Enabling Lotus Notes to communicate via Direct Access and UAG
I had a call recently from a customer on IBM’s Notes who wants to use Direct Access. The issue was that it did not work through Direct Access by default, but as you read on, we did get it working!
Why it did not work by default?
If you think about the Direct Access architecture, it really depends on TCP/IP version 6. Ben discussed this in detail at: http://blogs.technet.com/b/edgeaccessblog/archive/2009/10/13/deep-dive-into-uag-directaccess-ipv6-and-directaccess.aspx, so I won’t go much further here.
The issue with Notes is that by default, it will not initiate an IPv6 communication. With Note version 8.0 and above, IBM enabled IPv6 communications by adding a simple line to the "[notes]" section of the notes.ini file. This is discussed in detail here: http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.help.domino.admin.doc/DOC/H_EXAMPLES_OF_USING_NOTES_INI_VARIABLES_WITH_IPV6_STEPS.html. Simply stated, once we enabled the “TCP_EnableIPv6=1” setting, Notes started initiating communications on IPv6. When we added Forefront Unified Access Gateway (UAG), we were able to convert IPv6 to IPv4, which is the only protocol the IBM Domino servers were configured to communicate with. With this change the Notes clients no longer needs to set a location, they simply use the “Office” location and connect remotely just as if they were on the network.
Error Message if IPv6 is not enabled:
If you try to access a Domino server via Direct Access without the change mentioned above, you will get the error message “The remote server is not a known TCP/IP host.” This simply means Notes could not resolve and connect to the Domino server. If you try to trace the server (Notes File Menu –> Preferences -> Notes Ports) you will see that it cannot resolve the host, as Direct Access clients use IPv6. See figure below.
Success with TCP_EnableIPv6=1:
Once you make the required change to the correct notes.ini file (note, there can be a few of these files and the location is configurable), the client will resolve via IPv6 and communicate just fine. You can even go into the trace and see that it resolves to an IPv6 address, see figure below.
Other items to consider:
Clients caching server addresses:
IBM Notes also has the ability to cache server name and IP addresses. This caching can break roaming workstations or workstations that change from local network to a Direct Access connected network. To resolve this, Notes implements a “Dont_Use_Remembered_Addresses” setting in the "[notes]" section of the notes.ini file, discussed here: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Dont_Use_Remembered_Addresses.
To eliminate caching issues, set the above value to “1”.
Manual IPv4 addressed assignment and configuration in the directory (Name and Address Book) or a connection document:
With some network typologies, it may have been necessary to configure the Domino server to listen on a specific IP address, to hard code an IP address in a connection document or hard code IPv4 address in the Directory (names.nsf). These changes can affect and break the way a Direct Access client resolves names to IPv6 addresses. Any place that an IPv4 address is configured has the potential to break Direct Access. Use host names instead.
To eliminate this issue, do not use IPv4 addresses in the notes.ini, address book/directory (names.nsf) or a connection document.
It is possible that IPv4 addresses may be used in bookmarks creating a dependence on Notes and IPv4 routing.
To eliminate this issue, do not use IPv4 addresses in bookmarks.
Opening Databases via File -> Application -> Open:
If opening databases via the File -> Application -> Open command and you input the IP v4 address, this will create a connection document based on the IPv4 address, which will break when using Direct Access.
To eliminate this issue, do not use IPv4 addresses in the open command.
Kevin Saye, Security Technical Specialist – Microsoft
Noam Ben-Yochanan, Program Manager – Microsoft
Pratyush Garge, Software Engineer – IBM