Thank you very much, this is exactly what I needed to understand, i.e. the flow, and this document is really very helpful.
Now, as per the document, in step 3, i.e. "The message reaches the corporate firewall, where it passes through port 3101 to the BlackBerry Enterprise Server." - for this to work, I need to open port 3101 inbound also in the firewall from the RIM network to the BES server, right?
If yes, then do I need to assign a public IP to the BES server and have a rule like
From RIM's Network to BES Public - allow port 3101?
It should be port forwarding, i.e. allow 3101 traffic from RIM's network to the BES private IP?
Please let me know which would be ideal from a security point of view and functional for BES.
The second question is in step 4, i.e. "The BlackBerry Enterprise Server decrypts the message, decompresses it, and routes it to the messaging server." - In this flow, are there any chances of a spam or virus attack where a BlackBerry device, i.e. the source, can be spoofed or something of that sort? Or is the PIN number of a BlackBerry device, using which we register a device to the BES Express Server, unique and unable to be altered in any way? The main reason being that the BES will be routing mail to Exchange directly and not via the email security appliance, if I understood it right?
i.e. steps 1-5 in my environment, for our domain users sending email out to other domain users, will be BlackBerry User Device -> RIM's N/W -> Office firewall -> Allow incoming port 3101 -> BES Express Server <-> VPN Tunnel -> Exchange Server -> Spam filter appliance -> Datacenter firewall -> Internet
and if some outside-domain BlackBerry device is sending emails to our domain users, steps 6-11 will be
Internet -> Datacenter firewall -> Allow SMTP traffic -> Spam filter appliance -> Exchange Server -> VPN Tunnel <-> BES Express Server -> Outgoing port 3101 -> RIM N/W -> BlackBerry User Device
Please let me know.