BlackBerry Forums Support Community               

Old 01-22-2008, 05:56 PM   #1 (permalink)
Talking BlackBerry Encyclopedia
 
hayabusa
 
Join Date: Aug 2006
Location: Kansas
Model: 9000
Carrier: Cingular
Posts: 251
Post Thanks: 0
Thanked 0 Times in 0 Posts
Firewall team won't let me have outbound 3101 open


My firewall team is arguing with me about having port 3101 open for outbound connections to RIM's network while my BES is on the LAN. They are telling me they don't want to do this because they fear someone could spoof srp.us.blackberry.net and we could potentially connect to it. All my other BES servers connect this way, but I am using a CLP client that allows them to do this. In the above situation a CLP proxy client is not possible because of the way the company is owned. Does anyone have any other ideas? I was thinking I could put a DMZ in and put the router portion on another domain, since this part of the company doesn't have a DMZ, but this means putting in another server and providing a domain trust since this would be a different domain. Any idea would be great; I'm racking my brain trying to come up with ways to get this running.
Old 01-22-2008, 06:10 PM   #2 (permalink)
Ugg
Thumbs Must Hurt
 
Join Date: Dec 2006
Model: 8310
OS: 4.5
Carrier: O2
Posts: 197
Post Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by hayabusa
They are telling me they don't want to do this because they fear someone could spoof srp.us.blackberry.net and we could potentially connect to it.
Presumably the server's DNS lookups are handled by something internally that passes the request on to an external DNS server? Couldn't you make sure that srp.us.blackberry.net was defined in there (or even just in the BES's "hosts" file)?

Surely though if you allow 3101 out only to the addresses currently defined by srp.us.blackberry.net and someone spoofs the DNS your firewall won't allow 3101 out to the spoofed address anyway?

(I suppose that by their logic you wouldn't trust any external DNSes and maintain a local DNS with all potential contacts in it instead - sounds like a lot of work!)
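The rule Ugg describes (3101 out only from the BES and only to the addresses currently pinned for srp.us.blackberry.net) modelled as an added example, not code from the thread: an egress check plus an audit over firewall log lines that flags an allow wider than the pin or a blocked attempt from the BES, which is the signal that either a forged resolution was stopped or RIM's addresses changed and the pin needs review. The BES address, the pinned addresses and the log format are all constructed assumptions.

```python
import re
from typing import Iterable

# All addresses below are constructed (RFC 5737 test ranges) for illustration;
# they are NOT the real addresses of srp.us.blackberry.net or of any BES.
BES_HOST = "10.0.5.20"                               # assumed BES LAN address
SRP_ALLOWLIST = {"198.51.100.10", "198.51.100.11"}   # pinned SRP addresses
SRP_PORT = 3101

def egress_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Narrowest rule for the BES: TCP 3101 out is permitted only from the BES
    host and only to the pinned SRP addresses. A forged DNS answer pointing
    srp.us.blackberry.net elsewhere is therefore unreachable, whatever the
    BES resolver believes."""
    return src_ip == BES_HOST and dst_port == SRP_PORT and dst_ip in SRP_ALLOWLIST

# Constructed log format: "... src=A dst=B dport=N action=ALLOW|DENY"
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(ALLOW|DENY)")

def audit_3101(log_lines: Iterable[str]) -> list:
    """Report two things on port 3101: an ALLOW outside the pinned rule (the
    rule is wider than intended) and a DENY from the BES (a forged resolution
    was blocked, or RIM changed addresses and the pin must be updated)."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or int(m.group(3)) != SRP_PORT:
            continue                      # unparsable or not the SRP port
        src, dst, _, action = m.groups()
        if action == "ALLOW" and not egress_allowed(src, dst, SRP_PORT):
            findings.append(f"rule too wide: {src} -> {dst}:{SRP_PORT} allowed")
        elif action == "DENY" and src == BES_HOST:
            findings.append(f"BES blocked: {src} -> {dst}:{SRP_PORT}, "
                            "check resolution of srp.us.blackberry.net")
    return findings

# Constructed sample log lines
SAMPLE_LOG = [
    "2008-01-22 17:55:01 src=10.0.5.20 dst=198.51.100.10 dport=3101 action=ALLOW",
    "2008-01-22 17:55:09 src=10.0.5.20 dst=203.0.113.5 dport=3101 action=DENY",
    "2008-01-22 17:56:30 src=10.0.5.44 dst=198.51.100.10 dport=3101 action=ALLOW",
    "2008-01-22 17:57:00 src=10.0.5.20 dst=198.51.100.10 dport=443 action=ALLOW",
]

if __name__ == "__main__":
    for finding in audit_3101(SAMPLE_LOG):
        print(finding)
```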
Old 01-22-2008, 06:14 PM   #3 (permalink)
x14
BlackBerry Extraordinaire
 
Join Date: Jul 2005
Location: NYC
Model: 9800
OS: 6.0.0.546
Carrier: AT&T
Posts: 2,344
Post Thanks: 0
Thanked 17 Times in 16 Posts

You can put the BES Router in the DMZ as a standalone server. The Dispatcher will talk directly with the Router.
__________________
Exchange 2007/BES 5.0.2 MR2
Old 01-22-2008, 06:36 PM   #4 (permalink)
Talking BlackBerry Encyclopedia
 
hayabusa
 
Join Date: Aug 2006
Location: Kansas
Model: 9000
Carrier: Cingular
Posts: 251
Post Thanks: 0
Thanked 0 Times in 0 Posts

I offered up to put the entire thing in the DMZ, but my firewall team is telling me that this option is a no go as well, because then they have more open ports coming inbound to Exchange and this would be an even bigger hole in security. Any other ideas??? Desperate on this.
Old 01-22-2008, 10:38 PM   #5 (permalink)
BlackBerry Extraordinaire
 
Join Date: Jan 2005
Model: Many
Carrier: Sprint
Posts: 1,475
Post Thanks: 0
Thanked 6 Times in 5 Posts

Tell your firewall team they need to examine the policy. If it was that easy to use the port for what they are afraid of, many, many companies would have been attacked by now.
Old 01-22-2008, 10:48 PM   #6 (permalink)
BBF Moderator
 
John Clark
 
Join Date: Jun 2005
Model: Z30
OS: 10.2.1.x
PIN: s & needles
Carrier: AT&T
Posts: 34,667
Post Thanks: 1
Thanked 84 Times in 65 Posts

Just tell them to close them all and then there's no chance of an attack. Honestly, I'm all for security but how much money does it cost a company when they've got to have all their IT people searching for hours on how to circumvent some crazy policy that prevents a legitimate application like BES from working. It makes no sense to me. *smfh*

/rant and going back to lurking only in the BES Admin corner. *flame suit on*
Old 01-23-2008, 06:17 AM   #7 (permalink)
BlackBerry God
 
penguin3107
 
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701
Post Thanks: 1
Thanked 237 Times in 219 Posts

Quote:
Originally Posted by John Clark
Just tell them to close them all and then there's no chance of an attack. Honestly, I'm all for security but how much money does it cost a company when they've got to have all their IT people searching for hours on how to circumvent some crazy policy that prevents a legitimate application like BES from working. It makes no sense to me. *smfh*

/rant and going back to lurking only in the BES Admin corner. *flame suit on*
No need for the flame suit. You're spot on with this post.
Blocking outbound traffic on one port, for one machine, with a very legitimate task borders on paranoia to the point of lunacy.

Sounds to me like these network admins have a chip on their shoulder from some other "event" that happened in this company and now it's payback time.
They're merely flexing their IT muscles and making themselves appear powerful in the process. In reality, this will bite them in the ass soon enough.
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org
Old 01-23-2008, 06:26 AM   #8 (permalink)
BlackBerry Genius
 
hdawg
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,631
Post Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by hayabusa
My firewall team is arguing with me about having port 3101 open for outbound connections to RIM's network while my BES is on the LAN. They are telling me they don't want to do this because they fear someone could spoof srp.us.blackberry.net and we could potentially connect to it. All my other BES servers connect this way, but I am using a CLP client that allows them to do this. In the above situation a CLP proxy client is not possible because of the way the company is owned. Does anyone have any other ideas? I was thinking I could put a DMZ in and put the router portion on another domain, since this part of the company doesn't have a DMZ, but this means putting in another server and providing a domain trust since this would be a different domain. Any idea would be great; I'm racking my brain trying to come up with ways to get this running.
Provide Firewall and connection requirements for the BlackBerry Enterprise Server to your firewall team; if that doesn't suffice, contact your supervisor and instruct him / her that the firewall team is preventing you from doing your job.
Old 01-23-2008, 08:15 PM   #9 (permalink)
Talking BlackBerry Encyclopedia
 
hayabusa
 
Join Date: Aug 2006
Location: Kansas
Model: 9000
Carrier: Cingular
Posts: 251
Post Thanks: 0
Thanked 0 Times in 0 Posts

After further conversations with our firewall team I have discovered that they do not allow NAT translations in the firewall. All communications that initiate outbound connections must use proxy authentication to get out. I believe that my only options for this particular issue are to put a router in the DMZ and route its traffic back to the BES server in another domain across another firewall. The only other option I think I might have is to install the circuit layer proxy client on a server living on the internal intranet and install the router service on this machine. This would be like using a DMZ, except that the CLP will allow proxy authentication and thus allow us to make a connection outbound. I will then have to route the traffic through the firewall and out to the other domain to the BES. Does anyone have any experience using the CLP client from the Microsoft Internet authentication server?
Old 01-23-2008, 08:26 PM   #10 (permalink)
BBF Moderator
 
John Clark
 
Join Date: Jun 2005
Model: Z30
OS: 10.2.1.x
PIN: s & needles
Carrier: AT&T
Posts: 34,667
Post Thanks: 1
Thanked 84 Times in 65 Posts

Is it always this much trouble to install a BES?
Old 01-23-2008, 08:34 PM   #11 (permalink)
BlackBerry Genius
 
hdawg
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,631
Post Thanks: 0
Thanked 0 Times in 0 Posts

Wow; please tell me security everywhere else in your company is like this?

Put the router in the DMZ
Old 01-23-2008, 10:36 PM   #12 (permalink)
Knows Where the Search Button Is
 
Join Date: Nov 2007
Model: 8100
PIN: N/A
Carrier: vodafon
Posts: 38
Post Thanks: 0
Thanked 0 Times in 0 Posts

It's an outbound initiated connection; it has to come from the BES first, and that in itself is pretty secure. I used to be a firewall admin. The best thing to do is to get them to fully understand what is required for the connection, and they should be able to provide a secure solution. Maybe some others can share what they did in their own large secure companies? I was the BES admin and the FW admin, so I had it easy.
Old 01-24-2008, 10:43 AM   #13 (permalink)
Thumbs Must Hurt
 
Join Date: Oct 2007
Model: 9000
OS: 4.6.0.266
PIN: N/A
Carrier: AT&T
Posts: 59
Post Thanks: 0
Thanked 0 Times in 0 Posts

Our security and firewall groups also happen to be unreasonably paranoid. Usually we have to escalate our requests with management if we can't reach a compromise or solution. When we installed our BES environment last summer, it had upper management support, so we were able to implement it properly.
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.