
1. Select Users in the left menu of WebConfig. The main User Setup page is displayed.
2. Click the Users tab. Click the appropriate user's edit action icon. The Modify User page is displayed. There are two separate sections for quota setup. Quota Value is for the user's files and Email Quota Value is for the user's emails.
3. In each field, select a quota value from the drop-down list for that user. Your options are:
   - Unlimited - no limit set for this user
   - Specified... - when selected, a text field opens that permits the user to specify the quota in MB.
   Default user quotas can also be used and defined as shown in “Setting default disk quota values” on page 29.
4. The value set within quota setup can be used for both files and emails. Therefore, if you have set a quota value of 100 MB, you can assign 100 MB for files and 100 MB for email. The maximum size that a disk quota value can be is 2 TB.
5. Click Save Changes to save the quota values for that user.

Quota limit

All disk quota limits on IBM Lotus Foundations are enforced as hard limits. This means that administrators can only define an absolute maximum and not a soft limit for warnings to users. When a user's quota limit is reached, IBM Lotus Foundations prevents that user from using any more space on the hard disks by preventing them from creating new files, editing existing files, or receiving emails.

User accounts with a quota over the limit cannot:
- Write to the disk anymore until some space is cleared.
- Log in to Lotus Domino.
- Receive any new email.

When accounts have reached a quota, administrators:
- See a yellow warning light in the Quota section of the System Status page informing them that there are users over their quota.
- Notice the user's Disk Space Used column on the User Setup page reports something like: "4.1 MB / 1.5 MB ( 274 % )".
- See a list of user(s) over their quota on the Quota Setup page.
- Receive an email report when the server's disks reach 90% full. Another notice is not sent unless the disk space drops below 85% usage and then rises again above 90%.

Note: If a user goes over quota, the administrator might be required to access the user's account to either raise or remove the quota or assist in removing files, as the user may have been locked out.
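
The two administrator signals described above, the list of users over quota and the disk-full email report with its 90% / 85% re-arm behaviour, can be sketched as follows. This is an added example, not IBM code: the function names and the sample data are constructed, and "reach 90%" is assumed to mean 90% or more.

```python
NOTIFY_AT = 90.0    # report is emailed when the disks reach 90% full
REARM_BELOW = 85.0  # no further report until usage has dropped below 85%


def disk_full_notices(usage_percent_samples, notify_at=NOTIFY_AT,
                      rearm_below=REARM_BELOW):
    """Return the indexes of the samples at which an email report is sent.

    After a report is sent, the alert stays silent until usage falls
    below rearm_below, so usage hovering around 90% sends one report only.
    """
    armed = True
    sent_at = []
    for index, percent in enumerate(usage_percent_samples):
        if armed and percent >= notify_at:
            sent_at.append(index)
            armed = False
        elif not armed and percent < rearm_below:
            armed = True
    return sent_at


def users_over_quota(usage):
    """Return {user: [areas at or over quota]} for hard-limit quotas.

    usage maps a user to {"files": (used_mb, quota_mb), "email": (used_mb,
    quota_mb)}; a quota of None means Unlimited. Files and email are checked
    separately because the two quotas are configured separately.
    """
    over = {}
    for user, areas in usage.items():
        hit = [area for area, (used_mb, quota_mb) in sorted(areas.items())
               if quota_mb is not None and used_mb >= quota_mb]
        if hit:
            over[user] = hit
    return over


if __name__ == "__main__":
    # Constructed disk usage readings, in percent, oldest first.
    samples = [70, 88, 91, 95, 89, 92, 84, 90.5, 93]
    print("reports sent at samples:", disk_full_notices(samples))

    # Constructed per-user usage in MB.
    usage = {
        "alice": {"files": (4.1, 1.5), "email": (10, 100)},
        "bob": {"files": (50, None), "email": (100, 100)},
        "carol": {"files": (10, 100), "email": (5, None)},
    }
    print("over quota:", users_over_quota(usage))
```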


Disk management

Some IBM Lotus Foundations services are not enabled unless hard disks are configured through the WebConfig menu.

Hard disk failure

If the problem is a hard disk failure, you need the following to restore the IBM Lotus Foundations server:
- Last Backup - The last backup from which you can recover data. All changes to system configuration, user files, and new files created by users since the last backup are not recoverable.
- New hard disk - A new hard disk drive to replace the failed hard disk drive.

If you are using a RAID array, you do not need to restore from backup if only a single drive in the RAID array failed.

Checking a hard disk for SMART failure

Self-Monitoring Analysis and Reporting Technology (SMART) checks hard disks for potential problems.

To check hard disk SMART states in the IBM Lotus Foundations server, follow these steps:
1. Telnet into the server and log in as an administrative user.
2. Type the following command:

   wd disk-info

   Information about the hard disks in the IBM Lotus Foundations server is displayed.

3.

4. Run the disk-zot program to identify the hard disks in the server. See “Erasing a hard disk” on page 32 for information about running the disk-zot program.

   Note: Because the disk-zot program is used to erase hard disks, use caution when using this program to identify the hard disks in the server.

Figure 7. wd disk-info with SMART drive diagnostic information


5. Press Q to exit the disk-zot program.

Checking a hard disk for file system corruption

To check for file system corruption of the main IBM Lotus Foundations server hard disk, see IBM technote Checking the main disk for filesystem corruption (http://www.ibm.com/support/docview.wss?uid=swg21387563).

Erasing a hard disk

The disk-zot program is included with all IBM Lotus Foundations servers. This utility can be used to erase the partition table of most previously formatted hard disks. Once zotted, WebConfig recognizes the hard disk as unformatted and prompts you to configure it.

The following process permanently destroys all data on the target disk. This process is not reversible. Always check that your idb backups are intact before erasing a primary hard disk.

The recommended procedure is to use new, previously unused disks rather than erasing old disks. Remove the existing primary disk, put it aside, and then install the new replacement hard disk. If you can restore your backups onto the new hard disk, you know it is safe to zot your old disk without losing any data.

To erase a hard disk using the disk-zot procedure, follow these steps:
1. Telnet into the server and log in as an administrative user.
2. Type the following command:

   disk-zot

   The disk-zot console is displayed. Press Enter to begin.
3. Use the arrow keys to scroll to the disk you want to erase and press Enter.

Figure 8. Disk-Zot identifying the hard disks in the IBM Lotus Foundations server


4. A warning is displayed indicating that your disk will be erased. Press Y to continue.
5. When the process completes, a notification message is displayed. Press any key to return to the menu.
6. To erase another hard disk, repeat steps 3 - 5. When you are finished, select Quit from the menu to exit the console and reboot the server.

Resetting an IBM Lotus Foundations server

To reset an IBM Lotus Foundations server back to the default state, the hard disks must be erased and the configuration of the server must be cleared.

To erase the hard disks, see “Erasing a hard disk” on page 32.

To reset the server configuration, see IBM technote Resetting a Lotus Foundations server configuration back to the factory default (http://www.ibm.com/support/docview.wss?uid=swg21387369).

Installing a new hard disk drive

1. Shut down the server completely. If your server has a main power switch, turn off the main power switch. Unplug the power cord.
2. Remove the drive from the server.
3. Insert a new hard disk drive into the server.
4. Insert your idb cartridge if it is not already in.
5. Plug the power cord back in. If your server has a main power switch, turn on the main power.
6. Press the power button.
7. Configure the new drive in WebConfig. See “Configuring your disks” on page 34.
8. Initiate a restoration from WebConfig. See “IBM Lotus Foundations Rescue” on page 39. The length of the restore process depends on the size of your hard disk drive and the amount of data to be restored. The entire process can take several hours.

Note: Restoration is not necessary when adding a drive to a degraded RAID.

Recovering from hard disk drive failure

When replacing a RAID array drive, the replacement drive must be the same size or larger than the smallest existing drive in the RAID array.

If one of the drives in your RAID array fails, follow these steps:
1. Power down the server. If your server has a main power switch, turn off the main power switch.
2. Remove the hard disk drive and replace it with a new one as soon as possible.
3. If applicable, turn the main power switch back on.
4. Press the power button.
5. Connect to WebConfig and log in.
6. The Disk Status section of the Status page of WebConfig presents you with up to two options:
   - To configure the new drive as part of the existing RAID array, click Add disk #_ to your RAID array.
   - To configure the new drive as the idb device, click Configure disk #_ for use in idb backups.
7. Depending on your choice, IBM Lotus Foundations configures the new drive as the idb device or as part of your RAID array.

Disk configuration (RAID and idb)

IBM Lotus Foundations is designed to work with various hard disk drive configurations to provide different levels of redundancy based on the needs of the user.

A redundant array of independent disks (RAID) is a system of storing information that reduces risk by keeping data on two or more drives. If one drive fails, your data is still safely written and stored on another drive. You do not need to know much about RAID to configure it on your IBM Lotus Foundations server.

Intelligent disk backup (idb) is a system that automatically performs backup procedures as often as every 15 minutes without action from a system administrator. See “Intelligent disk backup (idb)” on page 39 for more information.

If your IBM Lotus Foundations has one hard disk, then you cannot take advantage of idb or RAID. If your IBM Lotus Foundations server has exactly two hard disks, you can have idb backup or a two-disk RAID array, but not both. If you have three or more disks, you can have a RAID array of two or more hard disks and idb backup, or you can have a RAID array with all available disks and no idb backup.

Configuring your disks

1. The Disk Status section in WebConfig displays a message that a disk is not configured.
2. Click the appropriate button to configure your disks.
   - For example, if you have four disks, the Disk Status section might use the following message:
     Your main disk is not configured. You have the following disk configuration options:
     - Configure disks #1, #2, #3, #4 all in a RAID
     - Configure disks #1, #2, #3 in a RAID with disk #4 as an idb backup disk
   - For a RAID configuration, click the Configure disks #1, #2, #3, #4 all in a RAID button.
     Note: IBM Lotus Foundations supports RAID 1 and RAID 5. IBM Lotus Foundations uses a software RAID system.
   - To enable idb backup, click the Configure disks #1, #2, #3 in a RAID with disk #4 as an idb backup disk button.
   - If you select a RAID configuration, then the RAID array begins to rebuild. Depending on the size and number of disks in the RAID array, as well as which configuration options you choose, this process could take several hours. Rebuilding the RAID array does not noticeably affect the performance of IBM Lotus Foundations.
   - When you attach an external eSATA or USB device to the IBM Lotus Foundations server, the Disk Status section displays a message that a new disk is available and displays configuration options.
     Note: To replace an internal idb disk with an external device, you must remove the existing internal idb device from the IBM Lotus Foundations server before configuring the external device as the idb device.

Figure 9. Disk Status section of WebConfig


Converting an idb disk to a RAID disk

You can reconfigure your idb disk to a RAID disk at any time. The Disk Status section of WebConfig displays your disk status and provides you with disk reconfiguration options.

You can only convert an idb disk to part of a RAID array if your IBM Lotus Foundations server has exactly two disks. If you have 3 or more disks, you cannot convert an idb disk to RAID.

Note: Converting your idb disk to part of a RAID array means that you lose idb backup capabilities. In addition, the backup information that is stored on the idb disk is permanently deleted.

1. The Disk Status section of WebConfig states information about the primary disk. It then states In order to improve redundancy you can:, followed by a button labeled Add disk #2 to your RAID array. Click this button.
2. The RAID array then begins to rebuild. This process, which can take several hours depending upon your disk size, does not noticeably affect the performance of IBM Lotus Foundations. Click your browser's Refresh button to view an updated status of your RAID array.
3. When the array has finished building, a message is displayed in the Disk Status section of the screen.

Disk status messages

Depending on your disk configuration, one or more of the following messages are displayed in the Disk Status section of WebConfig:

Table 2. Disk Status Messages

| Message | Reason for Display |
| --- | --- |
| The RAID array is rebuilding. Please do not add or remove any disks until this process is finished. (% complete) | A RAID array needs to build itself the first time it is used. It also needs to rebuild itself when a new disk is added or when the power is turned off suddenly. Always click Shutdown before turning off your IBM Lotus Foundations server. Failure to do so means that your RAID array needs to rebuild when you turn the server back on. Although this process does not noticeably affect the performance of IBM Lotus Foundations, it can take several hours to complete depending on the size and number of disks in your array. |
| Your disk array is working correctly. | A RAID array is finished building. |
| No disks detected! Are your drives inserted or locked? | Your drives are not fully inserted and properly locked or when all available drives have crashed. If your drives are not locked, insert the hard disk key into the lock and turn it clockwise until it snaps back into the locked position. If one of your drives failed, see “IBM Lotus Foundations Rescue” on page 39 for information about how to replace failed drives. |
| The RAID array is in degraded mode. If you remove a disk, you lose access to your files. | You are missing one configured drive in a RAID array. You can create a proper RAID array by configuring an additional disk. |
| The primary disk is in stand alone mode. If you remove the disk, you lose access to your files. | You have a single disk drive, you are not using RAID, or your two-disk RAID array is in degraded mode. |
| There is no disk available for idb backup. | No configured idb disk is present in the system. |
| Disk #_ is being used for Intelligent Disk Backup (idb). | The last disk is used for idb instead of as part of a RAID array. |
| You can add disk #_ to your RAID array to improve redundancy. | You have at least one unconfigured disk or if your last disk is being used for idb. Click the link to add the disk to the RAID array. |
| You can configure disk #_ for use in idb backups. | The last disk drive is unconfigured. The previous message also displays, but you can only choose one of the options. |
| There is no reason to use disk #_. | Any extra disks in the system that cannot be used. This message occurs when the RAID array is complete, and there is already an idb disk. |
| Disk #_ is too small to be added to the RAID array. | Any unconfigured disks that are too small to fit into the RAID. To solve this problem, turn off the server and replace the disk with a larger disk. |

Insufficient free disk space

When the amount of free disk space gets low (the default setting is less than 100 MB), the IBM Lotus Foundations Start add-on stops running and email is rejected for delivery or reception. An Insufficient free disk space to run this addon system error displays in the Status section in WebConfig and a notices error at the top of WebConfig displays stating that the email server is disabled because there is not enough disk space on the system. Be especially careful when email logging is enabled, as log files need to be manually archived or removed. See “Email logging” on page 140 for more information. The administrator needs to remove or archive files to fix the error.


IBM Lotus Foundations Rescue

IBM Lotus Foundations Rescue is the backup, restoration, and disaster recovery tool set of IBM Lotus Foundations Start. Features of IBM Lotus Foundations Rescue include the following items:
- Intelligent Disk Backup (idb) - the technology of the backup and restoration functionality within IBM Lotus Foundations Rescue
- Local backup and restoration capabilities
- Remote backup and restoration capabilities
- IBM Lotus Foundations Rescue server - a backup server option that can store backups remotely
- IBM Lotus Foundations Rescue vault - A vault located on the IBM Lotus Foundations Rescue server that supports a single IBM Lotus Foundations Start server backup set

IBM Lotus Foundations Appliances feature local operating system redundancy. The operating system is stored in multiple locations and with multiple versions to maintain IBM Lotus Foundations server uptime. The IBM Lotus Foundations Appliance includes an integrated, proprietary solid-state drive as part of its redundant configuration. This configuration ensures that the system is available for recovery and essential functionality.

Vaulting is the process of sending backup data off-site, where it can be protected from hardware failures, theft, and other threats. IBM Lotus Foundations Start online data backup feature ensures that your business data can be securely restored and recovered at any time and from any location.

See IBM Lotus Foundations Rescue Server Add-on (http://www-10.lotus.com/ldd/lfndswiki.nsf/xpViewCategories.xsp?lookupName=Lotus%20Foundations%20Rescue%201.2%20documentation) for information about the IBM Lotus Foundations Rescue server.

Intelligent disk backup (idb)

IBM Lotus Foundations takes a different approach to backup with intelligent disk backup (idb) technology. idb is both cheaper and easier to use than conventional tape backup systems. The capacity of the idb backup device varies.

idb automatically performs backup procedures without actions from a system administrator. However, at any time you can turn off an idb job, pause or change an idb job schedule, or manually initiate a backup procedure. See “Initiating an idb backup” on page 49.

Features of idb

idb can use a removable high-capacity hard disk or an external storage device, providing the following advantages:
- Value - One hard disk costs less than the five backup tapes needed to maintain a tape backup system.
- High Capacity - The idb backup cartridge can, in most cases, store a month or more of backup history.
- Speed - idb backup matches and often exceeds the backup speeds achieved by many tape systems.
- Instant Access - Regular backup tapes, like cassette tapes, are a linear medium. You must fast-forward or rewind to find information. idb technology, like a compact disc, provides almost instant access to data.
- Backup Intelligence - You do not need a network administrator to figure out which tapes need to be loaded and when. IBM Lotus Foundations determines when a backup needs to be made and whether the backup needs to be full or incremental. This decision is based on various factors: the amount of data on the main hard disk, the amount of used space on the idb device, the compressibility of your data, and the rate at which new data is added and current data is changed or updated. As a result, idb maximizes the amount of historical data that is backed up.
- Durability - You can back up data on the idb device continuously without worrying that the drive might wear out.
- Continuous Backup - You can back up data as often as every 15 minutes.
- Hot Swap - You can add and remove idb cartridges or an external idb device while the server is running, enabling you to swap idb disks without turning the server off.

Backup jobs

When you configure IBM Lotus Foundations to use idb, one job is automatically created. This job is named Master Job. It cannot be deleted, but it can be reconfigured. By default all users and teams are included in this backup job. When add-ons are installed, the teams created by add-ons do not need to be added to the Master Job. These teams are included in specific backup jobs created when the add-on is installed.

The exception to this functionality is the notes team, which is created when you install the IBM Lotus Foundations Start add-on. When you install the IBM Lotus Foundations Start add-on, the notes and notesbackup teams as well as the LF Start Backup job are automatically created. The data within the notes team includes live Lotus Domino databases that are regularly copied to the notesbackup team. The LF Start job backs up the notesbackup team by default. Do not include the notes team in a backup job unless the IBM Lotus Foundations Start add-on is disabled.

IBM Lotus Foundations Rescue reports

Backup reports, including information about the success or failure of a backup, are generated by the IBM Lotus Foundations Start server. When an IBM Lotus Foundations Start server is configured to send backups to an IBM Lotus Foundations Rescue server, the backup reports also include the success or failure of a remote backup. These reports can be sent to an external address as well as a user on the IBM Lotus Foundations Start server.

Vault reports generated by the IBM Lotus Foundations Rescue server focus on the operating status of the IBM Lotus Foundations Rescue server. These reports are sent to a user created on the IBM Lotus Foundations Rescue server only.


Configuring idb

General configuration

The idb feature of IBM Lotus Foundations automatically backs up your data throughout the entire day, takes care of all backup tasks for you, and notifies you through email about its progress. Although most of the idb process is automated, you can adjust several parameters that determine how and when your backups are completed.

To open the main backup page, click Backup in the left menu of WebConfig. The backup page consists of three main sections.

Table 3. Backup page sections

| Backup page sections | Section elements | Element actions |
| --- | --- | --- |
| Backup Status | Local Backup Status | Lists the status of local idb backups and the amount of space used by backups on the idb device |
| | Remote Backup Status | Optional: Lists the status of remote backups, communication with the IBM Lotus Foundations Rescue server, amount of space used by backups, and a link for configuring the IBM Lotus Foundations Rescue server connection |
| Backup Jobs | Create a new job | Creates a backup job |
| | Backup all jobs | Runs an unscheduled backup of all backup jobs |
| | Suspend all scheduling or Resume all scheduling | Stops or resumes all scheduled backups |
| | List of Backup Jobs | Lists the backup jobs set up on the server; clicking the job name modifies the job |
| Disk Scan | Scan idb Disk | Scans the idb device for backup sets. Use this function after changing the idb device in order to synchronize the server configuration and backup sets with the new device. |


Clicking the job name enables you to modify the settings for that specific backup job. This page has four tabs:
- General
- Backup Files
- Schedule
- Advanced

Note: The Advanced tab is only available if you have a data retention license.

Table 4 lists the specifics of the Modify Job Settings page and its tabs.

Figure 10. Backup page

Table 4. Modify Job Settings page tabs

| Modify Job Settings tab | Tab elements | Element actions |
| --- | --- | --- |
| General | Job Name | Changes the job name. Cannot edit the Master Job name. |
| | Priority | Assigns a unique value to the backup job. 1 is the highest priority. |
| | idb Quota | Adjusts the size of the backup job |
| | Email log level | Sets the level of detail in the backup logs that are included in the backup reports. The default setting is Error. All message levels are available in the system logs. |
| | Email backup reports to | Identifies who receives an email copy of the backup reports. Enter the user ID of the administrator to receive backup reports. If you enable the SMTP server, you can enter any email address in this field. You can also send backup reports to the backup team to share the reports with other team members. See “The backup team” on page 46. |
| | Backup compression | Sets compression of the backup files. Compressed backup files occupy less space on the idb device but require a longer time to back up and restore. |
| | Store on Rescue server | Optional: Identifies if the backup files are copied and transferred to an IBM Lotus Foundations Rescue server |
| | Encryption | Optional: Identifies if the backup files are encrypted; backup jobs that transfer files to an IBM Lotus Foundations Rescue server must be encrypted |
| Backup Files | | Lists the directories available for backup. If necessary, adjust the settings by clearing or selecting check boxes to set the directories backed up in a job. The default setting for the Master Job is to back up all directories except the notes team. Note: Because the data for the notes team is constantly in use, it is automatically copied to the notesbackup team. The notesbackup team is safely backed up by idb jobs. Do not enable the backup for the notes team unless IBM Lotus Foundations Start is disabled. Otherwise backup times are needlessly increased. |
| Schedule | Full backup frequency | Backs up everything on the system |
| | Incremental backup frequency | Backs up the changes to system |
| | Daily backup at | When the daily backup is performed; select a time when nobody is using the system, such as late at night or early in the morning |
| | Weekly backup on | When the weekly backup is performed |
| | Base daily backups on | Sets the baseline backup from which the incremental backups are generated |
| Advanced | Data Retention Policy | Indicates whether all teams and users use a retention policy |
| | Minimum Retention Period | Minimum amount of time the backup is retained |
| | Maximum Retention Period | Maximum amount of time the backup is retained |


Figure 11. General tab of the Modify Job Settings page

Backup Jobs action icons

In the Backup Jobs section of the backup page, action icons displayed to the right of a specific job control the way backups are handled.

Table 5. Backup Jobs action icons

Delete Job: Deletes any backup and any children of the backup that are not locked. If the icon is a light gray color, the job cannot be deleted (for example, the Master Job).

Restore from Job: Browses the contents of a specific backup and restores them if necessary

Incremental Backup: Manually performs an incremental backup

Full Backup: Manually performs a full backup

Suspend Scheduling and Resume Scheduling: Suspends or resumes the schedule of a specific backup job

Stop: Stops a specific backup job while it is running

The backup team

The backup team account grants all members of the team access to the Backup page in WebConfig and all associated functions. Users have full control over backups and restorations without having access to other administrator functions.

1. Click Users in the left menu of WebConfig.
2. Click the Teams tab. A team with the team ID backup and the full name Backup Team is created automatically.
3. To add a team or an individual user to the backup team, click the edit icon for the backup team.
4. Scroll down to the Team Members section, click to select a team or user from the Users & Teams field, then click Add. The team or user appears in the Team Members field.
5. To remove a user or team from the backup team, click to select the user or team from the Team Members field, then click Remove.
6. Click Save Changes to save your updates.

idb backup

Creating an idb backup job

You can create a backup job in addition to the Master Job. To create an idb backup job, follow these steps:

1. Click Backup in the left menu of WebConfig. The backup page is displayed.
2. Click the Create a new job button. The first page of the Create New Job process is displayed.
3. In the Job Type field, select Local, Local Encrypted, or Remote.
   • Local - Creates local unencrypted backups. Remote backups are not created with this option.
   • Local Encrypted - Creates local encrypted backups. Remote backups are not created with this option.
   • Remote - Optional setting that creates encrypted backups on the local IBM Lotus Foundations Start server that are copied to the remote IBM Lotus Foundations Rescue server.
4. In the Backup compression field, select Yes to compress the backup files or No to leave the backup files uncompressed.

   Note: Less space is required on the idb drive for compressed backup files, but a longer time is needed to restore files from a compressed backup.

5. In the Encryption password field, enter a password if you chose to create a local encrypted or a remote backup job. Enter the password again in the Encryption password (verification) field. Encryption is available if you have a license for backup encryption.

   Note: Do not lose your encryption password if you use one for backup jobs. If you use an encryption password for a backup and the password for that backup is lost, that backup cannot be used for restoration. If all backups are encrypted and the passwords for the backups are lost, the server cannot be restored.

6. Click Next Page.
7. For Job Name, type a unique name for this backup job.
8. For Priority, set this job to the priority you want it to have in relation to other backup jobs. The highest priority for a backup job is 1.
9. For idb Quota, enter the storage space on the idb disk you want this job to use. A maximum amount of storage space is listed next to the field.

Figure 12. First page of the Create New Job process


10. Click Next Page.
11. Select which team directories you want this job to back up.

    Note: The directory for the notes team is not included in a backup by default. It is automatically copied over to the notesbackup team, where it is backed up by idb. Enabling the backup for the notes team needlessly increases the time to perform backups.

12. Click Next Page.

Figure 13. Second page of the Create New Job process

Figure 14. Third page of the Create New Job process


13. For Do you want this job to run automatically?, select whether you want the backups to run automatically.

14. If you choose to automatically run this job, select options for Full backup frequency and Incremental backup frequency.

15. Click Finish. The following message is displayed briefly: idb is performing the requested operations. Then the backup page is displayed with the new job listed in the Backup Jobs section.

Initiating an idb backup

Although idb automatically performs backup procedures without intervention from a system administrator, you can turn off scheduled idb backups or manually initiate a backup.

Initiating an idb backup can also be done from the control panel on an IBM Lotus Foundations Appliance. A backup initiated from the control panel uses the settings that were last configured for the Master Job.

Note: A copy of the server configuration is made each time a backup is performed. This configuration file can be used to restore your settings in the event of a catastrophic system failure.

Initiating a backup from the WebConfig menu

1. Click Backup in the left menu of WebConfig. The backup page is displayed.

2. In the Backup Jobs section, click the incremental backup icon or the full backup icon, depending on the type of backup you want to run. The following message is displayed briefly: idb is performing the requested operations. Then the backup page is displayed.

3. To stop the backup job before it is finished, click the stop icon.

When the backup is finished, IBM Lotus Foundations automatically emails a backup report to the administrator.

Figure 15. Fourth page of the Create New Job process


Initiating a backup from an IBM Lotus Foundations Appliance control panel

This procedure can only be done with an IBM Lotus Foundations Appliance. All other hardware platforms must initiate a backup from the WebConfig menu.

1. Press the Backup button on the control panel of the IBM Lotus Foundations Appliance.
2. The display panel shows a 10 second countdown, during which you can stop the backup process by pressing the Cancel button.
3. After 10 seconds, the backup procedure commences and the control panel displays a progress bar.
4. You can delay backup for up to 24 hours by pressing the Up and Down arrows during the countdown.

idb restoration

There are five restoration scenarios:

1. Complete System Restoration - Upon total hard disk failure, perform a complete system restore to restore your system to the state of your most recent backup. After a complete system restoration, older copies of the existing files from the backup disk overwrite the existing files. However, new files saved to the hard disk drive after the backup are left untouched. Generally, you should initiate a complete system restore only when recovering from complete hard disk failure.

2. Lotus Domino Restoration - Complete the Lotus Domino restoration scenario when you need to restore IBM Lotus Foundations Start rather than a directory or a file.

3. Specific Directory Restoration - It is possible to restore a specific user or team network directory if these files have been lost or mistakenly deleted. You can initiate a specific directory restoration only from the Backup menu. There are two types of specific directory restoration procedures:
   • Normal Restoration - The contents of a user or team directory are overwritten, as with a complete system restoration.
   • Safe Mode Restoration - The contents of a user or team directory get restored into a new subdirectory named Restore, which is created in the user or team directory. Users can browse through the contents of the directory from the disk, copy any needed files, and then delete the Restore subdirectory.

4. Specific File Restoration - It is possible to restore specific user or team network files if they have been lost or mistakenly deleted. You can initiate a specific file restoration only from the Backup menu. There are two types of specific file restoration procedures:
   • Normal Restoration - The file is overwritten, as with a complete system restoration.
   • Safe Mode Restoration - The file is restored into a new subdirectory named Restore, which is created in the user or team directory. Users can browse through the files from the disk, copy any needed files, and then delete the Restore subdirectory.

5. System Configuration Restoration - Restores the system configuration.


idb restoration options

In the Backup Jobs section, icons are displayed to the right of a specific backup in the Action column. These icons enable you to control the way your backups and restored data are handled.

Table 6. idb restoration action icons

Open Backup: Browses the contents of a specific backup

Erase Backup: Forcibly deletes any backup and any children backups that are not locked

Re-Verify Backup: Manually verifies an individual backup

Lock Backup: Locks an individual backup. A locked backup cannot be deleted and idb does not expire this backup

Unlock Backup: Unlocks an individual backup. If you have a backup that is autolocked because it has a child that is also locked, you must first unlock the child backup.

Locking and unlocking backups

A feature of idb in IBM Lotus Foundations is the ability to lock and unlock individual backups. This feature enables an administrator to enforce which backups do and do not expire on the idb device. Backups might also be automatically locked due to the autonomics of IBM Lotus Foundations. Locking occurs in the following cases:
• An individual backup has been manually locked by the administrator for preservation.
• A series of backups have been automatically locked because they are parental backups of a manually locked incremental backup.
• A backup which is currently in use is locked automatically for 15 minutes after the task has finished. This automatic locking occurs during a backup or a restoration procedure.
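The three lock rules above decide which backups idb is free to expire, so it helps to model them before relying on a retention setting. This is an added example, not IBM's code: the Backup record, its field names, the backup IDs and the parent links between backups are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# "locked automatically for 15 minutes after the task has finished"
IN_USE_LOCK = timedelta(minutes=15)


@dataclass
class Backup:
    backup_id: str                                # constructed ID, not an idb name
    parent_id: Optional[str] = None               # None for a full backup (assumed model)
    manually_locked: bool = False                 # set by the Lock Backup action
    task_finished_at: Optional[datetime] = None   # end of last backup/restore that used it


def ancestors(backups: Dict[str, Backup], backup_id: str) -> List[str]:
    """Return the chain of parent backups, nearest first."""
    chain, seen = [], {backup_id}
    pid = backups[backup_id].parent_id
    while pid in backups and pid not in seen:     # 'seen' guards against a bad cycle
        chain.append(pid)
        seen.add(pid)
        pid = backups[pid].parent_id
    return chain


def lock_reasons(backups: Dict[str, Backup], now: datetime) -> Dict[str, Set[str]]:
    """Map every backup to the set of rules that currently lock it."""
    reasons: Dict[str, Set[str]] = {bid: set() for bid in backups}
    for bid, b in backups.items():
        if b.manually_locked:
            reasons[bid].add("manual")
            # Parents of a manually locked backup are locked automatically.
            for pid in ancestors(backups, bid):
                reasons[pid].add("parent-of-locked")
        if b.task_finished_at is not None:
            if timedelta(0) <= now - b.task_finished_at < IN_USE_LOCK:
                reasons[bid].add("recently-used")
    return reasons


def expirable(backups: Dict[str, Backup], now: datetime) -> List[str]:
    """Backups no rule protects: the only ones that may expire or be erased."""
    return sorted(bid for bid, why in lock_reasons(backups, now).items() if not why)


def unlock(backups: Dict[str, Backup], backup_id: str) -> None:
    """Clear a manual lock; refuse while a locked child still depends on it."""
    blockers = sorted(bid for bid, b in backups.items()
                      if b.manually_locked and backup_id in ancestors(backups, bid))
    if blockers:
        raise ValueError("unlock child backup(s) first: " + ", ".join(blockers))
    backups[backup_id].manually_locked = False


def sample_backups(now: datetime) -> Dict[str, Backup]:
    """Constructed sample: one chain with a locked incremental, two lone fulls."""
    items = [
        Backup("full-1"),
        Backup("inc-1a", parent_id="full-1"),
        Backup("inc-1b", parent_id="inc-1a", manually_locked=True),
        Backup("inc-1c", parent_id="inc-1b"),
        Backup("full-2", task_finished_at=now - timedelta(minutes=5)),
        Backup("full-3", task_finished_at=now - timedelta(minutes=20)),
    ]
    return {b.backup_id: b for b in items}


if __name__ == "__main__":
    now = datetime(2010, 1, 1, 2, 0)
    for bid, why in lock_reasons(sample_backups(now), now).items():
        print(f"{bid:8} {', '.join(sorted(why)) or 'not locked'}")
```

Locking one incremental pins its whole parent chain on the idb device, so a forgotten manual lock keeps consuming the job's idb quota until the child is unlocked.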

Initiating a full system idb restoration

A copy of your server configuration is made each time a backup is performed. This configuration file can be used to restore IBM Lotus Foundations in the event of a catastrophic system failure.

A full system idb restoration involves restoring a Master Job backup and configuration as well as backups from any installed add-ons. The full system idb restoration must be completed in a specific order:
• Master Job
• LF Start Backup
• Additional add-ons

If you use the IBM Lotus Foundations Run add-on, it must be reinstalled before you can restore virtual machines.

If you use the IBM Lotus Foundations Reach add-on, IBM Lotus Foundations Start must be restored before you can restore IBM Lotus Foundations Reach.

To perform a full system idb restoration, follow these steps:

1. Click Backup in the left menu of WebConfig. The backup page is displayed.

2. Click the Restore from Job icon for the Master Job. The Restore Files page is displayed, which lists backups and the date and time the backup was performed.

3. Click the Open Backup icon for the backup from which you want to restore.

4. Click the Yes radio button for only the Select All section.

5. Click the Start Restore button to begin the restoration procedure. To exit the Restore Files page without completing a backup, click Close Backup above the Action column.

Note: Starting a restoration stops any backups in progress.

Figure 16. Select All option


6. A window opens, prompting you to confirm the restoration. Click OK to continue.

7. Perform steps 1-6 for the LF Start Backup job.
8. Perform steps 1-6 for additional backup jobs created by add-ons.

Note: If you use the IBM Lotus Foundations Run add-on, reinstall the add-on before restoring from the LF Virtualization Backup job or before restoring the virtual machines.

Initiating a Lotus Domino idb restoration

Follow these steps to initiate a Lotus Domino idb restoration:

1. Stop the IBM Lotus Foundations Start add-on. To stop the IBM Lotus Foundations Start add-on, follow these steps:
   a. Click Add-ons in the left menu of WebConfig.
   b. Click the Edit icon for the IBM Lotus Foundations Start add-on.
   c. Locate the Add-on Automatic Start field and select the Disable radio button.
   d. Click Save Changes.

   This procedure turns off the IBM Lotus Foundations Start add-on.

   Note: Users cannot access email until the restoration is complete.

2. Click Backup in the left menu of WebConfig. The backup page is displayed.

3. Click the Restore from Job icon for the LF Start Backup job, and then click the Open Backup icon for the specific backup from which you want to restore data.

4. Click the Open icon for the Team notesbackup directory, then for the Files/ directory, and then for the notesdata/ directory. A directory labeled backup/ is displayed in the list.

5. Indicate which directories you want included in the restoration procedure:
   • Select Yes if you want the Lotus Domino data restored in normal mode, which overwrites the existing contents of the data.
   • Select No if you do not want the Lotus Domino data restored.
   • Select Safe if you want the Lotus Domino data restored in safe mode. The Safe option restores files to a Restore directory, from which the files must be manually restored. Refer to http://www.ibm.com/support/docview.wss?uid=swg21413900 for information about manually restoring files.

   Selecting all directories is the equivalent of performing a full system restoration.


6. Click the Start Restore button to begin the restoration procedure.

   Note: Starting a restoration stops any backups in progress.

7. A window opens, prompting you to confirm the restoration. Click OK to continue. The restoration time varies, depending on the amount of data that is contained in the folder.

8. When the restoration is complete, restart the IBM Lotus Foundations Start add-on. To restart the IBM Lotus Foundations Start add-on, follow these steps:
   a. Click Add-ons in the left menu of WebConfig.
   b. Click the Edit icon for the IBM Lotus Foundations Start add-on.
   c. Locate the Add-on Automatic Start field and select the Enable radio button.
   d. Click Save Changes.

   This procedure restarts your IBM Lotus Foundations Start add-on.

Figure 17. Lotus Domino restoration

Initiating a directory idb restoration

Follow these steps to initiate a directory idb restoration:

1. Click Backup in the left menu of WebConfig. The backup page is displayed.

2. Click the Restore from Job icon for the backup job from which you want to restore files. The Restore Files page is displayed, which displays a list of backups and the date and time that the backup was performed.

3. Click the Open Backup icon for the backup from which you want to restore.

   Note: The first entry in the Restore Files section below the Select All option is the System Configuration option. The system configuration is automatically backed up every time any backup is performed. Restoring system configuration files overwrites the current system configuration, so be careful with this setting. Leave the default setting, which is No.

4. Indicate which directories you want included in the restoration procedure:
   • Select Yes if you want the directory restored in normal mode, which overwrites the existing contents of the directories.
   • Select No if you do not want this directory restored.
   • Select Safe if you want the directory restored in safe mode. This option restores files to a Restore directory within the directory.

   Selecting all directories is the equivalent of performing a full system restoration.

5. Click the Start Restore button to begin the restoration procedure.

   Note: Starting a restoration stops any backups in progress.

6. A window opens, prompting you to confirm the restoration. Click OK to continue.

Initiating a file idb restoration

Follow these steps to initiate a file idb restoration:

1. Click Backup in the left menu of WebConfig. The backup page is displayed.

2. Click the Restore from Job icon for the backup job from which you want to restore files. The Restore Files page is displayed, which displays a list of backups and the date and time that the backup was performed.

3. Click the Open Backup icon for the backup from which you want to restore.

   Note: The first entry in the Restore Files section of the page below the Select All option is the System Configuration option. The system configuration is automatically backed up every time any backup is performed. Restoring system configuration files overwrites the current system configuration, so be careful with this setting. Leave the default setting, which is No.

Figure 18. System Configuration setting


4. Click the Open icon for the directory that contains the data you want to restore.

5. Indicate which files you want included in the restoration procedure.
   • Select Yes if you want this file or folder restored in normal mode. The existing data is overwritten.
   • Select No if you do not want this file or folder restored.
   • Select Safe if you want the files and folders restored in safe mode. The data is saved in the Restore file in the share of each respective user or team.

   Selecting all files is the equivalent of performing a full directory restoration.

6. Click the Start Restore button to begin the restoration procedure.

   Note: Starting a restoration stops any backups in progress.

7. A window opens, prompting you to confirm the restoration. Click OK to continue.
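After a safe mode restoration, the recovered copies sit in the Restore subdirectory of the user or team share and still have to be compared with the live files before anything is copied back. The script below is an added example, not part of the product or this guide; it assumes Restore mirrors the layout of the share, and the function names are hypothetical.

```python
import hashlib
import shutil
from pathlib import Path
from typing import Dict, List

RESTORE_DIR = "Restore"  # subdirectory name that safe mode restoration creates


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_restore(share: Path) -> Dict[str, List[str]]:
    """Classify each restored file against the live copy in the share.

    missing   - no live file at that path (deleted since the backup)
    changed   - live file exists but its content differs from the backup
    identical - live file matches the backup byte for byte
    """
    restore_root = share / RESTORE_DIR
    report: Dict[str, List[str]] = {"missing": [], "changed": [], "identical": []}
    restored_files = sorted(
        p for p in restore_root.rglob("*") if p.is_file() and not p.is_symlink()
    )
    for restored in restored_files:
        rel = restored.relative_to(restore_root)
        live = share / rel
        if not (live.exists() or live.is_symlink()):
            report["missing"].append(rel.as_posix())
        elif live.is_symlink() or not live.is_file() or _digest(live) != _digest(restored):
            report["changed"].append(rel.as_posix())
        else:
            report["identical"].append(rel.as_posix())
    return report


def recover_missing(share: Path) -> List[str]:
    """Copy back only files that no longer exist in the share.

    Changed files are never overwritten; they are left in Restore for the
    owner to review, which is the point of choosing safe mode.
    """
    restore_root = share / RESTORE_DIR
    copied = []
    for rel in compare_restore(share)["missing"]:
        dest = share / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(restore_root / rel, dest)  # keeps timestamps of the backup copy
        copied.append(rel)
    return copied


if __name__ == "__main__":
    import sys
    result = compare_restore(Path(sys.argv[1]))  # path to a user or team share
    for state, names in result.items():
        print(f"{state}: {len(names)}")
        for name in names:
            print(f"  {name}")
```

Files reported as changed need a decision from their owner, because the live copy may hold newer work than the backup.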

Local and remote restorations with IBM Lotus Foundations Rescue

When an IBM Lotus Foundations Start server sends backups to an IBM Lotus Foundations Rescue server, the idb backup files are stored in two locations. They are stored locally on the IBM Lotus Foundations Start server as well as remotely on the IBM Lotus Foundations Rescue server.

Because two backups are available in this configuration, the Start Restore button is replaced with Start Local Restore and Start Remote Restore buttons. Use the directions in this guide to initiate a local restoration. See Restoring files from the vault in IBM Lotus Foundations Rescue Server Add-on for directions to initiate a restoration of a remote backup.

Initiating a restoration from the IBM Lotus Foundations Appliance control panel

This method can only be done with an IBM Lotus Foundations Appliance. All other hardware platforms must initiate a restoration from the WebConfig menu.

Note: Initiate a restoration procedure from the control panel only if you want to perform a complete system restoration from the Master Job. This procedure overwrites the existing configuration and data on the server.

Figure 19. System Configuration setting


You can initiate a restoration from the IBM Lotus Foundations Appliance control panel only after you configure a primary disk or a RAID array on the IBM Lotus Foundations Appliance.

Press the Restore button. The display panel shows a 10 second countdown, during which time you can stop the restore process by pressing the Cancel button. After 10 seconds, the restoration procedure commences and the display panel shows a progress bar.

Multi disk idb and hot swap

Multi disk support for idb

IBM Lotus Foundations only recognizes one idb device at a time. Either a single internal device or a single external device can be used as the idb device. The idb device cannot consist of both an internal device and an external device.

IBM Lotus Foundations supports an external storage device that houses multiple disks configured as a single logical device for use as the idb device. Any type of RAID level within the external device is supported.

If you have an internal idb device and want to use an external idb device, the existing internal idb device must be removed from the IBM Lotus Foundations server before configuring the external device as the idb device in WebConfig.

IBM Lotus Foundations supports an eSATA or USB connection for an external idb device.

Follow the instructions provided by the manufacturer of the external storage device for single logical device configuration. Configure the external device as a single logical device before connecting it to the IBM Lotus Foundations server for configuration as the idb device.

After configuring the external storage device as a single logical device, IBM Lotus Foundations recognizes, configures, and supports the external storage device in WebConfig the same way it recognizes and supports an internal idb device. For more information, refer to “Disk configuration (RAID and idb)” on page 34 and “Configuring idb” on page 41.

The IBM Lotus Foundations server acknowledges an idb device replacement when the device is disconnected and replaced with another device. When replaced correctly, data integrity of the idb backup files is maintained. For more information about replacing an idb device, refer to “Swapping the idb device (with hot swap)” on page 58 or “Swapping the idb device (without hot swap)” on page 58.

Swapping the idb device

You can swap the idb device by removing it from the IBM Lotus Foundations server and replacing it with another device approximately the same size as the previous idb device. You can hot swap the idb device if it is an external device or if you have an IBM Lotus Foundations Appliance.

There are four possible hot swap messages that can appear on the display console of the IBM Lotus Foundations Appliance:
• idb HotSwap:OK - Hot swap is supported and the idb device is inactive, so it can be safely removed and replaced with another idb device.
• DON'T REMOVE IDB - Hot swap is supported, but the device is currently being used for a backup/restore operation. You must wait until you see the idb HotSwap:OK message again before removing the device.
• NO BACKUP DISK! - IBM Lotus Foundations does not detect the presence of an idb device. Connect an idb device and click the Update Status button in the Disk Status section of WebConfig. The NO BACKUP DISK! message also is displayed if the server is configured with all RAID disks and no idb device.
• CAN'T HOTSWAP - Hot swap is not supported on your server; therefore, never remove the idb device without turning off the system.

The idb software leaves the idb device unmounted until it needs to perform a backup or a restore. During this time, if you remove the idb device from the IBM Lotus Foundations server, the display panel continues to show idb HotSwap:OK until one of these events occurs:
• You manually start a backup or a restoration
• You click the Update Status link in WebConfig
• The next scheduled backup begins

After one of these events occurs, IBM Lotus Foundations detects no idb device is installed and changes the display console message to NO BACKUP DISK!

Swapping the idb device (with hot swap)

Follow these steps to swap the idb device (with hot swap):

1. Verify that the display console displays idb HotSwap:OK. Hot swapping the idb device is available with an external idb device or the IBM Lotus Foundations Appliance.

2. Remove the idb device from the server.
3. Connect the new idb device to the server. If you are swapping hard disks on an IBM Lotus Foundations Appliance, slide the hard disk into the drive as far as you can, keeping the handle horizontal. Lower the handle and lock the drive in place with the provided hard disk drive key.

IBM Lotus Foundations detects the new idb device during its next scheduled backup or when you click the Update Status button in WebConfig.

Swapping the idb device (without hot swap)

Follow these steps to swap the idb device (without hot swap):

1. Click Status in the left menu of WebConfig.
2. Click Shutdown at the bottom of the System Status page.
3. When IBM Lotus Foundations completes the shutdown process, turn off the server power.
4. Remove or disconnect the idb device from the server.
5. Insert or connect the new idb device to the server.
6. Turn on the server power and allow IBM Lotus Foundations to complete the restart process.


Internet connectivity

Configuring IBM Lotus Foundations network settings

You are ready to proceed with the system configuration for network settings after you have:

1. Configured your workstation to use TCP/IP.
2. Created an administrator account.
3. Logged in and connected to WebConfig.
4. Configured disks. See “Disk management” on page 31 for details about configuring your disks.

Some IBM Lotus Foundations services are not enabled unless hard disk drives are configured using the WebConfig menu. For more information about configuring your drives, see “Disk management” on page 31.

Connecting an external dial up modem for an IBM Lotus Foundations Appliance

Follow these steps if you need to connect an external dial up modem:

1. Connect the cable included with your external dial up modem to the serial port on the back of the IBM Lotus Foundations Appliance.
2. Connect one end of the standard telephone cable to the external modem, and connect the other end to your telephone wall jack.

The external modem is automatically detected when the server goes through a power-up sequence.

Configuring general network settings

Follow these steps for general network configuration:

1. Select Local Network in the left menu of WebConfig. This displays the Basic Setup tab on the Local Network Setup window.

   Note that the Host Name and Internet Domain Name fields are only editable if you have not installed IBM Lotus Foundations Start. After IBM Lotus Foundations Start is installed, those fields can no longer be modified.


2. Indicate whether you want to display the system status page for non-administrative users on users' personal WebConfig pages.

3. Indicate whether you want the rsync server to be enabled. This option is for UNIX-style clients only. Leave the default setting.

4. Select the appropriate public Domain Name System (DNS) resolution option:
   • Select Yes if you want IBM Lotus Foundations to perform DNS resolution for Internet hosts.
   • Select No if you do not want IBM Lotus Foundations to perform DNS resolution.
   • Select Dynamic if you want IBM Lotus Foundations to perform Dynamic DNS resolution.

   Dynamic DNS resolution allows an IBM Lotus Foundations server to host email, Web, and FTP services using an Internet connection with a dynamic IP address.

5. The Dynamic Host Configuration Protocol (DHCP) server is disabled on all network interfaces by default and presumes there is no other DHCP server on the target LAN segment. Click the checkbox next to the interface name to enable this service.

Figure 20. Local Network Setup section of the WebConfig console


6. Indicate whether you want to enable the Simple Network Management Protocol (SNMP) server. SNMP is used to collect statistical information from the host about parameters such as network throughput and processor use. It is also used for network monitoring.

7. If you enable the SNMP server, enter an appropriate SNMP community name.

8. Indicate whether you want to enable the Network Information Server (NIS). Leave NIS disabled if you are using Windows. If you are using UNIX or a similar system, leave it disabled unless you need NIS service. IBM Lotus Foundations built-in NIS is used to share user names and groups across a network to simplify user access. UNIX and similar systems can be configured to use NIS. IBM Lotus Foundations uses NIS version 2.

9. Select whether to restrict outgoing connections. IBM Lotus Foundations can restrict outgoing connections to a few protocols. Enabling this option enables outgoing traffic based on the server's configuration. All other traffic is blocked. See “Firewall services” on page 77 for more information.

10. Indicate whether you want to enable IBM Lotus Foundations as a Network Time Protocol (NTP) server. An NTP client is required to synchronize the desktop clocks to the IBM Lotus Foundations server.

11. IBM Lotus Foundations synchronizes its clock with a source on the Internet. To set the proper time, select your time zone from the pull down list. IBM Lotus Foundations attempts to automatically detect the correct time zone based on the browser accessing WebConfig and displays its detected results for ease of application.

12. Click Save Changes.

Configuring advanced DHCP settings

To access the advanced DHCP settings, follow these steps:

1. Click Local Network in the left menu of WebConfig.
2. Click the DHCP Server Options tab.

Continue to the following sections for information about the DHCP settings.

DHCP lease length

For each interface that has DHCP enabled on it, a row is displayed listing the interface, length, and actions that you can perform on it. You can click the edit button on any of these rows to select the lease time that you want applied to that interface.

DHCP ranges

The DHCP ranges list shows each range with its interface, the range, and the actions that you can perform on it. To create a DHCP range, follow these steps:

1. Click New DHCP Range.
2. Select a starting IP address and ending IP address that you want to have the DHCP server give out.
3. Click Save Changes for it to take effect.

You can edit the ranges in a similar fashion by selecting the edit action button in the DHCP Ranges list.


Static DHCP leases

Static DHCP leases help you to select which workstation receives a particular IP address by assigning that IP to its MAC address.

1. Click New Static DHCP.
2. Select the interface on which this static lease should occur.
3. Enter the MAC address of the workstation to receive an IP address.
4. Enter the IP address that the workstation should receive.

You can edit leases in a similar fashion by clicking the edit button in the Action column of the Static DHCP leases list.

DHCP leases

You can see a table of current leases that have been served to workstations by clicking DHCP Leases. You can determine which MAC addresses are currently receiving specific IP addresses.
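One use of the DHCP Leases table described above is to compare it with the static leases and ranges you configured. The following Python check is an added example, not part of the IBM manual; the MAC addresses, IP addresses and the tuple layout of the lease rows are constructed for illustration.

```python
import ipaddress

# Constructed sample data, typed in from the three WebConfig lists.
STATIC_LEASES = {                      # MAC address -> reserved IP address
    "00:11:22:33:44:55": "192.168.12.50",
    "00:11:22:33:44:66": "192.168.12.51",
}
DHCP_RANGES = [("192.168.12.100", "192.168.12.150")]   # (start, end)
CURRENT_LEASES = [                     # (MAC address, IP address) rows
    ("00:11:22:33:44:55", "192.168.12.50"),    # matches its static lease
    ("00-11-22-33-44-66", "192.168.12.120"),   # static MAC, dynamic address
    ("AA:BB:CC:00:00:01", "192.168.12.51"),    # address reserved for another MAC
    ("aa:bb:cc:00:00:02", "192.168.12.101"),   # ordinary dynamic lease
    ("aa:bb:cc:00:00:03", "192.168.12.200"),   # outside every configured range
]


def norm_mac(mac):
    """Normalise a MAC address to lower case with colon separators."""
    return mac.strip().lower().replace("-", ":")


def in_ranges(ip, ranges):
    """Return True if ip lies inside any configured (start, end) range."""
    addr = ipaddress.ip_address(ip)
    return any(
        ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end)
        for start, end in ranges
    )


def audit_leases(leases, static, ranges):
    """Return (mac, ip, finding) tuples for leases that contradict the config."""
    static = {norm_mac(mac): ip for mac, ip in static.items()}
    reserved = {ip: mac for mac, ip in static.items()}
    findings = []
    for mac, ip in leases:
        mac = norm_mac(mac)
        if mac in static and static[mac] != ip:
            # A workstation with a static lease is using a different address.
            findings.append((mac, ip, "static-mac-wrong-ip"))
        elif ip in reserved and reserved[ip] != mac:
            # A reserved address is held by a device it was not assigned to.
            findings.append((mac, ip, "reserved-ip-held-by-other-mac"))
        elif mac not in static and not in_ranges(ip, ranges):
            # A dynamic lease that no configured range could have produced.
            findings.append((mac, ip, "ip-outside-configured-ranges"))
    return findings


if __name__ == "__main__":
    for finding in audit_leases(CURRENT_LEASES, STATIC_LEASES, DHCP_RANGES):
        print(finding)
```
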

Configuring advanced network settings

The Advanced Setup tab in the Local Network page of WebConfig configures some of IBM Lotus Foundations advanced features. Changing advanced network settings can potentially cause odd behavior in a network. For example, if you change an IBM Lotus Foundations server's IP address or network mask to an incorrect value, you might not be able to reach it from your Web browser to change it back. If something goes wrong with these settings, you might be forced to change them back by logging in to the local console menu or using the control panel on the front of an IBM Lotus Foundations appliance.

If you intend to use TunnelVision or IPsec, every network in each office location that is connected through a virtual private network (VPN) must have a separate network subnet. If IBM Lotus Foundations servers in various locations automatically configure their local network interfaces to the same subnet, you must change your subnet number and IP address to a different value. See “Reconfiguring network devices” on page 63 for more information.

Advanced network settings window

Follow these steps to access the advanced network settings window:

1. Click Local Network in the left menu of WebConfig.
2. Click Advanced Setup. The Advanced Setup page is displayed.

Network devices

The following list describes the network devices section of the screen:

Table 7. Network device description

| Column | Description |
| --- | --- |
| Device | Lists the network interfaces installed on the IBM Lotus Foundations server. Connection eth0 should be connected to the LAN. Connections eth1 and eth2 should be connected to the Internet. |
| IP Address | Lists the IP addresses assigned to the interfaces. |
| Netmask | Lists the IP network mask assigned to a particular interface. |
| Mode | Describes how an IP address was assigned to an interface. Forced means that a permanent IP address was assigned by an administrator. Connection eth0 should always have a forced IP address. DHCP means that a temporary IP address was assigned by the DHCP server. DHCP addresses change each time you turn on your IBM Lotus Foundations server. NetMap indicates that the IP address was automatically assigned by IBM Lotus Foundations. |
| Trust | An important parameter that needs to be set with careful consideration. Yes signifies a trusting relationship with all hosts attached to that interface. No firewall protection is applied to that interface. Connection eth0 is always configured as trusted. No means that any traffic arriving at that interface is considered non-trusted. As such, appropriate firewall protection is applied. All Internet connections should be configured as non-trusted. |
| Action icon | Click this icon to display a window where interface settings can be changed. |

Reconfiguring network devices

1. Select Local Network in the left menu of WebConfig. The Local Network Setup page is displayed.
2. Click the Advanced Setup tab. The Network Devices list is displayed. Click an interface's Action button. The Network Settings page for that interface is displayed.
3. Optional: Enter a new IP address in the format 192.168.12.10.
4. Optional: Enter a new network mask in the format 255.255.255.0.
5. Optional: Indicate whether to trust computers on this network.
6. Optional: Indicate whether you want IBM Lotus Foundations to automatically select an IP address and network mask.
   - If it is set to Yes, IBM Lotus Foundations automatically selects an IP address and network mask.
   - If it is set to No (and automatic configuration is disabled), you can enter an IP address or a new network mask and click Save Changes.

   Important: Connection eth0 should never be set to choose automatically. When an IP has been chosen, the interface should have its option forced (not automatic) unless you are running a separate DHCP server on the local network.

7. Optional: If you have a DHCP service and your Internet service provider specifies that you need to have a DHCP Client ID when setting up your network, enter it here.

8. Optional: Indicate whether you want IBM Lotus Foundations to use this link as the default gateway.
   - If this setting is set to Yes, IBM Lotus Foundations creates a default route to the network through this interface at the highest priority level, so this link is used by default for incoming and outgoing traffic.
   - If this setting is set to Only as last resort, IBM Lotus Foundations creates a default route to the network through this interface with a lower priority level, so that it is used only if your higher-priority (Yes) links stop working.

9. Click Save Changes.
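The rules this section states for the Network Devices list (eth0 forced, Internet interfaces non-trusted, a separate subnet for each VPN-connected site) can be checked mechanically. The following Python check is an added example, not IBM code; the site names, addresses and row layout are constructed to mirror the table's columns.

```python
import ipaddress
from itertools import combinations

LAN_DEVICE = "eth0"                  # per the manual, the LAN interface
INTERNET_DEVICES = {"eth1", "eth2"}  # per the manual, the Internet interfaces

# Constructed sample data: one Network Devices list per office location.
SITES = {
    "head-office": [
        {"device": "eth0", "ip": "192.168.12.10", "netmask": "255.255.255.0",
         "mode": "Forced", "trust": "Yes"},
        {"device": "eth1", "ip": "203.0.113.20", "netmask": "255.255.255.248",
         "mode": "DHCP", "trust": "No"},
    ],
    "branch": [
        {"device": "eth0", "ip": "192.168.12.1", "netmask": "255.255.255.0",
         "mode": "NetMap", "trust": "Yes"},
        {"device": "eth1", "ip": "198.51.100.7", "netmask": "255.255.255.0",
         "mode": "Forced", "trust": "Yes"},
    ],
}


def subnet_of(row):
    """Return the IP network that an interface row belongs to."""
    return ipaddress.ip_interface(f"{row['ip']}/{row['netmask']}").network


def audit_site(name, rows):
    """Check one site's rows against the eth0 and trust rules."""
    findings = []
    for row in rows:
        device = row["device"]
        if device == LAN_DEVICE and row["mode"] != "Forced":
            # eth0 should always have a forced IP address.
            findings.append((name, device, "lan-not-forced"))
        elif device in INTERNET_DEVICES and row["trust"] != "No":
            # Internet connections should be configured as non-trusted.
            findings.append((name, device, "internet-trusted"))
    return findings


def audit_vpn_subnets(sites):
    """Flag sites whose LAN subnets overlap, which breaks VPN routing."""
    lans = {
        name: subnet_of(row)
        for name, rows in sites.items()
        for row in rows
        if row["device"] == LAN_DEVICE
    }
    findings = []
    for (a, net_a), (b, net_b) in combinations(sorted(lans.items()), 2):
        if net_a.overlaps(net_b):
            findings.append((f"{a}+{b}", LAN_DEVICE, "vpn-subnet-overlap"))
    return findings


def audit(sites):
    """Run every check and return a sorted list of findings."""
    findings = []
    for name, rows in sites.items():
        findings.extend(audit_site(name, rows))
    findings.extend(audit_vpn_subnets(sites))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SITES):
        print(finding)
```
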

Network routes

The Network routes section of the page displays the IP routes known to IBM Lotus Foundations. Because IBM Lotus Foundations automatically discovers its network surroundings and sets up routing tables, you generally do not need to edit them. However, depending on your Internet connection, your Internet Service Provider (ISP) might assign you a new route, in which case you have to edit the default route.

Whether you have to change any route settings depends on your network setup and IBM Lotus Foundations connection to the LAN and to the Internet.

Deleting network routes

Follow these steps to delete a network route:

1. Select Local Network in the left menu of WebConfig. The Local Network Setup page is displayed.
2. Click the Advanced Setup tab.
3. Click the appropriate route's delete button.
4. In the window that is displayed, confirm the deletion by clicking OK.

If you cannot reconnect to the server, it is possible to initiate a 'Netscan' of the IBM Lotus Foundations server to reconfigure your network configuration. For information about Netscan, refer to the knowledge base article at the following URL:

http://www.ibm.com/support/docview.wss?uid=swg21387370

If you continue to have issues, contact support for further assistance.

Editing network routes

Follow these steps to edit a network route:

1. Select Local Network in the left menu of WebConfig. The Local Network Setup page is displayed.
2. Click the Advanced Setup tab.
3. Click the appropriate route's edit action button. The Modify Route page is displayed.
4. Optional: Enter a new destination IP address and netmask (in the format 192.168.12.0/24).
5. Optional: Click the Interface drop-down and select the interface over which this network can be accessed.
6. Optional: If this is not a local network route entry (eth1 or eth2), enter the network's gateway address.

7. Click Save Changes.

Network configuration scenarios

Before configuring the server in any of these scenarios, you must first ensure that the server has been activated with the provided activation key. If your configuration scenario supports internet connectivity, you can activate at any time. Remember, IBM Lotus Foundations expires in 30 days without activation.

1. Scenario: IBM Lotus Foundations server as a workgroup server without a direct connection to the Internet

In this scenario, you would go to the Advanced Setup page to change the IP address or the network mask of the local network interface or IBM Lotus Foundations default route. Although you generally do not need to change these settings, you can still do so:
a. Select Local Network in the left menu of WebConfig.
b. Click Advanced Setup. The Advanced Setup page is displayed.
c. In the Network Devices or Network Routes section of the Advanced Setup page, click the appropriate action button.
d. Depending on your choice, the Modify Route or the Network Settings page is displayed. Refer to “Reconfiguring network devices” on page 63 and “Editing network routes” on page 64 for full descriptions of these two screens.
e. Change the appropriate settings and click Save Changes.

Figure 21. Diagram of scenario 1


2. Scenario: IBM Lotus Foundations server as a workgroup server and dial-up gateway to the Internet

If IBM Lotus Foundations has automatically chosen the proper IP addresses, there is nothing else for you to change. If you want to change the IBM Lotus Foundations server's local IP addresses, you can do so by clicking the edit button on the line describing the parameters for the Ethernet 0 interface.

The default route is automatically determined when IBM Lotus Foundations dials in to the Internet. In this case, there should be no default route entry in the Routes Table.

3. Scenario: IBM Lotus Foundations server as a workgroup server and high-speed gateway to the Internet

IBM Lotus Foundations automatically configures its parameters if the ISP uses DHCP as a means of automatic network configuration. In this case, there should be nothing for you to do on the Advanced Setup page, although you can change the address of your local network interface if you want to do so.

If the ISP assigns a unique static IP address, network mask, and default route, IBM Lotus Foundations discovers the proper default route, but does not know which IP address to select. Although IBM Lotus Foundations finds the available address and establishes a proper connection to the Internet, you should change the IP address of the Internet interface to the address assigned by your ISP. You should do the same with the default route setting.

If you run into problems configuring advanced network settings, contact technical support or search the IBM support articles at the following URL: http://www.ibm.com/software/lotus/foundations/support/

Figure 22. Diagram of scenario 2

Figure 23. Diagram of scenario 3


To change these settings:
a. In the Network Devices section of the Advanced Setup page, click the appropriate port's (for example, eth1) action button.
b. The Network Settings page is displayed. Enter the new IP address and click Save Changes.
c. In the Network Routes section of the Advanced Setup page, click the action button in the Default row, which is the last entry in the list.
d. The Modify Route page is displayed. Change the default route and click Save Changes.

4. Scenario: IBM Lotus Foundations server as a domain controller and high-speed gateway to the Internet.

IBM Lotus Foundations can serve as a Windows NT® style domain controller for all the computers running Windows on the network. As the domain controller, IBM Lotus Foundations provides authentication services for the computers on the network. When this function is enabled, the Windows file server is set up as a domain controller, and a domain replaces the Windows workgroup. For specific information about configuring domain controllers, see “Windows NT domain services” on page 113.

Figure 24. Diagram of scenario 4

Configuring your Internet connection

Configuring a cable modem

No extra tasks are required for configuring a cable modem.

Configuring a DSL connection

Follow these steps to configure a DSL connection:

1. Select Dial-up in the left menu of WebConfig. The Dial-up Networking Setup page is displayed.
2. Click the action icon in the appropriate ADSL row (eth1 or eth2 only). The ADSL Dialer Options page is displayed.
3. Enter the Internet account user name provided by the ISP.
4. Enter the account password provided by the ISP.
5. Enter your password again to ensure that it was entered correctly. If the passwords do not match, you are asked to enter your password again in both fields.
6. Optional: Enter your gateway IP address. Leave this blank if you do not know the address.
7. Indicate whether you want to enable the connection.
   - Select Yes if you want to establish a permanent connection.
   - Select No if you do not want to establish a connection.
   - Select Only as a last resort if you want to use this connection only if the primary connection fails.
8. Click Save Changes.

Configuring a dial-up modem

The IBM Lotus Foundations appliance does not come with preinstalled modems. The following instructions are for configuring services if you have a device attached which is automatically detected by the IBM Lotus Foundations server. Refer to your hardware vendor for details on installing third-party components.

1. Select Dial-up in the left menu of WebConfig. The Dial-up Networking Setup page is displayed.
2. Optional: If you have an external modem connected, you might need to click Detect Modems to initiate the Modem Detection Cycle. Refer to “DoubleVision” on page 69 for information about using multiple dial-up modems. If the modem is undetected, check cables and power. Cycle power on the modem and initiate a new Detect Modems test.
3. Click the Modem #1 action button. The Dial-up Networking Setup page is displayed.
4. Enter the phone number provided by your ISP. If you have to dial 9 to get an outside line, enter this number. For example, enter: 9, 123-123-1234.
5. Enter the Internet account user name provided by your ISP.
6. Enter the account password provided by your ISP.
7. Enter your password again to ensure that it was entered correctly. If the passwords do not match, you are asked to enter your password again in both fields.
8. Indicate the number of idle seconds before automatic disconnection. If you enter zero, the connection never automatically disconnects. Be careful with this setting, especially if you do not have an unlimited internet access package from your ISP.
9. Select the appropriate dialing mode:
   - Select Yes if you want the IBM Lotus Foundations server to dial automatically to the internet when someone tries to reach it.
   - Select No if you want to manually initiate a connection by clicking Dial Modem on the System Status page.
   - Select Only as a last resort if you want to use a dial-up connection when one or more of your high-speed connections fail. The dial-up connection stays active until one of the high-speed connections becomes functional. Although all traffic is forwarded to the high-speed connection when it returns to normal, the dial-up connection remains active for a few minutes in case the high-speed connection fails again. In that case, the system reroutes traffic back to the dial-up connection immediately without having to wait for a dial-up connection to be re-established.
10. Indicate whether you want your IBM Lotus Foundations server to emulate Windows Dial-up Networking. Some internet providers are set up to work only with Windows dial-up clients. If you have problems establishing dial-up connection, try enabling this option.
11. Indicate whether users are able to establish a remote dial-in modem connection to the internal network. VPN (PPTP) and Dial-In access has to be enabled before you establish a remote connection. See “User and team management” on page 19 for more information.

12. Click Save Changes.

Take a snapshot

Now that you have taken the time to configure IBM Lotus Foundations you can use the Take Snapshot selection in the menu to display all the information available on one scrollable page. You can also save this information in an offline Web page format as reference material to cross-check any changes that might occur in your configuration settings.

DoubleVision

DoubleVision is an IBM Lotus Foundations feature that helps you to configure two or more Internet connections. For example, you can combine a cable modem and an asymmetric digital subscriber line (ADSL) link, two ADSL links, multiple dial-up modems to the same Internet service provider (ISP) or different ISPs, or any combination of Internet connections supported by IBM Lotus Foundations.

There is no single place to configure DoubleVision. Instead, it is automatically configured when more than one Internet connection is used at the same time.

Note: For DoubleVision to activate, you must have at least two gateway connections. You can choose a default connection.

What DoubleVision offers

Using DoubleVision technology, IBM Lotus Foundations helps you to set up multiple Internet connections and use them all simultaneously. DoubleVision does not bond your Internet connections into a single pipe. It manages the connections independently.

- You can have two ADSL lines and subscribe to two different ADSL services, so if either service fails, you are still online.
- You can have a cable modem and an ADSL line at the same time and share the load between them.
- In areas without high-speed Internet support, you can configure multiple dial-up modems using multiple accounts, and reach ISDN-equivalent speeds at a fraction of the price.
- You can set up a dial-up modem as a fallback connection. IBM Lotus Foundations automatically switches to your dial-up ISP when your normal Internet connection (one or more ADSL, cable, or other high-speed lines) fails.

Table 8. Advantages to DoubleVision

| Advantage | Description |
| --- | --- |
| Increased reliability | If one ISP's Internet connection fails, the remaining ISP's connection stays functional. This means that your downtime is limited, also known as fail-over, or redundant connectivity. |
| Last resort dial-up mode | If one or more of your high-speed Internet connections fail, IBM Lotus Foundations can dial your modem automatically and use dial-up access instead. When your high-speed links are restored, the modem automatically disconnects after it verifies that the high-speed connections are stable and active. The same applies to high-speed connections if you choose to use them as a last resort connection. |
| Dynamic DNS integration | If you are using Dynamic DNS, IBM Lotus Foundations automatically publishes appropriate DNS names so people can always find your Web site, even if your high speed links are down and you need to use a dial-up connection. See “Domain Name Service” on page 123 for more information. |
| Full automation | You do not have to reconfigure any client workstations on your local network to take advantage of DoubleVision. DoubleVision is fully automated and managed by the server. No manual intervention is required to activate and deactivate Internet services when they fail or are restored. IBM Lotus Foundations automatically takes care of these situations. |

Modem connections

Since modems are normally much slower than other Internet connections, you probably do not want to use a modem as your primary connection. Instead, you can configure your modem as a "last resort" option, meaning that your modem only connects if one or more of the high-speed connections fails.

If a modem is configured as the primary connection, it connects to the Internet even if high-speed connections are available. This is useful if you want to test the modem connection.

How Internet failover and DoubleVision work

What Internet failover does

- You can set up multiple links in order of priority by setting some to Enable: As last resort instead of Enable: yes. These links only get activated when the primary links are marked broken by IBM Lotus Foundations.
- Broken links are detected using a method called Demi-Ping. It detects most kinds of link failures to the Internet, although certain kinds of partial failures cannot be detected. IBM Lotus Foundations should always notice if you unplug the physical connection to a link and automatically switch to your secondary links, and this is the easiest way to check that it is working.
- You can see that you are using Internet failover by checking the "number.letter." code next to your various Internet links on the status page of WebConfig. Ignoring the letter, the different numbers imply the different backup priorities. For example, if you have 1.a. Indirect on eth1, 1.b. Indirect on eth2, and 2.a. Modem, then your primary links (1.x) are the first two and your secondary link (2.x) is the last (modem) link.
- The DNS server, including Dynamic DNS, publishes one of the IP addresses for the "most important non-broken link" as the IP address for your domain. That is, if a #1 link is non-broken, then it publishes its address; if all #1 links are broken, then it publishes a #2 address.
- Because incoming connections are typically addressed to your domain name, whichever IP your DNS is publishing is the one to receive most incoming traffic. However, if there is more than one non-broken link, any of those should be able to receive incoming traffic if you ping the IP address of that link.
- All outgoing connections go through the first non-broken link. There is no way to force an outgoing connection to use another link.

What DoubleVision does

- DoubleVision handles outgoing load sharing between multiple links at the same priority level. In the previous example, if you have 1.a. Indirect on eth1, 1.b. Indirect on eth2, and 2.a. Modem, then if all links are non-broken, DoubleVision divides the outgoing Web traffic between the two 1.x. links. It analyzes each outgoing connection for the route to the destination with the least latency (which is not necessarily the route with the highest bandwidth). It then uses that route for that particular connection to the destination. Since certain ISPs are usually better than others, this frequently leads to a majority of traffic always using a single connection, with the other being used sporadically or not at all. This is expected and normal behavior.
- DoubleVision's load sharing works differently from typical load balancing routers. It takes each individual session, such as a single Web page, and assigns it to one Internet link or another, and all packets for that session go through the same link. This is unlike the typical load balancing routers, which split packets randomly across links, even packets belonging to the same session. This means two things:
  1. You do not need both links to be through the same cooperating ISP that can decode a single session from multiple links, which is the major advantage of DoubleVision.
  2. If you only have one session at a time or your sessions are unluckily assigned to links, you get little to no performance improvement.
- For some types of outgoing traffic, for example, FTP, ping, traceroute, and SMTP, the best link is chosen as a "default" link and is used for all outgoing non-HTTP traffic.
- Incoming traffic is treated differently from outgoing traffic: IBM Lotus Foundations accepts connections on all non-broken links, but the DNS for your domain name is only registered to point at the default link chosen by IBM Lotus Foundations. This is because you cannot actually tell client software to use the best link or alternate between these two links in a reasonable way, so IBM Lotus Foundations has to choose the best one and tell them to use that. Occasionally, the DNS-advertised best link starts to get too loaded down, probably because all the incoming traffic is using it, so IBM Lotus Foundations decides to advertise the second-best link for a while instead. Remote users might have a DNS cache of 5 minutes or more, so this change does not take effect immediately.

DoubleVision quick summary

- You are using Internet failover if you have multiple links with different numbers: 1.a., 2.a., and so on.
- You are using DoubleVision if you have more than one highest-priority non-broken link with the same number and more than one letter: 2.a., 2.b., and so on.
- With either DoubleVision or Internet failover, unplugging any link should cause IBM Lotus Foundations to switch you over to a different, working one. If it does not, something is misconfigured or you have encountered one of the following limitations.
  - Your DNS server always publishes the address of its favorite non-broken, high-priority link. So incoming traffic generally comes in on that address.
  - Incoming traffic is always accepted at the address of any non-broken link, even if DNS currently gives users no way of actually getting there.
  - Outgoing Web traffic always goes through all highest-priority DoubleVision links.
  - Outgoing non-Web traffic always goes through IBM Lotus Foundations' favorite highest-priority link.
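To plan firewall rules and monitoring for each failure state, it helps to work out which public address will be published and used when a link breaks. The following Python model of the "number.letter." codes is an added example, not IBM code; the IP addresses are constructed, and treating the lowest letter as the "favorite" link is an assumption, since the manual does not say how the server picks it.

```python
import re
from dataclasses import dataclass, replace

# Matches status-page entries such as "1.a. Indirect on eth1" or "2.a. Modem".
CODE_RE = re.compile(r"^(\d+)\.([a-z])\.\s+(.+)$")


@dataclass(frozen=True)
class Link:
    priority: int          # the number: backup priority, 1 is primary
    letter: str            # the letter: distinguishes links at one priority
    label: str             # text after the code on the status page
    address: str           # public IP address of the link (constructed)
    broken: bool = False   # True once the link is marked broken

    @property
    def code(self):
        return f"{self.priority}.{self.letter}."


def parse_link(status_text, address):
    """Build a Link from a status-page entry and its public address."""
    match = CODE_RE.match(status_text.strip())
    if not match:
        raise ValueError(f"not a number.letter. entry: {status_text!r}")
    return Link(int(match.group(1)), match.group(2), match.group(3), address)


def unplug(links, *codes):
    """Return a copy of links with the given codes marked broken."""
    return [replace(l, broken=True) if l.code in codes else l for l in links]


def active_links(links):
    """Non-broken links at the most important priority still available."""
    usable = [l for l in links if not l.broken]
    if not usable:
        return []
    top = min(l.priority for l in usable)
    return sorted((l for l in usable if l.priority == top),
                  key=lambda l: l.letter)


def describe(links):
    """Summarise failover and DoubleVision state for a set of links."""
    active = active_links(links)
    favorite = active[0] if active else None   # assumption: lowest letter
    return {
        "failover_configured": len({l.priority for l in links}) > 1,
        "doublevision_active": len(active) > 1,
        "web_egress": [l.label for l in active],
        "default_link": favorite.label if favorite else None,
        "dns_address": favorite.address if favorite else None,
    }


# Constructed sample: the three links from the manual's example.
LINKS = [
    parse_link("1.a. Indirect on eth1", "203.0.113.10"),
    parse_link("1.b. Indirect on eth2", "198.51.100.10"),
    parse_link("2.a. Modem", "192.0.2.10"),
]

if __name__ == "__main__":
    print(describe(LINKS))
    print(describe(unplug(LINKS, "1.a.")))
    print(describe(unplug(LINKS, "1.a.", "1.b.")))
```
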

Fast/Port Forward

The Fast/Port Forward technology in IBM Lotus Foundations enables you to forward Internet traffic from a specific address and interface to another address and interface. A subsystem that performs this function is typically called a proxy server.

When computers on the Internet access services on your internal, protected network, they "talk through" your IBM Lotus Foundations server. Fast/Port Forward makes sure that these untrusted computers can only access the information and services that you want them to access.

If Fast/Port Forward is disabled, no one can see anything on your local network because IBM Lotus Foundations acts as a firewall. If you enable Fast/Port Forward, you are making a protected "hole" in your firewall that enables computers on the outside to access your network. To decide whether you want to use Fast/Port Forward, you need to decide if enabling Fast/Port Forward is worth the added security risk.

Note: Because you are affecting the firewall security of your network, it is important that you understand what you are doing while configuring Fast/Port Forward.

Fast/Port Forward belongs to a class of programs known as proxy servers. It is the IBM Lotus Foundations inbound proxy server. Its job is to accept Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) connections on one address and port, then forward them off to some other address and port. There are many programs that do this, but Fast/Port Forward provides simplified configuration, uses less memory, and is generally faster than any other solution. It uses zero-forking technology to keep its resource usage to a minimum while still running faster than most other proxies.

Fast/Port Forward and TCP/IP

Fast/Port Forward is an advanced feature of IBM Lotus Foundations. Ensure you have a clear understanding of Transmission Control Protocol (TCP), Internet Protocol (IP), User Datagram Protocol (UDP), and TCP/IP before adjusting any Fast/Port Forward configuration settings.


Fast/Port Forward can handle both TCP and UDP. Fast/Port Forward processesthe two protocols differently, but this difference in processing does not affect theconfiguration of Fast/Port Forward through WebConfig.

Proxy serversIBM Lotus Foundations acts as a firewall, meaning that it blocks computers on theInternet from having access to your private servers.

If you want to make a service available to the outside world, Fast/Port Forwardcontrols the connection for you. When someone outside wants to access the service,they send the request to a port on your IBM Lotus Foundations server. Fast/PortForward then connects them to the service. This process has two connections: onefrom the client to the Lotus Foundations server, and another from the IBM LotusFoundations server to the service. When either the client or the server transmitsinformation, IBM Lotus Foundations forwards it to the opposite end of theconnection.

As a result, you need to know the addresses and port numbers of both the sourceof the information and the destination of the information. IBM Lotus Foundationsreceives connection requests from the source address and forwards them to thedestination.

If you want to use Fast/Port Forward, you probably already have a clear idea ofwhat your destination address is. The source, however, might be more difficult todetermine and ultimately depends on how your Internet Protocol (IP) address isconfigured.

Static and dynamic IP addresses

A person trying to access Fast/Port Forward services through your IBM Lotus Foundations server must know your assigned IP address to locate you on the Internet. Each time you connect to the Internet, your Internet service provider (ISP) assigns you an IP address. Dynamic IP addresses are inconvenient for use with Fast/Port Forward because your address changes each time you connect, making it difficult for your clients to find you.

If you specifically ask for one, your ISP can give you a static IP address (static IP addresses do not change). When you have a working static IP address, you can add it to a Domain Name Service (DNS) server, which converts your domain's readable name into its IP address.

Configuring Fast/Port Forward

You can configure Fast/Port Forward once you know your source and destination addresses. If you still are not sure where the addresses come from, a few examples are displayed in “Forwarding scenarios” on page 75.

Note: Remember that you decrease firewall security when you enable Fast/Port Forward.

1. Log in to WebConfig with your administrator user name and password.

2. Click Fast/Port Forward in the left menu of WebConfig. The Fast Forward Setup page is displayed, showing the list of addresses being forwarded. This list might be empty if no addresses are being forwarded.


Creating a new forward

To create a forwarding entry, follow these steps:

1. Click Add Forwarding Entry. The Add Forward page is displayed.

Figure 25. Fast Forward Setup page of WebConfig

Figure 26. Add Forward page for Fast/Port Forward


2. Enter the source address and port number in the From Address and From Port fields. You can only attach one forward connection to any given source address and port.

3. Enter the destination address and port number in the To Address and To Port fields. Ensure that you have entered the destination information correctly. If you forward connections to a server that is not answering, Fast/Port Forward drops the connection.

4. Enter a description of the Fast/Port Forward to keep track of its purpose or destination.

5. Click Save Changes.

Editing a forward

To edit a forwarding entry, follow these steps:

1. Click Fast/Port Forward in the left menu of WebConfig.

2. On the Fast/Port Forward page, click the edit icon for the appropriate forward. The Modify Forward page is displayed.

3. Change the appropriate source or destination information.

4. Click Save Changes.

Deleting a forward

To delete a forwarding entry, follow these steps:

1. Click Fast/Port Forward in the left menu of WebConfig.

2. On the Fast/Port Forward page, click the delete icon for the appropriate forward.

3. To confirm the deletion, click OK in the window that opens.

Forwarding scenarios

Below are a few common forwarding examples:

1. Your internal network has an email server called Fred running Windows NT. The address of the server is 192.168.1.5. Set the source address to host_name and the source port to 25, which is the Simple Mail Transfer Protocol (SMTP) port. Set the destination address to 192.168.1.5 and the destination port to 25. Now people can send email to your IBM Lotus Foundations server's static Internet Protocol (IP) address, and it is forwarded to your mail server.

2. If Fred has a Domain Name Services (DNS) server on port 53, you can set a forward from the source address of host_name and the source port of 53 to the destination address of 192.168.1.5 and the destination port of 53. People on the Internet now can look up host names that belong to your local network.

3. You can make WebConfig accessible from the outside world. One reason you might want to do this is to allow technical support to access your IBM Lotus Foundations server and help you resolve problems. Port 80 on IBM Lotus Foundations is already in use for the company Web server, so use port 81 as the source port. WebConfig uses port 8043; if the destination IP address is 192.168.1.1, the complete destination address is 192.168.1.1/port 8043. To access WebConfig from the outside, you would need to use a special address: https://www.yournetwork.com:81/


Multiple static IP addresses

In certain cases, you want Fast/Port Forward to treat connections differently depending on their target. For example, you might want email from mail1.yournetwork.com to be sent to Fred, your NT server, and email from mail2.yournetwork.com to be sent to Barney, your UNIX server. To do this, your Internet service provider (ISP) needs to assign you multiple static Internet Protocol (IP) addresses. Some ISPs might not offer this service.

If you have two static IP addresses (for example, 207.6.60.1 and 207.6.60.2), and you want the setup described, follow these steps:
• Create one forwarding entry with the source address 207.6.60.1 and source port 25, and the destination address 192.168.1.5 and destination port 25.
• Create another forwarding entry with the source address 207.6.60.2 and source port 25, and the destination address 192.168.1.6 and destination port 25.

Common port numbers

A few common port numbers that you can use with Fast/Port Forward are listed in the following table.

Table 9. Common port numbers for use with Fast/Port Forward

Port    Use
22      Secure Shell (SSH)
23      Telnet
25      Simple Mail Transfer Protocol (SMTP)
79      Finger
80      Hypertext Transfer Protocol (HTTP) - Web server
110     Post Office Protocol (POP)
5631    PcAnywhere
443     Web server secure port (HTTPS)

Some ports cannot be used with Fast/Port Forward. For example, the common port number for File Transfer Protocol (FTP), port 21, does not work because it uses multiple connections that include both ports 20 and 21.

Troubleshooting Fast/Port Forward

The WebConfig page in IBM Lotus Foundations might display the following message: An error occurred while Fast Forward tried to bind to one or more of the addresses specified.

This message might be displayed in the following situations:
• You are trying to forward to ports that are already being used by your IBM Lotus Foundations server (such as port 80).
• Fast/Port Forward has more than one entry trying to use the same source port and address. You cannot have more than one Fast/Port Forward entry attached to the same source.

If you see this message, turn off the server that is already using the port. For example, to forward port 80 (the port used for Web services) to another address, you would first have to shut off the Web server on IBM Lotus Foundations.

The log messages show which Fast/Port Forward entries did and did not work.
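The bind error and the port restrictions above can be caught before an entry is saved. The following audit is an added example, not part of IBM's documentation or product: the Forward record, the audit function, the set of ports the server already uses (80 and 8043 are the two the manual names) and the review list are assumptions, and the three extra entries are constructed.

```python
"""Pre-flight audit for a list of Fast/Port Forward entries (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    from_addr: str
    from_port: int
    to_addr: str
    to_port: int
    description: str = ""


# Assumption: source ports the server already binds. The manual names 80
# (company Web server) and 8043 (WebConfig); adjust to your enabled services.
SERVER_PORTS = {80: "company Web server", 8043: "WebConfig"}
# From the manual: FTP spans ports 20 and 21, so forwarding port 21 does not work.
UNSUPPORTED_PORTS = {21: "FTP uses multiple connections (ports 20 and 21)"}
# Hypothetical review list: destinations worth a second look before they
# become reachable from the Internet.
REVIEW_DESTINATIONS = {
    23: "Telnet sends credentials in cleartext",
    5631: "PcAnywhere gives remote control of a host",
    8043: "WebConfig administration becomes reachable from outside",
}


def audit(entries):
    """Return a list of (severity, entry, message) findings."""
    findings = []
    # Only one forward may be attached to a source address and port.
    sources = Counter((e.from_addr.lower(), e.from_port) for e in entries)
    for e in entries:
        label = f"{e.from_addr}:{e.from_port} -> {e.to_addr}:{e.to_port}"
        for port in (e.from_port, e.to_port):
            if not 1 <= port <= 65535:
                findings.append(("error", label, f"port {port} is out of range"))
        if sources[(e.from_addr.lower(), e.from_port)] > 1:
            findings.append(
                ("error", label, "source address and port used by more than one entry"))
        if e.from_port in SERVER_PORTS:
            findings.append(
                ("error", label, f"source port already used by {SERVER_PORTS[e.from_port]}"))
        for port in sorted({e.from_port, e.to_port} & set(UNSUPPORTED_PORTS)):
            findings.append(("error", label, UNSUPPORTED_PORTS[port]))
        if e.to_port in REVIEW_DESTINATIONS:
            findings.append(("review", label, REVIEW_DESTINATIONS[e.to_port]))
        if not e.description.strip():
            findings.append(("review", label, "no description recorded"))
    return findings


# First three entries are the manual's forwarding scenarios; the rest are
# constructed to trigger each check.
SAMPLE = [
    Forward("host_name", 25, "192.168.1.5", 25, "SMTP to Fred"),
    Forward("host_name", 53, "192.168.1.5", 53, "DNS on Fred"),
    Forward("host_name", 81, "192.168.1.1", 8043, "WebConfig for support"),
    Forward("host_name", 80, "192.168.1.7", 80, "intranet web"),
    Forward("host_name", 25, "192.168.1.6", 25, ""),
    Forward("host_name", 21, "192.168.1.5", 21, "FTP on Fred"),
]

if __name__ == "__main__":
    for severity, entry, message in audit(SAMPLE):
        print(f"{severity:6} {entry:40} {message}")
```

An "error" finding corresponds to an entry that would fail to bind or fail to work; a "review" finding is an entry that works but widens what the firewall exposes.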


Firewall services

The firewall subsystem featured in IBM Lotus Foundations is entirely auto-configuring and automatically reconfigures its parameters to adapt to any IBM Lotus Foundations server settings. There are no user controls needed. However, you can choose to restrict outgoing traffic and view a log of all requests to traverse the firewall.

Traffic denied inbound

The firewall denies all inbound network traffic that is not for the following:
• Remote administration
• Private network hosts
• Service network hosts
• The firewall itself

Traffic permitted inbound

The firewall supports access requests from various services, including the following services, if enabled.
• File Transfer Protocol (FTP) - Active and Passive Mode
• Hypertext Transfer Protocol (HTTP)
• Hypertext Transfer Protocol Secure (HTTPS)
• Simple Mail Transfer Protocol (SMTP)

See “Log messages” on page 171 for what firewall request information is logged.

Traffic permitted outbound

IBM Lotus Foundations permits the following protocols through the firewall.

Table 10. Permitted protocols through the Lotus Foundations firewall

Protocol                                       Transport layer protocol (TCP or UDP)   Port    Purpose
Telnet                                         TCP                                     23      Access resources on a UNIX/Linux computer
File Transfer Protocol (FTP)                   TCP                                     20–21   Copy files between computers
Hypertext Transfer Protocol (HTTP)             TCP                                     80      Make Web pages available over the Internet
Hypertext Transfer Protocol Secure (HTTPS)     TCP                                     443     Make secure Web pages available over the Internet
Simple Mail Transfer Protocol (SMTP)           TCP                                     25      Transfer or send email messages between servers
Domain Name Service (DNS)                      TCP and UDP                             53      Navigate the Internet using domain names instead of IP addresses
Post Office Protocol version 3 (POP3)          TCP                                     110     Read email from a single inbox
Internet Message Access Protocol (IMAP)        TCP                                     143     Read email from a remote location

All other non-Remote Administration traffic from private, service, and public network clients directed to or through the IBM Lotus Foundations firewall is dropped or denied.

This feature is disabled as the default setting for IBM Lotus Foundations. Once the feature is enabled, users within your network cannot use programs that do not adhere to the above protocols, such as ICQ.

To enable the Restrict Outgoing Traffic option, follow these steps:

1. Click Local Network in the left menu of WebConfig. The Basic Setup tab of the Local Network Options page is displayed.

2. In the Restricts outgoing connections field, select Enable to configure IBM Lotus Foundations to only enable the above outbound ports. Select Disable to enable all outgoing traffic.

3. Click Save Changes.

Restricting outgoing traffic helps to block applications such as MSN Messenger, Yahoo Messenger, Kazaa, Morpheus, and similar applications.

Firewall log

See the “Log messages” chapter on page 171 for information about firewall logs.

Figure 27. Basic Setup tab of the Local Network Setup page of WebConfig


IBM Lotus Foundations scalable services

Overview

IBM Lotus Foundations scalable services are not intended to replace the functionality provided by Microsoft® Windows domains. They are designed with the intention of making IBM Lotus Foundations more scalable by centralizing the administration of a group of IBM Lotus Foundations servers.

Scalable services employ a master-slave network model, enabling a single master server to centrally manage all users and licensing for multiple slave servers.

IBM Lotus Foundations scalable services introduction

The needs and concerns of small to medium businesses can be best met with a single easy-to-use and easy-to-manage device. As organizations grow, they are typically required to expand their network services as additional load is placed on the single server. Scalable services are designed to facilitate the needs of growing organizations while still maintaining ease-of-use and capitalizing on IBM Lotus Foundations' ease-of-deployment. They introduce the ability for multiple IBM Lotus Foundations servers to be deployed across an organization yet still provide centrally managed users and licensing. The hierarchical model allows an organization to design its infrastructure to most efficiently deliver services based on the following:
• Number of employees
• Geographic expanse
• Actual usage of services and resources of the IT infrastructure

IBM Lotus Foundations scalable services terminology

Table 11. IBM Lotus Foundations scalable services terminology

Term                              Definition
Login access                      The IBM Lotus Foundations server to which each team/user is assigned
Scalable services region          A group of IBM Lotus Foundations servers configured to share scalable services-related information, such as master server, slave servers, teams, team members, and users; an IBM Lotus Foundations server might be a member of one region at most
Scalable services master server   The sole administration point for a scalable services region
Scalable services slave server    Any IBM Lotus Foundations server with the scalable services feature enabled and not acting as the scalable services master server
Scalable services node            Any IBM Lotus Foundations server that is either a scalable services master or scalable services slave
Stand-alone server                Any IBM Lotus Foundations server without scalable services enabled


Features of IBM Lotus Foundations scalable services

There are three main features of IBM Lotus Foundations scalable services:
• User synchronization
• Domain Name Service (DNS) synchronization
• Scalable services licensing and user licenses

User synchronization

IBM Lotus Foundations scalable services helps you centrally manage user and team information from the IBM Lotus Foundations scalable services master server. The synchronization of users and teams includes ALL user configuration information, including the following information:
• User name
• Password
• Full Name
• Team membership
• Administrative rights
• Point-to-Point Tunneling Protocol (PPTP) setting
• File Transfer Protocol (FTP) setting
• Drive mounting
• Disk quota

Synchronization occurs in a uni-directional manner. This means that all user configuration changes must be done on the master node. Any changes made to a synchronized user on the slave node are overwritten on the next synchronization. Any changes made to a user on the master replicate to the slave node on which the user has node access. If a previously existing user shares a name with a synchronized user, then the existing user's settings are overwritten. All team and user accounts exist on the master node. This enables all users to authenticate against the master.

The synchronization of a team automatically synchronizes all members of the team without having to specify the individual users. This includes teams that were members of the team transferred, as well as all of their users.

DNS Synchronization

This feature includes the ability to propagate workstation host names to the other nodes so that workstations and servers might be addressed by name across an Internet Protocol Security (IPSec) virtual private network (VPN) rather than just by Internet Protocol (IP) address.

The master accumulates lists of all host names from each slave, combines these lists with its own list of local host names, and distributes it to each of the slaves that has DNS Sync enabled. To resolve situations in which there are identical host names on different servers, DNS Sync sorts the list of host names such that hosts that are local to the current server are resolved first. That is, on a slave, local host names take priority over host names local to the master which, in turn, take priority over those on other slaves.

If DNS records conflict (in other words, the same DNS name resolves to two different IP addresses that are on different nodes in the region), an entry from the local node pre-empts the remote node. An entry on the master pre-empts an entry from a remote slave. If two slaves have conflicting names, each one selects its own local name for itself, and the master selects one of the names to distribute to all the other machines. The name the master selects does not depend on the order in which the slaves have most recently synchronized, though it might depend on which slaves have supplied the conflicting names (for example, the original implementation resolves conflicts by selecting the slave with the host name that is first alphabetically). In order to guarantee that DNS entries are known and are consistent between scalable services servers, any DNS entry that has been explicitly set on the master takes precedence over any on a slave. This can only be overridden on a slave by explicitly setting a DNS entry on that slave.
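The precedence rules above decide which address a name resolves to on each node, so the same name can legitimately give different answers in different offices. The following model is an added example, not IBM's implementation: it encodes one reading of the rules (explicit entry on the viewing slave, then explicit entry on the master, then the viewer's local names, then the master's local names, then other slaves in alphabetical order of slave host name), assumes DNS Sync is enabled on every node, and uses constructed node names and addresses.

```python
"""Model of DNS Sync precedence in a scalable services region (added example)."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str                                      # node host name
    local: dict = field(default_factory=dict)      # discovered host names -> IP
    explicit: dict = field(default_factory=dict)   # explicitly set DNS entries -> IP


def resolve_view(viewer, master, slaves):
    """Return {host: (ip, supplying_node)} as `viewer` would resolve names."""
    others = [s for s in slaves if s is not viewer]
    # Tiers are listed in ascending priority; later tiers overwrite earlier ones.
    # Other slaves come first, in reverse alphabetical order, so that the
    # alphabetically first slave wins a slave-versus-slave conflict.
    tiers = [(s.name, {**s.local, **s.explicit})
             for s in sorted(others, key=lambda n: n.name, reverse=True)]
    tiers.append((master.name, master.local))
    if viewer is not master:
        tiers.append((viewer.name, viewer.local))
    tiers.append((master.name, master.explicit))
    if viewer is not master:
        tiers.append((viewer.name, viewer.explicit))
    view = {}
    for node_name, table in tiers:
        for host, ip in table.items():
            view[host.lower()] = (ip, node_name)
    return view


def split_names(master, slaves):
    """Names whose answer depends on which node is asked: {host: {node: ip}}."""
    answers = {}
    for node in [master, *slaves]:
        for host, (ip, _) in resolve_view(node, master, slaves).items():
            answers.setdefault(host, {})[node.name] = ip
    return {host: per_node for host, per_node in answers.items()
            if len(set(per_node.values())) > 1}


# Constructed region: one master and three slaves with overlapping names.
MASTER = Node("master", local={"printer": "192.168.1.20"},
              explicit={"intranet": "192.168.1.10"})
ALPHA = Node("alpha", local={"fileserver": "192.168.2.5",
                             "intranet": "192.168.2.99"})
BRAVO = Node("bravo", local={"fileserver": "192.168.3.5",
                             "printer": "192.168.3.20"})
CHARLIE = Node("charlie")
SLAVES = [ALPHA, BRAVO, CHARLIE]

if __name__ == "__main__":
    for host, per_node in sorted(split_names(MASTER, SLAVES).items()):
        print(host, per_node)
```

Names reported by split_names are the ones to rename or pin with an explicit entry on the master if every office must reach the same host.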

DNS Synchronization allows a scalable services region with multiple locations to use a single domain name across the entire region. By synchronizing with the master server on specified intervals, the slave servers also acquire the ability to recognize the region's domain and propagate it throughout the region. This makes it even easier to recognize all the servers by name, such as master.domain.com, slave1.domain.com, and slave2.domain.com, rather than having each node use its own domain name.

Scalable services licensing and user licensing

User license management is simplified with scalable services. One user license is automatically synchronized to each slave for each user (or team that has its own password) synchronized to that slave. This means that in a typical setup, the master server is purchased with sufficient user licenses so that each user/team has one, and slave servers do not need to be purchased with any. The master scalable services node requires user licenses for each user in the region.

User accounts that are no longer being synchronized to the slaves are not automatically deleted (and hence might use a user license on the slave). This is not of great consequence because the number of user licenses a slave has allocated to it depends on the accounts that are being actively synchronized. That is, extra (old) accounts on the slave are locked out.

By using scalable services, you can convert the IBM Lotus Foundations user licenses on the master server into network user licenses. You no longer need to worry about user licenses for any of the slave servers, as they automatically inherit any required user licenses from the master server for all users controlled by the master server.

IBM Lotus Foundations scalable services regions

With IBM Lotus Foundations scalable services, a hierarchical structure is used to centralize the management of the IBM Lotus Foundations servers. This is best understood as a single master-to-multiple slaves configuration. Each scalable services hierarchy is known as a region.

At the top of each scalable services region is the master server. The master server is responsible for the configuration and account synchronization throughout the scalable services region.

Each node in the region is a complete IBM Lotus Foundations server within itself, capable of providing all the normal IBM Lotus Foundations services. Scalable services augment the IBM Lotus Foundations abilities by providing the capability to configure user data between all nodes of the region. This synchronization is possible across the local area network (Internet Protocol Security - IPSec) and across the virtual private network (TunnelVision) to address geographically diverse environments.

The following diagram shows a sample IBM Lotus Foundations scalable services region.

Figure 28. Sample scalable services region

Centralized Management and Administration

While IBM Lotus Foundations already provides Web-based administration through WebConfig that is accessible remotely, the administration of users and teams across the entire network is not cohesive when deployed with stand-alone servers. User additions and modifications need to be manually replicated across the different IBM Lotus Foundations servers to keep all the configurations synchronized.


Scalable services simplify this by centralizing the administration of the users and teams on the master server. Modifications to a user's configuration, such as a password change, are automatically synchronized to the slave servers.

Before enabling scalable services, an architectural plan should be constructed as to the layout of the IT network and the distribution of the users.

Setting up a scalable services region

If an IBM Lotus Foundations server possesses a scalable services master or scalable services slave license, a link labeled Scalable Services is displayed in the left side menu of WebConfig.

On a standalone IBM Lotus Foundations server that has a scalable services license, clicking Scalable Services in the left side menu of WebConfig opens a page containing the following table.

Figure 29. Scalable services Local Node Setup page

Table 12. Fields for the Local Node Setup page

Local Node Setup Page Fields                  Definition
Mode                                          Identifies the server as a standalone, master, or slave server
Scalable Services Region Name                 Name of the scalable services region in which this server participates
Scalable Services Password/Re-enter Password  Password for the scalable services region
Sync Frequency                                Frequency with which the master synchronizes user data and DNS data with the scalable services slaves; this field can only be configured on the master server
Master Node                                   IP address or (internal) host name for the master server; this field can only be configured on slave servers

Configuring a master server

Selecting the Mode for the server as Master and clicking Save Changes refreshes the page to show the Basic Setup tab of the scalable services configuration page.

The Scalable Services Configuration section of the Basic Setup tab displays the status of all slave servers in the region. As there are presently no slaves configured, this table is empty.

The Local Node tab displays the scalable services page described at the beginning of the Setting up the scalable services region section.

The User Node Access tab displays team node access and user node access. This page leads to configuration pages for user/team access and email home servers.

Figure 30. Basic Setup tab of the scalable services master server

Configuring a slave server

To configure a server as a slave server, follow these steps:

1. Click Scalable Services in the left menu of WebConfig. A page is displayed that is like the page used when configuring the master server.

2. Select Slave for the Mode if it is not already selected. Fields not editable in stand-alone mode are now editable.

3. For Scalable Services Region Name, type the name of the region you created when setting up the master server.

4. For the Scalable Services Password and Re-enter Password fields, type the password you created with the master server.

5. For Master Node, type the host name or IP address of the master server.

6. Click Save Changes.

7. Once you have clicked to save the slave server settings, two error messages are displayed in the Slave Node Status section of the Scalable Services page. The first message states the slave server is not authorized to join the scalable services region. The second message states that DNS Sync requires the node to join the scalable services region. To remove the messages, return to the master server and authorize the slave server.

Figure 31. Slave server setup screen

Authorizing a slave server on the master

The master must grant permission to each slave attempting to connect to the scalable services region.

After a slave has been configured and attempts to connect, a message is displayed in the Scalable Services Configuration section of the Basic Setup tab for Scalable Services with the machine information for the slave server that attempted to join the scalable services region.

1. On the master server, click Scalable Services in the left menu of WebConfig.

2. In the Scalable Services Configuration section, click the edit icon in the Action column.

3. In the new page that opens, select Member for the Standing field.

Figure 32. Master server with unauthorized slave server


4. The Hostname and IP Address fields display the name and the IP address of the slave server requesting to join the scalable services region. For the Standing entry, select Member to add the slave server to the scalable services region.

5. For the Enable DNS Synchronization entry, select Yes to enable the slave server to synchronize DNS information with the master server.

6. In the Node Users section, click to highlight all the users you want to assign to this node and click Add.

Figure 33. Modify Node page of the master server


7. Click Save Changes to finish this configuration.

8. After you have added the slave server to the scalable services region and authorized it, the update of the new slave server is displayed in the Scalable Services Configuration section of the Basic Setup tab of the Scalable Services page.

Figure 34. Adding users

Figure 35. Updated status page after authorizing a slave server to the scalable services region


Administering Users and Teams

You can manage all of your users and teams across the entire scalable services region from the master server with IBM Lotus Foundations scalable services.

1. While logged in to the master server, click Scalable Services in the left menu of WebConfig. Click the User Node Access tab in the Scalable Services page. The page lists the team nodes and user nodes for the scalable services region.

2. The Team ID and User ID list the teams and users in the scalable services region. To configure a team or user, click the name of the team or user you want to configure. The Full Name is a descriptive name for a team or user, and Login Access specifies the slave (if any) to which the account is synchronized. This setting can be configured in the setup page specific to the team or user.

3. Note the team named NS3-region name. This is automatically created and is known as the NS3 Team.

The scalable services team

Enabling IBM Lotus Foundations scalable services prompts the system to create a team named after the scalable services region. This team is password protected with the scalable services password and must exist for scalable services to function properly. Modifying, renaming, or deleting this team is not recommended while scalable services are enabled as unexpected behavior might occur. If the team is deleted or renamed, it is automatically recreated.

Figure 36. User Node Access page


IBM Lotus Foundations scalable services frequently asked questions

Some frequently asked questions about IBM Lotus Foundations scalable services are listed below.

1. Are administrator accounts on the master server synchronized to the slave server(s)?

Like normal teams and users, you must specify the accounts that are synchronized. This includes administrator accounts.

2. What happens to my pre-existing team/user accounts on a machine that I change from a stand-alone machine to a scalable services slave server?

The team/user accounts still exist. If similarly named accounts exist on the master (and the master has been configured to synchronize them), their account information (such as the password, full name, and so on) is overwritten, but none of the data on disk is lost.

3. I have two IBM Lotus Foundations servers that I have been using independently. I want to combine them into a scalable services region, but they each have a number of unique team/user accounts. How can I easily merge their team/user accounts and set up my scalable services region?

The Export/Import User feature is useful for this procedure. Unfortunately, it only exports/imports the user name, full name, and password. If you are willing to set up your scalable services master with default values, use this feature.

Alternatively, you can follow a more thorough but time-consuming approach by configuring one machine as the master and another as the slave. Set up synchronization for users to synchronize everything to the slave, then switch their roles after the initial synchronization (make them stand-alone servers first) and repeat the process. As an example, if you have Server A and Server B, set Server A to master, Server B to slave, and then synchronize them. Next, change both servers to stand-alone mode. Finally, make Server A the slave and Server B the master. Following the subsequent synchronization, both servers contain an identical list of team/user accounts. This process can be extended to build up a complete list of team/user accounts on a server that you want to become a scalable services master server.

4. I deleted a team/user on the master server (or stopped synchronizing a team/user to a particular slave server), but that team/user still exists on the slave server. Why is that?

This is intentional so that data stored in the team/user's directory on the slave server is not automatically deleted.

5. Why can't a scalable services slave server also be a domain member?

This is intentional to avoid a host of problems related to conflicts arising between domains and scalable services regions. Basically, allowing a server to be both a domain member and a scalable services slave gives it two independent channels to create user accounts (one through Samba Pass Thru Authentication and another through scalable services).


Remote access networking

Virtual private networks

Private networks

In the past, private networks were created by using routers to connect different office locations through dedicated lines. This procedure is often called a wide area network (WAN). Conventional private networks are illustrated like this:

Figure 37. WAN private network

Virtual private networks and TunnelVision

TunnelVision enables you to create a virtual private network (VPN) using the Internet instead of a dedicated WAN connection for server-to-server or network-to-network connections. A VPN is illustrated as in the following diagram:

Figure 38. VPN topology


For remote and mobile employees, see “Remote access services” on page 102 for instructions on setting up client connections using VPN.

Making a virtual network private

In a conventional private network, the company owns all the routers, all the computers, and all the phone lines involved. Because the only people using the network are employees, the network is secure, at least in theory.

The Internet is connected to any number of businesses and organizations. As private data passes through the Internet, it is possible that people might intercept what is being sent. To prevent this from happening, all the data that passes through a VPN is encrypted with the strongest encryption technology available: 1024 bit RSA and 128 bit Blowfish algorithms. Such encryption makes it difficult to access the data in your transmissions.

VPN network topologies

Topology refers to the shape of a network or the network's layout. How different nodes in a network are connected to each other and how they communicate are determined by the network's topology. A VPN enables organizations to interconnect their offices securely. Applications and data can be readily shared throughout the VPN network if wanted. For example, you could have the accounts departments of each branch connected to each other or each department could be connected to a central point.

TunnelVision can work in either a 'fully meshed' topology or a 'non-meshed' topology.

Fully meshed topology

In a fully meshed topology, devices are connected with many redundant interconnections between network nodes. In a true meshed topology, every node has a connection to every other node in the network. An advantage of such a network would be that no branch is reliant upon a single connection.

Figure 39. Diagram of a fully meshed topology

Non-meshed topology

In a non-meshed or 'hub-and-spoke' topology, all devices are connected to a central hub or headquarters that dictates the access rules of the VPN to the other branches. Nodes communicate across the network by passing data through the hub. A typical application would be to implement a terminal services solution using the headquarters as the gateway for the branch sites.


Creating a VPN (server to server)

Because the IBM Lotus Foundations server does most of the work for you, creating a VPN is much easier than it sounds. All you have to do is create the encrypted tunnel.

Using unique subnet numbers

Each Ethernet network in the VPN must use a different subnet number. Use any of the networks from 192.168.1 to 192.168.254, since these numbers are reserved for private use. As noted in “TunnelVision” on page 96, there are three available address ranges for non-routable IP networks.

The master server needs an IP address or fully qualified domain name (FQDN)

The only way to find someone on the Internet is to know their IP address. This can be accomplished with either a static IP address (a static IP address is guaranteed never to change so people on the Internet can always find you) or through the use of a fully qualified domain name (FQDN) such as server.domain.com. The DNS system translates the FQDN into an IP address. This is useful for systems that use dynamic DNS.

The IBM Lotus Foundations Dynamic Domain Name System (DDNS) feature automatically updates DNS information when a new IP address is assigned to a network, enabling you to publish DNS entries and provide Internet services even if you have a dynamic IP address.

To create a connection between two IBM Lotus Foundations servers, someone needs to act as the client and someone as the master server. It is like a phone call to an ISP: you, the client, need to know their phone number, but they, the server, do not need to know yours. With TunnelVision, you have a similar situation: the server side, accepting a connection, needs a static IP address or FQDN, while the client side can have either a static or dynamic IP address.

Only one IBM Lotus Foundations server, typically the computer with the fastest Internet connection at the head office, needs to act as the server and have a static IP address or fully qualified domain name. All the others can simply act as clients.

To obtain a static IP address, talk to the ISP. Dynamic DNS can be used in place of a static IP address. Refer to “Domain Name Service” on page 123 for more information.

Figure 40. Diagram of a non-meshed topology


The idle timeout

If either end of the tunnel does not receive any data for approximately 20 minutes, it assumes that one end has disconnected from the Internet or that the tunnel is no longer needed.

If one end of the tunnel is still online, it tries to rebuild the connection automatically. Since this only takes a few seconds and happens only when the tunnel has been idle for a long time, this should not affect you. However, this behavior can often cause the VPN tunnel's status light to turn yellow or red. This is not a sign of malfunction.

TunnelVision

A VPN enables all the computers on two networks to communicate with each other. For this to happen, you have to first configure their subnet addresses.

When you install IBM Lotus Foundations, the IP addresses used on the local network do not really matter. Internet standards recommend that all IP addresses that are owned by internal business networks (and not used on the Internet itself) begin with 192.168. The third part of the IP address specifies which private subnet number you are using, and the fourth part identifies an individual computer on the network. In special circumstances, however, you can use any subnet number at all (the first three parts of the IP address). Non-routable IP networks can be any of the following:
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255

The important thing is that the IBM Lotus Foundations server and the computers on the local network have the same subnet number and unique IP addresses.

Network address translation (NAT)

When you communicate with other computers on the Internet, IBM Lotus Foundations uses network address translation (NAT) to give each connection a valid, unique IP address that does not conflict with other networks.

But for a VPN, IBM Lotus Foundations should not use NAT because then only two addresses are visible: IBM Lotus Foundations server #1 and IBM Lotus Foundations server #2. Instead, IBM Lotus Foundations should pass addresses on each network through to the other network unchanged.

For this to happen, you need to assign different subnet numbers to each Ethernet network involved in the VPN. For example, use 192.168.1 for Network #1 and 192.168.2 for Network #2. That means each computer on Network #1 has an address starting with 192.168.1, and each computer on Network #2 has an address starting with 192.168.2.

The steel pipe (or tunnel)

Network #1 is connected to the Internet through IBM Lotus Foundations server #1 and has the subnet number 192.168.1. Network #2 is connected to the Internet through IBM Lotus Foundations server #2 and has the subnet number 192.168.2.


Gateway settings work as follows: a computer on the Ethernet sends packets directly to another computer if its subnet number is the same. That means that 192.168.1.15 transmits directly to 192.168.1.46, since they are both on the same subnet. However, 192.168.1.15 cannot send packets directly to 192.168.2.20 - the subnet numbers are similar, but they are not the same. The station then sends the data through its default gateway: IBM Lotus Foundations server #1.

This is where TunnelVision is used, as long as you have configured the IBM Lotus Foundations servers to create a VPN. When TunnelVision starts, it creates an encrypted connection between the two IBM Lotus Foundations servers through the Internet. This connection is sometimes called a steel pipe because, like a true steel pipe, it is hard to see what is inside or to break through it. More often it is known as a tunnel.

IBM Lotus Foundations server #1 treats data addressed to Network #2 from its local Ethernet in a special way. Rather than just passing the data to the ISP, IBM Lotus Foundations encrypts it and sends it through the tunnel. When IBM Lotus Foundations server #2 receives the encrypted data, it decrypts the information and forwards it on to Network #2 as if it had arrived directly from Network #1. That way, Network #1 can communicate securely with Network #2 without any need for special changes to individual workstations.
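The subnet rules above can be checked before any tunnel is configured. The following Python sketch is an added example, not part of the IBM documentation or product: it validates a planned set of site subnets against the non-routable ranges and the "different subnet number per network" rule, then traces the forwarding decision described in this section. The function names, site names, and sample plans are hypothetical and constructed for illustration.

```python
import ipaddress
from itertools import combinations

# The three non-routable ranges listed in the TunnelVision section.
PRIVATE_RANGES = [ipaddress.IPv4Network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plans (hypothetical sites).
GOOD_PLAN = {"Network #1": "192.168.1.0/24", "Network #2": "192.168.2.0/24"}
BAD_PLAN = {
    "head office": "192.168.1.0/24",
    "branch": "192.168.1.128/25",   # sits inside the head office subnet
    "lab": "172.32.0.0/24",         # just past the end of 172.16.0.0 - 172.31.255.255
    "warehouse": "192.168.3.1/24",  # a host address, not a subnet number
}


def check_vpn_plan(sites):
    """Return a list of problems in a {site name: subnet} VPN plan."""
    problems, nets = [], {}
    for name, cidr in sites.items():
        try:
            net = ipaddress.IPv4Network(cidr)  # strict: rejects host bits
        except ValueError as exc:
            problems.append(f"{name}: {cidr!r} is not a subnet ({exc})")
            continue
        if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
            problems.append(f"{name}: {net} is outside the non-routable ranges")
        nets[name] = net
    # Addresses cross the tunnel unchanged (no NAT), so two sites that share
    # address space cannot be told apart by the servers at either end.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} and {b}: {net_a} overlaps {net_b}")
    return problems


def forwarding_path(src, dst, sites):
    """Trace how a packet from src reaches dst in a plan that passed the check."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    nets = {n: ipaddress.IPv4Network(c) for n, c in sites.items()}
    local = next((n for n, net in nets.items() if src_ip in net), None)
    if local is None:
        raise ValueError(f"{src} is not on any site in the plan")
    if dst_ip in nets[local]:
        return f"direct on {local}"          # same subnet number
    for name, net in nets.items():
        if dst_ip in net:                    # another site in the VPN
            return f"gateway of {local} -> tunnel -> {name}"
    return f"gateway of {local} -> NAT -> Internet"


if __name__ == "__main__":
    for problem in check_vpn_plan(BAD_PLAN):
        print("PROBLEM:", problem)
    for dst in ("192.168.1.46", "192.168.2.20", "203.0.113.9"):
        print(dst, "=>", forwarding_path("192.168.1.15", dst, GOOD_PLAN))
```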

Configuring a TunnelVision master server

Ensure that the IBM Lotus Foundations server that you are configuring as the master server has a static IP address or has a fully qualified domain name.

Follow these steps to configure a TunnelVision master server:
1. Select VPN in the left menu of WebConfig. The VPN Setup page is displayed.


2. Select Enable for the PPTP Server setting.
3. Select Enable for the TunnelVision setting.
4. Select Yes for the TunnelVision: Use Fully Meshed Mode setting to run TunnelVision in a fully meshed mode and No to run it in a non-meshed mode.
   - If you enable TunnelVision to work in fully meshed mode, then your server can learn about other servers on the VPN by exchanging information through the master server. Then each server makes connections directly to each of the other VPN-connected servers, as needed, without needing to go through the master. If you disable fully meshed mode, then your server only communicates directly with the master server and the master's local network. Your server cannot see any of the other VPN-connected servers or networks.
   - In previous versions of the IBM Lotus Foundations software, fully meshed mode was always enabled and this is still the recommended setting.
5. Leave the TunnelVision: Address of Master Server field empty since the master server does not initiate connections.
6. Enter a password that the server and client use to prove to each other that they are trusted.
7. Enter the password again to ensure that it was entered correctly.
8. Click Save Changes.

Configuring a TunnelVision client

An IBM Lotus Foundations server does not need a static IP address to act as a TunnelVision client, but it needs to know the static IP address or fully qualified domain name of the master server.

Figure 41. VPN Setup page


To find this information, select Local Network from the left-side menu in the WebConfig console on the master server. Click the Advanced Setup tab. Note the address assigned to eth1.

Follow these steps to configure a TunnelVision client:
1. Select VPN in the left menu of WebConfig. The VPN Setup page is displayed.
2. Leave the default PPTP Server setting.
3. Select Enable for the TunnelVision setting.
4. Select Yes for the TunnelVision: Use Fully Meshed Mode setting if you are running TunnelVision in a fully meshed mode, and No if you are running it in a non-meshed mode.
   - If you enable TunnelVision to work in fully meshed mode, then your server can learn about other servers on the VPN by exchanging information through the master server. Then each server makes connections directly to each of the other VPN-connected servers, as needed, without needing to go through the master. If you disable fully meshed mode, then your server only communicates directly with the master server and the master's local network. Your server cannot see any of the other VPN-connected servers or networks.
   - In previous versions of the IBM Lotus Foundations software, fully meshed mode was always enabled and this is still the recommended setting.
5. In the TunnelVision: Address of the Master Server field, enter the master server's static IP address or fully qualified domain name.
6. Enter the password that was used in step 6 of “Configuring a TunnelVision master server” on page 97.
7. Enter the password again to ensure that it was entered correctly.
8. Click Save Changes. TunnelVision immediately begins to create the tunnel between the client and the master server. If the client and the server are connected to the Internet and everything is configured correctly, this process should only take a few seconds.

To configure another IBM Lotus Foundations server as a client, simply repeat this process.

TunnelVision status

The System Status page always displays the status of active VPNs. You might need to click the browser's Refresh button to see the latest information.

IPsec

The IPsec functionality in IBM Lotus Foundations uses the industry standard ISAKMP/IKE protocol and is compatible with other standard IPsec devices. IPsec is the recommended method for creating a permanent tunnel.

Adding an IPsec route

To create an IPsec route, follow these steps:
1. Select VPN in the left menu of WebConfig.
2. Select the IPsec Setup tab.
3. Select Add New IPsec Route. The Create IPsec Route page is displayed.


4. In the Remote Server field, enter the public IP address or the fully qualified domain name (FQDN) of the remote server.
5. To include a private subnet behind the remote server's firewall, enter the internal subnet containing the internal IP address of the remote unit in the Remote Subnet field. For example, if the unit's internal IP address is 192.168.10.1 with a subnet mask of 255.255.255.0, enter 192.168.10.0/24.
6. Enter a remote IKE key. This is a password that should be unique and entered on both ends of the IPsec connection.
7. Click Yes to enable the Perfect Forward Secrecy (PFS) feature. The two ends do not negotiate this automatically, so make sure that the setting is the same on both ends.
8. For Enable this connection, click Yes.
9. Click Save Changes.

Adding an anonymous incoming connection IPsec route

Creating an anonymous IPsec route eliminates the need for statically identifying the remote server IP address.

To configure an anonymous connection, follow these steps:
1. Select VPN in the left menu of WebConfig.
2. Select the IPsec Setup tab.
3. Select Add New IPsec Route. The Create IPsec Route page is displayed.

Figure 42. Create IPsec Route screen


4. Enter 0.0.0.0 in the Remote Server field. The IBM Lotus Foundations server must have a static IP address.
5. To include a private subnet behind the remote server's firewall, enter the internal subnet containing the internal IP address of the remote unit in the Remote Subnet field. For example, if the unit's internal IP address is 192.168.10.1 with a subnet mask of 255.255.255.0, enter 192.168.10.0/24.
6. Enter a remote IKE key. This password needs to be entered on both ends of the IPsec connection.
7. Click Yes to enable the Perfect Forward Secrecy (PFS) feature. The two ends do not negotiate this automatically, so make sure that the setting is the same on both ends.
8. For Enable this connection, click Yes.
9. Click Save Changes.

Editing an IPsec route

To edit an existing IPsec route, follow these steps:
1. Select VPN in the left menu of WebConfig.
2. Select the IPsec Setup tab.
3. Select the appropriate IPsec route's edit icon on the IPsec Setup page. The Modify IPsec Route page is displayed.
4. In the Remote Server field, enter the fully qualified domain name or IP address of the remote server that you want to connect to.
5. To include a private subnet behind the remote server's firewall, enter the internal subnet containing the internal IP address of the remote unit in the Remote Subnet field. For example, if the unit's internal IP address is 192.168.10.1 with a subnet mask of 255.255.255.0, enter 192.168.10.0/24.
6. Enter a remote IKE key. This is a password that should be unique and entered on both ends of the IPsec connection.
7. Select Yes to enable the Perfect Forward Secrecy (PFS) feature. The two ends do not negotiate this automatically, so make sure that the setting is the same on both ends.

Figure 43. Create IPsec Route screen


8. Click Save Changes.

Setting up other IPsec clients

With the large number of IPsec servers available, configuration parameters cannot be provided for each device. The following information does, however, provide the best configuration for enabling an IBM Lotus Foundations server to create a virtual private network (VPN) with third-party devices.

IBM Lotus Foundations setup

For an IBM Lotus Foundations setup, use these configurations:
- Remote server - Enter the external IP address of the remote unit.
- Remote subnet - Enter the internal IP address of the remote unit and the subnet. For example, if the unit's internal IP address is 192.168.10.1 with a subnet mask of 255.255.255.0, enter 192.168.10.0/24.
- Remote IKE key - Enter your shared key that is being used.
- Key Type - Select PSK.
- Perfect Forward Secrecy (PFS) - Select Yes.

Third-party IPsec client setup

For a third-party setup, use these configurations:
- Encryption / Tunnel - 3DES/MD5 and 3DES/SHA1 are supported.
- Security Association (SA) Lifetime - Set to 3600 seconds.
- Mode - If there are different modes available, select Main Mode.
- Private Key Secret - Use preshared secret keys (PSK), not RSA keys or other keys such as PKI, as these are not supported on IBM Lotus Foundations.
- Perfect Forward Secrecy - Perfect forward secrecy (PFS) must be enabled or disabled on both ends of the connection. The IPsec protocols do not provide a method for the two ends to negotiate this, so you must ensure that it is set correctly.
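Because PFS and the preshared key are not negotiated, a mismatch between the two ends only shows up as a tunnel that fails to establish. The following Python sketch is an added example, not IBM code: it compares the settings recorded for both ends of an IPsec route against the parameters listed above and derives the Remote Subnet value from the peer's internal IP address and mask. The class and function names, addresses, and key are hypothetical and constructed for illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# The pairs the page lists as supported. 3DES, MD5 and SHA1 are legacy
# algorithms; they appear here only because they are what this product accepts.
SUPPORTED_PROPOSALS = {("3DES", "MD5"), ("3DES", "SHA1")}


@dataclass
class IpsecEnd:
    name: str
    internal_ip: str         # this unit's internal address
    netmask: str             # this unit's internal subnet mask
    peer_remote_subnet: str  # value typed into "Remote Subnet" for the peer
    ike_key: str
    pfs: bool
    key_type: str = "PSK"
    proposal: tuple = ("3DES", "SHA1")
    sa_lifetime: int = 3600
    mode: str = "main"


def remote_subnet(internal_ip, netmask):
    """192.168.10.1 + 255.255.255.0 -> '192.168.10.0/24'."""
    return str(ipaddress.IPv4Network(f"{internal_ip}/{netmask}", strict=False))


def compare_ends(a, b):
    """Return a list of findings; an empty list means the two ends agree."""
    findings = []
    for me, peer in ((a, b), (b, a)):
        expected = remote_subnet(peer.internal_ip, peer.netmask)
        try:
            entered = str(ipaddress.IPv4Network(me.peer_remote_subnet))
        except ValueError:
            entered = None  # not a subnet number, for example host bits set
        if entered != expected:
            findings.append(f"{me.name}: Remote Subnet is "
                            f"{me.peer_remote_subnet!r}, expected {expected}")
        if me.key_type.upper() != "PSK":
            findings.append(f"{me.name}: key type {me.key_type} is not PSK")
        if tuple(p.upper() for p in me.proposal) not in SUPPORTED_PROPOSALS:
            findings.append(f"{me.name}: proposal {'/'.join(me.proposal)} "
                            "is not 3DES/MD5 or 3DES/SHA1")
        if me.sa_lifetime != 3600:
            findings.append(f"{me.name}: SA lifetime {me.sa_lifetime}s, expected 3600s")
        if me.mode.lower() != "main":
            findings.append(f"{me.name}: mode {me.mode!r}, expected Main Mode")
    if a.pfs != b.pfs:
        findings.append(f"PFS differs: {a.name}={a.pfs}, {b.name}={b.pfs}")
    # Compare the keys without ever writing them into a finding or a log.
    if not hmac.compare_digest(a.ike_key.encode(), b.ike_key.encode()):
        findings.append("remote IKE key differs between the two ends")
    return findings


# Constructed sample data: one Lotus Foundations end, two versions of a peer.
KEY = "constructed-example-key"
LOTUS = IpsecEnd("lotus", "192.168.1.1", "255.255.255.0",
                 "192.168.10.0/24", KEY, pfs=True)
PEER_OK = IpsecEnd("peer", "192.168.10.1", "255.255.255.0",
                   "192.168.1.0/24", KEY, pfs=True)
PEER_BAD = IpsecEnd("peer", "192.168.10.1", "255.255.255.0",
                    "192.168.1.1/24", KEY, pfs=False,
                    proposal=("AES", "SHA1"), sa_lifetime=28800,
                    mode="aggressive")

if __name__ == "__main__":
    print(compare_ends(LOTUS, PEER_OK))
    for finding in compare_ends(LOTUS, PEER_BAD):
        print("MISMATCH:", finding)
```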

Remote access services

Remote Access Services (RAS) is a feature that enables you to access an internal network while at home or on the road.

You can take advantage of RAS with the following setups:
- A virtual private network (VPN), which requires the Internet and a Point-to-Point Tunneling Protocol (PPTP) client
- A dial-in connection (which requires a dial-up modem and a phone line)

Windows typically has a PPTP client built-in. You might have to purchase a separate software package if you are using a Macintosh.

To establish a remote connection, users must have PPTP or dial-in access. Refer to the “Creating users” on page 20 section for more information.


PPTP: client to server VPN service

Configuring VPN service on Lotus Foundations

To configure the virtual private network (VPN) service on IBM Lotus Foundations, follow these steps:
1. Click VPN in the left menu of WebConfig. The VPN Setup tab of the VPN Setup page is displayed.
2. In the PPTP Server field, select Enable to enable the Point-to-Point Tunneling Protocol (PPTP) server.
3. Click Save Changes.

Establishing a VPN connection

To establish a VPN connection to an IBM Lotus Foundations server, you need to know your user name and password and the IBM Lotus Foundations server's domain name or Internet Protocol (IP) address.

If the client cannot connect to the IBM Lotus Foundations server, ensure the PPTP client is configured to support Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), MS-CHAP version 2, and Microsoft Point-to-Point Encryption protocol (MPPE). Refer to the documentation from your operating system for enabling or configuring these protocols.

Windows 2000/XP/Vista

To establish a VPN connection on a Windows 2000, Windows XP, or Windows Vista machine, follow these steps (these steps vary slightly for Windows XP and Windows Vista):
1. In Windows, go to Network Connections.
2. Select New Connection Wizard and click Next.
3. In the Network Connection Type window, select Connect to the network at my workplace, then click Next.
4. In the following window, select Virtual Private Network connection, then click Next.
5. In the Connection Name window, enter a name for the location to which you are connecting.
6. In the Public Network window, select Do not dial the initial connection and click Next.
7. In the VPN Server Selection window, enter the public IP address of the IBM Lotus Foundations server, or enter the host name followed by the domain name. Click Next.
8. Click Finish. Now that the VPN connection has been created, you need to configure the settings before connecting to the remote network.
9. Open the VPN connection. Before logging in for the first time, click Properties.
10. Click the Networking tab and select PPTP VPN from the Type of VPN drop-down box. Click OK. This only needs to be set once for each connection.
11. Log in using the provided IBM Lotus Foundations user name and password and click OK. Various messages display, such as Verifying the connection... and Registering the user..., before a complete connection. You can log in through PPTP as any user on the IBM Lotus Foundations server, so long as the user has PPTP enabled from the Users menu.


Disconnect a PPTP connection

1. On the Status page of the WebConfig console, in the Services Status section, the PPTP Connections line displays the status of all PPTP connections. If there are active connections, a Details link is displayed.
2. Click the Details link. The Active PPTP Users screen is displayed.
3. Click the Delete action icon of the user whose PPTP connection you want to disconnect.
4. A window is displayed that asks Are you sure you want to disconnect username? Click OK to disconnect the PPTP connection.

Dial in service

Configuring dial in service on IBM Lotus Foundations

Follow these steps to configure dial in service on IBM Lotus Foundations:
1. Click Dial-up in the left menu of WebConfig. The Dial-up Networking Setup page is displayed.
2. Click the edit icon in the Action column for the appropriate modem. A second Dial-up Networking Setup page is displayed.
3. In the Allow Dial in connections field, select Yes.
4. Click Save Changes.

Configuring dial in service in Windows

Follow these steps to configure dial in service in Windows:
1. Click Start → Settings → Control Panel. Double-click the Add/Remove programs icon.
2. The Add/Remove Programs Properties window is displayed. Select the Windows Setup tab.
3. Select Communications from the Components list and click Details.... A second Components list is displayed, showing the communications components that are already installed and those that can be installed.
4. Select Dial-Up Networking from the Components list.
   - If it is already selected, then dial-in software has already been installed. Proceed to “Establishing a dial up connection.”
   - If it is not selected, you must install the dial-in software. Proceed to the next step.
5. Select Dial-Up Networking and click OK.
6. The Windows Setup window is re-displayed. Click Apply. The software is installed automatically.
7. Reboot your computer when the software is finished installing.

You might be asked to insert your Windows disk for additional software components to be loaded. Follow the instructions provided by the operating system during this process.

Establishing a dial up connection

When a user dials into the IBM Lotus Foundations server, their user name is displayed in the Internet Status field in the Services Status section of Status page in the WebConfig console for the duration of the connection. The administrator can choose to terminate the user's connection from this page.

To establish a dial-in connection to your network, you need to know your IBM Lotus Foundations user ID and password and the phone number of a modem that is connected to an external phone line. Depending on your Internet connection, it might take longer than normal to complete network requests.

To establish a dial-in connection in Windows 2000, Windows XP, or Windows Vista, follow these steps (these steps vary slightly for Windows 2000 and Windows Vista):
1. Select Start → Settings → Control Panel → Network Connections.
2. Click Create a new connection in the Network Tasks pane on the left side of the Network Connections window. Click Next.
3. Select Connect to the network at my workplace. Click Next.
4. Select Dial-up connection.
5. Enter a name for the dial-up connection. Click Next.
6. Enter the phone number for the IBM Lotus Foundations server. Read the window text for specific information about adding any necessary information to the phone number. Click Next.
7. If you want to add a shortcut icon to your desktop, click the box for Add a shortcut to this connection to my desktop.
8. Click Finish. You have created an icon that activates a dial-in connection to the internal network.
9. Establish a dial-in connection by double-clicking the icon that you created in the previous step.
10. Enter your IBM Lotus Foundations login name and password. Click Connect. A window showing you the progress of the connection is displayed. An icon showing traffic between your workstation and the IBM Lotus Foundations server to which you are connected is displayed in the bottom right corner of your screen when you are connected to the local network.
11. To terminate the connection, double-click the icon. Select Disconnect in the window that is displayed.

Terminating a connection from WebConfig

When a user dials into the IBM Lotus Foundations server, their username is displayed in the Internet Status field in the Services Status section of the Status page of WebConfig for the duration of the connection. The administrator can choose to terminate the user's connection from this page.

Workstation viewer

The workstation viewer is an IBM Lotus Foundations subsystem that can list the workstations and servers that are connected through the local network. The Workstations page tells you which computers are on the network, their names and Internet Protocol (IP) addresses, and who is logged on.

If a workstation can be administered remotely using virtual network computing (VNC), the remote administration program can be accessed from WebConfig.

Accessing the workstation viewer

To access the workstation viewer, follow these steps:


1. Click Workstations in the left menu of WebConfig. The Workstations page is displayed.
2. Scanning for workstations can waste bandwidth; no workstations are displayed in the list by default. Click New Scan to view an updated list of workstations.
3. Click Refresh after a few seconds to view the updated list. Workstations are displayed in the list if they are connected to the network. Refresh changes back to New Scan when the scan is complete.
4. Workstations can be sorted by IP Address or Workstation Names by clicking the appropriate column title.

Virtual network computing (VNC)

Using free Windows software called Virtual network computing (VNC), you can configure Windows, Macintosh, and UNIX workstations so they can be controlled remotely from a central workstation. If users need help or settings need to be changed, the VNC software provides an alternative to an administrator having to physically go and sit in front of the workstation to solve the problem.

Computers with a VNC remote administration server installed are displayed with the words Remote Admin next to them on the Workstations page.

Configuring VNC

There are two parts to configuring remote administration:
1. VNC Server - Should be installed on every user's workstation.
2. VNC Viewer - Should be installed on the administrator's workstation.

When the servers and viewers are configured, clicking the Remote Admin link on the Workstations screen connects you to the remote virtual network computing (VNC) server and displays the remote desktop.

Configuring the VNC server

To configure the VNC server, perform these steps:
1. Download VNC. You can download VNC from http://www.realvnc.com/products/download.html.
2. The file comes in a compressed format. Extract the file in a temporary location for installation. Run the Setup program and follow the instructions. Accept all defaults during the installation process.
3. When the installation is finished, reboot the workstation.
4. Click Start → Applications → VNC → Start VNC (App mode).
5. The first time you start VNC you have to set up a password, which is needed to connect to your workstation.
6. When VNC is active, a small VNC icon displays in the bottom right corner of your screen.

Configuring the VNC viewer (for the administrator's workstation)

To configure the VNC viewer, perform these steps:
1. Download VNC from the Internet and configure the VNC server.
2. Look for vncviewer.exe and copy it to an easily navigable location, such as C:\Windows.


3. Click Start → Programs → Windows Explorer.4. From the Tools menu, select Folder Options.5. Click the File Types tab. The File Types page is displayed.6. Click New Type.... The Add New File Type page is displayed.7. Enter a description of the file type (such as VNC Viewer Admin) in the

Description of Type field.8. Enter vnc in the Associated extension field.9. Enter application/x-vnc in the Content Type (MIME) field.

10. Click New. The New Action page is displayed.11. Enter Open in the Action field.12. Enter the following line in the Application used... field: c:\windows refers to

the location where VNC has been installed. The quotations around "%1" arerequired.c:\windows\vncviewer.exe /config "%1"

13. Click OK. VNC Viewer Admin is displayed in the Registered file types list ofthe File Types screen.


File services

IBM Lotus Foundations is designed to provide high performance file sharing services to Windows, Macintosh, and UNIX-style clients. Files created by Windows users can transparently be seen by Macintosh users and vice versa.

The management and administration of file services is tightly integrated with user management and administration. Refer to “Service integration” on page 19 for a detailed explanation of how file sharing services are automatically set up during user and team creation.

Configuring file services

Follow these steps to configure file services:
1. Click File Server in the left menu of WebConfig. The Basic Setup tab is the default view.

Figure 44. File Server Setup page in the WebConfig console

2. If appropriate, enable the file virus scanner. With this option selected, all files on the system are automatically scanned for viruses every 12 hours. When a virus is encountered, it is cleaned, if possible. Otherwise, it is renamed to 'filename-INFECTED' and the user whose directory the file was found in is informed through email of the virus.

3. If appropriate, enable the NFS file server, which enables UNIX, Linux, and similar computers to access shared directories on the server. For NFS mounting, users can mount a server directory on a local Linux machine by following these steps:
   a. Create the mount point on the Linux workstation: mkdir /Files
   b. Mount the remote file system on that mount point: mount server_ip_address:/export/home/user_name/Files /Files
   You can now access the share using the Linux workstation provided the server directory permissions are correct.

4. If appropriate, disable the Macintosh file server. Each user and team has a shared directory, accessible by Windows file sharing, FTP, Apple Filing Protocol (AFP), or NFS. This should stay enabled if there are Mac clients on the network that want to use AFP to connect to their shares. Mac users might have the option to use the SMB protocol, but they can still use AFP to connect to shares. You should keep this option enabled if the user prefers to connect using AFP, you do not have Windows domain membership enabled and have Mac clients, or if you have older Mac clients that do not support SMB. If you have no Macs on your network, you can safely disable this option.

5. In the Windows File Server section, you can select the following options from the drop-down:
   - Stand Alone enables the file server and is the default setting.
   - Disabled turns off the file server.
   - NT Domain Controller, NT Domain Member, Active Directory Member should be selected if the server is an NT domain controller, member, or Active Directory member. Refer to “Windows NT domain services” on page 113 for further instructions.

6. Enter a Windows workgroup name if you are not acting as a domain member or a domain controller. This name indicates the workgroup under which the IBM Lotus Foundations server is listed as a resource in Windows Network Neighborhood. Enter the Windows workgroup name being used by other workstations in the office. If you are setting up a new network, you can use any workgroup name you want, providing that you configure the Windows workstations so they belong to the same workgroup.

7. In the section labeled WINS Support, select whether the IBM Lotus Foundations server responds to WINS requests by clicking Enable or Disable. If you select Enabled for the option above, specify the WINS server on the network in the WINS Server section. If you want that IBM Lotus Foundations server to act as the WINS server, leave the text box as is. If you want to use another server on the network to act as the WINS server, enter the IP address of that server.

8. If you do not need to use the IBM Lotus Foundations File Server from legacy Microsoft Windows boxes (versions 9x), disable Legacy Windows Compatability.

9. Click Save Changes.

To ensure that the status of the file server has changed, select Status in the left menu of WebConfig. The Windows, Apple, and NFS File Server sections of the System Status screen should display the updated status. It can take up to 15 seconds for file services to start, and during that time the status might read Error starting service.
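As an added example (not from the IBM manual), the shell functions below audit a share mounted as in step 3: one checks that the NFS mount carries the nosuid and nodev options, the others report files that the virus scanner from step 2 renamed to filename-INFECTED. The function names, the --audit flag, and the choice of nosuid and nodev as required options are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the IBM manual. Function names and the --audit
# flag are hypothetical; requiring nosuid and nodev is this example's policy.

# share_mount_opts MOUNTS_FILE MOUNT_POINT
# Print "fstype options" for MOUNT_POINT from a file in /proc/mounts format.
# If the mount point is listed more than once, the last entry wins.
share_mount_opts() {
    smo_mp=${2%/}                      # tolerate a trailing slash
    [ -n "$smo_mp" ] || smo_mp=/
    awk -v mp="$smo_mp" '
        $2 == mp { out = $3 " " $4 }
        END { if (out == "") exit 1; print out }
    ' "$1"
}

# mount_is_restricted MOUNTS_FILE MOUNT_POINT
# Returns 0 if MOUNT_POINT is an NFS mount with both nosuid and nodev,
#         1 if it is an NFS mount missing one of them,
#         2 if it is not mounted or is not NFS.
mount_is_restricted() {
    mir_line=$(share_mount_opts "$1" "$2") || return 2
    mir_fstype=${mir_line%% *}
    mir_opts=",${mir_line#* },"
    case "$mir_fstype" in
        nfs|nfs4) ;;
        *) return 2 ;;
    esac
    for mir_want in nosuid nodev; do
        case "$mir_opts" in
            *",$mir_want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# list_infected ROOT
# Print every regular file under ROOT whose name ends in -INFECTED.
list_infected() {
    find "$1" -type f -name '*-INFECTED' | sort
}

# count_infected ROOT
# Count those files; one byte is emitted per file so that file names
# containing newlines cannot inflate the count.
count_infected() {
    find "$1" -type f -name '*-INFECTED' -exec printf '.' \; | wc -c | tr -d ' '
}

# Usage: sh audit_share.sh --audit /Files
if [ "${1:-}" = "--audit" ]; then
    if [ -n "${2:-}" ]; then
        rc=0
        mount_is_restricted /proc/mounts "$2" || rc=$?
        case "$rc" in
            0) echo "$2: NFS mount has nosuid and nodev" ;;
            1) echo "$2: NFS mount is missing nosuid or nodev" ;;
            *) echo "$2: not an NFS mount" ;;
        esac
        echo "$(count_infected "$2") file(s) renamed by the virus scanner:"
        list_infected "$2"
    fi
fi
```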

Active server connections

The Active Connections tab displays which server resources, such as opened files, are being used by client workstations.

To view the current active connections in IBM Lotus Foundations:
1. Click File Server in the left menu of WebConfig. Click the Active Connections tab.
2. In the main window, you see a table that displays the following information:
   - User Name - indicates which user account is used to log in to the network share.
   - Machine Name - indicates the workstation used to log in to the network share.
   - IP Address - indicates the IP associated with the Machine Name.
   - Connected Since - indicates what time the share was connected to.
   - Action - provides the option of looking into further details of the connection or deleting the connection.
3. If you click the edit icon, you see a page that displays the following information:
   - User Name - indicates which user account is used to log in to the network share.
   - Machine Name - indicates the workstation used to log in to the network share.
   - Path - indicates the path location of the share connection. If a file is in use, the actual file might display.
   - Open Since - indicates when the share was initially accessed.

Access control lists

An Access Control List (ACL) defines which permissions, or access rights, each user or team has to a specific file or directory.

Administrators can modify an IBM Lotus Foundations user's or team's permissions (Read Only, Read/Write, or No Permissions) on directories through the IBM Lotus Foundations Permissions feature.

Setting a user's permissions

Follow these steps to set a user's permissions:
1. Click File Server in the left menu of WebConfig. Click the Permissions tab.
2. Scroll down the list of teams, admins, and users in the selection box and click the directory to which you want to assign permissions. Click Show Permissions.
3. The Modify File Permissions page is displayed showing the current permissions for that directory.
4. Modify the user's permissions by selecting either the Read Only, Read/Write, or No Permissions radio button. Click the check mark button for Include Subfolder(s) if you want the same permission applied recursively, then click the save icon in the Action column.
5. If you want to add permissions, in the last row titled Add, select the folder from the drop-down, and click the green plus sign in the Action column.
6. To set all the files and folders under the current directory back to the default permission value, click Reset Folder Permissions.
7. To set all the files and folders under the current directory, including all subfolder files back to the default permission value, click Reset Tree Permissions.

Setting a team's permissions

Follow these steps to set a team's permissions:
1. Click File Server in the left menu of WebConfig. Click the Permissions tab.
2. Scroll down the list of teams, admins, and users in the selection box and click the directory of the team to whom you want to assign permissions. Click Show Permissions.
3. The Modify File Permissions page is displayed, showing the current permissions for that directory.
4. Modify the team's permissions by selecting either the Read Only, Read/Write, or No Permissions radio button. Click the check mark button for Include Subfolder(s) if you want the same permission applied recursively, then click the save icon in the Action column.
5. To view the permissions of all users assigned to that team, click the plus symbol to the left of the team name in the Modify File Permissions section. This expands the team list and shows all users within that team and their permission levels.
6. If you want to add permissions, in the last row titled Add, select the folder from the drop-down, and click the green plus sign in the Action column.
7. To set all the files and folders under the current directory back to the default permission value, click Reset Folder Permissions.
8. To set all the files and folders under the current directory, including all subfolder files back to the default permission value, click Reset Tree Permissions.

Setting permissions in Windows

Alternatively, you can configure file and folder permissions in Windows. Refer to the following links for further information:

How to Share and Set Permissions for Folders and Files Using Windows XP:

http://technet.microsoft.com/en-us/library/bb456988.aspx

File and Folder Permissions (Windows 2000):

http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/13w2kadc.mspx


Windows NT domain services

Configuring IBM Lotus Foundations domain settings

The domain settings for IBM Lotus Foundations are located in the File Server section in WebConfig.

Click File Server in the left menu of WebConfig. The Basic Setup tab is the default view. The options for configuring domain settings are located in the Windows File Server drop-down box.

You have the following options:
- Disabled - disables Windows file sharing and domain services in IBM Lotus Foundations.
- NT Domain Controller - configures the IBM Lotus Foundations server as a domain controller.
- NT Domain Member - configures the IBM Lotus Foundations server as a domain member.
- Active Directory Member - configures the IBM Lotus Foundations server as a member of an Active Directory environment.
- Stand Alone - enables Windows file sharing services in IBM Lotus Foundations and disables the domain settings.

See “File services” on page 109 for more information about the following topics:
- File services in stand-alone mode
- Permissions
- Active connections

Note: Because different versions of IBM Lotus Foundations can contain modifications to domain functionality, it is recommended that IBM Lotus Foundations servers acting as domain members or a domain controller are running the same version on each server.

What is a domain controller?

A domain controller provides authentication services to the rest of the computers on the network. It stores user account and security information in a central database for one domain. When a user logs on to a computer that is part of the domain, the domain controller authenticates the user name and password against the information in the directory database.

IBM Lotus Foundations can serve as a Windows domain controller for all the computers running Windows on the network. When this function is enabled, the Windows file server is set up as a domain controller and a domain name replaces the Windows workgroup.

The network domain name has nothing to do with the Internet domain name. They do not interact and are independent of each other.

Note: Do not use the same Internet domain name as your local network domain name.

Configuring the domain controller

Follow these steps to enable IBM Lotus Foundations as a domain controller:
1. Click File Server in the left menu of WebConfig. The File Server Setup screen is displayed.
2. For the Windows File Server drop-down box, select NT Domain Controller.
3. Enter a name in the Windows Workgroup/Domain field. This is the domain name once the domain controller is enabled. Avoid using the default name of WORKGROUP.
4. For Domain Admin Team, select any additional users to add to the domain_admins team. Members of this team have the exclusive ability to authenticate workstations to the IBM Lotus Foundations domain.
5. The Roaming Profiles selection enables or disables roaming profiles for Windows workstations. A roaming profile is available when a user logs on to any computer on the network. Administrators create roaming profiles, which are stored on the server.
6. For WINS Support, select whether the IBM Lotus Foundations server responds to Windows Internet Name Service (WINS) requests by clicking Enable or Disable. If you select Enabled for the option above, specify the WINS server on the network in WINS Server. If you want that IBM Lotus Foundations server to act as the WINS server, leave the text box as is. If you want to use another server on the network to act as the WINS server, enter the Internet Protocol (IP) address of that server.
7. Click Save Changes.

You need to set each Windows workstation's domain name to match this for Windows file and printer sharing to work properly.

Figure 45. File Server Setup screen in the WebConfig console


What is a Windows NT domain member?

IBM Lotus Foundations can become a member of a Microsoft Windows NT domain, enabling IBM Lotus Foundations to authenticate users using a pre-existing Windows NT domain controller rather than local passwords.

The Windows NT domain stores all user account and security information in a central database. When a user logs on to IBM Lotus Foundations, the Windows NT domain authenticates the user name and password against the information in the directory database. This means that you do not need to maintain a separate directory database for both IBM Lotus Foundations and Windows systems. IBM Lotus Foundations users can access their network files from both Windows and IBM Lotus Foundations systems with the same user name and password. All administration can be done from the domain controller, which can use either IBM Lotus Foundations or Windows.

Configuring the domain member

Follow these steps to enable IBM Lotus Foundations as a domain member:
1. Click File Server in the left menu of WebConfig. The File Server Setup page is displayed.
2. In the Windows File Server drop-down box, select NT Domain Member.
3. Enter the domain name in the Windows Workgroup/Domain field.
4. For Domain Admin Username, enter the user name of a member of the domain_admins team on the IBM Lotus Foundations domain controller. If you are authenticating to a Windows domain controller, enter a user name belonging to the domain_admins group on the Windows server.
5. For Domain Admin Password, enter the corresponding password to the user name you provided in the previous box.
6. For WINS Support, select whether the IBM Lotus Foundations server responds to Windows Internet Name Service (WINS) requests by clicking Enable or Disable. If you select Enabled for the option above, specify the WINS server on the network in the WINS Server field. If you want that IBM Lotus Foundations server to act as the WINS server, leave the text box as is. If you want to use another server on the network to act as the WINS server, enter the Internet Protocol (IP) address of that server. WINS Support is disabled by default because the domain controller usually acts as the WINS server. The primary reason to enable this option on a domain member is when it is in a multi-subnetted environment.
7. Click Save Changes.

Connecting the Active Directory member

Do not set an IBM Lotus Foundations server as an Active Directory member if the domain controller is an IBM Lotus Foundations server.

Follow these steps to add the IBM Lotus Foundations server as a member of an Active Directory environment:
1. Click File Server in the left menu of WebConfig. The File Server Setup page is displayed.
2. In the Windows File Server drop-down box, select Active Directory Member.
3. Enter the domain name in the Windows Workgroup/Domain field.
4. For Domain Admin Username, enter the user name of a member of the Domain Administrators group on the Windows server.
5. For Domain Admin Password, enter the corresponding password to the user name you provided in the previous box.
6. For WINS Support, select whether the IBM Lotus Foundations server responds to Windows Internet Name Service (WINS) requests by clicking Enable or Disable. If you select Enabled for the option above, specify the WINS server on the network in the WINS Server field. If you want that IBM Lotus Foundations server to act as the WINS server, leave the text box as is. If you want to use another server on the network to act as the WINS server, enter the Internet Protocol (IP) address of that server. WINS Support is disabled by default because the domain controller usually acts as the WINS server. The primary reason to enable this option on a domain member is when it is in a multi-subnetted environment.
7. Click Save Changes.

Verifying server connectivity

After you have selected and configured a mode in IBM Lotus Foundations, you can verify the status on the main System Status page of WebConfig in the User Authentication Method section.

If you have set Windows File Server to Disabled, you should see:

Table 13. User Authentication Message

Section | Image | Message
User Authentication Method: | | Using normal password authentication. x of x user licenses available.

If you have set Windows File Server to NT Domain Controller, you should see:

Table 14. User Authentication Message

Section | Image | Message
User Authentication Method: | | Authenticating users for domain DOMAIN_NAME as a Windows NT domain controller. Using normal password authentication. x of x user licenses available.

If you have set Windows File Server to NT Domain Member, you should see:

Table 15. User Authentication Message

Section | Image | Message
Windows Domain Membership: | | Joined domain DOMAIN_NAME (SERVER_NAME/IP_ADDRESS)
User Authentication Method: | | Using Windows domain DOMAIN_NAME using password server SERVER_NAME/IP_ADDRESS. x of x user licenses available.

If you have set Windows File Server to Active Directory Member, you should see:


Table 16. User Authentication Message

Section | Image | Message
Windows Domain Membership: | | Joined domain DOMAIN_NAME (SERVER_NAME/IP_ADDRESS)
User Authentication Method: | | Using Windows domain DOMAIN_NAME using password server SERVER_NAME/IP_ADDRESS. x of x user licenses available.

If you have set Windows File Server to Stand Alone, you should see:

Table 17. User Authentication Message

Section | Image | Message
User Authentication Method: | | Using normal password authentication. x of x user licenses available.

Monitoring machine accounts

Machine account monitoring is available in NT Domain Controller mode and lists all machine trust accounts of the current domain.

Click File Server in the left menu of WebConfig. Click the Machine Account link.

The status of a machine trust account is displayed as one of the following:
- Joining - The machine is in the process of joining the current domain.
- Joined - The machine has already joined the domain, but no user is currently accessing the domain controller through that machine.
- Active - One or more users are currently accessing the domain controller through that machine.

If you want to remove a machine account from the list, click the delete icon. This can be used to clean up the list or remove domain access from a workstation. This comes into effect the next time that workstation attempts to log in to the domain.

Importing domain users and groups

Note: Each account that is imported uses a license on the member server. If there are not enough licenses on the member server, you receive an error notice indicating that your license limit has been exceeded and accounts might not work correctly.

From a member server, you can import domain groups and users from the domain controller. This helps you to selectively choose which accounts you want to import and ensures that authentication and other domain-related features are consistent across the network.

Follow these steps to import domain users and groups:
1. Click Users in the left menu of WebConfig.
2. Click Import Users.
3. From the Domain Controller Groups and Domain Controller Users fields, highlight the accounts that you want to import to the member server and click Import.
   Note: The only user account that cannot be imported is root.
4. Click Save Changes. A page displaying the imported items, along with other information, is displayed.
   - PWDUMP2 Generated Users - Indicates which accounts have been imported using the pwdump2 utility. The information provided includes the user name of the account, along with the Lanman hash and MD5 hash strings.
   - Syntactically Generated Users - Indicates user accounts that have been manually entered into the Import Users section. The information provided is the user name of the account, the password for the account (in plain text), the full name, and the quota and quota type, if one has been assigned.
   - Imported Domain Groups - Indicates which groups you have specified to import to the member server. The information provided is the group name, the members of that group, and the quota and quota type, if one has been assigned. Group members who exist in the domain controller, but not in the domain member, are not displayed in the Members field.
   - Imported Domain Users - Indicates which users you have specified to import to the member server. The information provided is the user names, their passwords (in plain text), and the quota and quota type, if one has been assigned.
5. After you have verified all the imported accounts, click Save Changes.

Authentication status

After you import an account from the Active Directory server or Windows domain, the account appears as a disabled remote user. The account owner must log into IBM Lotus Foundations WebConfig using the user ID and password on the domain or Active Directory server. After the initial user login the passthrough authentication activates.

After a domain member server is connected to the domain controller and all the wanted accounts have been imported, you can verify the authentication status. In the User section of WebConfig, a new column labeled Authenticate is displayed and indicates whether an account is local or remote.

If the status indicates local, the account only exists on the member server. If the status indicates remote, the account exists on both the member server and the domain controller.

Note: If the same user account exists on both servers, before domain connectivity, the accounts synchronize and automatically use the authentication on the domain controller. After the accounts are synchronized, the status of the users that existed on both accounts changes from local to remote.

File mounting/drive mapping

After the domain controller is enabled, a user's folders can be mounted directly onto any domain workstation upon login. The shared folders of any team that the user belongs to can also be mounted.

For Users

To mount files or map drives for users, follow these steps:
1. Click Users in the left menu of WebConfig.
2. Click the Users tab.
3. Click the edit icon in the Action column for the appropriate user. The Modify User page is displayed.
4. From the drop-down menu in the Automatically mount files as field, select the drive letter under which the user's files should be mounted on the workstation. The default drive is X.
   Note: Ensure that you choose a drive that does not conflict with a drive that is already in use.
5. Click Save Changes.

This can also be done when the user is created.

For Teams

To mount files or map drives for teams, follow these steps:
1. Click Users in the left menu of WebConfig.
2. Click the Teams tab.
3. Click the edit icon in the Action column for the appropriate team. The Modify Team page is displayed.
4. From the drop-down menu in the Automatically mount files as field, select the drive letter under which the team's shared files should be mounted on the workstation. The default, Disabled, is to not mount the files at all. The Auto option decreases the possibility of drive conflicts.
5. Click Save Changes.

This can also be done when the team is created.

Joining Windows systems to a domain

All Microsoft Windows workstations need to authenticate to the domain once the domain controller is enabled. Authentication to the domain must be performed using an account that belongs to the domain_admins team.

Once a Windows workstation has joined the domain, users can change their passwords using the standard Windows interface or from WebConfig.

For Windows 2000

1. In Windows, select Start → Settings → Control Panel. The Control Panel window is displayed.
2. Select System from the list. The System Properties window is displayed. Click the Network Identification tab.
3. Click Properties. The Identification Changes window is displayed.
4. In the Member section of the window, select Domain. Enter the name of the domain as entered in the Windows Workgroup/Domain field in the Basic Setup tab on the File Server Setup page of the WebConfig console and click OK.
5. A Windows Security box will appear, prompting you to enter a username and password. Enter the credentials of a user belonging to the domain_admins team on the server and click OK.
6. Another box will appear, welcoming the workstation to the domain. You will be prompted to reboot the workstation in order for the changes to take place. The next time you log in to Windows, the login window will contain an additional Domain field. Make sure this field is selected when authenticating to the domain.

For Windows XP Professional

1. In Windows, select Start → Settings → Control Panel. The Control Panel window is displayed. On the left menu bar under Control Panel, select Classic View if you are currently in Category View.
2. Select System from the list. The System Properties window is displayed. Click the Computer Name tab.
3. Click Change.... The Computer Name Changes window is displayed.
4. In the Member of section of the window, select Domain. Enter the name of the domain as entered in the Windows Workgroup/Domain field in the Basic Setup tab on the File Server Setup page of the WebConfig console and click OK.
5. A Windows Security box will appear, prompting you to enter a username and password. Enter the credentials of a user belonging to the domain_admins team on the server and click OK.
6. Another box will appear, welcoming the workstation to the domain. You will be prompted to reboot the workstation in order for the changes to take place. The next time you log in to Windows, the login window will contain an additional Domain field. Make sure this field is selected when authenticating to the domain.

For Windows Vista

The versions of Windows Vista that are capable of joining a domain are the Business and Ultimate editions. The Home Basic and Home Premium editions cannot join a domain.
1. In Windows, right click Start → Computer → Properties.
2. In the section Computer name, domain and workgroup settings, click Change settings.
3. Click Change.... The Computer Name Changes window is displayed.
4. In the Member of section of the window, select Domain. Enter the name of the domain as entered in the Windows Workgroup/Domain field in the Basic Setup tab on the File Server Setup page of the WebConfig console and click OK.
5. A Windows Security box will appear, prompting you to enter a username and password. Enter the credentials of a user belonging to the domain_admins team on the server and click OK.
6. Another box will appear, welcoming the workstation to the domain. You will be prompted to reboot the workstation in order for the changes to take place. The next time you log in to Windows, the login window will contain an additional Domain field. Make sure this field is selected when authenticating to the domain.


For Windows 7

Prior to adding any Windows 7 workstations to a Lotus Foundations domain, a registry patch must first be applied. For further information on this subject, refer to the IBM technote Support for Windows 7 in Lotus Foundations (http://www.ibm.com/support/docview.wss?uid=swg21409287).
1. In Windows, right click Start → Computer → Properties.
2. In the section Computer name, domain and workgroup settings, click Change settings.
3. Click Change.... The Computer Name/Domain Changes window is displayed.
4. In the Member of section of the window, select Domain. Enter the name of the domain as entered in the Windows Workgroup/Domain field in the Basic Setup tab on the File Server Setup page of the WebConfig console and click OK.
5. A Windows Security box will appear, prompting you to enter a username and password. Enter the credentials of a user belonging to the domain_admins team on the server and click OK.
6. Another box will appear, welcoming the workstation to the domain. You will be prompted to reboot the workstation in order for the changes to take place. The next time you log in to Windows, the login window will contain an additional Domain field. Make sure this field is selected when authenticating to the domain.

Windows Server 2008

IBM Lotus Foundations can join as an Active Directory member with Windows Server 2008, but only if the domain and forest functional levels on the controller are set to Windows 2003. IBM Lotus Foundations is the same as Windows 2003 in what it supports.

Logon scripts

Logon scripts are MS-DOS batch files found at \\Servername\netlogon. A Microsoft Windows workstation performs a user's logon script when the user signs on to the domain. The primary function of the logon scripts is to set up mapped drives to the user's shares on the domain controller.

All scripts are called USERNAME.bat. These batch files call upon _logon.bat. The _logon.bat file is empty by default. If an administrator modifies the _logon.bat file, the instructions in the _logon.bat are performed after the user-specific logon script. Manual modifications should be made to _logon.bat, as USERNAME.bat is automatically generated and modifications are lost.

Automated drive mapping

You can automatically mount user folders and team folders through the selection of a drive mount in the Modify User, Add User, Modify Team, or Add Team setup pages. These drive mappings are done through the logon scripts. Any drives previously mounted are not automatically disconnected as Windows caches these drive connections.

Workstation administrative rights

Administrators can add users to the domain_admins team to give them workstation administrative rights to all computers running Windows on the network. These users have full control over workstation administration without gaining access to other server administrator functions. Adding users to the domain_admins team only gives them administrative rights over a Windows client if the Windows client is joined to the domain.

Giving users workstation administrative rights

Follow these steps to give users workstation administrative rights:
1. Click Users in the left menu of WebConfig.
2. Click the Teams tab, then click the edit icon in the Action column for the domain_admins team. Add any users to the domain_admins team that you want to grant access to workstation administrative features. See “User and team management” on page 19 for instructions on how to create a team.
3. The next time that user logs in to the domain, they have workstation administrative rights.

Network file system

NFS (Network file system) is a protocol invented by Sun Microsystems that enables clients using UNIX and similar operating systems to mount file systems from remote servers. This chapter is for advanced users who are familiar with UNIX and similar operating systems.

Refer to http://en.tldp.org/HOWTO/NFS-HOWTO/ for more information about NFS.

IBM Lotus Foundations only supports situations where the user IDs are the same on the local system and the IBM Lotus Foundations server.


Domain Name Service

Domain Name Service (DNS) is the protocol used to convert Internet domain names into Internet Protocol (IP) addresses. If DNS is configured, users can access information about the local network and the Internet using domain names instead of specific IP addresses.

Configuring DNS services can be complicated because it often requires dealing with outside organizations called domain registrars. If you are uncertain about issues related to DNS, ask your Internet service provider (ISP) to help you.

How the DNS system works

DNS hierarchy

The Internet Domain Name Service (DNS) server network is arranged as a hierarchy, in which a single root domain, sometimes called dot (.), links to the set of top-level domains, such as .com and .org. Each of the top-level domains contains a link to each of the second-level domains, such as ibm.com and mydomain.org. Third- and fourth-level domains are less common and are used in large organizations like universities.

You most likely publish a second-level domain name such as example.com. When you do that, your DNS server, if enabled, automatically publishes the names inside example.com, such as www.example.com and mail.example.com.

Domain registrars

However, there is still a part that must be done manually. In this example, you have to create a link on the .com server to ask your second-level domain to be referred to your IBM Lotus Foundations server's Internet Protocol (IP) address. To do this, you need to visit a domain registrar to make sure that your domain name is not already being used by someone else, as well as to give them the outside IP address of the IBM Lotus Foundations server.

To register a domain name, the IBM Lotus Foundations server must have a static IP address. Most Internet service providers (ISPs) provide this service for an additional fee. Dynamic DNS (DDNS) can be used in place of a static IP address. Refer to “Dynamic DNS” on page 124 for more information.

When you enable your public DNS server and register with a domain registrar, people should be able to look up the IP address associated with your domain name. To test this, follow these steps:
1. Click Web Server in the left menu of WebConfig.
2. Select Yes in the Enable Web Server field of the Basic Setup tab.
3. Ask someone outside the local network if they can view your domain.

DNS services

IBM Lotus Foundations runs two different kinds of services for Domain Name Service (DNS):
• DNS Lookup and Caching Server: This server converts domain names (such as www.ibm.com) into Internet Protocol (IP) addresses and then sends the IP addresses to your browser. IBM Lotus Foundations runs the DNS lookup and caching server on your local network and blocks connections to the lookup server from the Internet. There are no special options to configure the DNS lookup and caching server.
• DNS Publishing Server: This server adds names for your own network (such as www.example.com) into the global DNS system so that people can find your IP address to access your Web site or to send you email. The DNS publishing server and how it can be configured is explained in the rest of this chapter.

Configuring Public DNS

This public Domain Name Service (DNS) option only controls the DNS publishing server and how people outside your local network communicate with it. The DNS publishing server is always active for computers on your local network.

To configure the public DNS, follow these steps:
1. Click Local Network in the left menu of WebConfig. The Basic Setup tab of the Local Network Options page is displayed.
2. In the Act as Public DNS Server field, select one of the following options: No, Yes, or Dynamic.
   • If you do not want to publish any DNS entries, select No; this is the default setting.
   • If you want to provide services to the outside world, such as email, you must enable the DNS server by selecting Yes or Dynamic.
   • Your choice depends on some relatively complex issues involved in domain name registration.
3. Click Save Changes.

Dynamic DNS

Dynamic DNS is an IBM Lotus Foundations feature that enables you to publish Domain Name Service (DNS) entries and provide Internet services even if you have a dynamic Internet Protocol (IP) address, as opposed to a static IP address.

When you register your domain with a registrar, you give them the address of the primary server and backup server, which already have static IP addresses. When your IBM Lotus Foundations server connects to the Internet, it automatically informs the servers about your current IP address and asks them to publish your up-to-date DNS information.

You need to provide a domain registrar with the following DNS server addresses:
1. dyndns1.ivivanet.com
2. dyndns2.ivivanet.com
3. dyndns3.ivivanet.com

After you provide a domain registrar with the address of your primary and backup servers, you then need to set your public DNS server to Dynamic. IBM Lotus Foundations does the rest of the configuration automatically.


Manually creating DNS entries

Based on the services you have enabled, IBM Lotus Foundations automatically decides which Domain Name Service (DNS) names to publish. For example, if your domain name is example.com, and the Enable Web Server option is set to Yes (not Trusted Hosts Only), then IBM Lotus Foundations automatically publishes the DNS name www.example.com as a pointer to your Web server. Similarly, if you enable the Simple Mail Transfer Protocol (SMTP) email delivery server, it publishes the name mail.example.com.

Although IBM Lotus Foundations publishes names automatically, you might want to occasionally add extra names to your DNS server. You might also want to add an entry that enables people to access your site without typing www. before the address.

Changing DNS information with a domain registrar can often take 24 - 72 hours to replicate through the DNS backbone.

Types of DNS entries

You can create four kinds of DNS entries:
• A (address): Creates an entry for converting a name (such as www.example.com) to an Internet Protocol (IP) address (such as 111.22.33.44). This is the most common type of entry.
• NS (copy from nameserver): Enables you to mirror someone else's DNS server. Every DNS server should have a backup server with an additional copy of the data. When you register a domain name, the registrar generally asks for a primary and a secondary server. If someone asks you to act as their secondary DNS server, you can add their domain name and primary server's IP address as an NS entry.
• MX (mail exchanger): Occasionally, you might want to publish a Web server and a mail server with the same name but different IP addresses. For example, you might want people to reach you by email when they send to [email protected], but you might want the example.com Web server to point to a different address. To do that, you would add address records for example.com and www.example.com pointing to your Web server, and then you would add an MX entry for example.com pointing to your mail server. You do not need to create a separate MX entry if it points to the same address as the address record.
• DR (dynamic redirect): Dynamic redirection can be used to circumvent blocked HTTP (Hypertext Transfer Protocol, or Web) ports. Any Web requests directed to the address entered as Name are automatically redirected by a Dynamic DNS server to port 4201 on the site entered as Value. This is almost transparent for clients, who only notice that the host name and port have changed slightly.
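How the A and MX entries described above combine, as an added Python example that is not code from the product: a sending mail server uses the MX entry when one exists and falls back to the address record otherwise, which is why no separate MX entry is needed when mail and Web share an address. The record tables, the IP addresses (documentation ranges) and the function names are constructed for illustration.

```python
"""Model of how A and MX entries decide where Web and mail traffic go.

Constructed illustration: the records and addresses below are sample
values (RFC 5737 documentation ranges), not entries from a real server.
"""
import ipaddress

# (name, type, value) tuples, mirroring the Name / Entry Type / Value fields.
# Web and mail on different machines: an MX entry is required.
SPLIT_HOSTING = [
    ("example.com", "A", "192.0.2.10"),            # Web server
    ("www.example.com", "A", "192.0.2.10"),        # Web server
    ("mail.example.com", "A", "198.51.100.25"),    # mail server
    ("example.com", "MX", "mail.example.com"),     # mail for @example.com
]

# Web and mail on the same machine: the address record is enough.
SINGLE_HOST = [
    ("example.com", "A", "192.0.2.10"),
    ("www.example.com", "A", "192.0.2.10"),
]


def _is_ip(value):
    """True when value is a literal IP address rather than a host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lookup(records, name, rtype):
    """Return every value of the given entry type published for name."""
    name = name.rstrip(".").lower()
    return [v for n, t, v in records if n.lower() == name and t == rtype]


def web_addresses(records, host):
    """Addresses a browser would connect to for host."""
    return lookup(records, host, "A")


def mail_addresses(records, domain):
    """Addresses a sending SMTP server would try for mail to domain."""
    targets = lookup(records, domain, "MX")
    if not targets:
        # No MX entry: senders treat the domain's own address record as an
        # implicit MX (RFC 5321, section 5.1).
        return lookup(records, domain, "A")
    addresses = []
    for target in targets:
        if _is_ip(target):
            # The Value field accepts an IP address for MX entries.
            addresses.append(target)
        else:
            addresses.extend(lookup(records, target, "A"))
    return addresses


def audit(records):
    """Report MX entries whose host name has no address record."""
    problems = []
    for name, rtype, value in records:
        if rtype == "MX" and not _is_ip(value) and not lookup(records, value, "A"):
            problems.append(f"MX for {name} points to {value}, which has no A entry")
    return problems


if __name__ == "__main__":
    for label, table in (("split", SPLIT_HOSTING), ("single", SINGLE_HOST)):
        print(label, "web:", web_addresses(table, "example.com"),
              "mail:", mail_addresses(table, "example.com"),
              "problems:", audit(table))
```
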

Creating a DNS entry

To create a private DNS entry, follow these steps:
1. Click DNS in the left menu of WebConfig. The Public Entries tab of the DNS Entries page is displayed.
2. To list, create, or edit your private DNS entries, click the Private Entries tab.
   • Private DNS entries are available only to the internal network and include host names of all the computers the IBM Lotus Foundations server can find on the local network.
   • Public DNS entries include the mail exchange (MX) record and entries for the untrusted (external) network interface. Virtual Web server DNS records also go on the public DNS list.
   • Most of the listings, both public and private, are automatically set up by IBM Lotus Foundations.
3. To add a private DNS entry, click Add Private Entry. The Add DNS Entry page is displayed.
4. In the Name field, enter a name for the entry.
5. In the Entry Type field, select one of the following options: Copy from Nameserver (NS), Mail Exchanger (MX), Address (A), or Dynamic Redirect (DR).
6. In the Value field, enter the target IP address.
   Note: MX records can accept either IP address values or fully qualified domain names as values.
7. Click Save Changes.

Editing an existing DNS entry

To edit an existing private DNS entry, follow these steps:
1. Click DNS in the left menu of WebConfig. The Public Entries tab of the DNS Entries page is displayed.
2. To edit your private DNS entries, click the Private Entries tab.
3. Click the edit icon in the Action column for the entry. The Modify DNS Entry page is displayed.
4. Make the appropriate changes and click Save Changes.


Server applications and extensions

MySQL server

MySQL is an advanced database administration tool that can be used to store dynamic Web page data for services such as online catalogs and stores, create accounting databases, and create address books. MySQL is an advanced feature for users that are familiar with databases and SQL (structured query language).

For more information, go to http://www.mysql.com.

MySQL listens on port 3306.

Administration and access to the database occurs through various MySQL clients (refer to http://forge.mysql.com/tools/) or PHPMyAdmin (refer to http://foundations.lotus911.com/foundations/foundations.nsf/?Open).

If the MySQL server is enabled, users on the internal network can access personal databases and the databases of any teams to which they belong. User and team databases are automatically created when user and team accounts are set up.

User permissions and database creation are handled by IBM Lotus Foundations and should not be modified. Any permissions are reset during the next reboot. Databases not created by IBM Lotus Foundations are deleted during the next reboot.

Setting up Windows for MySQL Access

You can use Microsoft Access to access and manage database tables.
1. You first have to download the MySQL ODBC (Open Database Connectivity) connector. You can download this at http://dev.mysql.com/downloads/connector/.
2. On the page that is displayed, click the link for the Connector/ODBC. Ensure that you are downloading the most recent stable release.
3. From the Windows downloads section of the screen that displays, click the download link for Windows or Windows x64.
4. On the screen that is displayed, select the nearest server to download from.
5. In the window that is displayed, select the download location where you want to save the mysql-connector-odbc file. This set of steps assumes that it is saved to the desktop.
6. Double-click the icon on your desktop and click Run.
7. The Microsoft ODBC Setup screen is displayed. Click Continue.
8. Select MySQL from the Available ODBC Drivers list. Click OK.
9. For Windows XP and later, click Start → Settings → Control Panel → Administrative Tools → Data Sources (ODBC). For previous versions of Windows, click Start → Settings → Control Panel → ODBC Data Source. The ODBC Data Source Administrator screen is displayed.
10. Click Add.... The Create New Data Source screen is displayed.
11. Select MySQL from the list. Click Finish.
12. Provide the following information:
    • A Windows DSN Name (such as MySQL Address Book)
    • Your IBM Lotus Foundations server's host name or IP address
    • Your MySQL database name, user name, and password.
13. Click OK on this screen and then on the ODBC Data Source Administrator screen.
14. Open Microsoft Access.
15. Create a database named address book.
16. Anywhere in this window, right-click your mouse. Select Link Tables.
17. In the Files of Type section of the screen that is displayed, select ODBC Databases. The Select Data Source screen is displayed.
18. Select the Machine Data Source tab and select MySQL Address Book. The Link Tables screen is displayed.
19. Select the appropriate table, then click OK.
20. Make sure that the appropriate table is highlighted and click OK. The table opens in Microsoft Access.

What is a dynamic Web site?

Dynamic Web sites, such as online stores or catalogs, use databases to store information and PHP: Hypertext Preprocessor (PHP) or Perl scripts to produce the Web page based on the data stored in the database. This enables the changing information to be reflected on the site as it changes. Dynamic Web sites require advanced knowledge of PHP or Perl script, and it is advisable that you seek the help of a qualified programmer to create your own.

Generating dynamic Web sites

The following PHP script is used to render the example address book into a dynamic Web site.
1. Ensure that you have a team named AddressBook on your IBM Lotus Foundations server.
2. Ensure the user John is a member of the AddressBook team.
3. Enter the following script into a text file and save it as addressbook.php:

   <table>
   <?php
   // Connect to the local MySQL server as john, a member of the AddressBook team
   mysql_connect("localhost", "john", "password");
   mysql_select_db("AddressBook");
   // Fetch every row of the AddressBook table
   $result = mysql_query("SELECT * FROM AddressBook");
   while ($line = mysql_fetch_array($result)) {
       // Escape stored values so they are rendered as text, not as HTML
       $name = htmlspecialchars($line['name']);
       $phone = htmlspecialchars($line['phone']);
       echo "<tr><td>{$name}</td><td>{$phone}</td></tr>";
   }
   ?>
   </table>

4. In the Windows Network Neighborhood, copy the script into John's WWW folder on the local server.
5. Open a Web browser on your workstation. In the address bar of the browser, enter: http://server_name/~john/addressbook.php
   The address book opens in the browser.


Email services

The Email Server section is divided into several tabbed sections that enable you to effectively manage all the email services offered in IBM Lotus Foundations Start.

Features handled by IBM Lotus Domino

The following features are handled by the Lotus Domino server that is integrated with IBM Lotus Foundations Start:
• Simple Mail Transfer Protocol (SMTP)
• Post Office Protocol 3 (POP3)
• POP3/Secure Sockets Layer (SSL) Server
• Internet Message Access Protocol (IMAP)
• IMAP/SSL Server
• Domino Attachment and Object Service (DAOS)
• Roaming users - For more information about this feature, refer to “Roaming users” on page 144.

Summary tab

The Summary tab displays a list of services, indicates status, and provides additional comments where necessary.

The options displayed are:
• POP3 Server - A system that receives a user's email messages and stores them in the user's mailbox. When a user's email client checks for new email, it communicates with the POP3 server, which ensures proper user authentication and delivery of email to the user's email client. POP3 is the most commonly used email delivery protocol.
  – POP3/SSL Support - This is the secure POP3 server. The SSL is a commonly used protocol for managing the security of a message transmission on the Internet.
• IMAP Server - An advanced system that is like POP3. Because IMAP is relatively new, not all email clients support it. IMAP offers superior user authentication and allows users to store their email on a server instead of downloading messages to a workstation (as is the case with POP3). This enables users to check their email from various workstations and lets them see a complete list of the emails kept in their folders.
  – IMAP/SSL Support - This is the secure IMAP server. The SSL is a commonly used protocol for managing the security of a message transmission on the Internet.
• SMTP Server - The email delivery engine. This server receives emails and delivers them to users' inboxes.
  – Virus Scan - Scans all outgoing and incoming email for viruses. If a virus is found, it is immediately removed from the email. A warning is then sent to the sender and all recipients along with the original, but virus-free, message. You must buy the IBM Lotus Foundations AntiVirus license for IBM Lotus Foundations for this feature to be enabled.
  – Content Spam Scan - Scans all incoming email for possible spam. If spam is detected, it categorizes the email as either probable or definite spam and enables you to choose what to do with the email including marking it, moving it to a spam folder, or deleting it.
  – Network Spam Scan - Scans the network for possible spam. This option only appears if IBM Lotus Foundations Engate MailSentinel 3.6 anti-spam is installed. For more information, refer to the IBM Lotus Foundations Anti Spam add-on.
  – Real-time block list (RBL) - Sets the level of RBL spam protection that the server uses. "No RBL" enables all email into the system without doing any checks on the sources. "Medium RBL" blocks all email originating from known spam sources. "Strong RBL" blocks email from known spam sources and spam relay servers and dialup accounts.
  – SMTP Authentication - Enables remote users to send email through the IBM Lotus Foundations server, preventing the need for the email setting to be modified every time a user changes location. IBM Lotus Foundations user account information must be provided within the email client settings for this feature to work.
  – Smarthosting - Enables outbound email to be delivered to a specified server. If this option is not specified, the SMTP server tries to find its own server to send the email to. The smarthosting option is useful for users who have an ISP that forces all SMTP traffic through their servers. If an ISP wants you to send email to their own server, simply specify the address of the server with a smarthost. Note that some ISPs require a user name and password in order to access their server.
  – Attachment Filter - Enables IBM Lotus Foundations to filter incoming emails that contain file attachments. The filtering can be done based on specified document extension types and specific users can be exempt from individual extension types.
  – Allowed Relays - IP addresses or domain names can be added to enable email relaying from those specified locations.

Servers tab

The Servers tab enables you to control the various email features in IBM Lotus Foundations. The options are as follows:
1. SMTP (mail delivery) server
   • Enable - Enables the SMTP server and enables any computer on the internal network or on the Internet to send email using the IBM Lotus Foundations server as an email server. Messages from computers on the Internet are accepted only if their destination is the local domain hosted by the IBM Lotus Foundations server. (This prevents the server and Internet bandwidth from being used to send unsolicited emails.)
   • Only Trusted Hosts - Enables the SMTP server and enables internal users and users connected to the internal network through a VPN to send email using the IBM Lotus Foundations server as their email server.
   • Disable - Disables the SMTP server completely.
2. POP3 (mail reader) server
   • Enable - Enables the POP3 server and enables any computer on the internal network or on the Internet to access the POP3 mailbox. Select Enable only if you have users who access their email from outside of the office.
   • Only Trusted Hosts - Enables the POP3 server and enables internal users to access the POP3 mailbox.
   • Disable - Disables the POP3 server.
3. POP3/SSL (secure mail reader) server
   • Enable - Enables incoming secure POP3 connections from anywhere. This means that your users can download their email from anywhere on the Internet.
   • Only Trusted Hosts - Enables incoming secure POP3 connections only from the local network and not from the Internet.
   • Disable - Disables the secure POP3 server.
4. IMAP (advanced mail reader) server
   • Enable - Enables incoming IMAP connections from anywhere. This means that your users can read their email from anywhere on the Internet.
   • Only Trusted Hosts - Enables incoming IMAP connections only from the local network and not from the Internet.
   • Disable - Disables the IMAP server.
5. IMAP/SSL (secure advanced mail reader) server
   • Enable - Enables incoming secure IMAP connections from anywhere. This means that your users can read their email from anywhere on the Internet.
   • Only Trusted Hosts - Enables incoming secure IMAP connections only from the local network and not from the Internet.
   • Disable - Disables the secure IMAP server.
6. Lotus iNotes
   • Enable - Enables incoming web requests from anywhere.
   • Only Trusted Hosts - Enables incoming web requests only from the local network and not from the Internet.
   • Disable - Disables Lotus iNotes.
7. LDAP directory server
   Note: These radio buttons are disabled when running IBM Lotus Foundations Start.
   • Enable - Enables the LDAP server, which answers directory queries. The LDAP directory is automatically populated with the names and email addresses of all users configured on the IBM Lotus Foundations server.
   • Disable - Disables the LDAP server completely.
8. Lotus Notes
   • Enable - Enables the Lotus Notes server to be available on the Internet.
   • Only Trusted Hosts - Enables the Lotus Notes server to be available only from the local network and not from the Internet.
9. SMTP Authentication
   • Enable - Enables the email server to be used as an SMTP gateway for remote IBM Lotus Foundations users.
   • Disable - Disables the SMTP authentication service.
10. Reject Unknown Users
    • Enable - Blocks incoming emails containing users that do not exist on the IBM Lotus Foundations server.
    • Disable - Enables incoming emails containing users that do not exist on the IBM Lotus Foundations server.
11. Transport Layer Security (TLS) for Incoming Connections
    • Enforce - Enforces the requirement for inbound email to use an encrypted data transmission using the TLS protocol.
    • Optional - Makes inbound encrypted data transmission using the TLS protocol optional.
    Note: TLS is disabled if the Network Scanner is activated. See IBM Lotus Foundations Anti Spam add-on for more information.
12. TLS for Outgoing Connections
    • Enforce - Enforces the requirement for outbound mail to use an encrypted data transmission using the TLS protocol.
    • Optional - Makes outbound encrypted data transmission using the TLS protocol optional.
13. Number of Incoming SMTP Connections
    Enter the number of incoming SMTP connections that you want to permit at once.
14. Email Size Limit
    Enter the number limit for the size of incoming email messages in MB. 25 MB is the default. It is recommended you do not go above 50 MB.
15. Minutes Between Remote POP Mailbox Checks
    Enter the number of minutes that the server waits between checks for remote POP email messages.
16. ISP's SMTP Server
    If the ISP forces you to use a specific SMTP server, enter that server's name.
17. ISP's SMTP Port
    If the ISP forces you to use an SMTP port that is not the standard Port 25, enter the port here.
18. ISP's SMTP Username
    Enter the ISP login user name if required.
19. ISP's SMTP Password
    Enter your ISP login password if required.
20. Click Save Changes.
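The SMTP server, SMTP Authentication, Reject Unknown Users and Allowed Relays settings above can be read as one accept-or-reject decision per recipient. The following added Python model of that decision (not the product's code) shows why mail from the Internet to a non-local domain is refused unless the sender is trusted, listed as an allowed relay, or authenticated. The setting names, sample networks and users, the IP-only form of the allowed relay list, and the order of the checks are assumptions.

```python
"""Model of the accept/reject decision implied by the SMTP settings.

Constructed illustration, not the product's implementation: setting names,
networks, users and the order of checks are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SmtpPolicy:
    smtp_server: str = "enable"          # "enable", "trusted" or "disable"
    smtp_auth: bool = False              # SMTP Authentication
    reject_unknown_users: bool = True    # Reject Unknown Users
    local_domains: set = field(default_factory=lambda: {"example.com"})
    local_users: set = field(default_factory=lambda: {"jdoe", "root"})
    trusted_nets: list = field(default_factory=lambda: ["192.168.0.0/24"])
    allowed_relays: list = field(default_factory=list)   # Allowed Relays


def _in_nets(ip, nets):
    """True when ip falls inside any of the listed networks or addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in nets)


def decide(policy, client_ip, recipient, authenticated=False):
    """Return (accepted, reason) for one recipient offered by client_ip."""
    if policy.smtp_server == "disable":
        return False, "SMTP server disabled"

    trusted = _in_nets(client_ip, policy.trusted_nets)
    # Assumption: in "Only Trusted Hosts" mode an untrusted client is
    # refused before authentication is considered.
    if policy.smtp_server == "trusted" and not trusted:
        return False, "only trusted hosts may connect"

    user, _, domain = recipient.rpartition("@")
    if domain.lower() in policy.local_domains:
        # Inbound mail for the hosted domain is accepted from anywhere.
        if policy.reject_unknown_users and user.lower() not in policy.local_users:
            return False, "unknown local user"
        return True, "local delivery"

    # The recipient is elsewhere, so this is a request to relay.
    if trusted:
        return True, "relay for trusted host"
    if _in_nets(client_ip, policy.allowed_relays):
        return True, "relay for allowed relay"
    if policy.smtp_auth and authenticated:
        return True, "relay for authenticated user"
    return False, "relaying denied"


if __name__ == "__main__":
    policy = SmtpPolicy(smtp_auth=True)
    # Constructed sample connections: (client IP, recipient, authenticated)
    samples = [
        ("203.0.113.50", "jdoe@example.com", False),
        ("203.0.113.50", "someone@other.test", False),
        ("203.0.113.50", "someone@other.test", True),
        ("192.168.0.20", "someone@other.test", False),
    ]
    for ip, rcpt, auth in samples:
        print(ip, rcpt, auth, decide(policy, ip, rcpt, auth))
```
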

Filters tab

The Filters tab enables you to control the email filter feature in IBM Lotus Foundations. The following options are available:
1. Mail Virus Scanner
   • All Emails - Scans all inbound and outbound email.
   • Inbound Only - Scans inbound email that targets local users only.
   • Disabled - Disables email virus scanning.
2. RBL (spam blocker)
   Note: This option only displays if the Network Scanner is disabled.
   • Strong RBL - Stronger check of spam candidates than Medium RBL.
   • Medium RBL - Blocks known spam servers. Medium RBL blocks most spam email.
   • No RBL - Disables RBL spam protection.
   For more information about RBL, see “Anti spam” on page 173.
3. Mail Spam Scanner
   • Network Scanner - Uses rules based on the email originator and sender IP address to evaluate email early in the SMTP process. By clicking this option, the Network Spam Scanner Behaviour and User White/Black Lists options display.
   • Content Scanner - Enables email content spam scanning. By clicking this option, the User White/Black Lists and Definite Spam Categories options display.
   Both the Network Scanner and Content Scanner require an optional spam scanner license. For more detailed information, refer to the IBM Lotus Foundations Anti Spam add-on.
4. Network Spam Scanner Behaviour
   Note: This option only displays if the Network Scanner is enabled.
   • Mark - Flags email as spam and passes it through the system normally.
   • Delete - Deletes email it determines to be spam immediately.
5. User White/Black Lists
   Note: This option only displays if the Content Scanner or Network Scanner is enabled.
   • Enable - Enables users to specify their own white and black lists, in addition to the global system list.
   • Disable - Disables users from specifying their own white and black lists.
6. Definite Spam Categories
   Note: This option only displays if the Content Scanner is enabled.
   Any email that is classified as probable spam by the spam scanner and falls into one of the selected categories (Hoax, Adult, Money, Goods, and Health) is automatically reclassified as definite spam before being sent to the recipient.
7. Attachment filter
   • Enable - Enables the attachment filter.
   • Disable - Disables the attachment filter.
   The attachment file types that you want filtered, and the users whom you want excluded from filtering rules, can be defined in the Attachment Extensions section under the Advanced Filtering tab.
8. Mail Logging
   • Enable - Enables logging of all incoming and outgoing email. All email entering and exiting the system is automatically logged.
   • Disable - Disables email logging.
   In order to complete enabling mail logging, the maillog_user must be given a password. For more information, see “Email logging” on page 140.

Monitoring tab

The Monitoring tab enables you to view email statistics and run email queries in IBM Lotus Foundations. The following options are available:

Email Statistics

1. Active Queuev Trusted - The number of emails sent from the internal trusted network that

are pending delivery.v Untrusted - The number of emails sent from the untrusted network which

are pending delivery.2. Waiting Queue

Email services 133

Page 140: public.dhe.ibm.compublic.dhe.ibm.com/software/dw/lotus/foundations/start/english/... · File services............109 Configuring file services..........109 Active server connections

v Trusted - The number of emails sent from the trusted network which couldnot be delivered right away due to an error.

v Untrusted - The number of emails sent from the untrusted network whichcould not be delivered right away due to an error.

3. All Queuesv The total number of emails in all queues.

For each queue, you can choose to resend all the items by selecting the resend icon

or delete all the items in each queue by selecting the delete icon .

Query Parameters

Using the query parameters, you can query the queue for emails based on the information you need. You create a query by entering any of the following:

1. Select what you want to view in your query results:

- Size
- Date
- Sender
- Recipient
- IP address

2. Select the minimum email size (in kBytes).
3. Select the minimum time in queue (in minutes).
4. Enter a specific sender's email address.
5. Enter a specific recipient's email address.
6. Click Start New Query.

When you start a new query, you are switched to a page that lets you view the query results. If you leave this page, you can get back to the query results by clicking View Query Results. If you want to refine your query based on the query you just ran, click Run Against Existing Query; the query you just ran is refined based on the parameters you changed. Clicking this button does not search the queue for new emails; it only eliminates emails from the query. If you want the latest data from the queue, you have to click Start New Query again.

Example query

For example, you might have a user, jdoe, whose emails with an attachment to root do not get delivered. To query and see the emails, follow these steps from the Monitoring tab:

1. Check to see if there are any emails stuck in the queue in the Waiting Queue row in the Email Statistics section. As an example, you see that there are 10 emails in the Trusted row in the waiting queue.

2. To find out which of those emails are from the user to root and have an attachment, fill out the query form in the Query Parameters section by following these steps:
   a. For Fields to display, click the Size, Date, Sender, and Recipient check boxes.
   b. Enter a size in the Minimum email size (in kbytes) field. For example, 10.
   c. Enter a time in the Minimum time in queue (in minutes) field. For example, 1.
   d. Enter a user name in the From email address field. It does not have to be the entire email address. A search is done for what is provided in the field, so if it appears anywhere in a 'from' email address, it is returned in the query. For example, doe.
   e. Enter a user name in the To email address field. The same rules apply as used in the From email address field. For example, root.

3. Click Start New Query.

4. After the query is complete, the view switches to a Query Results section. In the Query Results section, the following items are displayed:

Table 18. email query options

| Column | Description |
|---|---|
| Queue Id | This is the individual identifier of the email. This helps tell two emails apart. This is typically used internally for your own email purposes, but it also might help a technical support group to have the value. |
| Queue type | There are five queue types. active: Being delivered; incoming: Just received; deferred: There was an error processing; hold: The email is being held by the administrator; corrupt: The email received has been corrupted |
| Queue Source | There are two values. trusted: The email is from the internal network; untrusted: The email is coming from the Internet |
| Size (kBytes) | The size of the email including email headers. |
| Date | The date it was received. |
| From | The original sender of the email. |
| To | The recipient of the email. |
| IP | The IP address of the last place the email came from. This can be confusing, but emails are bounced around the Internet, so this is the address of the final gateway which sent you the email. |
| Action | There are three actions you can take: view all the fields for a particular email, even if they were not included in the query; resend an email; delete an email. |

5. Under the query results, you have the following buttons:

- Go Back - Takes you back to the Query Parameters page.
- Delete All Queried - Deletes all the emails in the query results.
- Resend All Queried - Resends all the emails in the query results.

Addressing tab

The Addressing tab enables you to manage virtual email domains, mailing lists, and email aliases.

Available Internet Mail Domains

This section lists all the domains hosted on the server and enables you to specify which users can use the domain for email purposes.

By default, all users on the server have access to all the domains. If no users are added, the server assumes that all users have access.

Should you want to modify user access to a specific domain, follow these steps:

1. Click the virtual domain action button.
2. In the Modify Virtual Domain box, highlight the users you want to add for this domain and click Add >>.
3. Click Save Changes.

Advanced Filtering tab

The Advanced Filtering tab enables you to specify filter criteria, specifically regarding Internet domains and attachment types. For example, you can configure a filter so that domains that offer certain types of content are blocked, or block file type attachments in email messages that could pose a liability to the business.

Add a filter

Follow these steps to add a filter:

1. In the Filter Criteria section, click Add New Filter. The Add Internet Domain Filter page is displayed.

2. Enter your Filter criteria. This option enables you to indicate what email you want to filter by email address, individual IP address, IP address range, or domain name. Options are:

- Email address - For example, [email protected]
- Domain name - For example, example.com
- IP address - For example, 192.168.0.1
- IP address range - For example, 192.168.0.1/24

If you enter a domain name, you can use wildcards. For example, *.example.com is an acceptable entry.

3. The Relay option enables you to indicate if you want this entry to be used as a relay. Set the option to Yes to permit emails from that location to pass through the server's SMTP gateway without authentication. This option can be used alongside SMTP authentication or on its own.

4. Select whether the item should be white listed or blacklisted. White listed items always take precedence over blacklisted items. This option is disabled if you do not have a Spam Scanner license.

5. Click Save Changes.
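
The matching and precedence rules from steps 2 to 4, modelled in Python as an added example; this is not IBM's code or the product's implementation. It assumes that email address and domain entries are compared with the sender address and IP entries with the connecting client's address; FilterEntry, evaluate, audit_relay and the 256-address review threshold are names and values chosen for this example.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class FilterEntry:
    criteria: str        # email address, domain name, IP address or IP range
    listing: str         # "white" or "black"
    relay: bool = False  # the Relay option: Yes = pass without authentication


def entry_kind(criteria):
    """Sort an entry into one of the four criteria types listed in step 2."""
    if "@" in criteria:
        return "email"
    try:
        # strict=False accepts the page's own sample 192.168.0.1/24, which
        # has host bits set and would otherwise raise ValueError.
        ipaddress.ip_network(criteria, strict=False)
    except ValueError:
        return "domain"
    return "ip_range" if "/" in criteria else "ip"


def entry_matches(entry, sender, client_ip):
    """Assumed semantics: address and domain entries test the sender address,
    IP entries test the connecting client's address."""
    kind = entry_kind(entry.criteria)
    if kind == "email":
        return sender.lower() == entry.criteria.lower()
    if kind == "domain":
        domain = sender.rpartition("@")[2].lower()
        # In this model *.example.com covers subdomains, not example.com itself.
        return fnmatchcase(domain, entry.criteria.lower())
    network = ipaddress.ip_network(entry.criteria, strict=False)
    return ipaddress.ip_address(client_ip) in network


def evaluate(entries, sender, client_ip):
    """Return (verdict, relay_allowed). White listed entries always win."""
    hits = [e for e in entries if entry_matches(e, sender, client_ip)]
    if any(e.listing == "white" for e in hits):
        verdict = "white"
    elif any(e.listing == "black" for e in hits):
        verdict = "black"
    else:
        verdict = "unlisted"
    return verdict, any(e.relay for e in hits)


def audit_relay(entries, max_addresses=256):
    """List relay entries an administrator should review before saving."""
    findings = []
    for e in entries:
        if not e.relay:
            continue
        if entry_kind(e.criteria) in ("email", "domain"):
            # Under the assumption above, the name comes from the sending client.
            findings.append((e.criteria, "relay keyed on a sender-supplied name"))
            continue
        net = ipaddress.ip_network(e.criteria, strict=False)
        if net.num_addresses > max_addresses:
            findings.append((e.criteria, f"relay open to {net.num_addresses} addresses"))
    return findings


# Constructed sample entries (example domains and private address ranges).
ENTRIES = [
    FilterEntry("*.example.com", "black"),
    FilterEntry("newsletter@mail.example.com", "white"),
    FilterEntry("192.168.0.1/24", "white", relay=True),
    FilterEntry("10.0.0.0/8", "white", relay=True),
    FilterEntry("partner.example.org", "white", relay=True),
]

if __name__ == "__main__":
    # Constructed sender and client addresses.
    print(evaluate(ENTRIES, "newsletter@mail.example.com", "203.0.113.7"))
    print(evaluate(ENTRIES, "promo@mail.example.com", "203.0.113.7"))
    print(evaluate(ENTRIES, "jdoe@example.net", "192.168.0.57"))
    for finding in audit_relay(ENTRIES):
        print(finding)
```

Because a matching relay entry skips authentication, the audit lists every relay entry that is wider than a single small subnet or that is not tied to an IP address at all.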

Add an attachment filter

This section enables you to specify which extension to add to the list for filtering. Follow these steps to add an attachment filter:

1. In the Attachment Extension section, click Add New Attachment Filter. The New Attachment Extension page is displayed.

2. Enter the Attachment Extension. This option enables you to specify file types that are not permitted in incoming emails. The extension cannot start with a period. For example, .exe is not valid but exe and tar.gz are valid entries. Wildcards can be used in the name. For example, tar.* is a valid entry.

3. Select any Exempted Users for which the individually specified filter rule will not apply by clicking their name in the Available Users list and clicking Add to place them in the Exempted Users list.

4. Click Save Changes.
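
How extension entries of the kind described in step 2 can be validated and applied to attachment names, with per-rule exempted users, as an added Python example; it is not the product's code. Comparing every dot-delimited suffix of the name, ignoring case, and trimming trailing dots and spaces are assumptions of this example, as are all function names, rules and file names.

```python
from fnmatch import fnmatchcase


def validate_extension(pattern):
    """Entry rule from step 2: an extension must not start with a period."""
    pattern = pattern.strip().lower()
    if not pattern or pattern.startswith("."):
        raise ValueError(f"invalid attachment extension: {pattern!r}")
    return pattern


def suffixes(filename):
    """Every dot-delimited suffix of a file name, longest first.

    Windows drops trailing dots and spaces from file names, so they are
    trimmed here and 'Setup.EXE.' is compared as 'setup.exe'.
    """
    parts = filename.strip().rstrip(". ").lower().split(".")
    return [".".join(parts[i:]) for i in range(1, len(parts))]


def matching_rule(filename, rules, user):
    """Return the first pattern that filters this file for this user, or None.

    rules maps a validated pattern to the set of users exempted from it.
    """
    for suffix in suffixes(filename):
        for pattern, exempted in rules.items():
            if user not in exempted and fnmatchcase(suffix, pattern):
                return pattern
    return None


def filter_attachments(filenames, rules, user):
    """Split a message's attachments into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for name in filenames:
        pattern = matching_rule(name, rules, user)
        if pattern is None:
            allowed.append(name)
        else:
            blocked.append((name, pattern))
    return allowed, blocked


# Constructed rules: the page's three sample extensions, one exempted user.
RULES = {
    validate_extension("exe"): {"itadmin"},
    validate_extension("tar.gz"): set(),
    validate_extension("tar.*"): set(),
}

# Constructed attachment names, including a double extension and a
# trailing-dot variant that a last-suffix-only comparison would miss.
MESSAGE = ["report.pdf", "invoice.pdf.exe", "logs.tar.bz2", "Setup.EXE.", "notes.tar"]

if __name__ == "__main__":
    print(filter_attachments(MESSAGE, RULES, "jdoe"))
    print(filter_attachments(MESSAGE, RULES, "itadmin"))
```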

Email DNS configuration

Although email services are functional after the administrator enables the appropriate email servers, the email delivery DNS records must be configured before users can send email to and receive email from outside of the internal network.

In the scenario that an email message is sent to [email protected], the message is downloaded to the SMTP server, which needs to know the IP address of example.com to deliver the message. The SMTP server consults the root DNS server on the Internet and, through a series of queries, is eventually pointed to the DNS server that stores the names and IP numbers of the hosts in example.com.

DNS resolution

It is vital that your DNS server, which maintains information about the domain, is set up correctly. DNS resolution service can be provided by IBM Lotus Foundations, or it can be provided by another DNS server maintained by you or by an ISP. If DNS resolution is provided by an ISP and you want IBM Lotus Foundations to receive all emails for the domain, then make sure that you request the following information from the ISP:

Mail exchanger (MX) records for your domain should be pointed to your IBM Lotus Foundations Start server's public IP address, that is, the address typically assigned to the eth1 interface.

If DNS resolution is provided by IBM Lotus Foundations, make sure that the public IP address is registered with a proper domain name registrar as your domain DNS host. To use the Dynamic DNS service, you first need to ensure that your Internet domain name is registered with a domain name registrar. Once this is complete, add the following IBM servers as name servers to your registrar's domain registration:

- dyndns1.ivivanet.com
- dyndns2.ivivanet.com
- dyndns3.ivivanet.com

Once you have added these DNS records, follow these steps:

1. Click Local Network in the left menu of WebConfig.
2. In the Act as Public DNS Server row, click Dynamic.
3. Click Save Changes.

Note: For IBM Lotus Foundations Start to function properly as an email server for global email delivery, you must have a static IP address or use Dynamic DNS.

Configuring IBM Lotus Foundations as a DNS server

To properly configure IBM Lotus Foundations as a DNS server, follow these steps:

1. Click Local Network in the left menu of WebConfig. The Local Network Setup page is displayed.
2. In the Act as Public DNS Server field, select Yes.
3. Click Save Changes.

Figure 46. Configuring the DNS server

Email client configuration

Although there are many different email clients available, the configuration of most clients is similar. The exact configuration of the email client depends on how you want the email delivery to be configured. The two most common configurations are listed in the following section. Configure the email client according to the configuration that resembles the email setup.

If Lotus Notes is being used as the email client, it is configured as part of the one-click deployment.

General setup

If the email is hosted on an ISP's email server:

All users in the office have their own email address and mailbox hosted on the ISP's server. The ISP supplies you with the name of the POP3 or IMAP server where the email has to be retrieved and with the address for the SMTP email delivery server. Enter this address into the appropriate field during the configuration of the email client.

Using the IBM Lotus Foundations server as an SMTP server, even if the email is hosted by an ISP, has its advantages, especially if you often send large messages or if there is a slow Internet connection. The email client might be tied up for minutes or even hours if a large email message is sent to an ISP's SMTP server. If the IBM Lotus Foundations server is used as an SMTP server, large files are quickly transferred over the high-speed LAN. Although a file is then slowly transferred over the Internet connection, the email client is free to perform other tasks.

Enter the following information when configuring the email client:

- For the SMTP server, enter the IP address or host name provided to you by the ISP. Alternatively, use the IBM Lotus Foundations server as the SMTP server and enter the IP address or host name of the IBM Lotus Foundations-powered server.
- For the POP3 or IMAP server, enter the IP address or host name provided to you by the ISP.
- For the POP3 or IMAP mailbox name, enter the first part of the email address. For example, if the email address is [email protected], enter johndoe.
- For the POP3 or IMAP password, enter the password provided to you by your ISP.

If the email is hosted on the IBM Lotus Foundations server:

Enter the following information when configuring the email client:

- For the SMTP server, enter the internal IP (eth0) address or host name of the IBM Lotus Foundations server. You do not need to enter the domain name.
- For the POP3 or IMAP server, enter the internal IP (eth0) address or host name of the IBM Lotus Foundations server.
- For the POP3 or IMAP mailbox name, enter the IBM Lotus Foundations user name.
- For the POP3 or IMAP password, enter the IBM Lotus Foundations password.

Lightweight Directory Access Protocol (LDAP) setup

IBM Lotus Foundations has a built-in LDAP server, which provides a directory of user names and email addresses. It is automatically populated with names and email addresses of all IBM Lotus Foundations users. Most email clients support access to read-only LDAP servers. Refer to the email client's product documentation for information about how to connect to the IBM Lotus Foundations LDAP service.

Email logging

Email logging is used to capture and log emails sent through the IBM Lotus Foundations system. Email logging can be used to satisfy regulatory requirements, or you might want a permanent record of emails sent by and received by a company's employees.

For information about the WebConfig option for enabling email logging, see “Filters tab” on page 132.

maillog team

When email logging is enabled, a team called maillog is created. The mailjrn.nsf (active mail log) is 'rolled over' once it reaches a certain size threshold (100 megabytes), and the rolled-over files are moved into the maillog team directory. From there, you can copy them off the system for archiving purposes, then delete them from the IBM Lotus Foundations system to recover the disk space. You can also create a backup job to specifically back up the maillog team on its own schedule. By default, the maillog team is included in the Master Job.

maillog_user

When email logging is enabled, a user called maillog_user is created. The maillog_user must be given a password before email logging can begin. The maillog_user can see the contents of the email journals by either looking at the active mailjrn.nsf on the system or using a Lotus Notes client to look at the rolled-over databases either in the maillog team directory or anywhere else the Lotus Notes client can access files, such as locally on Windows or on a Windows share.

If Mail Logging goes from Enabled to Disabled, email logging stops, but the maillog team and maillog_user are not deleted.

Email logs and disk management

A daily maintenance task runs at 6 AM and generates a report that is emailed to the administrator. The report lists any accumulated log files. After enabling email logging, be sure to examine each daily report email so you can manually archive the files (if required) and also ensure that the log files do not fill the disk. If the log files do fill the disk, the IBM Lotus Foundations Start add-on stops running and email is rejected for delivery or reception. An “Insufficient free disk space to run this addon” system error displays in the Status IBM Lotus Foundations Start add-on section in WebConfig, and a notices error at the top of WebConfig displays “The email server has been disabled because there is not enough disk space on the system.” The administrator needs to remove or archive files to fix the error.

Using Lotus Domino email clients

Lotus iNotes

When IBM Lotus Foundations Start is installed, you can begin using Lotus iNotes to view and send email. In a Web browser that supports 128 bit encryption, go to the following URL:

http://server_ip_address/mail/

Enter a user ID and password that has been created in IBM Lotus Foundations. Once you are authenticated, the Lotus iNotes screen is displayed.

Using Lotus iNotes on the Apple iPhone

You can also access Lotus iNotes from an Apple iPhone. First you must allow Lotus iNotes to accept incoming web requests from anywhere. Follow these steps:

1. Click Email Server in the left menu of WebConfig.
2. Click the Servers tab.
3. In the Lotus iNotes section, click Enable.
4. Click Save Changes.
5. From the Apple iPhone, log in to http://server_ip_address/mail/ and enter the IBM Lotus Foundations user ID and password.

For assistance with Lotus iNotes, use the help feature provided in Lotus iNotes, or refer to http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin85.doc/H_LOTUS_INOTES_OVER.html.

Setting up Lotus Domino email clients

In addition to Lotus iNotes, you can install Lotus Notes to take full advantage of features offered by a Lotus Domino server. Instructions for installing Lotus Notes on Linux and Mac OS X are included here. For installing Lotus Notes using the one-click installer on Windows, see the Step 8: Install the Lotus Notes add-on section in Getting Started with IBM Lotus Foundations Start.

Installing Lotus Notes on Linux and Mac OS X

Client requirements:

- Linux (Latest updates)
- Mac OS X

The code for installing on Linux or Mac OS X can be downloaded from https://www.lotusfoundations.com/partner/.

For Linux:

To install Lotus Notes on Red Hat, SuSE, and Ubuntu, follow the instructions here. Then follow these steps for either Red Hat and SuSE or Ubuntu.

Red Hat and SuSE

1. Log in to the Linux machine as a non-root user.
2. Copy the Lotus Notes user ID file from the IBM Lotus Foundations server to the Linux machine from iNotes:
   a. Go to http://server_ip_address/mail/ and log on to the IBM Lotus Foundations server with your user ID and password.
   b. Click Status in the left menu of WebConfig.
   c. Scroll down to Lotus iNotes and click the URL link.
   d. Sign on with user ID and password.
   e. Click Mail icon (far left icon under the Home tab).
   f. Open the Welcome email.
   g. Click ID file at bottom of the email.
   h. Click OK on the Security popup. The ID file is copied to the Downloads directory on the local machine.
3. Start Lotus Notes by clicking Applications → Office → Lotus Notes.
4. The license displays in a terminal window. Read the license, and key in 1 to accept the license.
5. At the Welcome window of Lotus Notes, click Next.
6. Enter your user name or your short name as it is in IBM Lotus Foundations Start. Enter the Lotus Domino Server Name. Click Next. (Note that you can edit the /etc/hosts file with the IBM Lotus Foundations server's IP address if you cannot ping the IBM Lotus Foundations server from the Linux machine.)
7. Enter the location of your ID file (/server_ip_address/user/user.id). Click Next.
8. Click Yes to copy the ID file to the data directory.
9. At the Additional Services window, click Next.
10. Click Yes to accept Lotus Notes as your default email program.

Ubuntu

1. Log in to the Linux machine as a non-root user.
2. Copy the Lotus Notes user ID file from the IBM Lotus Foundations server to the Linux machine from iNotes:
   a. Go to http://server_ip_address/mail/ and log on to the IBM Lotus Foundations server with your user ID and password.
   b. Click Status in the left menu of WebConfig.
   c. Scroll down to Lotus iNotes and click the URL link.
   d. Sign on with user ID and password.
   e. Click Mail icon (far left icon under the Home tab).
   f. Open the Welcome email.
   g. Click ID file at bottom of the email.
   h. Click OK on the Security popup. The ID file is copied to the Downloads directory on the local machine.
3. Start Lotus Notes by clicking Applications → Office → Lotus Notes.
4. The license displays in a terminal window. Read the license, and key in 1 to accept the license.
5. At the Welcome window of Lotus Notes, click Next.
6. Enter your user name or your short name as it is in IBM Lotus Foundations Start. Enter the Lotus Domino Server Name. Click Next. (Note that you can edit the /etc/hosts file with the IBM Lotus Foundations server's IP address if you cannot ping the IBM Lotus Foundations server from the Linux machine.)
7. Enter the location of your ID file (/server_ip_address/user/user.id). Click Next.
8. Click Yes to copy the ID file to the data directory.
9. At the Additional Services window, click Next.
10. Click Yes to accept Lotus Notes as your default email program.

For Mac OS X:

To install Lotus Notes on Mac OS X, follow the instructions here. Then follow these steps:

1. Download the Lotus Notes user ID file from the IBM Lotus Foundations server in one of two ways:
   - From Finder:
     a. Select Go from the task bar, then click Connect to server.
     b. Enter smb://server_IP_address/user_ID in the Server Address field.
     c. Click Connect.
     d. Select Registered User. Enter the IBM Lotus Foundations user ID and password. Click Connect.
     e. Expand the LotusFoundations directory.
     f. Copy the Lotus Notes user ID file to the Mac desktop (or other preferred location).
   - From iNotes:
     a. Go to http://server_ip_address/mail/ and log on to the IBM Lotus Foundations server with your user ID and password.
     b. Click Status in the left menu of WebConfig.
     c. Scroll down to Lotus iNotes and click the URL link.
     d. Sign on with user ID and password.
     e. Click Mail icon (far left icon under the Home tab).
     f. Open the Welcome email.
     g. Click ID file at bottom of the email.
     h. Click OK on the Security popup. The ID file is copied to the Downloads directory on the local machine.
2. Start Lotus Notes client on the Mac client.
3. At the Welcome page, click Next.
4. At the User Information page, enter the following information:
   - Name: Enter the full user name.
   - Domino Server: Enter the servername/domain (do not include .com).
   Click Next.
5. At the Notes ID file page, browse to the ID file copied earlier and click Next.
6. Click Yes to copy the ID file to Lotus Notes data directory.
7. Enter the password, click Next.
8. You can choose to configure additional services. Select Services and click Next to configure, or click Finish to complete the installation. Click OK on the message displaying that the setup is complete.

IBM Lotus Connections

If Lotus Connections is deployed in your organization, you can access many of its features from within the Lotus Notes client, including installing the Business Card plug-in. Refer to http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.openactivities85.client.doc/r_oa_c_welcome_to_lotus_connections.html for more information.

Roaming users

Roaming users is a Lotus Domino feature that allows users who use Lotus Notes clients on multiple computers (for example, office computer, notebook, and home computer), to have their Lotus Notes data synchronized automatically between those computers. For example, when working at home, a contact is added in Lotus Notes. This gets synchronized to a copy of the user's contacts database on the server. When the user next logs on to the Lotus Notes client at work, the contact is synchronized from the server to the client. Refer to http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin85.doc/H_NOTES_ROAMING_USER_OVER.html for more details on Lotus Domino's roaming feature.

Any user in Lotus Domino either is or is not a roaming user. The term 'upgrade' is used to describe changing a non-roaming user to a roaming user, and 'downgrade' describes the reverse process. When a user is upgraded to roaming, a special directory is created on the IBM Lotus Foundations server to hold replica copies of certain of their Lotus Notes databases so they are available for synchronizing to multiple clients. When the user next logs in to Lotus Notes, they are alerted by a dialog that they are being upgraded to roaming, and the initial synchronization takes place. Similarly, when a user is downgraded from roaming, they are also alerted to that fact. Once a user is a roaming user, the experience is simply that changes made on one client appear on the others (after replication).

When IBM Lotus Foundations Start is installed, a team is created called roaming_users.

The default is that the users are not roaming users. The administrator needs to add users to the roaming_users team to upgrade them to roaming. Removing them from the team downgrades them from roaming. This can be done at user creation time or any time after that. For instructions on adding users to teams, refer to “Creating, editing, and deleting team accounts” on page 24.

Roaming user data

Not all databases are synchronized for Lotus Notes users. In particular, the user's roaming-enabled files include contacts, bookmarks, notebook or journal, feeds subscriptions, and roaming data that stores roamed Eclipse plug-in data and settings.

The roaming data for a user is stored in the directory /local/notesdata/roaming/userid; for example, /local/notesdata/roaming/janedoe. This means that the roaming data is backed up as part of the LF Start Backup job. When a user is downgraded from roaming to non-roaming, Lotus Domino automatically removes the user's roaming data and the user's directory.

Figure 47. Team Setup page


File Transfer Protocol (FTP) services

IBM Lotus Foundations uses a File Transfer Protocol (FTP) server that enables users and teams to access network and Web files. FTP services are automatically enabled for users on the internal network.

Enabling the FTP server

Follow these steps to enable the FTP server:

1. Click FTP Server in the left menu of WebConfig. The FTP Server Setup page is displayed.

Figure 48. FTP Server Setup page

2. Indicate whether you want to enable the FTP file server.
3. Indicate whether you want to enable anonymous FTP. If this option is enabled, anyone can download files from the FTP directory by using anonymous as the FTP login name and their email address as the password.
4. Indicate whether you want to enable anonymous uploads. If this option is enabled, anonymous users can upload files to the FTP directory. Be careful with this option.
5. Enter the total number of connections at any one time. This option is used to prevent the overuse of Internet bandwidth. You can leave the default setting, but increase the number of anonymous users if the server is often busy.
6. Click Save Changes.

Enabling FTP access for a specific team or user

Follow these steps to enable FTP access for a specific team or user:

1. Select Users in the left menu of WebConfig.
2. Click the appropriate user or team's edit icon.
3. The Modify Users or Modify Teams page is displayed.
4. Indicate whether you want this user or team to have FTP access with the Allow FTP Access radio button.
5. Click Save Changes.
6. Repeat steps 2-5 for any additional users or teams.

User versus team FTP access

Users can log in to the IBM Lotus Foundations FTP server by entering their assigned user name and password to access their own user directory.

To access the directory of any team of which they are a member, users need to use the team name in place of their user names, but they can continue to use their individual passwords rather than a team password.

Anonymous FTP server

The FTP server can be used in anonymous mode to enable uploads and downloads of files to a specific directory without authentication from the remote user. This anonymous mode of operation is commonly used for public file distribution on the Internet. Although the file can be downloaded from a Web server, FTP is the preferred method because it offers superior performance for high volume and large file transfers.

When Anonymous FTP is enabled, IBM Lotus Foundations automatically creates a team called FTP. Members of this team have access to the FTP directory. All files placed in this directory by team members are accessible to anyone on the Internet. Similarly, when Anonymous Upload is enabled, anyone on the Internet can upload their own files to the subdirectory in the FTP directory.

rsync

rsync is a UNIX-based utility that enables incremental files and directorysynchronization from one location to another. This can be used to copy data filesfrom the IBM Lotus Foundations server to another system that also supports rsync.An advantage to using this file transfer method is that only the changed portionsof the files are transferred, rather than the entire new version of the files anddirectories.

Note: To use rsync, commands must be run within a Telnet session. Therefore,basic knowledge and understanding of the Linux command line is recommended.For a more detailed explanation of rsync, visit the following Web site:http://samba.anu.edu.au/rsync/

Enabling rsync

To enable rsync, follow these steps:
1. Log in to WebConfig as an administrative user.
2. Click Local Network in the left menu of WebConfig. The Basic Setup tab of the Local Network Setup page is displayed.
3. For the Rsync Server field, select Enable or Only Trusted Hosts.
4. Click Save Changes.

Figure 49. Basic Setup tab of the Local Network Setup page of WebConfig

rsync from a Telnet session

Pushing data to another location

To push data to another location, use this command:

    rsync -zav --progress /home/local_user/Files remote_user@remote_server::remote/path/

Table 19. Options for the rsync push command

Command option            | Explanation
rsync                     | rsync executable command
-z                        | Compresses any data from the files rsync sends to the destination computer (useful for slow connections); the compression method is the same method used by the UNIX gzip compression utility
-a                        | Enables recursion and preserves almost everything during the synchronization
-v                        | Increases the amount of information you receive during the transfer (default is for rsync to work silently); a single -v provides information about which files are transferring and a brief summary at the end, while two -v flags provide information about skipped files and slightly more information at the end
--progress                | Displays the progress of individual files
/home/local_user/*        | Local directory to push out to the remote location
remote_user@remote_server | remote_user is the team name at the remote location and remote_server can be either the remote server's IP address or the fully qualified domain name; the password prompt following the rsync line is for this account
::                        | A double colon in the destination field copies from the local server to the remote server; a double colon also separates the host name from the path that follows
remote/path               | Destination folder or path
/                         | Eliminates confusion rsync might have with the command when appended to the trailing directory; without it, the path might be interpreted as /REMOTE_USER/dir/dir/ or something similar

You are then prompted to provide the password for the remote_user account entered into the syntax.

Pulling data from another location

To pull data from another location, use this command:

    rsync -zav --progress remote_admin@remote_server::remote_user/* /home/local_user/Files

- The transfer is initiated by the local server, but the files are pulled from the remote server.
- The double colon indicates from where the files are copied.
- /home/local_user/Files represents the path to the destination folder on the local system.

As with the push method, you are prompted to provide a password for the remote_admin account.


Print service

IBM Lotus Foundations print services

You can connect any type of printer that users are sharing on the internal network to the parallel printer port of an IBM Lotus Foundations Start server. IBM Lotus Foundations Start does not support the bi-directional mode of parallel devices; it can send output to printers but cannot read detailed status information. This means that any special print manager and status monitor software on your workstation should be disabled.

IBM Lotus Foundations supports network printing. This helps you to manage the print queues through IBM Lotus Foundations directly for multiple network-enabled printers. The printer queues are accessible through Internet Printing Protocol (IPP) and standard Windows network printing. IBM Lotus Foundations also enables aliased printing queues.

The administrator or installer must provide the appropriate drivers for the specified printer at the workstation.

IBM Lotus Foundations supports parallel port printers and a range of local USB-based printers. Print services do not support green-enabled printers that shut themselves off when there is inactivity on the port.

Configuring local print services

Before you can print on a printer connected to your IBM Lotus Foundations server, you must configure IBM Lotus Foundations for printing.
1. Click Printers in the left menu of WebConfig. The Print Setup page is displayed. IBM Lotus Foundations lists all the available printers.
2. For Printing Services, select Enable or Disable. You are not able to print with the printers connected to your server unless you enable printing services.
3. Click Save Changes. It takes approximately 5 seconds to detect connected printers. Printers are not displayed in the list immediately after clicking Save Changes.

Configuring your workstation

Follow these steps to configure a printer for your workstation:

Note: Driver installations can vary according to each printer and manufacturer. The following instructions are provided as a basic guideline. For more information, refer to the printer manufacturer's installation guide.
1. Access the IBM Lotus Foundations server file share. This can be done through Microsoft Windows Network or by clicking Start → Run and typing in either \\server_ip or \\server_hostname. A window is displayed that shows the network file and print services to which you have access.
2. Right-click the printer icon to which you want to connect and click Connect.
3. If the required driver is not detected as already installed, a print installation warning is displayed. Click Yes to continue.
4. Select the printer in the list provided and click OK. If your printer is not listed, click Have Disk and point to the driver provided by your printer's manufacturer.
5. Enter a name for the printer and click Next. If this is the only printer that the workstation is communicating with, it assumes that this printer is the default.
6. Indicate whether you want to print a test page and click OK.

Configuring network printers

Follow these steps to configure network printers:
1. Click Printers in the left menu of WebConfig.
2. If Printing Service is disabled, select Enable and click Save Changes.
3. Click Add Network Printer.
4. Enter the details pertaining to the network printer to be added.
5. Click Save Changes to add the network printer.
6. Permit IBM Lotus Foundations to probe the address for printer information, and click Printers in the left menu. Once the printer has been found, it displays the printer information.

Other network printing

If you are trying to configure network printing where the printer is not physically connected to an IBM Lotus Foundations server, perform these steps:
1. In the Windows Control Panel, click Printers & Faxes → Add a Printer. Select A network printer, or a printer attached to another computer on the second screen of the Add Printer Wizard.
2. Select Connect to a printer on the Internet or a home or office network.
3. Enter the http address that corresponds with the location of the printer queue in the URL field. For example, http://printer_ip/printers/NAME_OF_PRINTER. Do not forget to include the :631 to indicate the correct port number.
4. Select the appropriate printer brand and model number in the list provided. Choose whether to use the existing driver or to re-install the driver and click Next.
5. Select whether or not you would like to use this printer as the default and click Next.
6. Select whether or not you wish to share this printer and click Next.
7. Select whether or not you wish to print a test message, then click Next, then Finish.

You should now be configured to print to the networked printer directly through IBM Lotus Foundations. You can configure printing services through Linux and Mac workstations.

Creating an aliased printer queue

Follow these steps to create an aliased printer queue:
1. Click Printers in the left menu of WebConfig.
2. Click Add Printer Alias....
3. Enter the alias to apply to a particular printer.
4. Click Save Changes to create the alias.


Web services

Web services integrate Web-based applications in order for businesses to communicate with one another and with customers.

Web server

The Web server featured in IBM Lotus Foundations is based on the industry standard Apache Web server with support for the PHP and Perl scripting languages.

In addition to the Apache Web server integrated into the IBM Lotus Foundations operating system, the Lotus Domino Web server is included with the IBM Lotus Foundations Start add-on. For more information, refer to “Lotus Domino integration” on page 158.

Master Web server

What is the master Web server?

The master Web server is designed to serve your intranet site and the personal Web pages of your IBM Lotus Foundations users. Although it is possible to make these sites available to outside users, you can choose to keep them private for security reasons.

Master Web services are provided from IP addresses assigned to the internal and external network interfaces of IBM Lotus Foundations. If the Web server is enabled and access is granted to outside users, anyone accessing the IBM Lotus Foundations server's internal or external Internet Protocol (IP) address from a Web browser can access information about the master server.

Webmaster directory

A webmaster team is created and configured as the master Web server administrator. When the webmaster team is created, a shared network directory called webmaster is made available to all members of the webmaster team, and the subdirectory WWW is created in the webmaster network drive. This is the directory from which intranet files are served. Any files saved in this directory are automatically accessible through the master Web site.

The webmaster directory also contains the log subdirectory, where server access and error logs are maintained, as well as a cgi-bin directory, where all Common Gateway Interface (CGI) scripts, such as Perl scripts, are stored.

Configuring your master Web server

To configure your master Web server, perform these steps:
1. Click Web Server in the left menu of WebConfig. The Basic Setup tab of the Web Server Setup screen is displayed.

Figure 50. Basic Setup tab of the Web Server Setup page in the WebConfig console

2. In the Web Server row, select one of the following radio buttons: Enable, Only Trusted Hosts, Disable, or Dynamic Redirect.

Table 20. Web Server enablement options

Option             | Description
Enable             | - Enables the Web server
                   | - Enables users on the internal network and users on the Internet to access Web pages on this server
                   | - Serves pages out of the webmaster's WWW directory
                   | - Web server logs are written in the webmaster's directory
Only Trusted Hosts | - Enables the Web server
                   | - Enables users on the internal network to access Web pages on this server
                   | - Serves pages out of the webmaster's WWW directory
                   | - Web server logs are written in the webmaster's directory
Disable            | Disables the Web server; no one can access Web pages on this server
Dynamic Redirect   | - Enables redirection of Web connections
                   | - Can be employed to circumvent blocked HTTP (Web) ports
                   | - All Web requests directed at IBM Lotus Foundations are handled by a dynamic DNS server, automatically redirecting them to a different port on the IBM Lotus Foundations server; redirection is almost transparent to clients, who might notice the host name and port changed slightly
                   | - DynamicDNS must be enabled (see “Domain Name Service” on page 123 for more information)

3. In the Secure Web Server row, select one of the following radio buttons: Enable, Only Trusted Hosts, or Disable.

Table 21. Secure Web Server enablement options

Option             | Description
Enable             | - Enables the secure Web server
                   | - Enables users on the internal network and users on the Internet to access Web pages on this server
                   | - Serves pages out of the webmaster's WWW directory
                   | - Web server logs are written in the webmaster's directory
Only Trusted Hosts | - Enables the secure Web server
                   | - Enables users on the internal network to access Web pages on this server
                   | - Serves pages out of the webmaster's WWW directory
                   | - Web server logs are written in the webmaster's directory
Disable            | Disables the secure Web server; no one can access secure Web pages on this server

4. In the MySQL Server row, select one of the following radio buttons: Enable or Disable.

Table 22. MySQL Server enablement options

Option  | Description
Enable  | - Enables the MySQL server
        | - Users on the internal network have access to personal databases and databases of any teams to which they belong
Disable | - Disables the MySQL server
        | - Users do not have access to personal or team databases
        | - Default setting

User and team databases are automatically created when user and team accounts are set up. MySQL databases can be used to store dynamic Web page data for services such as online catalogs and stores.

MySQL is an advanced feature for users that are familiar with SQL (Structured Query Language). Refer to “MySQL server” on page 127 for more information.

5. In the Users' personal home pages row, select one of the following radio buttons: Enable, Only Trusted Hosts, or Disable.

Table 23. Users' personal home pages enablement options

Option             | Description
Enable             | - Enables users' personal home pages to be viewed from anywhere
                   | - Master Web server must also be enabled
                   | - Format for addresses of personal home pages: http://server.domain/~username
Only Trusted Hosts | - Enables users' personal home pages to be viewed only from the local network
                   | - Master Web server must also be enabled
                   | - Format for addresses of personal home pages: http://server.domain/~username
Disable            | Disables personal home pages

This setting enables users to serve personal home pages to users on your network or the entire Internet from the WWW subdirectory located in each user's personal network directory.

6. In the Choose a team to act as webmaster field, select a team from the drop-down list to maintain the server. Although the webmaster team is created as the administrator of the master Web server and is listed as the default option for this field, any team can perform server maintenance tasks.
7. In the Webmaster Email address field, enter the email address of the webmaster (the person in charge of the Web site), or a name of a user on the server.
8. In the Web Proxy port field, enter the appropriate Web proxy port. Leaving the default value of 0 enables the server to choose the Web proxy port.
9. In the Megabytes of WWW cache field, enter the appropriate number of megabytes for the WWW cache field. Refer to “Web caching” on page 164 for more details.
10. Click Save Changes.

Lotus Domino integration

IBM Lotus Foundations Start 1.2 supports the Lotus Domino Web Server. This Web server provides an integrated Web application server that can host Web sites and Lotus Notes applications internally and externally.

The Domino Integration option sets which Web server to use on a specific Web port.

To configure which Web server uses a specific port, follow these steps:
1. Click Web Server in the left menu of WebConfig. The Basic Setup tab of the Web Server Setup page is displayed.
2. Click the Domino Integration tab.

Figure 51. Domino Integration tab of the Web Server Setup page in the WebConfig console

3. In the Port 80 row, select one of the following radio buttons: Foundations, Domino, or Both.

Table 24. Domino integration options for Port 80

Option      | Description
Foundations | Enables Web traffic for only IBM Lotus Foundations on port 80
Domino      | Enables Web traffic for only Lotus Domino on port 80
Both        | Enables Web traffic for both IBM Lotus Foundations and Lotus Domino on port 80

If you enable Web traffic for both servers, note the following information:
- The top level domain (for example, http://example.com) is used by the Lotus Domino Web server.
- To use IBM Lotus Foundations Web pages from a user or team share, type the top level domain followed by /~user or team/webpage_name.html (for example, http://example.com/~user/webpage_name.html).
- To use IBM Lotus Foundations Web pages from the specific domain's Webmaster team folder, type the top level domain followed by /webmaster/webpage_name.html (for example, http://example.com/webmaster/webpage_name.html).

4. In the Port 443 row, select one of the following radio buttons: Foundations, Domino, or Both.

Table 25. Domino integration options for Port 443

Option      | Description
Foundations | Enables Web traffic for only IBM Lotus Foundations on port 443
Domino      | Enables Web traffic for only Lotus Domino on port 443
Both        | Enables Web traffic for both IBM Lotus Foundations and Lotus Domino on port 443

If you enable Web traffic for both servers, note the following information:
- The top level domain (for example, https://example.com) is used by the Lotus Domino Web server.
- To use IBM Lotus Foundations Web pages from a user or team share, type the top level domain followed by /~user or team/webpage_name.html (for example, https://example.com/~user/webpage_name.html).
- To use IBM Lotus Foundations Web pages from the specific domain's Webmaster team folder, type the top level domain followed by /webmaster/webpage_name.html (for example, https://example.com/webmaster/webpage_name.html).

5. In the Port 4443 row, the only radio button available is Domino. Port 4443 is used exclusively by the Lotus Domino Web server and cannot be used by the IBM Lotus Foundations Web server.

Virtual Web servers

Although virtual Web servers enable you to host a number of Web sites from the same server, these sites are displayed to outside users as though they are all hosted by different servers. To configure virtual Web servers on the outside interface, your Internet service provider (ISP) has to assign you multiple Internet Protocol (IP) addresses or you have to use name-based virtual Web sites, which use unique domain names to distinguish among Web sites that share a single IP address.

Every virtual Web site must be associated with a maintenance team, which can maintain the content for only one virtual Web site. This content, though, can reside on different virtual Web servers. For example, you create a virtual Web server for example.com and one for example.net, but you want both sites to display the same information. You must create two virtual Web servers, but the virtual Web servers can share the same maintenance team. In contrast, if you want to display different content on example.com than what is displayed on example.net, the two virtual Web servers need two different maintenance teams.

If the virtual Web site is maintained by users on the local network, they can be made members of the maintenance team. If the site is maintained by outside users, they have to use File Transfer Protocol (FTP) to access the Web site directory. If they have an account on the server, they can use their own login name and password. If they do not have an account on the network, they have to use the team name and password.

Creating a new virtual Web server

To create a new virtual Web server, perform these steps:
1. Click Web Server in the left menu of WebConfig. The Basic Setup tab of the Web Server Setup screen is displayed.
2. Click the Virtual Web Server tab.

Figure 52. Virtual Web Server tab of the Web Server Setup page of WebConfig

3. Click Add Virtual Web Server. The New Virtual Domain screen is displayed.
4. In the Hostname of Virtual Web Server field, enter your Internet domain name. This host name is used as a Domain Name Service (DNS) entry for domain name resolution.
5. The name of your IBM Lotus Foundations server automatically populates the IP Address of Virtual Web Server field. If you want to use a different IP address, enter it in this field.

   Note: Your ISP must provide you with an extra IP address if you are configuring a virtual Web server on an outside, untrusted interface.

6. In the Choose a team to act as webmaster field, select a team to perform webmaster duties from the drop-down list.
7. In the Trusted hosts only field, select Yes or No. This option determines whether the virtual Web site is accessible only by trusted hosts. This option enables you to host both an intranet and a public Web site from the same server.
8. In the Enable users' personal home pages field, select Enable or Disable. This option determines whether you want to serve personal home pages from the WWW subdirectory located in each user's personal network directory.
9. Click Save Changes.

Deleting a virtual Web server

To delete a virtual Web server, perform these steps:
1. Click Web Server in the left menu of WebConfig. Click the Virtual Web Server tab of the Web Server Setup page. The Virtual Domains Setup section is displayed, showing all existing virtual domains.
2. Click the appropriate server's delete icon in the Action column.
3. Click OK to confirm the deletion in the window.

All Web files for that server reside in the team's directory and are not deleted unless the team maintaining the site is deleted.

Editing a virtual Web server

To edit a virtual Web server, perform these steps:
1. Click Web Server in the left menu of WebConfig. Click the Virtual Web Server tab of the Web Server Setup page. The Virtual Domains Setup section displays all existing virtual domains.
2. Click the appropriate server's edit icon in the Action column. The Modify Virtual Domain page is displayed.
3. Change the appropriate server settings.
4. Click Save Changes.

Hosting multiple Web sites

If your IBM Lotus Foundations server is used as a Web hosting platform for a number of Web sites owned by various customers, you should use the following strategy.

For example, if your IBM Lotus Foundations server is used to serve a Web site for AcmeWidgets, follow these steps:
1. Create a team called AcmeWidgets.
2. Create a virtual Web server and choose the AcmeWidgets team as the Webmaster team. Anyone from the AcmeWidgets team can access these files using File Transfer Protocol (FTP) with the user name AcmeWidgets and the team's password.

Figure 53. The Virtual Domains Setup section of the Web Server Setup page of WebConfig

Secure Web services

Secure Socket Layer (SSL) encryption

The IBM Lotus Foundations Web server can serve secure Web pages, which are transmitted over the Internet using Secure Socket Layer (SSL) encryption technology. All browsers on the market support SSL encryption. For SSL to work, the Web server must have a file with a security certificate. This file is unique to every Web server and, for encryption to properly work, the certificate has to be issued by a proper certificate authority. When the user loads a secure page, its certificate is compared to the certificate held by the certificate authority. If they match, the site is considered trusted, and encrypted communication can commence.

You can purchase SSL security certificates from a number of Internet security companies.

IBM Lotus Foundations security certificates

The security certificates that IBM Lotus Foundations generates can be checked for authenticity by all Web browsers. The security certificate generated by IBM Lotus Foundations is placed in the webmaster directory and named certificate.pem.

A user loading the first secure Web page from the server is warned that this security certificate is valid, but that the company issuing it cannot be considered trusted. The user has to manually approve the continuation of the transaction. Despite this warning, information exchanged between the Web browser and the Web server cannot be viewed by others.

If you purchase a security certificate from a certificate authority, delete the file automatically created by IBM Lotus Foundations and replace it with the one you purchased. See “SSL certificate” for more information. You might also want to store a copy of the purchased certificate in a different directory.

SSL certificate

Although a security certificate is automatically generated the first time you power up your IBM Lotus Foundations server, you can overwrite this certificate at any time with a third-party certificate purchased from a certificate authority.

Note: You can only use X.509–based certificates.

Replace with a third-party certificate

To replace the automatically generated security certificate with a third-party security certificate, follow these steps:
1. Click Web Server in the left menu of WebConfig. The Basic Setup tab of the Web Server Setup page is displayed.
2. Click the SSL Certificates tab.
3. Enter your personal information in the PKCS#10 Request Specifics fields.
4. Click Generate PKCS#10 Request. A Security Alert window is displayed. Click Yes.
5. The System Message box at the top of the page shows that IBM Lotus Foundations is generating a new certificate request based on the information you provided in the previous steps. A new certificate request is generated in the PKCS#10 Certificate Request box.
6. Copy and paste the new certificate request from the PKCS#10 Certificate Request box and give it to your certificate authority. They use this to generate a new certificate.
7. Once you have received the new certificate from your certificate authority, copy and paste it into the X.509 Certificate box.
8. Click Replace Certificate.


Web caching

To improve bandwidth, IBM Lotus Foundations can temporarily store Web files accessed by internal users in a cache. If a user requests any of these stored files, IBM Lotus Foundations serves them from the cache instead of from the original Web site. Internet bandwidth is used only to retrieve Web pages that have not previously been viewed, resulting in much faster access to the Internet.

Configuring Web caching

To configure Web caching, perform these steps:
1. Click Web Server in the left menu of WebConfig. The Basic Setup tab of the Web Server Setup page is displayed.
2. Enter the amount of data to be cached in the Megabytes of WWW cache field. Specify 5-10 MB for every active user on the internal network.
   - Once the cache is full, the oldest files are deleted to make space for new ones.
   - Configuring the cache size to zero disables the Web cache server.
3. Click Save Changes.
4. For Web caching to run transparently, ensure that your Web browser is not configured to use a proxy server.


Web filtering

IBM Lotus Foundations provides positive Web filtering, which is a feature that enables the system administrator to permit access to specific Internet sites, while blocking access to all others.

Enabling the Web filter

Follow these steps to enable the Web filter:
1. Select Web Server in the left menu of WebConfig. The Web Server Setup page is displayed.
2. In the Content filtering field, select Enable.
3. Click Save Changes.

If you plan to use Web filtering with Web caching, all proxy server settings must be removed.

Exempting workstations from filtering

To provide a specific workstation with access to all Internet sites, follow these steps:
1. Click Web Server in the left menu of WebConfig.
2. Click the Content Filtering tab.
3. In the Add New Workstation field of the Workstations Exempt from Filtering section, enter their host name or IP address.
4. Click the green plus sign to add the entry. The new entry is displayed in the list of workstations with full access.

To remove full access for a workstation, click the delete action button located next to the workstation name or IP address. The exemption list can take up to 2 minutes to refresh.

Exempting ports from filtering

When enabled, the IBM Lotus Foundations content filter monitors port 80 and all others above 1023 (1024-65535). If an application uses a port between 1024 and 65535 that you need to open, follow these steps to permit that application to bypass the content filter. Note that all other applications using this port are also exempt from Web filtering. Creating port exemptions is for transmission control protocol (TCP) traffic only. If an application uses some other protocol, there is no need to add an exempt port.

Follow these steps to add port exemptions:
1. Click Web Server in the left menu of WebConfig.
2. Click the Content Filtering tab.
3. In the Add New Port field of the Ports Exempt From Filtering section, enter the port number you want to exempt.
4. Click the green plus sign to add the entry.


Adding permitted Web sites

For users to access a specific Web site, the administrator has to add it to the Permitted Websites list. By default, the Web sites lotus.com and ibm.com are automatically added.

To add a Web site you want to permit all users access to, follow these steps:
1. Click Web Server in the left menu of WebConfig.
2. Click the Content Filtering tab.
3. In the Permitted Websites section, enter the site's name in the empty Add New Website field. To view the permitted Website list, click Display Permitted Website List.
4. Click the green plus sign to accept the change. The Web site you entered is now displayed in the Permitted Websites list.
   - You can use wildcards to enable all prefixes of a given domain. For example, to enable www.example.com, my.home.example.com, and office.example.com, type:

     *.example.com

   - You can use wildcards in the place of any label (dot-separated block) within a domain name. To do this, replace any label of the domain with an asterisk. For example, in order to enable both example.com and example.org, type:

     example.*

   - The two rules above cannot be used at the same time. For example, *.example.* permits www.example.com, office.example.org, but not my.home.example.org.
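The wildcard rules above can be modelled in a few lines to check what a Permitted Websites entry would actually admit before you add it. This is an added example, not code from IBM Lotus Foundations; it assumes case-insensitive matching and that *.example.com does not cover the bare domain example.com, and the function names are hypothetical.

```python
"""Model of the Permitted Websites wildcard rules described in this section.

Assumptions (not taken from the product): matching is case-insensitive and
"*.example.com" does not cover the bare domain "example.com".
"""


def _labels(name):
    # Split a host name or pattern into lower-case, dot-separated labels.
    return name.strip().rstrip(".").lower().split(".")


def matches(pattern, host):
    """Return True if host is permitted by a single wildcard pattern."""
    p, h = _labels(pattern), _labels(host)
    if "" in p or "" in h:
        return False  # empty label: malformed pattern or host name
    # Rule 1: a leading "*." that is the only wildcard enables every prefix,
    # however many labels the prefix has.
    if p[0] == "*" and len(p) > 1 and "*" not in p[1:]:
        suffix = p[1:]
        return len(h) > len(suffix) and h[-len(suffix):] == suffix
    # Rule 2: otherwise each "*" stands for exactly one label, so the host
    # must have the same number of labels as the pattern.
    return len(p) == len(h) and all(a in ("*", b) for a, b in zip(p, h))


def permitted(host, patterns):
    """Return True if any pattern in the list permits the host."""
    return any(matches(pat, host) for pat in patterns)


def review(patterns):
    """Return (pattern, reason) pairs for entries worth a second look."""
    findings = []
    for pat in patterns:
        if _labels(pat)[-1] == "*":
            findings.append((pat, "wildcard in the last label permits the "
                                  "name under every top-level domain"))
    return findings


if __name__ == "__main__":
    # Constructed sample data: the three patterns quoted in the text.
    patterns = ["*.example.com", "example.*", "*.example.*"]
    hosts = ["www.example.com", "my.home.example.com", "example.org",
             "office.example.org", "my.home.example.org"]
    for pat in patterns:
        allowed = [host for host in hosts if matches(pat, host)]
        print(f"{pat:15} permits {allowed}")
    for pat, reason in review(patterns):
        print(f"review {pat}: {reason}")
```

A pattern such as example.* deserves the extra look that review() gives it, because it also permits the name under top-level domains your organization does not control.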

Adding denied Web sites

When you add a denied Web site, users cannot request access to it. To manually add a denied Web site, follow these steps:
1. Click Web Server in the left menu of WebConfig.
2. Click the Content Filtering tab.
3. Go to the Denied Websites section. Enter the Web site address in the Add New Website field.
4. Enter the reason for denial. This section is optional.
5. Click the green plus sign to add the entry. When this is done, the Denied Websites box displays a link labeled Display Denied Website List. You can either click this link to view the current list and add new entries or add new entries on the main.

Accepting access requests

If a user has requested access to a Web site that has not been authorized, a notice is displayed in their browser.

The user can request that this site be authorized by the administrator by clicking the Request Access button.

The administrator can view all the pending requests in the main Content Filtering section of WebConfig by clicking the link Display Pending List.

To accept or deny requests, follow these steps:
1. Click Web Server in the left menu of WebConfig.
2. Click the Content Filtering tab.
3. Click Content Filtering Requests.
4. A list containing the requested sites is displayed. Choose to permit the site by clicking the green plus icon.

Users can now access the permitted Web site.

Denying access requests

To deny a requested Web site, follow these steps:
1. Click Web Server in the left menu of WebConfig.
2. Click the Content Filtering tab.
3. Click Content Filtering Requests as you would if you were going to accept a request. The list of pending requests is displayed.
4. If you want to immediately deny the request, click the delete button. If you want to provide a reason, click the edit action button and enter it into the field labeled Reason for Denial. When you are done, click Deny Request.

List management

The list management feature enables you to import and customize content filtering lists from other IBM Lotus Foundations servers. You can export and customize the local content filtering list to share with other IBM Lotus Foundations servers.

Importing a list

To import a content filtering list you must first obtain an exported list from another IBM Lotus Foundations server. Refer to “Exporting a list” for how to do this. After this is done, follow these steps:
1. Click Web Server in the left menu of WebConfig.
2. Click the Content Filtering tab.
3. Click Import/Export Website Lists.
4. Choose whether you want the imported list to include the list of permitted Web sites. Click either the Enable or Disable radio button.
5. Choose whether you want the imported list to include the list of denied Web sites. Click either the Enable or Disable radio button.
6. Click the Browse button in the File To Import field and locate the file you want to import. The file name and path should now be displayed.
7. Click Import Lists.

Exporting a list

To export a content filtering list, follow these steps:
1. Click Web Server in the left menu of WebConfig.
2. Click the Content Filtering tab.
3. Click Import/Export Website Lists.
4. Choose whether you want the exported list to include the list of permitted Web sites. Click either the Enable or Disable radio button.
5. Choose whether you want the exported list to include the list of denied Web sites. Click either the Enable or Disable radio button.
6. Click Export Lists. A text file is generated that you can save and use to port to another IBM Lotus Foundations server.

Email reporting

The IBM Lotus Foundations content filter can send instant email notifications every time a Web site has been requested and email a daily report of all requested sites.

To use the email reporting options, follow these steps:
1. Click Web Server in the left menu of WebConfig.
2. Click the Content Filtering tab.
3. Click Configure Report Options. The Content Filter Reporting Options page is displayed.
4. To enable daily reports, set the Daily Reports to Enabled. This feature requires the internal SMTP server to be enabled.
5. If you enabled daily reports, in the Time of Day for Daily Report drop down, choose the time of day that the daily report of pending content filtering requests is to be mailed to the administrator. 0:00 represents midnight.
6. To enable instant notification, set Instant Notification to Enabled. This feature requires the internal SMTP server to be enabled.
7. Enter the email address for the administrator in the Administrator's Email Address field.
8. Click Save Changes.


Hardware components reporting

IBM Lotus Foundations can report on hardware that is detected in the server (including processors, memory, Ethernet and hard disk drives) and verify whether that hardware is currently supported by the version of IBM Lotus Foundations running.

The Hardware Status page displays the details of all the hardware on the system, and information pertaining to the compatibility/support of the hardware within the current version of IBM Lotus Foundations.

To view the Hardware Status list, click Hardware Status in the left menu of WebConfig. The Hardware Status page is displayed.

While the server polls the hardware, the Hardware Status page displays the following message: (Collecting hardware status data. Please wait...)

The information displayed varies according to the specific hardware in your server.

Table 26. Hardware Status columns

| Column | Description |
|---|---|
| Type | Type of hardware being reported; for example, CPU and memory |
| Description | Brand of hardware |
| Device ID | Where the hardware is located in the server |
| Status | Specifies if the hardware is in one of three states: Supported (has its required drivers installed in the IBM Lotus Foundations platform); Unsupported (does not have its driver installed); Support Unknown (the IBM Lotus Foundations platform cannot determine the required driver) |


Log messages

Accessing log messages

IBM Lotus Foundations keeps a log that displays the messages from all the IBM Lotus Foundations subsystems. To view the log from the firewall subsystem, refer to the “Firewall log information” section.

To access this log, click Logs and Reports in the left menu of WebConfig. The Log Messages page is displayed.

Customizing message display

The Highlight drop-down menu enables you to highlight messages coming from a specific IBM Lotus Foundations subsystem, such as Disk manager and Fast/Port Forward, making them easier to view.

To customize your message log display, follow these steps:
1. Select a subsystem from the Highlight drop-down menu.
2. Select an option from the Priority drop-down menu.
   - The priority list customizes what message is highlighted.
   - By default, only messages that show a change in the system display; however, you can display error messages and debug messages.
3. Click Apply. The appropriate messages are highlighted.

Firewall log information

For ICSA Labs firewall compliance, IBM Lotus Foundations logs requests to send traffic through the firewall. See “Firewall services” on page 77 for more information about the IBM Lotus Foundations firewall. Firewall logging is only enabled when the Restrict Outgoing Connections field is set to Yes.

The following firewall information is logged:
- All permitted inbound access requests from public network clients that use a service identified in the security policy hosted on the IBM Lotus Foundations server itself or on a private or service network server.
- All permitted outbound access requests from private and service network clients that use a service identified in the security policy on a public network server.
- All access requests from private, service, and public network clients to traverse the IBM Lotus Foundations firewall that violate the security policy.
- All access requests from private, service, and public network clients to send traffic to the IBM Lotus Foundations server itself that violate the security policy.
- All attempts to authenticate at an Administrative Interface on the IBM Lotus Foundations server itself.
- All access requests from private, service, and public network clients to send traffic to the IBM Lotus Foundations server itself on the port or ports used for Remote Administration.
- Each Startup.

The logs contain the following information:
- Date and Time: When the event occurred with an accurate date stamp and timestamp
- Protocol: TCP, UDP, ICMP, Other
- Source IP address
- Destination IP address
- Destination Port: Either TCP and UDP or Message Type; for example, ICMP
- Disposition of the event: For example, Blocked or Allowed

To view the firewall log, you must be a member of the log team. This team is automatically created by IBM Lotus Foundations.

The firewall log file is displayed in the team folder on IBM Lotus Foundations. The file wvlog.current contains the latest log messages.

To add a user to the log team, follow these steps:
1. Click Users in the left menu of WebConfig. The Users tab of the User Setup page is displayed.
2. Click the appropriate user's edit icon in the Action column. The Modify User screen is displayed.
3. Select the log team in the Join Teams field. Click Join. The team is displayed in the Member of Teams field.
4. Click Save Changes.


Anti spam

Included with IBM Lotus Foundations is the ability to use real-time block lists (RBLs).

The RBL feature uses publicly accessible third-party RBL servers to compare the IP address of incoming email to a list of known spammers. If the IP is on the list then the email is rejected. The list of RBL providers used by IBM Lotus Foundations is dynamically updated when necessary. Your server's Software Update service checks IBM's Software Update servers for any changes daily. If you want to use a provider not currently used by default, you can update the list by following the instructions included in http://www-01.ibm.com/support/docview.wss?uid=swg21387961.

To enable RBL, follow these steps:
1. Click Email Server in the left menu of WebConfig.
2. Click the Filters tab.
3. Select one of the following options:
   - Strong RBL - Stronger check of spam candidates than Medium RBL.
   - Medium RBL - Blocks known spam servers. Medium RBL blocks most spam email.
   - No RBL - Disables RBL spam protection.
4. Click Save Changes.
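The RBL comparison described above is commonly done as a DNS lookup: the sending IP address is reversed, prefixed to the provider's zone, and an answer inside 127.0.0.0/8 means the address is listed. The sketch below is an added example of that general convention, not code from IBM Lotus Foundations, whose own lookup mechanism this guide does not describe; the zone rbl.example.org, the function names and the sample records are placeholders constructed for illustration.

```python
import ipaddress
import socket

ZONE = "rbl.example.org"  # placeholder zone name, not a real RBL provider
_LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip, zone=ZONE):
    """Build the DNS name that is queried for a connecting IP address."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        parts = str(addr).split(".")                      # four octets
    else:
        parts = list(addr.exploded.replace(":", ""))      # 32 hex nibbles
    return ".".join(reversed(parts)) + "." + zone


def system_resolver(name):
    """Resolve A records with the system resolver; [] means not found."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def is_listed(client_ip, resolve=system_resolver, zone=ZONE):
    """True only if the list answers with an address inside 127.0.0.0/8."""
    for answer in resolve(dnsbl_query_name(client_ip, zone)):
        try:
            if ipaddress.ip_address(answer) in _LISTED_NET:
                return True
        except ValueError:
            continue  # ignore anything that is not an IP address
    # No answer, or an answer outside 127.0.0.0/8 (for example a resolver
    # that rewrites "not found" replies), is treated as not listed so that a
    # broken lookup does not reject all mail.
    return False


def smtp_decision(client_ip, resolve=system_resolver):
    """Mirror the rule in the text: a listed sender is rejected."""
    return "reject" if is_listed(client_ip, resolve) else "accept"


# Constructed zone data for an offline run (documentation address ranges).
FAKE_ZONE = {
    "10.2.0.192.rbl.example.org": ["127.0.0.2"],     # listed sender
    "7.100.51.198.rbl.example.org": ["203.0.113.80"],  # rewritten reply
}


def fake_resolver(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "198.51.100.8"):
        print(ip, dnsbl_query_name(ip), smtp_decision(ip, fake_resolver))
```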

An optional Spam Scanner license can be purchased. The Spam Scanner license provides the following enhanced functionality:
- White and black lists at both the global and user level
- Content Scanner
- Network Scanner

For information on these additional features, see the IBM Lotus Foundations Anti Spam add-on.


Virus scanner

AntiVirus for IBM Lotus Foundations is an optional add-on. You must have a valid AntiVirus for IBM Lotus Foundations virus scanner license to use this feature.

AntiVirus for IBM Lotus Foundations virus scanner gives you complete anti-viral protection for your IBM Lotus Foundations server with both file- and mail-level virus scanning. AntiVirus for IBM Lotus Foundations scans for viruses on the local file system as well as incoming and outgoing email messages including mail collected from external mailboxes. AntiVirus for IBM Lotus Foundations detects infected, suspicious, corrupted and password-protected files, and files that fail to be scanned because of an error. All infected, suspicious, and corrupted objects that cannot be automatically repaired are quarantined.

File virus scanner

AntiVirus for IBM Lotus Foundations file virus scanner is not a real-time scanner, meaning that it does not scan for viruses as data is transmitted, copied, or moved to the IBM Lotus Foundations server. Instead, the IBM Lotus Foundations server runs a scheduled file scan once every 12 hours by default. This provides maximum stability and available resources to the daily operations of the IBM Lotus Foundations server, which is especially important if you are using several features of the server at the same time. When a virus is encountered, it is cleaned up if possible. Otherwise it is renamed to filename-INFECTED and the user in whose directory the file was found is informed through email of the virus.

Mail virus scanner

AntiVirus for IBM Lotus Foundations mail virus scanner scans all incoming and outgoing email messages, including attachments, for viruses. When mail messages that contain infected, suspicious, and other objects are detected, the virus is immediately removed and a warning is sent to the sender and recipient along with the original, but virus-free, mail message.

Configuring the file virus scanner

To configure your file virus scanner, follow these steps:
1. Click File Server in the left menu of WebConfig. The Basic Setup tab of the File Server Setup page is displayed.

Figure 54. Basic Setup tab of the File Server Setup page of WebConfig

2. In the File Virus Scanner field, select Enable.
3. Click Save Changes.

Configuring the email virus scanner

To configure your email virus scanner, follow these steps:
1. Click Email Server in the left menu of WebConfig. The Summary tab of the Email Server Setup page is displayed.

Figure 55. Summary tab of the Email Server Setup page of WebConfig

2. Click the Filters tab.

Figure 56. Filters tab of the Email Server Setup page of WebConfig

3. For the Mail Virus Scanner field, select All Emails or Inbound Only to activate mail virus scanning.
4. Click Save Changes.


IBM Lotus Foundations Start performance optimization

With such a vast array of features, it can be challenging to determine how IBM Lotus Foundations can be optimized for performance in specific deployment scenarios. How fast the processor should be, how much memory is required, and how often backups should run are all valid questions. With its robust application server, IBM Lotus Foundations Start introduces even more questions when considering optimization.

This chapter explores some IBM Lotus Foundations Start performance considerations to assist you in deploying IBM Lotus Foundations Start as a robust, reliable, and efficient back-end server.

Minimum hardware requirements

The Lotus Domino server that sits at the heart of IBM Lotus Foundations Start is a product built for enterprise scalability. While Lotus Domino initially requires a substantial pool of resources to be able to operate almost regardless of the number of users, the incremental resources required for each additional user are typically less than for traditional applications built for small deployments. Keep this in mind when choosing the hardware required to run the system.

The basic requirements are met with an IBM Lotus Foundations Appliance. The IBM Lotus Foundations Appliance has two hardware server choices: IBM System models 9234-CNx and 9234-DNx. The IBM Lotus Foundations Appliance also has IBM Lotus Foundations preloaded.

The basic requirements are also met with the IBM System x3105. This server is capable of supporting 25 - 30 average users [1]. Allowances should be made if your deployment environment differs significantly from the average, particularly with respect to the amount of email traffic and the size of the users' mail databases that are stored on the server.

Minimum requirements to run IBM Lotus Foundations Start:
- 2 GB of memory
- Pentium® 4 3.0 GHz processor (or AMD equivalent)

To accommodate Lotus Domino, it is recommended that you use a system with SATA disks. For larger installations and/or installations with higher performance requirements, it is recommended that you use a system with higher-end SCSI disks.

Deploy IBM Lotus Foundations Start on hardware as fast as your budget accommodates, particularly if you intend to deploy applications in addition to the standard email/groupware bundled with IBM Lotus Foundations Start.

[1] The average email user sends and receives approximately 100-200 emails per day, and has a mail database of 500 MB. The average email is 50 KB in size. For calculation purposes, the average IBM Lotus Foundations Start user uses a Lotus Notes client connected live to the server.


Quick reference and hardware sizing guide

The following table illustrates the recommended sizes based on number of users for optimum system selection:

Table 27. Recommended configurations based on number of users

| Number of users | Configuration used in baseline | Representative base hardware configurations | Notes |
|---|---|---|---|
| 1 - 5 | AMD Athlon64 3500+ 2.2 GHz, Intel® Pentium 4 3.2 GHz or greater, 100 GB SATA | IBM Lotus Foundations Appliance Entry Model, IBM Lotus Foundations Appliance Advanced Model | Requires external idb backup |
| 6 - 50 | Intel Core 2 Duo 2.0 GHz / 800 MHz Bus / 2 MB Cache (E4400), 1 GB DDR2 SDRAM (4 GB max), 2 x 250 GB removable SATA hard disk drives | IBM System x3105, IBM Lotus Foundations Appliance Entry Model, IBM Lotus Foundations Appliance Advanced Model | One disk reserved for idb backup |
| 50 - 150 | Intel Core 2 Duo 2.6 GHz / 1066 MHz Bus / 4 MB Cache (E6600), 2 GB DDR2 PC5300, 3 x 250 GB removable SATA hard disk drives | IBM System x3105, IBM Lotus Foundations Appliance Entry Model, IBM Lotus Foundations Appliance Advanced Model | One disk reserved for idb backup |
| 150+ | Dual Intel Xeon® 1.86 GHz, 4 MB Cache, 4 x 1024 MB DDR2, 4 x 512 DDR2, 4 x 73.4 GB 10K SAS Drives (IBM P/N: 39R7340) | IBM System x3400, IBM Lotus Foundations Appliance Advanced Model (up to 500 users) | For larger numbers of users, additional disk space is required for data storage, double backup, and idb backup. Lotus Domino with 150 email databases of 250 MB is 65 GB. Lotus Domino and 500 email databases is 127 GB. Double backups require the disk space requirement to be doubled. |


Email protocol choices affecting server performance

This section provides the major protocol choices provided to permit email clients to connect to the IBM Lotus Foundations Start server and their relative impact on the server. This section includes the load required, based on relative system usage, to support the protocol, as well as any document conversions required to transmit the emails. Thus, a number of 0 would be considered no load on the server, with the load on the server increasing as the number becomes larger.
- Lotus Notes (local replication of email database) - 0.5
- Lotus Notes (server copy of email database) - 1
- Lotus iNotes - 3
- Internet Message Access Protocol version 4 (IMAP4) - 3
- IMAP4 over Secure Sockets Layer (SSL) - 3.5
- Post Office Protocol version 3 (POP3) - 2
- POP3 over SSL - 2.5

When determining the type of client to deploy, how many users, and type of users, the above demonstrates that not all clients are equivalent.

Other services running on the IBM Lotus Foundations server

Even if the server is used almost exclusively for email and email-related services, consideration must be given to services such as Spam Scanner and AntiVirus for IBM Lotus Foundations. The load that these services place on the server is determined by the amount of external email received on the system. Resource planning should be based on the actual amount of email the system receives. In other words, include real email, viruses, and spam email a user receives during resource planning; do not only include the amount of legitimate email a user receives.

Careful consideration should also be given to the many other services running on the IBM Lotus Foundations Start server, including the file server, Web server, and Point-to-Point Tunneling Protocol (PPTP).

IBM Lotus Foundations Start requires a minimum of 2 GB of memory for Lotus Domino. If your system uses other services, consider upgrading memory to ensure that adequate memory is available to run services in addition to Lotus Domino.

The same consideration should be given to the processor selection: allowances should be planned so other services might adequately run with the Lotus Domino server.

Backup scheduling

IBM Lotus Foundations Start includes an idb job that takes care of backing up the notesbackup team. This job is the LF Start Backup job. The job itself takes care of backing up the Lotus Domino databases safely to the notesbackup team each time the job runs so the databases are in a consistent state when backed up. You should schedule the job for minimum impact on the business operations.

Carefully consider when a backup is scheduled to start and how often the backup is scheduled to run. You should gauge approximately how long your backups take based upon how much data you have.


The following information should help you in your planning:

Table 28. Lotus Domino backup duration based on number of users

| Number of users | Lotus Domino backup duration |
|---|---|
| 20 | First backup approximately 60 minutes; subsequent backups approximately 15 minutes |
| 50 | First backup approximately 3 hours; subsequent backups approximately 1 hour |
| 150 | First backup approximately 3.5 hours; subsequent backups approximately 1.5 hours |

For example: If you have 20 users with a total email size of 5 GB and total disk space used on the system is 150 GB, you can expect the Lotus Domino database backup part of the LF Start Backup job to take approximately 15 minutes. A full backup of the same system takes approximately two to three hours, plus another two to three hours to perform the backup verification (for a total of four to six hours).

Most offices like to perform their backups during off-hours, as backups place an extra load on the server. An example schedule assumes that you want the backups to start at some time after 9:00 PM and complete by 7:00 AM. If you schedule the LF Start Backup job to begin at 9:00 PM, with 5 GB of data, the estimated time to completion for the Lotus Domino database backups part of the LF Start Backup job would be 9:15 PM. Given the estimate that a full idb backup takes up to six hours to complete, the idb backup part of the LF Start Backup job should start no later than 1:00 AM. To provide a bit of margin (and a bit of room for growth in the database and system server usage), schedule the LF Start Backup job for 10:00 PM.

It might not always be possible to schedule the backups without impacting business operations, as the business might be open for extended time periods or the amount of data might require that the backup windows overlap into the business day. In these circumstances, it is valuable to consider what time of the day the extra load would have the least impact on the business.

Uninterruptible power supplies (UPS)

For information about uninterruptible power supplies (UPS) and IBM Lotus Foundations, refer to the IBM technote UPS support in Lotus Foundations (http://www-01.ibm.com/support/docview.wss?uid=swg21387015).

Future capacity planning

The storage space required on a server for files and email can rapidly increase. Anticipate your future needs and choose the correct hard disk drive capacities, but also be aware that increased capacities have an impact on your server performance. Effects of increased storage on server performance include the following:
- idb backups take longer to perform
- More memory and processor power required to process mail
- More memory and processor power required to process full text indexes (if enabled)

Ever-increasing size in users' mail databases can have a negative overall impact on the server. It is worth considering setting user email quotas to limit the growth of mail databases. Desktop clients, such as Lotus Notes, can be set to automatically archive older email offline so an archive of email is still available without suffering the performance penalties associated with keeping the seldom-accessed old mail active on the server.

Lotus Domino is an application platform. If you intend to use applications, then considerations need to be made regarding disk capacity, processor, and memory to accommodate the needs of the applications. Each application has different system needs, so application documentation should be referenced for capacity planning.


Glossary

ADSL: Asymmetric Digital Subscriber Line. ADSL uses standard phone lines to deliver high-speed data communications. ADSL uses the portion of a phone line's bandwidth not used by voice, allowing for simultaneous voice and data transmission.

Bandwidth: This term describes information-carrying capacity of telephone or network wiring. Bandwidth is typically measured in bits per second.

Bit: Binary Digit. The smallest unit of computerized data. A bit is represented as either 1 or 0.

Cable Modem: Cable modems provide Internet access over cable TV networks (which use fiber-optic or coaxial cables). They are much faster than modems that use phone lines.

Cache: A copy of a program or data that is used for faster access. See also Web Cache.

Certificate Authority: An issuer of security certificates used in SSL connections. See also SSL.

Client: A computer system or process that requests a service from another computer system or process.

Data Encryption: Encrypting data is accomplished by applying a scrambling code that makes the data unreadable to anyone who does not have a decryption key. Authorized personnel with access to this key can unscramble it. Data encryption is a useful tool against malicious users.

DHCP: Dynamic Host Configuration Protocol. This is an industry-standard protocol that assigns IP information to computers.

Disk Quota: Disk Quota defines the maximum amount of hard disk space allowed for a user's files.

DNS: Domain Name Service. A set of guidelines and rules that allows you to navigate the Internet using domain names instead of IP addresses.

DDNS or Dynamic DNS: Dynamic Domain Name Service. A service that automatically updates DNS information when a new IP address is assigned to a network.

DNS Server: A computer or server that matches an IP address to a domain name. Some ISPs provide a specific DNS address.

DSL: Digital Subscriber Line. Technology that provides data transmission over the telephone network.


Ethernet: A LAN that connects devices like computers, printers, and terminals. Ethernet transmits data over twisted-pair or coaxial cables at 10, 100, or 1000 Mbps.

EtherTalk: Networking protocol used by Apple equipment connected directly to Ethernet.

FastForward: The ability to create a passage (or open a port) through your firewall to a service or a server hosting a service. See also Port Number.

Firewall: A device that provides secure Internet access and protects internal networks from intruders.

FTP: File Transfer Protocol. An Internet-based protocol used to copy files between computers (typically a client and a server) using UNIX-based command parameters. You can download shareware or freeware applications that remove all the complexities of UNIX and allow you to connect to FTP sites using a Web browser.

Gateway: A computer or server that is connected to multiple networks and is capable of routing or delivering packets between them.

HTML: Hypertext Markup Language. A set of tags and instructions used to create web pages. HTML tags create page layouts, format text, insert graphics and multimedia, and more.

HTTP: Hypertext Transfer Protocol. A protocol that makes hypertext information such as web pages available over the Internet.

Hub: A piece of hardware that connects computers together in a LAN, allowing information to travel between them.

Internet Gateway: A gateway for accessing the Internet, which is loosely defined as points of entrance to and exit from a communications network. A gateway is the node that translates between two otherwise incompatible networks or network segments. Gateways perform code and protocol conversion to facilitate traffic between data highways of differing architecture. A gateway can be thought of as a function within a system that enables communications with the outside world.

IMAP: Internet Message Access Protocol. A protocol that allows a client to access email without downloading it to a local computer. Used mainly to read email from a remote location.

IMAP Server: A server that uses IMAP to provide access to multiple server-side folders.

IP Address: Internet Protocol Address. The numeric address used to identify and locate a server, computer, or Web site on the Internet.

IP Address (Dynamic) A temporary IP address that is assigned to a computer by a DHCP server each time it goes online.

IP Address (Static) A permanent IP address that is assigned to a computer in an Internet Protocol network. Network devices that serve multiple users, such as servers, routers, and printers, are typically assigned static IP addresses.

IPsec Internet Protocol Secure. A type of secure connection between computers at different locations, creating Virtual Private Networks. See also VPN (Virtual Private Network).

ISDN Integrated Services Digital Networking. A digital-communication networking system used for high-speed communication with the Internet. ISDN is available through most telephone companies.

ISP Internet Service Provider. An organization that maintains a server directly connected to the Internet. Users who are not directly connected to the Internet typically connect through an ISP.

Java™ Designed by Sun Microsystems, Java is a programming language for adding animation and other action to Web sites. To view Web sites created with Java, your browser has to have Java enabled.

JavaScript™ Designed by Sun Microsystems and Netscape as an easy-to-use supplement to Java, JavaScript code can be added to standard HTML pages to create interactive documents. Most modern browsers support JavaScript.

kbps Kilobits per Second (thousands of bits per second). This is a measure of bandwidth, the amount of data that can flow in a given time, on a data transmission medium.

LDAP Lightweight Directory Access Protocol. The LDAP server provides a directory of users' names and email addresses.

LAN Local Area Network. A LAN links together computers that are in the same building. 10BaseT Ethernet is the most common LAN. See also Hub.

Mbps Megabits per Second (millions of bits per second). This is a measure of bandwidth (the amount of data that can flow in a given time) on a data transmission medium.

MX Record Mail Exchange Record. A DNS resource record type that indicates which host can handle mail for a particular domain.

NetBIOS Network Basic Input Output System. A protocol for networking on IBM PC and compatible systems.

NAT Network Address Translation. NAT enables one publicly visible IP address to refer to many IP addresses internally on a LAN, making it look like all traffic was generated by a single external IP address.

NFS Network file system. A protocol developed by Sun Microsystems which enables a computer to access files over a network as if they were on its local drive.

NIC Network Interface Card. An adapter card that physically connects a computer to a network cable.

NTP Network Time Protocol. An Internet standard protocol (built on top of TCP/IP) that assures accurate synchronization to the millisecond of computer clock times in a network of computers. Running as a continuous background client program on a computer, the NTP client sends periodic time requests to external time servers, obtaining server time stamps and using them to adjust the client's clock.

Packet A unit of data transmitted over a network. Large chunks of information are broken up into packets before they are sent across the Internet.

Packet Filter A filter that blocks traffic based on a specific IP address or type of application (email, FTP, Web), which is specified by port number.

Peer-to-Peer Network A network where there is no dedicated server. Computers with access privileges can share files and peripherals with all other computers on the network.

PING Packet InterNet Groper. A program used to determine if a server is functional. It sends small packets to the server, which replies with similar packets.

POP3 Post Office Protocol version 3. A protocol used most often by ISPs for receiving email messages. POP3 servers enable access to a single Inbox (as opposed to IMAP servers, which provide access to multiple server-side folders).

Port Number A number assigned to an application program running on a computer in a TCP/IP-based network such as the Internet. The number is used to link the incoming data to the correct service. There are several standard port numbers. For example, port 80 is used for Web traffic.

PPP Point-to-Point Protocol. A method of transmitting protocols (such as IP) over a serial link. PPP is most often used in dial-up modem connections from a home computer to an ISP.

PPPoE Point-to-Point Protocol over Ethernet. PPPoE is often used to connect DSL providers. Because it is based on two common standards (PPP and Ethernet), it is easy to integrate into existing networks.

PPTP Point-to-Point Tunneling Protocol. PPTP ensures secure communications over Virtual Private Networks.

Protocol A set of rules that govern network exchanges.

Proxy Server A server that acts as a barrier between an internal network and the Internet. Proxy servers can work with firewalls, which help keep outside users from gaining access to confidential information. A proxy server also enables the caching of Web pages for quicker retrieval.

RBL Realtime Blackhole List. A 'spam' blocker that has different levels of spam protection (such as Strong or Medium).

Router A device that handles the connection between two or more networks.

Routing The act of directing packets between networks.

Routing Table A list of destinations known to the router (server) that enables user traffic to get to and from its destinations.

RSA Rivest Shamir Adleman. An Internet encryption and authentication system that uses an algorithm developed by Ron Rivest, Adi Shamir, and Leonard Adleman.

Security Certificate Information used by the SSL protocol to establish a secure connection. Contains information about who a certificate belongs to, who issued it, its unique serial number, its valid dates, and its encrypted 'fingerprint' that is used to verify the contents of the certificate. See also SSL.

Server A computer or software package that provides specific services to a client. The term can refer to a particular piece of software (such as a Web server) or to the machine on which the software is running. A single server can run several different server software packages.

SNMP Simple Network Management Protocol. A protocol used to collect statistical information from a host about parameters such as central processing unit (CPU) utilization.

SMTP Simple Mail Transfer Protocol. A protocol used for transferring or sending email messages between servers. Another protocol (such as POP3) is used to retrieve the messages.

SQL Structured Query Language. A language used to create advanced databases.

SSL Secure Sockets Layer. A protocol that enables encrypted, authenticated communications to travel across the Internet. SSL is used mostly in communications between Web browsers and Web servers. URLs that begin with https indicate that an SSL connection is being used. Each side of an SSL connection must send a valid Security Certificate to the other. Each side then encrypts what it sends using both certificates, ensuring that only the intended recipient can decrypt it, that the other side can be sure of the data's origin, and that the message has not been tampered with.

Subnet A portion of a network (which can be a physically independent network segment) that shares a network address with other portions of a network. A subnet is distinguished by its own subnet number.

TCP/IP Transmission Control Protocol/Internet Protocol. A suite of protocols that allow computers to communicate on the Internet.

Telnet An application that lets you access resources on a UNIX or Linux computer. To use Telnet, you need to be familiar with UNIX-based programs.

UDP User Datagram Protocol. A protocol used throughout the Internet for services such as DNS.

URL Uniform Resource Locator. The standard method to give an address of any resource on the Internet. A URL looks like this: (http://www.ibm.com).

VPN Virtual Private Network. VPNs enable communication between users in different offices. To prevent people on the Internet from intercepting transmissions, all information that passes through a VPN is protected with 128 bit encryption, the strongest encryption technology available.

WAN Wide Area Network. A network that connects different LANs using routers.

Web Browser An interface that lets you view material on the Internet.

Web Cache An area on your hard disk that is reserved for storing images, text, and other files that have been viewed on the Internet.

WebConfig Web-based configuration system for IBM Lotus Foundations. To connect to WebConfig, enter (http://hostname:8043) in the address bar of a Web browser. For example, if your IBM Lotus Foundations server's host name is thunder, enter (http://thunder:8043) in the address bar.

WebMail Server A system that enables users to access their email account using any standard Web browser.

Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Office 4360
One Rogers Street
Cambridge, MA 02142
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Trademarks

IBM, the IBM logo, ibm.com, Lotus, and Notes are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

Printed in USA