Securing IBM Lotus Notes Traveler on iOS
However, there are still a sizable number of enterprises running IBM Lotus Notes, and they have the same requirement
to secure email on mobile devices as everybody else.
Because IBM does not fully support all ActiveSync features, some native mail functionality is lost on iOS devices, in
particular Tasks (To Do in IBM terminology) and setting Out of Office.
IBM's solution to these gaps is its Traveler Companion and Notes To Do apps. These provide the ability to sync tasks
to and from mobile devices (Notes To Do) and to set Out of Office notifications from the device (Traveler Companion).
In general, to make these apps work, enterprises have had to expose their IBM Traveler infrastructure to the Internet.
As you can see from the diagram below, there is a requirement to expose the Traveler service through a load balancer or
firewall. This unfortunately opens up access to the Traveler server to any device with the correct credentials and also
introduces another potential attack vector into the internal corporate messaging system.
In comparison, in a Microsoft Exchange environment tasks and Out of Office can be set using the native client, routing
through a hardened reverse proxy such as MobileIron Sentry, which does not require any public exposure of the
Some potential solutions for IBM users are traditional VPNs, but these are costly and introduce further risks: they
open a full tunnel from the device and, given the nature of mobile, that tunnel will be up almost all of the time.
A more elegant solution is provided by MobileIron's AppConnect AppTunnel integration. Essentially, this launches an
on-demand TLS tunnel, authenticated with a client certificate (enrolled via SCEP) and subject to strict traffic control,
whenever the To Do or Companion app is launched. This is known as an AppTunnel and is exclusively tied to the configured
app. The services reachable through the AppTunnel are restricted by both destination IP/DNS name and port (for example,
only port 443 connections to the internal IP/DNS name of the Traveler server).
The AppTunnel is routed via a hardened reverse proxy appliance called an AppSentry (usually located in a DMZ) to the
internal interface of the Traveler server, so there is no need to expose the Traveler server's IP to the Internet. The
AppConnect configuration automatically populates the correct server URL and the end user's username, so the only
prompt they receive is for their Notes password.
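The access decision described above, modelled in Python as an added example (not code from the original article or from MobileIron): the tunnel is bound to one app, the client must present an unexpired certificate from the enterprise SCEP CA, and only the configured internal host and port are reachable. The app identifier, CA name and host `traveler.corp.internal` are assumed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class AppTunnelRule:
    """One AppTunnel: a single app allowed to reach a single internal service."""
    app_id: str       # the app this tunnel is exclusively tied to
    dest_host: str    # internal DNS name of the Traveler server (placeholder)
    dest_port: int    # only this port is permitted (443 for Traveler)
    issuer_cn: str    # CA that issues the SCEP client certificates


@dataclass(frozen=True)
class ClientCert:
    issuer_cn: str
    subject_cn: str
    not_after: datetime


@dataclass(frozen=True)
class TunnelRequest:
    app_id: str
    cert: Optional[ClientCert]   # None when no client certificate was presented
    dest_host: str
    dest_port: int


def evaluate(rule: AppTunnelRule, req: TunnelRequest, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request arriving at the DMZ reverse proxy."""
    if req.app_id != rule.app_id:
        return False, "tunnel is bound to a different app"
    if req.cert is None:
        return False, "no client certificate presented"
    if req.cert.issuer_cn != rule.issuer_cn:
        return False, "client certificate not issued by enterprise CA"
    if req.cert.not_after <= now:
        return False, "client certificate expired"
    if req.dest_host.lower() != rule.dest_host.lower() or req.dest_port != rule.dest_port:
        return False, "destination not permitted for this tunnel"
    return True, f"forward to {rule.dest_host}:{rule.dest_port} as {req.cert.subject_cn}"


# Constructed sample policy and certificate; all values are placeholders.
RULE = AppTunnelRule("com.example.notes-todo", "traveler.corp.internal", 443, "Example Corp SCEP CA")
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
GOOD_CERT = ClientCert("Example Corp SCEP CA", "jdoe", datetime(2025, 1, 1, tzinfo=timezone.utc))
```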
The same configuration can be used for both IBM apps, and the user experience is seamless. The user can open the To Do
app on their mobile device, see tasks they created in their desktop client, edit them, or create new ones, which then
sync back to the desktop client. In the Companion app the user can see the status of their Out of Office, toggle it on
or off, and edit the Out of Office message.
Other security benefits of the AppConnect functionality are the ability to restrict data leakage by preventing cut and
paste from the apps, preventing or restricting what the apps can share with other apps using Open In controls, and of
course the ability to remotely remove all data from the apps when the device is retired or is detected as compromised
in some way, for example jailbroken. These benefits are not limited to the IBM apps: the MobileIron AppConnect program
partners with many major IT solution vendors, and MobileIron also provides an AppConnect SDK so software developers can
add AppConnect functionality to their own apps. AppTunnels can also be used for secure access to internal
websites/intranets as well as file shares, enabling a rich office experience for mobile users.
In conclusion, the combination of IBM's Notes Companion and Traveler To Do apps with MobileIron AppConnect provides an
excellent solution for securely enabling mobile workers to have a full PIM experience while on the go.