You can put a BES in a DMZ, but there are security risks with names.nsf being in a DMZ. Lotus has information with regard to this and you may want to consider speaking with them. There really aren't any good reasons to put the BES in the DMZ because you still have to open ports (1723) etc. to allow the BES to talk to the internal mail servers. Your best bet is to keep the BES on the LAN and open 3101 as suggested by BlackBerry. You can review the @Stake Security Assessment at http://www.blackberry.com/knowledgec...0&vernum=0
This describes how secure the BES is on a LAN. This security assessment discourages companies from placing a BES in a DMZ as there are no benefits from doing so, only potential security risks.