Securing IBM Lotus Notes Traveler on iOS
However, there are still a sizable number of enterprises running IBM Lotus Notes, and they have the same requirements to secure email on mobile devices as everybody else.
Because IBM does not fully support all ActiveSync features, some native mail functionality is lost on iOS devices, in particular Tasks (To Do in IBM terminology) and setting Out of Office.
IBM's solution to these gaps is its Traveler Companion and Notes To Do apps. These provide the ability to sync tasks to and from mobile devices (Notes To Do) and to set Out of Office notifications from the device (Traveler Companion).
In general, to enable these apps to work, enterprises had to expose their IBM Traveler infrastructure to the Internet.
As you can see from the diagram below, there is a requirement to expose the Traveler service through a load balancer or firewall. This unfortunately opens up access to the Traveler server to any device with the correct credentials and introduces another potential attack vector into the internal corporate messaging system.
In comparison, in a Microsoft Exchange environment tasks and Out of Office can be set from the native client, routed through a hardened reverse proxy such as MobileIron Sentry, which does not require exposing the Exchange environment publicly.
One potential solution for IBM users is a traditional VPN, but VPNs are costly and expose further dangers: they open up a full tunnel from the device, and, due to the nature of mobile use, that tunnel will be up almost all of the time.
A more elegant solution is provided by MobileIron's AppConnect AppTunnel integration. Essentially, this enables an on-demand TLS tunnel, authenticated by client certificate (provisioned via SCEP) and subject to strict traffic control, to be launched whenever the To Do or Companion app is opened. This is known as an AppTunnel and is exclusively tied to the configured app. The services reachable through the AppTunnel are restricted both by destination IP address or DNS name and by port (for example, port 443 connections to the internal IP address or DNS name of the Traveler server only).
The AppTunnel is routed via a hardened reverse proxy appliance called an AppSentry (usually located in a DMZ) to the internal interface of the Traveler server, so there is no need to have the Traveler server's IP address exposed to the Internet. The AppConnect configuration automatically populates the correct server URL and the end user's username, so the only prompt the user receives is for their Notes password.
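To make the traffic-control rules described above concrete, here is an added example of a policy evaluator for a per-app tunnel gateway. It is illustrative code written for this article, not MobileIron's implementation or any AppSentry API: it models a tunnel that is bound to one app, refuses connections without a client certificate, and only admits allowlisted destination hosts (DNS name or CIDR) and ports. The bundle identifier, host names and addresses are constructed placeholders.

```python
"""
Illustrative per-app tunnel policy evaluator (hypothetical; not MobileIron code).
Models the three AppTunnel controls discussed in the text:
  1. the tunnel is tied to a specific app,
  2. the client must present a certificate (as provisioned via SCEP),
  3. only allowlisted destination hosts/IPs and ports are reachable.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class TunnelRule:
    app_id: str                     # app bundle identifier the tunnel is tied to
    allowed_hosts: FrozenSet[str]   # DNS names or IP/CIDR patterns
    allowed_ports: FrozenSet[int]


@dataclass(frozen=True)
class TunnelRequest:
    app_id: str
    client_cert_cn: Optional[str]   # None when no client certificate was presented
    dest_host: str
    dest_port: int


def _host_matches(dest: str, pattern: str) -> bool:
    """Exact match for DNS names; CIDR containment for IP literals."""
    dest = dest.strip().lower().rstrip(".")
    pattern = pattern.strip().lower().rstrip(".")
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return dest == pattern          # pattern is a DNS name: exact match only
    try:
        return ipaddress.ip_address(dest) in net
    except ValueError:
        return False                    # a DNS name never satisfies an IP rule


def evaluate(req: TunnelRequest, rules: Dict[str, TunnelRule]) -> Tuple[bool, str]:
    """Return (allowed, reason). All checks must pass; the first failure wins."""
    if req.client_cert_cn is None:
        return False, "no client certificate presented"
    rule = rules.get(req.app_id)
    if rule is None:
        return False, f"app {req.app_id} has no tunnel configured"
    if not any(_host_matches(req.dest_host, p) for p in rule.allowed_hosts):
        return False, f"destination host {req.dest_host} not allowlisted"
    if req.dest_port not in rule.allowed_ports:
        return False, f"destination port {req.dest_port} not allowlisted"
    return True, "allowed"


# Constructed rule set: one tunnel for a hypothetical To Do app, limited to
# TCP/443 on the Traveler server's internal DNS name or its internal subnet.
RULES: Dict[str, TunnelRule] = {
    "com.example.todo": TunnelRule(
        app_id="com.example.todo",
        allowed_hosts=frozenset({"traveler.corp.example", "10.1.2.0/24"}),
        allowed_ports=frozenset({443}),
    ),
}


def demo() -> list:
    """Run a few constructed requests through the policy and return the verdicts."""
    requests = [
        TunnelRequest("com.example.todo", "user1", "traveler.corp.example", 443),
        TunnelRequest("com.example.todo", "user1", "10.1.2.7", 443),
        TunnelRequest("com.example.todo", "user1", "traveler.corp.example", 80),
        TunnelRequest("com.example.todo", None, "traveler.corp.example", 443),
        TunnelRequest("com.example.browser", "user1", "traveler.corp.example", 443),
        TunnelRequest("com.example.todo", "user1", "10.1.3.7", 443),
    ]
    return [evaluate(r, RULES) for r in requests]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Only the first two requests are admitted; the others are denied for a wrong port, a missing client certificate, an app with no tunnel bound to it, and an address outside the allowlisted subnet. The order of checks is deliberate: an unauthenticated client learns nothing about which hosts are allowlisted.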
The same configuration can be used for both IBM apps, and the user experience is seamless. The user can open the To Do app on their mobile device, see tasks they created on their desktop client, and edit them or create new ones, which then sync back to the desktop client. In the Companion app the user can see the status of their Out of Office, toggle it on or off, and edit the Out of Office message.
Other security benefits of the AppConnect functionality are the ability to limit data leakage by preventing cut and paste from the apps, preventing or restricting what the apps can share with other apps using Open In controls, and of course the ability to remotely remove all data from the apps when the device is retired or is detected as compromised in some way, for example jailbroken. These benefits are not limited to IBM apps: the MobileIron AppConnect program partners with many major IT solution vendors, and MobileIron also provides an AppConnect SDK so that software developers can add AppConnect functionality to their own apps. AppTunnels can also be used for secure access to internal websites and intranets as well as file shares, giving mobile users a rich office experience.
In conclusion, the combination of IBM's Notes Companion and Traveler To Do apps with MobileIron AppConnect provides an excellent solution for securely giving mobile workers a full PIM experience while on the go.