Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 
alt

Daniel Nashed

 

Nomad Web server connection options

Daniel Nashed  25 January 2023 09:57:35

Nomad Web is a modern HCL client offering in form of a Progressive Web Application (PWA) running in your web browser.
In addition to Windows or Mac, it also works on Ubuntu and other Linux distributions! So there is finally a client offering for Linux clients again!

The Nomad Web application is installed on a server providing the required files for download.
Those files can be stored on a SafeLinx or Domino/Nomad Web server.

Your browser downloads the application and runs it locally in your browser.
It is basically a cross compile using the Notes basic client code.


Special connectivity requirements: WebSockets


Nomad Web clients cannot directly connect to your Domino servers using NRPC with a standard TCP/IP connection.

Because the client is in a browser it uses modern web technologies to connect to the server.
This brings new advantages but also new challenges.

Standard HTTPS connections are not a stateful network connection.
You can send multiple HTTPS request over the same connection and have a TLS session.
But it isn't a TCP/IP network session in the way NRPC would require it.

Modern web technology supports so called web-sockets to allow stateful network connections for web applications.

Nomad Web tunnels the NRPC session with all it's transactions via WebSockets to Domino.
But because Domino itself does not understand WebSocket NRPC connections, you need a server component to translate the network packages.


SafeLinx Server


Until the Nomad Server was released recently a HCL SafeLinx server was the only network component allowing to bridge the protocols.
You don't need to separate license a SafeLinx server. But it is a separate server component, which is not always intuitive to deploy.


Therefore the HCL Domino Container Community project provides an easy to configure SafeLinx container -->
https://opensource.hcltechsw.com/domino-container/safelinx/

The container is easy to configure specifying just a couple of environment variables instead of using the old fashioned Java admin client application.

SafeLinx offers a connection module specially designed for Nomad Web bridging the WebSocket protocol to NRPC.


It also allows you to define target Domino servers and the corresponding internet host name.

Safelinx handles the TLS connection and tunnels the NRPC connection to the right target host.


In addition to a static configuration mapping Domino server names to host names to connect to, SafeLinx can leverage a LDAP connection to a Domino server to map server names dynamically.

The SafeLinx container image uses this type of configuration to avoid complex configurations.



"Server Name Indication"


SafeLinx receives all the traffic over the same HTTPS connection using a single TLS/SSL certificate on a single IP address to dispatch all the traffic acting as a secure reverse proxy.


The first NRPC package connecting the client to the server contains the target Domino server name in the first network package.
SafeLinx uses this Domino name to map the session to the right Domino server using it's FQDN (lookup in it's own configuration or via LDAP from a Domino server).


The resulting stateful WebSocket connection is handled by the SafeLinx server.


This means you can use a single SafeLinx server to connect to multiple Domino servers in parallel.

SafeLinx ensures the dispatching and handles the stateful WebSocket connection tunneling the NRPC socket connection for you.



Nomad Web Server


Because not every customer wants to install a separate SafeLinx server, HCL came up with a new server component called "Nomad Web Server".


A Nomad Web Server consists mainly on two parts.

Let's have a look at the two binary files shipped with the Windows version:


nwsp-win.exe


Is a Node.js application compiled into a single executable. Node.js provides native WebSocket protocol already and a Node.js application is a low overhead way to implement a way to bride protocols.

All connections are going thru this component and will be routed to the target Domino server directly.


You can run this component separately from your Domino server and configure all settings in a YAML file.

In this case the YAML configuration contains settings for the TLS certificate/key and also mapping configuration for your Domino servers.

Very similar to what SafeLinx provides with it static configuration.



nnomad.exe


The more convenient way is to use this component directly on a Domino server in combination with a Nomad servertask.

This server task is started on a Domino server running on the same host.

Both components talk to each other using a private TLS connection.


The Nomad servertask provides configuration information to connect to the own Domino server it is running on.
And also provides connectivity information to other Domino servers in the Domain.


This is comparable to what SafeLinx provides using the LDAP lookup.


Both components work hand in hand and glue together. You can even leverage existing TLS Credentials in your Domino Certificate store (certstore.nsf).


The only configuration needed in this case is the hostname for the certificate specified in a notes.ini setting:

NOMAD_WEB_HOST=domino.acme.com


This would also work for wild-card certificates like this:


NOMAD_WEB_HOST=*.acme.com



The TLS Credentials document just must be assigned to the Domino server to have Domino decrypt the private key.
And it needs to be a unique match in your certstore.nsf.



Using a Load Balancer or Secure Reverse Proxy in front of Nomad Web with SNI



Nomad Web Server and SafeLinx work very similar in handling the connection and establishing the session.

Both also handle the mapping to the right Domino server in the same way analyzing the first NRPC package.



But what if you want to put NGINX or another load balancer in front of your server?

Note: I would even advice you to add a robust load balancer like NGINX as a first line of defense in front of any Node.js application like Nomad Server.


Because the websocket protocol is HTTPS based, most modern load-balancers and reverse proxies can handle the HTTPS session and even dispatch traffic over server name indication (SNI).


This means you can run those HTTPS sessions on the same IP and TLS port 443 you are using for other connections.


The only special requirement for WebSockets is a configuration which supports the WebSocket upgrade header.

You find a sample configuration for NGINX in the Nomad Web Server documentation referenced below.



Conclusion and additional tips



This blog post is mainly intended to give you and overview and not an instruction how to setup Nomad Web.

