IBM Support

Authentication and tunneling with a Forward Proxy or Reverse Proxy with DOLS

Technote (FAQ)


Is Lotus Domino Off-Line Services (DOLS) supported with Forward and Reverse Proxies? Can the Lotus Domino Sync Manager replicate in this configuration? Which authentication methods are supported?


DOLS is supported in environments configured with either a Forward Proxy or Reverse Proxy; however, some considerations and limitations apply.

Forward Proxies

In the case of a Forward Proxy, enter the proxy address and port in Sync Manager > Options > Proxy Settings:

Because you are tunneling through the Forward Proxy, make sure that tunneling is possible in the proxy configuration, and that the HTTP CONNECT method is allowed and enabled. A simple method to verify if the proxy is configured correctly is to set up the Lotus Notes® client for HTTP tunneling via the proxy. To do this:

1. In the Notes client select File > Mobile > Edit Current Location, and click the icon next to the "Proxy configuration" field:

2. In the Proxy Server Configuration enter the fully qualified host name (FQHN) and port in the HTTP Tunnel fields:

3. Click OK and make sure the Proxy configuration field is empty in the Location document (you may have to remove ":8080" that the wizard enters for you).
4. Save the document, then select File > Preferences > Ports > Trace and enter the name of the Domino server to which you are connecting. Then press the Trace button. Because the Notes client is now tunneling the requests over HTTP via the proxy server, in the Trace information you should see that it is connecting to your destination server via the proxy:
    Determining path to server dominoserver
    Available Ports:  TCPIP
    Checking normal priority connection documents only...
    Allowing wild card connection documents...
    Checking for dominoserver/NESCAR at last known address '' on TCPIP...
        Using address '' for dominoserver/NESCAR on TCPIP
      Connecting to Proxy Server: ...
      Network Connection established with Proxy
      Proxy Server has successfully negotiated connection
    Connected to server dominoserver/NESCAR
If, however, the Forward Proxy does not support tunneling or the CONNECT method, the following error displays:
    Network Connection established with Proxy
    Proxy Server failed to negotiate connection with target

The latest versions of IBM® WebSphere® Edge Server Caching proxy do not allow requests over HTTP but require Secure Socket Layer (SSL).

The following information is provided as reference only; currently these proxies are not officially supported as no comprehensive tests have been performed with these products:

If the proxy servers require an authentication method not supported by the Notes client tunneling feature, the following error displays:
    Connecting to Proxy Server: ...
    Network Connection established with Proxy
    Proxy Server failed to negotiate connection with target
    Unable to connect to pit2pc11 on TCPIP ( Proxy Server authentication failed, no common authentication scheme )

The Notes 7.0.2 client, and therefore, DOLS Sync Manager support only Basic Authentication (Base64 encoding) for providing credentials to a Proxy. This means that the Sync Manager cannot establish a connection with products that require a different authentication mechanism.

Reverse Proxies

The situation for Reverse Proxies is quite different. A Reverse Proxy is accessible from the internet, hides the internal hostnames of the servers that it protects, and allows connectivity based on URL mapping rules. While a Reverse Proxy can handle HTTP traffic, it cannot handle Domino NRPC traffic; or to say in different terms, Domino NRPC cannot route through a Reverse Proxy. Lotus® Domino® Web Access and Lotus® QuickPlace® can still download and install the Sync Manager from a Reverse Proxy; however, the Sync Manager will not be able to contact the Domino server through the Reverse Proxy for the synchronization process.

To make sure the DOLS Sync Manager can connect to the Domino server, it is necessary to either:

1. Set the $DOLS_TCPIPAddress parameter in the notes.ini of the server, by listing the FQHN of the Domino server. This will insure that the Sync Manager knows the destination address to which it is connecting for all offline subscriptions installed from this Domino server.
    Example: $DOLS_TCPIPAddress=


2. Specify the FQHN of the Domino server in the Admin - Network Settings section of the Offline Configuration Document form for the main application database.

With the $DOLS_TCPIPAddress or Network Settings configuration in place the Sync Manager will actually attempt to connect directly to the Domino server after it is downloaded and configured by a DOLS subscription installation. For a user accessing the Reverse Proxy from the Internet, the firewall would prevent the connection to the Domino and the following error will be reported:

The server is not responding. The server may be down or you may be experiencing network problems. Contact your system administrator if this problem persists.

To solve this problem it is possible to either use a Domino passthru server (also configurable via the Offline Configuration document) or a Forward Proxy server for establishing the connection to the final Domino server.

Enabling Basic Authentication in Microsoft ISA

Perform these steps to enable Basic Authentication in Microsoft ISA.

1. Select Networks under the Configuration branch:

2. Open the Internal network object:

3. Select the Web Proxy tab, click the Authentication button and select Basic:

4. Click OK in all windows and then click the Apply button to make the changes effective.

Related information

Initial synchronization fails while installing offline

Document information

More support for: Lotus End of Support Products
Lotus Domino Web Access

Software version: 6.0, 6.5, 7.0

Operating system(s): Windows

Reference #: 1255059

Modified date: 09 February 2007