Tuesday, September 30, 2008

What is Oracle Collaboration Suite & what are the components that constitute OCS?

Oracle Collaboration Suite is a suite of enterprise-class messaging and collaboration applications. Oracle Collaboration Suite contains the following components:
1. Calendar
Oracle Calendar is the time management component of Oracle Collaboration Suite, combining group and resource scheduling functionality with a variety of access methods to give you up-to-date task management information.
2. Content Services
Oracle Content Services is an enterprise content management system that enables users to collaborate more efficiently.
3. Discussions
Oracle Discussions is a scalable, manageable, and easy-to-use application for managing online discussion forums.
4. Mail
Oracle Mail is Oracle Collaboration Suite's open-standards-based solution for enterprise-wide e-mail, voice mail and faxes.
5. Mobile Collaboration
Oracle Mobile Collaboration is a collection of applications that enables you to access your e-mail, voice mail, calendar, contacts, tasks, files and corporate directories from any device with wireless or voice access.
6. Real-Time Collaboration
Oracle Real-Time Collaboration is the real-time messaging and conferencing component of Oracle Collaboration Suite. Oracle Real-Time Collaboration lets you participate in chats and Web conferences as well as publish your presence and availability.
7. Search
Oracle Collaboration Suite Search gives users of Oracle Collaboration Suite a configurable, all-in-one search solution across the following Oracle Collaboration Suite components: Oracle Mail, Oracle Calendar and Oracle Content Services.
8. Voicemail & Fax
Oracle Voicemail & Fax provides Oracle Collaboration Suite with centralized and secure message storage and retrieval for voice mail and faxes.
9. Workspaces
Oracle Workspaces let you share documents, hold discussions, administer meetings and manage tasks.

How should you map Application Components to Collaboration Suite Middle Tier Components?

I. The OC4J Instances
The more important ones that should usually be running at all times are the following:
  1. OC4J_Content: The Content Services application that runs the various file-serving protocol servers.
  2. OC4J_Mail: The Mail application that runs the various e-mail protocol servers
  3. OC4J_OCSADMIN: The Ultrasearch application.
  4. OC4J_OCSCLIENT: The starting point of the user interface to Oracle Collaboration Suite that must be running if any of the web clients are to be used.
  5. OC4J_Portal: A PL/SQL application that requires several Java modules, including the PPE (parallel page engine) that renders the pages returned to the user, to be running on the middle tier.
An Oracle Collaboration Suite infrastructure instance will be configured with one OC4J instance that should be running at all times. This is the OC4J_SECURITY instance that runs the OIDDAS application.
Note that there is also a HOME OC4J instance created in both middle tier and infrastructure instances. It should never be necessary to start this.



II. Mapping Application Components to Middle Tier Components
a) The Web Cache and HTTP Server (the Apache web listener) manage the HTTP traffic between browsers and middle tier instances.
b) Portal, consisting of the component that generates pages and the parallel page engine, is necessary to construct the web pages seen by end users.
c) The Calendar server itself consists of a set of processes visible in the Application Server Control window as just one component: the Calendar Server.
To see the individual processes, use the opmnctl utility:
$ opmnctl status ias-component=CalendarServer
d) Content Services is two components: the server component and a web interface component that runs within an OC4J container. These are shown in Application Server Control as the components Content and OC4J_Content.
e) The Mail application also consists of two components: Mail Application and OC4J_Mail. The Mail application is the Mail protocol servers. The OC4J_Mail component provides the Mail web interface.
f) The Real-Time Collaboration components are OC4J_imeeting and Real-Time Collaboration. The imeeting component manages the web interface for web conferencing; the Real-Time Collaboration component is the server process that enables real-time communication between users.
g) The Search component, based on the Ultrasearch web crawling facility that can crawl through database and web content, is accessed through the OC4J_OCSADMIN component.
h) The wireless capability is two components: OC4J_Wireless and Wireless.
i) Workspaces are implemented in PL/SQL and therefore cannot be controlled through OPMN or Application Server Control.
j) The Management component is the Enterprise Manager daemon. Since this is the Application Server Control process itself, it clearly cannot be started or stopped through Application Server Control; you must manage it with the emctl utility.

Oracle Collaboration Suite Fine Tuning

Runtime Configuration
The critical directives & their values in the httpd.conf file of an Oracle Collaboration Suite installation in production are the following:
  •  KeepAlive on
  •  MaxKeepAliveRequests 100
  •  KeepAliveTimeout 15
  •  MinSpareServers 5
  •  MaxSpareServers 20
  •  StartServers 5
  •  MaxClients 150

How to modify the refresh rate of Global Address List (GAL) in Oracle Calendar?

The default value for the Global Address List (GAL) refresh rate is once a week.

To modify the refresh rate of the GAL globally:
1. Edit the $ORACLE_HOME_MID/ocal/misc/unison.ini file.
2. Locate the [OUTLOOK_CONNECTOR] section.
3. Modify the value of the gal-minimal-lifetime-days parameter. The default value is 7. The value represents the number of days for the refresh interval. A value of "0" (zero days) means that every time the application is started, GAL updates are automatically queried. If a new GAL is available, it is downloaded.

To modify the refresh rate of the GAL locally:
1. Edit the ctoc.ini file (default location: c:\Program files\oracle\Outlook Connector).
2. Locate the [CTOC] section.
3. Modify the value of the gal-minimal-lifetime-days parameter. The default value is 7. The value represents the number of days for the refresh interval.

How to enable resource conflict in Oracle Calendar, part of Oracle Collaboration Suite 10.1.2?

Navigate to ORACLE_HOME/ocal/misc/unison.ini and change the following parameters as
shown
  •  resourceconflicts = TRUE under [LIMITS] section
  •  allowresourceconflict = FALSE under [ENG] section
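Both procedures above come down to changing a key in a named section of unison.ini. The following added example (Python; not code from the original post) makes those edits with a line-oriented rewrite that leaves comments and untouched lines exactly as they were, keeps a .bak copy, and fails loudly if a section or key is missing, so a typo such as [LIMIT] cannot produce a silently ignored setting. The sample file content is constructed; on a real middle tier point it at $ORACLE_HOME/ocal/misc/unison.ini.

```python
# Added example (not from the original post): apply the GAL refresh and resource
# conflict changes to unison.ini without disturbing the rest of the file.
import re
import shutil

_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")

# The two procedures described above, as {(section, key): value}.
CALENDAR_CHANGES = {
    ("OUTLOOK_CONNECTOR", "gal-minimal-lifetime-days"): "0",   # check for a new GAL at every start
    ("LIMITS", "resourceconflicts"): "TRUE",
    ("ENG", "allowresourceconflict"): "FALSE",
}

# Constructed stand-in for the relevant parts of unison.ini.
SAMPLE_UNISON_INI = """\
; constructed excerpt of unison.ini
[ENG]
allowresourceconflict = TRUE

[LIMITS]
resourceconflicts = FALSE

[OUTLOOK_CONNECTOR]
gal-minimal-lifetime-days = 7
"""

def set_ini_values(text, changes):
    """Return text with every (section, key) in changes rewritten to its new value.
    Comments, blank lines and other keys pass through untouched. Raises KeyError if
    any requested (section, key) does not exist, so nothing is added by accident."""
    pending = dict(changes)
    out = []
    section = None
    for line in text.splitlines(keepends=True):
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip().upper()
            out.append(line)
            continue
        key, sep, _ = line.partition("=")
        target = (section, key.strip())
        if sep and section is not None and target in pending:
            out.append("%s = %s\n" % (key.strip(), pending.pop(target)))
        else:
            out.append(line)
    if pending:
        raise KeyError("not found in unison.ini: %s" % sorted(pending))
    return "".join(out)

def apply_to_file(path, changes):
    """Rewrite the file in place, keeping the previous version as path + '.bak'."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = set_ini_values(original, changes)
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return updated

if __name__ == "__main__":
    print(set_ini_values(SAMPLE_UNISON_INI, CALENDAR_CHANGES))
```

Run apply_to_file("/path/to/ocal/misc/unison.ini", CALENDAR_CHANGES) on the middle tier and restart the Calendar server afterwards, as with any manual edit of the file.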

How to protect ROOT user password in production & connect to LDAP server?

Step 1:
Add an env-entry to the web.xml of the J2EE project. Whatever value you put here is packaged inside the WAR, so treat it as a placeholder: the real password is set on the deployed application in Step 5 and never checked into the project.
<env-entry>
  <description>Password for jndi</description>
  <env-entry-name>jndi-password</env-entry-name>
  <env-entry-value>welcome123</env-entry-value>
  <env-entry-type>java.lang.String</env-entry-type>
</env-entry>
Step 2:
Lookup the password by using JNDI lookup as following

Context initial = new InitialContext(); 
Context environment = (Context)initial.lookup("java:comp/env"); 
String password = (String)environment.lookup("jndi-password");

Step 3:
Deploy the application in an OC4J using Enterprise Manager. For example, I have deployed the application "HomePortlet" in oc4j_test.

Step 4: Navigate to the web module of the application and click on the Environment link.

Step 5: Update the “Deployed Value” in the environment entries heading and click “apply”.

LDAP API Programming Best Practices

We recently had problems with load on our single sign on (SSO) server. There were 100s of open LDAP connections to our LDAP servers.
Looking at the LDAP code, there were two places where we open LDAP connections (contexts, in JNDI terms), both following this pattern:

// javax.naming.Context, java.util.Hashtable, javax.naming.ldap.LdapContext / InitialLdapContext
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://hostname.com");
LdapContext ctx = new InitialLdapContext(env, null);
// do something with ctx
ctx.close();

The contexts were always closed and this is where LDAP connection pooling came into the picture.
env.put("com.sun.jndi.ldap.connect.pool", "true");
This turns on connection pooling. The following code is for your reference

import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.ResourceBundle;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Looks up givenname, middlename and sn for the logged-in portal user and returns them
// in that order (an empty string stands in for any attribute the entry does not carry).
public List<String> lookupUserNames(ResourceBundle bundle, String password, String loggedInUser) {
    List<String> list = new ArrayList<String>();
    DirContext ctx = null;
    NamingEnumeration<SearchResult> answers = null;
    Properties env = new Properties();
    // Bind the context
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://" + bundle.getString("LDAP_SERVER") + ":"
            + bundle.getString("LDAP_PORT") + "/");
    env.put(Context.SECURITY_PRINCIPAL, bundle.getString("ROOTDN"));
    // The bind password comes from the jndi-password env-entry (see above), not from the properties file
    // env.put(Context.SECURITY_CREDENTIALS, bundle.getString("ROOTPASS"));
    env.put(Context.SECURITY_CREDENTIALS, password);
    // LDAP connection pooling is implemented
    env.put("com.sun.jndi.ldap.connect.pool", "true");
    try {
        ctx = new InitialDirContext(env);
        // Pass the logged-in username from Portal as a filter argument: JNDI substitutes {0}
        // with RFC 4515 escaping, so a name containing * ( ) or \ cannot alter the filter.
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        ctls.setReturningAttributes(new String[] {"givenname", "middlename", "sn"});
        answers = ctx.search("", "(uid={0})", new Object[] {loggedInUser}, ctls);
        while (answers.hasMore()) {
            SearchResult sr = answers.next();
            Attributes attrs = sr.getAttributes();
            // Get all the required values. Attribute.get() returns the bare value; the
            // original formatXxx() helpers only stripped the "name: " prefix of Attribute.toString().
            list.add(firstValue(attrs.get("givenname")));
            list.add(firstValue(attrs.get("middlename")));
            list.add(firstValue(attrs.get("sn")));
        }
    } catch (NamingException ne) {
        System.err.println(ne.toString());
    } finally {
        // Close everything: an unclosed NamingEnumeration keeps its pooled connection busy
        try { if (answers != null) answers.close(); } catch (NamingException ignored) { }
        try { if (ctx != null) ctx.close(); } catch (NamingException ignored) { }
    }
    return list;
}

private static String firstValue(Attribute attr) throws NamingException {
    return attr == null ? "" : String.valueOf(attr.get());
}
Although in theory the connection pooling was working, it was still creating a lot of connections.
Then, upon closing every NamingEnumeration as well (the answers.close() in the finally block above), we finally got the desired result: hundreds of requests a minute with only around 10 to 15 LDAP connections open at any one time.

LDAP API Programming Best Practices
I. When creating contexts, use identical environment settings (factory, URL, principal, pooling flag) so that they share one connection pool; a different environment means a different pool.
II. Make sure you close everything. If it has a close(), use it: an open NamingEnumeration holds the pooled connection until it is closed.
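One more point a practitioner would raise about the lookup above: its original form built the filter by concatenating LoggedInUser into the filter string, so a user name containing filter metacharacters changes the query instead of being matched as a value. The following added example (Python; not code from the original post) shows the RFC 4515 escaping that keeps the name as data, beside what plain concatenation produces. JNDI's filterArgs form, ctx.search(base, "(uid={0})", new Object[] {user}, ctls), applies the same escaping for you. HOSTILE_USER is a constructed input.

```python
# Added example (not from the original post): build the uid search filter with
# RFC 4515 escaping so that metacharacters in the user name are matched literally.

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}

def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter.
    Each character is mapped once, so a backslash is never double-escaped."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def uid_filter(logged_in_user: str) -> str:
    """Filter the lookup should send: the user name is data, never filter syntax."""
    return "(uid=%s)" % escape_filter_value(logged_in_user)

def unsafe_uid_filter(logged_in_user: str) -> str:
    """What concatenation produces; shown only for comparison."""
    return "(uid=" + logged_in_user + ")"

# Constructed sample input: a user name carrying filter syntax.
HOSTILE_USER = "*)(objectClass=*"

if __name__ == "__main__":
    print(unsafe_uid_filter("jsmith"))       # (uid=jsmith)
    print(unsafe_uid_filter(HOSTILE_USER))   # (uid=*)(objectClass=*)  -> filter structure changed
    print(uid_filter(HOSTILE_USER))          # (uid=\2a\29\28objectClass=\2a) -> still one equality match
```

The escaped form still contains the original characters for the server to compare against the uid value; only their meaning to the filter parser is removed.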

How to create a user who can manage OID DAS?

Step 1:
Login to OIDDAS as super user and create a new user named 'oid_admin'. Give this new user 'Allow User Management and Application Provisioning' access by clicking on the 'Privileges' button.

Step 2:
Login to Oracle Directory Manager as root user. Navigate to Entry Management->
cn=OracleContext->  cn=Groups -> cn=OracleDASAdminGroup
Append the DN of this new user in the uniquemember attribute in the "properties" tab in the right frame.

Monday, September 29, 2008

How does Access Control List evaluation work?

When a user tries to perform an operation on a given object, the directory server determines whether the user has the appropriate access by:

1) Examining the orclEntryLevelACI attribute of the entry being accessed.
2) Proceeding to the nearest Access Control Point (ACP). ACPs are the entries in which the orclACI attribute has been given a value.
3) Continuing with each superior (higher) ACP in succession until the evaluation is complete.
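A simplified model of this walk, as an added example that is not from the original post: the rule format, the sample DIT and the policy "the first applicable rule found along the path decides, otherwise deny" are assumptions made for illustration; real OID ACI directives carry richer subject, right and precedence semantics than this. What the model does show is the order: the target's own orclEntryLevelACI is consulted before any ACP, and ACPs are consulted from the nearest upwards.

```python
# Added example (not from the original post): walk the ACL evaluation path in the
# order described above over a constructed DIT.

def dn_chain(dn):
    """target, parent, grandparent, ... root. Assumes no escaped commas in RDN values."""
    rdns = [p.strip() for p in dn.split(",")]
    return [",".join(rdns[i:]) for i in range(len(rdns))]

def _first_decision(rules, subject, right):
    """rules: list of (subject_dn or '*', right, 'grant' | 'deny'); None if nothing applies."""
    for rule_subject, rule_right, decision in rules:
        if rule_subject in (subject, "*") and rule_right == right:
            return decision
    return None

def evaluate_access(dit, target_dn, subject_dn, right):
    """Return (allowed, path); path lists where a decision was looked for, in order."""
    path = []
    entry = dit.get(target_dn, {})
    # 1) the target entry's own orclEntryLevelACI
    if "orclEntryLevelACI" in entry:
        path.append(("orclEntryLevelACI", target_dn))
        decision = _first_decision(entry["orclEntryLevelACI"], subject_dn, right)
        if decision:
            return decision == "grant", path
    # 2) the nearest ACP (an entry carrying orclACI), 3) then each superior ACP in turn
    for dn in dn_chain(target_dn):
        aci = dit.get(dn, {}).get("orclACI")
        if aci is None:
            continue                     # not an ACP, keep climbing
        path.append(("orclACI", dn))
        decision = _first_decision(aci, subject_dn, right)
        if decision:
            return decision == "grant", path
    return False, path                   # no rule applied anywhere: default deny

# Constructed sample DIT: only the entries that carry ACL attributes are listed.
SAMPLE_DIT = {
    "dc=example,dc=com": {
        "orclACI": [("*", "read", "grant")],
    },
    "ou=people,dc=example,dc=com": {
        "orclACI": [("cn=hr,ou=groups,dc=example,dc=com", "write", "grant")],
    },
    "cn=alice,ou=people,dc=example,dc=com": {
        "orclEntryLevelACI": [("cn=bob,ou=people,dc=example,dc=com", "read", "deny")],
    },
}
ALICE = "cn=alice,ou=people,dc=example,dc=com"
CAROL = "cn=carol,ou=people,dc=example,dc=com"
BOB = "cn=bob,ou=people,dc=example,dc=com"
HR = "cn=hr,ou=groups,dc=example,dc=com"

if __name__ == "__main__":
    print(evaluate_access(SAMPLE_DIT, ALICE, BOB, "read"))    # entry-level deny wins over the realm-wide grant
    print(evaluate_access(SAMPLE_DIT, CAROL, BOB, "read"))    # no entry-level ACI: granted by the ACP at the root
    print(evaluate_access(SAMPLE_DIT, CAROL, HR, "write"))    # granted by the nearest ACP, ou=people
    print(evaluate_access(SAMPLE_DIT, CAROL, BOB, "write"))   # nothing applies: denied
```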

Portal Page Security & Dynamic Groups in Portal 10.1.4

An important restriction to the use of dynamic groups in portal is that only 2 caching options can be used for pages in portal. They are 1) Don't cache 2) Cache page definition content for X minutes

The reason for these particular caching options is that Portal invalidates pages when a group or a user referenced in that page's Access Control List (ACL) is modified or deleted.

Portal gets this information from OID through DIP (Directory Integration and Provisioning); for dynamic groups, however, there is no such notification. Portal has no automated way to know that the membership of a dynamic group has changed.

Static & Dynamic groups in Oracle Internet Directory

Static Groups
A static group is one whose entry contains a list of members you explicitly administer. A static group is best suited for a group whose membership is unlikely to change frequently.

When you create the entry for this kind of group, you associate it with either the groupOfNames or the groupOfUniqueNames object class. Both object classes have a multi-valued attribute for storing the names of group members (member and uniqueMember respectively). To make a user a member of a group, you add the DN of that user to the respective multi-valued attribute.

Dynamic Groups
A dynamic group is one whose membership, rather than maintained in a list, is computed on the fly.
Example 1:
Suppose you want to send an e-mail to all users in the ou=sales naming context. To do this, you create a dynamic group in which you specify ou=sales as the naming context of interest.
Example 2:
You want to send an email to all the employees who report to a manager named Anne Smith

The members of a dynamic group are determined by a property named labeledURI. A labeledURI is an LDAP URL (RFC 4516) that defines an LDAP search request: base DN, attributes, scope and filter, separated by question marks. For example:

labeledURI = ldap://LDAP_SERVER_NAME:PORTNO/dc=oracle,dc=com??sub?(title=Manager)

This resolves to every entry under dc=oracle,dc=com (subtree scope) whose title is Manager. Dynamic groups therefore provide great flexibility: the membership can be changed at any moment by modifying the labeledURI.

How to check the content of a dynamic group?
a) Using OIDDAS web interface
b) By running ldapsearch command for e.g

$ ldapsearch -h LDAP_SERVER_NAME -p PORTNO -b "cn=DYNGROUP,cn=groups,dc=default_realm,dc=com" -s base "(objectclass=*)"
which returns, among other attributes:
objectclass=top
objectclass=orclDynamicGroup
objectclass=groupofUniqueNames
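To see what a labeledURI resolves to before you rely on it for a Portal ACL, it helps to evaluate it yourself. The following added example (Python; not code from the original post) parses a labeledURI into its RFC 4516 parts and computes the membership over a constructed set of entries, covering both examples above (all managers under dc=oracle,dc=com, and everyone reporting to Anne Smith). The host name, the entries and the small filter subset the matcher understands (equality, presence, &, |, !) are assumptions for illustration; in production the directory server evaluates the URL against the live DIT.

```python
# Added example (not from the original post): resolve a dynamic group's labeledURI
# against in-memory entries.
from urllib.parse import unquote

def parse_labeled_uri(uri):
    """Split an RFC 4516 LDAP URL: ldap://host:port/base?attrs?scope?filter?extensions."""
    scheme, sep, rest = uri.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % uri)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    parts = tail.split("?") + [""] * 5
    base, attrs, scope, filt = (unquote(p) for p in parts[:4])
    return {
        "host": host,
        "port": int(port) if port else (636 if scheme.lower() == "ldaps" else 389),
        "base": base,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": (scope or "base").lower(),
        "filter": filt or "(objectClass=*)",
    }

def _rdns(dn):
    """Normalised RDN list (assumes no escaped commas in RDN values)."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def in_scope(entry_dn, base, scope):
    e, b = _rdns(entry_dn), _rdns(base)
    if scope == "base":
        return e == b
    if scope == "one":
        return e[1:] == b
    if scope == "sub":
        return len(e) >= len(b) and e[len(e) - len(b):] == b
    raise ValueError("unknown scope %r" % scope)

def parse_filter(s, i=0):
    """Tiny RFC 4515 parser: (attr=value), (attr=*), (&...), (|...), (!...). Values
    containing ')' are not supported. Returns (node, index after the filter)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        return (op, subs), i + 1            # skip the closing ')'
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1

def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)                 # presence
    return any(v.lower() == value.lower() for v in values)

def dynamic_members(labeled_uri, entries):
    """DNs the group resolves to; entries are dicts with lower-case attribute names."""
    spec = parse_labeled_uri(labeled_uri)
    node, _ = parse_filter(spec["filter"])
    return sorted(e["dn"] for e in entries
                  if in_scope(e["dn"], spec["base"], spec["scope"]) and matches(node, e))

# Constructed sample entries (attribute names lower-cased, values as lists).
SAMPLE_ENTRIES = [
    {"dn": "cn=Anne Smith,ou=sales,dc=oracle,dc=com", "objectclass": ["person"], "title": ["Manager"]},
    {"dn": "cn=Bob Jones,ou=sales,dc=oracle,dc=com", "objectclass": ["person"], "title": ["Engineer"],
     "manager": ["cn=Anne Smith,ou=sales,dc=oracle,dc=com"]},
    {"dn": "cn=Carol Lee,ou=eng,dc=oracle,dc=com", "objectclass": ["person"], "title": ["Manager"]},
]
MANAGERS_URI = "ldap://oid.example.com:389/dc=oracle,dc=com??sub?(title=Manager)"
SALES_URI = "ldap://oid.example.com:389/ou=sales,dc=oracle,dc=com??one?(objectClass=person)"
ANNES_REPORTS_URI = ("ldap://oid.example.com:389/dc=oracle,dc=com??sub?"
                     "(manager=cn=Anne%20Smith,ou=sales,dc=oracle,dc=com)")

if __name__ == "__main__":
    for uri in (MANAGERS_URI, SALES_URI, ANNES_REPORTS_URI):
        print(uri, "->", dynamic_members(uri, SAMPLE_ENTRIES))
```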

How does an LDAP client locate directory servers in a Distributed Environment?

To perform an operation on a particular entry, a client must be able to find the server in which that entry resides. So, for discovering the directory server, the client looks for ldap.ora in the following file system directories in order of preference.
  • The directory pointed to by the LDAP_ADMIN environment variable. To check the variable, run:
$ echo $LDAP_ADMIN
  • The directory ORACLE_HOME/ldap/admin
  • The directory pointed to by the TNS_ADMIN environment variable.
  • The directory ORACLE_HOME/network/admin

Process control of Oracle Internet Directory components

Since OID is a part of the Oracle AS infrastructure, OPMN is responsible for monitoring OID as an Oracle AS component.
The processes associated with OID are
  • OIDMON ($ORACLE_HOME/bin/oidmon) is a daemon process responsible for the process control of all OID server instances.
  • OIDCTL ($ORACLE_HOME/bin/oidctl) is a command-line tool that lets you configure additional OID server instances.
OID Integration with OPMN:
OPMN knows only about OIDMON & is unaware of the OID server instances.

OIDMON & ODS_PROCESS Table:
OIDMON is responsible for starting, stopping, restarting and monitoring all OID server instances, such as directory server instances and replication server instances.
OIDMON reads the contents of the ODS_PROCESS table in the ODS database user schema periodically. The periodicity is controlled by the value of "sleep" commandline argument at oidmon startup. The default value is 10 seconds.

Oracle Internet Directory Terminologies- Part II

Identity Management Realm:
An identity management realm defines an enterprise scope over which certain identity management policies are defined and enforced by the deployment, for example all employees in the US domain.

You can define multiple identity management realms within the same Oracle Identity Management infrastructure. This enables you to isolate user populations and enforce a different identity management policy—for example, password policy, naming policy, self-modification policy—in each realm.

Each identity management realm has a realm-specific administrator with complete administrative control over the realm.

Resource Access Descriptor (RAD):
Information for connecting and authenticating users to the databases is called resource access information. It is stored in an entry called a resource access descriptor (RAD), from which it can be retrieved and shared by various Oracle components.
Information about the resources that an application uses to service a user request is called resource type information. A resource type can be, for example, an Oracle Database or a Java Database Connectivity Pluggable Data Source. Resource type information includes such items as the class used to authenticate a user, the user identifier, and the password.


Resource access information for each user is stored in the cn=User Extensions node in the Oracle Context.
 
Resource access information for each application is stored in the object identified by the application name—in this example, cn=Oracle Reports, cn=Products,cn=Oracle Context,dc=us,dc=acme,dc=com. This is the user information specific to that product. 

Resource type information is stored in the container cn=resource types, cn=common,cn=products,cn=Oracle Context.

Oracle Internet Directory Terminologies- Part I

Entry:
Each collection of information about an object is called an entry. An entry can include, for example, information about an employee, a conference room, or a shared network resource such as a printer.

Distinguished Name (DN):
Each entry in an online directory is uniquely identified by a distinguished name. The distinguished name tells you exactly where the entry resides in the directory hierarchy.

Directory Information Tree (DIT):
The directory hierarchy is represented by a Directory Information Tree (DIT). To locate a particular entry within the overall DIT, a client uniquely identifies that entry by using the full DN.

Attributes:
In an online directory, each information item about an entry is called an attribute. Attributes in a typical employee entry can include, for example, a job title, an e-mail address, or a phone number.
Some of the commonly used LDAP Attributes are cn,sn,ou,telephoneNumber,etc

Object Classes: 
An object class is a named group of attributes that defines the structure of an entry. When you define a directory entry, you assign one or more object classes to it. Some of the attributes in these object classes are mandatory and others are optional and can be empty.

There are three types of object classes:
  • Structural Object Classes
Structural object classes describe the basic aspects of an object. Most of the object classes that you use are structural object classes, and every entry should belong to at least one structural object class. Examples of structural object classes are person and groupOfNames.
Structural object classes use structure rules to place restrictions on the kinds of objects you can create under any given object class. 
  • Abstract Object Classes
An abstract object class is a virtual object class. For example, the object class top is an abstract object class. The top object class includes the mandatory attribute objectClass as well as several optional attributes such as creatorsName.
  • Auxiliary Object Classes
Auxiliary object classes are groupings of optional attributes that expand the existing list of attributes in an entry.

Naming Contexts
A directory naming context is a subtree that resides entirely on one server. It must be a complete subtree, that is, it must begin at an entry that serves as the top of the subtree, and extend downward to either leaf entries or references to subordinate naming contexts. It can range in size from a single entry to the entire directory information tree (DIT).
To enable users to discover specific naming contexts, you can publish those naming contexts in Oracle Internet Directory by using either Oracle Directory Manager or ldapmodify.

What is a Configuration Set Entry?

The configuration parameters for each Oracle directory server instance are stored in an entry called a configuration set entry, or configset. The Oracle directory server is installed with a default configuration set entry (configset0) so that you can run the directory server immediately.

What is Directory Metadata?

Directory metadata is the information used by the directory server at run time for processing LDAP requests. It is stored in the underlying data repository. During startup, the directory server reads this information and stores it in a local metadata cache. It then uses this cache at run time to process incoming LDAP operation requests.
The directory server has the following types of metadata in its local metadata cache:
  • Directory Schema 
The definitions of object classes, attributes, and matching rules supported by the directory server.
  • Access control policy point (ACP)
  The directory server uses ACPs when determining whether to allow a certain LDAP operation performed by a user.
  • Root DSE entry
The root DSE (DSA-Specific Entry) contains a number of attributes that store information about the directory server itself, for example the naming context DNs and the subschema subentry DN.
  • Privilege groups
The directory schema supports directory group objects through the standard groupOfUniqueNames and groupOfNames object classes. Oracle Internet Directory extends these standard group objects through an auxiliary object class called orclPrivilegeGroup, which supports privilege groups that can be used in access control policies.
  • Password policy entry
A special entry containing information about the policies the directory server enforces for user password credentials. The directory server uses this information at run time to enforce the password policies.

What is an Oracle Directory Server Instance?

Each Oracle directory server instance is also called an LDAP server instance.

  1. The Oracle Internet Directory listener/dispatcher sends the request to the Oracle directory server, which in turn creates server processes.
  2. A server process handles an LDAP operation request and connects to the Oracle database instance to access the directory store.
  3. The directory server handles the client request by generating one server process for each operation.
The number of server processes created is determined by the configuration parameter ORCLSERVERPROCS. The default is 1 (one).
Database connections from each server process are spawned as needed, depending on the value set for the configuration parameter ORCLMAXCC. The number of database connections spawned by each server is equal to ORCLMAXCC + (ORCLMAXCC/2) + 1. The default value of ORCLMAXCC in configset0 is 2. The server processes communicate with the data server by way of Oracle Net Services: an Oracle Net Services listener/dispatcher relays the request to the Oracle Database.

What is an Oracle Internet Directory Node?

An Oracle Internet Directory node consists of one or more directory server instances connected to the same directory store. The directory store—that is, the repository of the directory data—is an Oracle Database.
The Oracle directory replication server uses LDAP to communicate with an Oracle directory (LDAP) server instance. To communicate with the database, all components use OCI/Oracle Net Services. Oracle Directory Manager and the command-line tools communicate with the Oracle directory servers over LDAP.

Sunday, September 28, 2008

What are the components of Oracle Internet Directory?

  • Oracle directory server, which responds to client requests for information about people and resources by using a multitiered architecture directly over TCP/IP
  • Oracle directory replication server, which replicates LDAP data between Oracle directory servers
  • Directory administration tools, which include: Oracle Directory Manager, which simplifies directory administration through a Java-based graphical user interface & a variety of command-line administration and data management tools 
  • Oracle Internet Directory Software Developer's Kit

What Is Oracle Internet Directory?

Oracle Internet Directory is a general purpose directory service that enables fast retrieval and centralized management of information about users and network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness, and availability of an Oracle Database.

What is Lightweight Directory Access Protocol?

LDAP is a standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate.

Oracle Identity Management-Basics

The Oracle Identity Management infrastructure includes the following components:
  • Oracle Internet Directory- A general purpose directory service that enables fast retrieval and centralized management of information about users and network resources
  • Oracle Directory Integration and Provisioning- This component enables synchronization between Oracle Internet Directory and other directories and user repositories
  • Oracle Delegated Administration Services- This component provides trusted proxy-based administration of directory information by users and application administrators.
  • Oracle Application Server Single Sign-On: This component provides single sign-on access to Oracle and third-party Web applications.
  • Oracle Application Server Certificate Authority: This component generates and publishes X.509 V3 PKI certificates to support strong authentication methods.

What is an Online Directory & Why is it used?

A directory is a way in which complex information is organized so that it is easy to find, e.g. employees in a company or books in a library.
An online directory is a specialized database that stores and retrieves collections of information about objects. Although an online directory is a database, that is, a structured collection of data, it is not a relational database. The following points contrast online directories with relational databases.
  1. The online directory is primarily read-focused whereas the relational database is primarily write-focused.
  2. Online directory is designed to handle simple transactions on small units of data while RDB handles large transactions on large data
  3. Online directory is designed to store information in entries while RDB is designed to store information in rows in relational tables.

What is Network Address Translation?

The NAT Concept
NAT (also known as network masquerading or IP masquerading) is a technique of forwarding network traffic through a router that involves re-writing the source and/or destination IP addresses.

The NAT concept is simple: it allows a single device to act as an Internet gateway for internal LAN clients by translating the clients' internal network IP addresses (the RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 in CIDR notation) into the IP address on the NAT-enabled gateway device.

In other words, NAT runs on the device that's connected to the Internet and hides the rest of your network from the public, thus making your whole network appear as one device to the rest of the world.

Benefits
a) Because the NAT device keeps state only for connections initiated from the inside, inbound packets that match no table entry are dropped, so outside hosts cannot open connections to the local hosts unless a static mapping exists for them.
b) The greatest benefit of NAT is that it is a practical solution to the impending exhaustion of IPv4 address space.
c) NAT hides the internal addressing plan from the Internet. This is a side effect rather than a security control: it does not inspect or filter the traffic of connections the inside hosts open, so a firewall is still required.

We have a simple network of 4 hosts (computers) and one router that connect this network to the Internet. All hosts in our network have a private Class C IP Address, including the router's private interface (192.168.0.1), while the public interface that's connected to the Internet has a real IP Address (203.31.220.134).

How does NAT work?
The trick to understanding how NAT works is to realize that only the device (router, firewall or pc) that connects directly to the Internet performs NAT.

1. All requests the workstations generate are sent to the Internet via the router
2. The router will then perform NAT on these packets and send them to their destination.
3. As each packet arrives on the router's private interface, the router replaces the source IP address in the layer 3 (network layer) header, e.g. 192.168.0.10, with its own public IP address (203.31.220.134) before sending it to the Internet.
4. The packet therefore appears to have originated from the router itself.

1. In this illustration, a workstation from our network has generated a packet with a destination IP Address 135.250.24.10.
2. Logically, this packet is first sent to the gateway, which performs NAT on this packet and then sends it to the Internet
3. During the initial NAT operation, the original packet's Source IP is changed from 192.168.0.12 to that of the router's public interface, which is 203.31.220.134
4. The router records this translation (private source address, public address and destination) in a table held in its memory, the NAT table.
5. When the expected reply arrives it will know to which workstation within its network it needs to forward it.

The NAT Table
The NAT table is the heart of the whole NAT operation, which takes place within the router (or any NAT-enabled device) as packets arrive and leave its interfaces. Each connection from the internal (private) network to the external (public-Internet) network, and vice versa, is tracked and a special table is created to help the router determine what to do with all incoming packets on all of its interfaces.

Static NAT
Static NAT allows the mapping of public IP Addresses to hosts inside the internal network.

In this mode each private host has a single public IP Address mapped to it, e.g private host 192.168.0.1 has the public IP Address 203.31.218.208 mapped to it. Therefore any packets
generated by 192.168.0.1 that need to be routed to the Internet will have their source IP field replaced with IP Address 203.31.218.208.

Dynamic NAT
With Dynamic NAT, we map our internal IP addresses to real public IP addresses, but the mapping is not fixed: each time an internal host starts a session with the Internet it is assigned a public address from a pool that our ISP has reserved for our network, and the address it receives may differ from one session to the next.

The router is configured with a special NAT timeout and, after this timeout is reached (no traffic sent/received during that time), the router will expire the particular mapping and reuse it for a different internal host.
Finding a practical implementation for Dynamic NAT is perhaps more difficult than any other NAT mode.
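The following added example (Python; not code from the original post) models the NAT table behaviour described in this post: outbound rewriting of the source address, the reverse lookup that maps a reply back to the inside host, a static mapping that never expires, and a dynamic pool whose idle mappings are expired after the NAT timeout and handed to the next host. The addresses reuse the post's figures; the timeout, the pool size and the fake clock are assumptions. Transport ports are left out, as they are in the text, which is why the dynamic pool here holds one address per concurrent inside host: a real gateway that shares one public address among many hosts must also record ports in the table (NAPT).

```python
# Added example (not from the original post): a NAT table with static and dynamic
# mappings, reply translation and timeout-based expiry.
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class NatGateway:
    def __init__(self, public_pool, static=None, timeout=300, clock=time.monotonic):
        self.free = list(public_pool)       # public addresses available to dynamic NAT
        self.static = dict(static or {})    # private -> public, configured, never expires
        self.timeout = timeout              # seconds of idleness before a dynamic entry expires
        self.clock = clock
        # The NAT table: private -> (public, last_seen); reverse index: public -> private.
        self.table = {priv: (pub, None) for priv, pub in self.static.items()}
        self.reverse = {pub: priv for priv, pub in self.static.items()}

    def _expire(self):
        now = self.clock()
        for priv, (pub, last) in list(self.table.items()):
            if priv in self.static:
                continue
            if now - last > self.timeout:
                del self.table[priv]
                del self.reverse[pub]
                self.free.append(pub)       # the address returns to the pool

    def outbound(self, pkt):
        """Packet arriving on the private interface: rewrite the source address."""
        self._expire()
        if pkt.src in self.static:
            pub = self.static[pkt.src]
        elif pkt.src in self.table:
            pub = self.table[pkt.src][0]
            self.table[pkt.src] = (pub, self.clock())
        elif self.free:
            pub = self.free.pop(0)
            self.table[pkt.src] = (pub, self.clock())
            self.reverse[pub] = pkt.src
        else:
            raise RuntimeError("dynamic NAT pool exhausted")
        return Packet(pub, pkt.dst)

    def inbound(self, pkt):
        """Packet arriving on the public interface: forward only if the table knows it."""
        self._expire()
        priv = self.reverse.get(pkt.dst)
        if priv is None:
            return None                     # unsolicited: no table entry, so it is dropped
        if priv not in self.static:
            self.table[priv] = (pkt.dst, self.clock())
        return Packet(pkt.src, priv)

class FakeClock:
    """Controllable clock so the demo does not have to wait for the timeout."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

def demo():
    clock = FakeClock()
    gw = NatGateway(public_pool=["203.31.220.134"],
                    static={"192.168.0.1": "203.31.218.208"}, timeout=300, clock=clock)
    out = gw.outbound(Packet("192.168.0.12", "135.250.24.10"))        # source rewritten
    reply = gw.inbound(Packet("135.250.24.10", "203.31.220.134"))     # reply mapped back
    stray = gw.inbound(Packet("198.51.100.7", "203.31.220.135"))      # no entry: dropped
    try:
        gw.outbound(Packet("192.168.0.13", "135.250.24.10"))          # pool of one is in use
        exhausted = False
    except RuntimeError:
        exhausted = True
    clock.advance(301)                                                # first mapping idles past the timeout
    reused = gw.outbound(Packet("192.168.0.13", "135.250.24.10"))      # address handed to the next host
    static_in = gw.inbound(Packet("198.51.100.7", "203.31.218.208"))  # static mapping: reachable from outside
    return {"out": out, "reply": reply, "stray": stray, "exhausted": exhausted,
            "reused": reused, "static_in": static_in}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The dropped "stray" packet is the whole of the protection NAT gives: there is no table entry for it, so the gateway has nowhere to forward it. The static mapping shows the flip side, a host reachable from outside exactly as if it had the public address itself.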