Specially for intranet environments the Nomad Server is an easy to install component, which helps you to deploy Nomad Server quite quickly.


We added the Nomad Server package to the Domino community image as an add-on, which can be automatically build into the Domino server image -->
https://opensource.hcltechsw.com/domino-container/.

Still even for intranet deployments I would always add a secure load balancer in front of the Nomad server.

SafeLinx in contrast is already a secure load-balancer written in C on a more robust stack.


But both options provide you with the required WebSocket connectivity for Nomad Web.




References for more details:


Nomad Web Documentation

https://help.hcltechsw.com/nomad/1.0_web/nomad_web.html

Nomad Server Documentation

https://help.hcltechsw.com/nomad/1.0_admin/nomadserver_domino.html

WebSocket Wikipedia

https://en.wikipedia.org/wiki/WebSocket

RFC6455 The WebSocket Protocol

https://datatracker.ietf.org/doc/html/rfc6455

The WebSocket API (WebSockets)

https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API
Comments

1Christian Henseler  26.01.2023 18:45:47  Nomad Web server connection options

Thank you very much for this enlighting post.

Would you mind to dive deeper into your recommendation to put a load balancer in front of an intranet Nomad Web Server running directly in front of (a single) Domino server hosting the Nomad Web component? I miss the point in your argumentation (or your use case does not match the use case I have in mind, when one has to provide Nomad Web entry point in dislocated isolated sites)

Are there recommendstions how many clients a single Nomad Web server can deal with or is the limitation on the backend side as a result of numbers of Domino Server NRPC connections the Nomad Web server has to deal with?

Thank you very much in advance

2Daniel Nashed  27.01.2023 21:13:51  Nomad Web server connection options

@Christian, would you trust a Note.js server as your fist line of defence?

External environments are more exposed. But you also have to protect from internal risks inside your network.

From what I know the performance of Nomad web is similar to a SafeLinx server and I don't have exact numbers for both.

But you can assume that a Nomad server infront of a single server should not bring you into any scalability issues.

You need more CPU and more RAM. Specially for RAM I saw quite some increase in my small server and I have no idea how much that increases based on the number of users.

I hope the initial memory is more than what is added per user. But I have no practical experience.

If you are planning a larger deployment with Nomad servers, lets take this to HCL ..

-- Daniel

3Christian Henseler  28.01.2023 14:19:40  Nomad Web server connection options

Thank you very much for your answer, but I don‘t see a security benefit from using a load balancer. I am not talking about a Reverse Proxy.

What are your specific security concerns in regard to node.js applications in general and Nomad Server especially?

Shouldn’t HCL provide a secure Architecture instead of forcing Domino customers to build an additional line of defense, is Nomad Server so insecure that you recommend an additional security wall around Nomad Server, even within intranets?

In our use case we have to ensure Nomad Web functionality in isolated sites and putting a Reverse Proxy in front of all Nomad Web Servers is quite an overkill. As sites might be isolated from time to time, we are not able to use a central SafeLinx Infrastructure or a central Nomad Web Server.

And from a security perspective using a central Nomad Web Server to access dislocated Domino servers with clients in the same dislocated site isn‘t perfect from my point of view and is generating additional traffic that could be avoided.

If your a cloud minded/central infrastructure minded customer, all your dislocated sites depend on connectivity.

There are still use cases, where „cloud“ is not the best solution

4Daniel Nashed  28.01.2023 19:12:30  Nomad Web server connection options

@Christian, this is my personal opinion as a partner:

I would not let anyone directly access any Node.js based server.

It's not the HCL implementation I don't trust. It's the platform I would personally not trust!

The SafeLinx server is written in C instead. I would have wished HCL would have taken their experience from SafeLinx and nartively implement the same functionality right into Domino.

Instead Node.js is used for the connection with all it's potential vulnerabilites coming up from time to time.

A NGINX proxy is a specially hardened piece of software designed for very high loads in secure environments.

Adding a NGINX proxy on a machine isn't much extra effort. The configuration is very simple. The only challenge would be the certificate deployment, which is integrated into Nomad Server.

But I have shown how to automatically deploy certificates for NGINX in an earlier post.

5Christian Henseler  29.01.2023 10:57:33  Nomad Web server connection options

Once again thank you very much for your point of view :-)

In large organizations, the pure technical aspects are only one part of a solution.

SafeLinx as well as NGINX are products new to Domino administrators, resulting in a know how and support problem.

Furthermore, if other Reverse Proxy and Load Balancing products are already part of your IT services portfolio, you might even won‘t be able to introduce these new products.

If you have to use other products, you‘ll have to deal with additional licences costs and in most cases such infrastructure components are managed by other IT groups.

If you need a multi site deployment with isolated sites, you can‘t rely on a central HA Safelinx infrastructure, and you get a know problem on the side of local administrators.

As I hope to shed some light on, a technical simple solutions might result in an enormous complexity on the organizational layer of IT departments.

For all these reasons I was quite happy that HCL published Nomad Server as Domino server component and you will propably agree, that Nomad Server is pretty simple to be installed.

Reading your blog post I was wondering about your recommendation in regards to put an additional security layer in front of Nomad servers, especially when no one else focussed on this matter in Nomad server presentations or Node.js on Domino presentations.

That you need LB components in front of Traveler, Verse, Nomad servers in HA environments, is common sense.

Thank you very much :-)

Links

    Archives


    • [IBM Lotus Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]