Monday, 17 September 2018

The Road to Domino 10: Requirements Upgrading Notes Traveler or higher

In our preparations for Domino 10, we will initially upgrade our production environment to Domino 9.0.1 Feature Pack 9. Part of this upgrade is also the upgrade to Notes Traveler. The Notes Traveler version has a major update, the Run as User feature, which is selected by default. To carry out the Notes Traveler upgrade, a number of requirements must be met on the Domino server and in the mail databases. Below is a short description of the steps we have carried out. Note that Notes Traveler also runs on our Domino (mail) server. We do not have a separate Traveler server yet.

Starting with IBM Traveler, the Run as User feature will now be enabled by default.
When running as the user, the Traveler server will access the user's mail file as the user ID instead of the server ID. This feature resolves several long standing issues with accessing the user's mail file as the server ID, including:
  • Honor ACL controls on mail file and corporate lookup for the user.
  • Prevent event notices and automated responses from being sent from the server ID.
  • Prevent the server ID from being assigned as the owner of the mail profile when there is no owner defined.
Important notes: For the Run as User feature to function properly, the Traveler server must be listed as a trusted server in the user's Mail Server document.
To disable Run as User, set the following notes.ini parameter: NTS_USER_SESSION=false

A. Server document of the user's Mail server
On the Security tab, in the Server Access section, you can find the Trusted servers field.
If the Traveler server is not in the mail server's Trusted servers list, mobile users cannot access their mail file through the Traveler server.
In our case there is no separate Traveler server, so there is no need to add a server to the Trusted servers field.

B. Server document of the user's Traveler server / User's Traveler server 
Select the Security tab in the Server document. In the Server Access section you can find the fields Access server and Not access server.

If the Access server field is non-blank, only the servers and users listed there are allowed access. All others are denied access.
If the Not access server field is non-blank, the servers and users listed there are denied access, even those that are also in the Access server list.
If you have servers listed in the Access server field, check the box labeled 'users listed in all trusted directories'. If individual users are listed in the Not access server field, remove them if you want to allow them to sync.
In our case we selected 'All users can access this server' in the Access server field, and in the Not access server field the group 'Terminated Employees' from the Domino Directory.

IBM Notes Traveler Access section, Access server and Not access server

This section is configured in the same way as the Server Access section on the Security tab. However, Traveler does not log console messages for these access controls: because they are Traveler configuration parameters, denials are treated as expected events. To see these log entries you must be logging the user on FINE or FINEST.

C. ACL of the user's mail file - Basics tab
For the Run as User feature, anything less than Editor access in the Access Control List of the user's mail file, or an entry without all boxes checked, can restrict the actions that users can take on their own mail file.
A user with Reader access can receive emails and invitations, but cannot reply or accept because Readers cannot create the response documents. A user with Author access can only create documents if you check that box.

For all users we set the Field and Attributes settings as shown above. All users have Editor Access in their personal mail file.

D. ACL of the user's mail file - Advanced tab
For the Maximum Internet name and password field, all users should have at least Editor access.
This field restricts access for Internet users who authenticate using name and password (so iNotes users using basic auth), and for all Traveler users (mobile and IMSMO) when running as user.

The default value is Editor, which is sufficient to create, delete, read and write documents in the mail database.
Other values like Reader or No Access cause exceptions when reading or writing specific documents in the user's mail file. In our case all users have Editor access in the Maximum Internet name and password field.
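
The following is an added example, not part of the original post and not IBM code: a small Python model of requirements A to D that flags which users would fail to sync under Run as User. It reads nothing from Domino; the dictionary keys, server names, user names and group membership are all constructed assumptions standing in for values you would export from the Server documents and mail file ACLs.

```python
# Added example: models prerequisites A-D from this post; field names and sample data are constructed.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
EDITOR = LEVELS.index("Editor")

def expand(names, groups):
    """Flatten a name list, resolving one level of group names."""
    members = set()
    for name in names:
        members.update(groups.get(name, [name]))
    return members

def server_access_ok(user, cfg):
    """B: 'Not access server' always wins; a blank 'Access server' admits everyone."""
    if user in expand(cfg["not_access_server"], cfg["groups"]):
        return False
    if not cfg["access_server"]:
        return True
    return cfg["trusted_dir_users"] or user in expand(cfg["access_server"], cfg["groups"])

def check_user(u, cfg):
    """Return the findings that would stop or limit sync for one user."""
    findings = []
    trusted = cfg["trusted_servers"].get(u["mail_server"], [])
    # A: only applies when Traveler runs on a different server than the mail file
    if cfg["traveler_server"] != u["mail_server"] and cfg["traveler_server"] not in trusted:
        findings.append("A: Traveler server not in Trusted servers of mail server")
    if not server_access_ok(u["name"], cfg):
        findings.append("B: denied by Access server / Not access server")
    if LEVELS.index(u["acl_level"]) < EDITOR or not u["all_attrs"]:
        findings.append("C: mail file ACL below Editor or attributes unchecked")
    if LEVELS.index(u["max_internet"]) < EDITOR:
        findings.append("D: Maximum Internet name and password below Editor")
    return findings

CFG = {  # constructed: Traveler on the mail server itself, as in this post
    "traveler_server": "Mail01/Acme", "trusted_servers": {"Mail01/Acme": []},
    "access_server": [], "not_access_server": ["Terminated Employees"],
    "trusted_dir_users": False, "groups": {"Terminated Employees": ["Bob Old/Acme"]},
}
USERS = [  # constructed users: (name, ACL level, Maximum Internet level)
    {"name": n, "mail_server": "Mail01/Acme", "acl_level": a, "all_attrs": True, "max_internet": m}
    for n, a, m in [("Ann New/Acme", "Editor", "Editor"), ("Bob Old/Acme", "Editor", "Editor"),
                    ("Cy Read/Acme", "Author", "Reader")]
]

def audit(users=USERS, cfg=CFG):
    """Map each user name to its list of findings (empty list means ready)."""
    return {u["name"]: check_user(u, cfg) for u in users}
```

Calling `audit()` on the sample data reports the deny-list user under B and the under-privileged user under C and D; changing `traveler_server` to a separate server name brings requirement A into play.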

With the requirements as described above we are going to perform the Notes Traveler upgrade in our production environment. For more information see the IBM Technote How to resolve synchronization issues that start after upgrading to IBM Traveler (or higher).
