View Single Post
Old 10-21-2007, 09:05 AM   #7 (permalink)
BlackBerry Genius
hdawg's Avatar
Join Date: Aug 2006
Model: hdawg
Carrier: hdawg
Posts: 6,632
Post Thanks: 0
Thanked 0 Times in 0 Posts

Thankyou very much, this is exactly what I needed to understand i.e. the flow and this document is really very helpful.
Unfortunately, and I'll address this throughout the rest of the response, you don't understand the flow ... at least from a firewall perspective.

Now as per the document in step 3 i.e The message reaches the corporate firewall, where it passes through port 3101 to the BlackBerry Enterprise Server. - For this to work, I need to open port 3101 inbound also in the firewall from the RIM network to the BES server right?
No, you do not. When a connection is made from a server behind your firewall to a destination on the Internet (or anywhere else for that matter), as long as their isn't a proxy server manipulating data (which isn't supported with BlackBerry unless it is transparent to BES) the connection is bi-directional. You only need to open port 3101 outbound initiated, once the BES opens the connection to RIMs NOC, the NOC can then push data back into your network to your BES. You don't need to open 3101 inbound as the NOC will never be initiating any connections with your BES. A connection is opened and it stays open ... if it ever drops, the BES re-establishes the connection. Yes, this means that for every BES in the world there are persistently open connections to RIMs SRP networks.

If yes, then do I need to assign a public IP to BES server and have a rule like
From RIMS Network to BES Public -allow port 3101 ?
See Above.


It should be port forwarding i.e. allow 3101 traffic from RIM's network to BES private IP ?
No, see above; you don't need to allow traffic from RIMs network to the BES.

Pls let me know which would be ideal from security point of view and functional for BES.
Previously answered.

Second question is in step 4 i.e. The BlackBerry Enterprise Server decrypts the message, decompresses it, and routes it to the messaging server. - In this flow are there any chances of a spam or virus attack where a blackberry device i.e source can be spoofed or something of that sort ? or the PIN number of a blackberry device is unique using which we register a device to BES express Server and cannot be altered in anyway, the main reason being the BES will be routing mail to exchange directly and not via the email security appliance if I understood it right?
Every bit of data that is sent from a BB HH which is destined to its BES is encrypted with a master encryption key that the BES and the HH establish during the Enterprise Activation process. For this spoofing to happen, the device would need to be spoofed and the master encryption key for the device must be compromised ... this hasn't happened yet (at least publicly), and its certainly not something I spend any thought on.

i.e. Steps 1-5 in my environment for our domain users sending email out to other domain users will be Blackberry User Device->RIM's N/W->office firewall ->Allow Incoming port 3101->BES Express Server<->VPN Tunnel ->Exchange Server -> Spam filter appliance->Datacenter firewall->Internet
NO, incoming port 3101 isn't needed. A session between the BES and RIMs NOC has already been established, therefore no additional port(s) need be opened. The already open connection between the BES and RIMs NOC allows for RIM to push the data from the HH into your network to your BES for message delivery. The rest of the model is correct.

and if some outside domain blackberry device is sending emails to our domain users steps 6-11 will be

Internet->Datacenter firewall->Allow SMTP traffic-> Spam filter appliance ->Exchange Server ->VPN Tunnel <->BES Express Server->Outgoing port 3101->RIM N/W-> Blackberry User Device
Correct. I hope this explains it a bit. If you're still confused I think it may just be your understanding of how firewalls work.

Much like on a firewall you don't have to open port 80 inbound to any PC on your network for them to browse the web, you only need to open port 80 outbound ... RIMs SRP connection works much the same. The port 80 connection is established with a web server, and the web server pushes data back through the socket opened. Just imagine the BES has having that one socket opened ... but constantly.
Offline   Reply With Quote