I was just told that we're installing a BES. The sysadmin came to me for help on where it should be placed in our network. My first response is that since people from the outside to talk to it, that the BES needs to be in the DMZ.
However on page 8 of the manual it is clearly stated "Do not put in the DMZ." Our company has very strict rules that communication that is initiated outside must go to the DMZ. No punching holes from the Internet directly to the internal network.

Does anyone here know the rationale behind the "no dmz rule?" And what have other admins out there done to keep both the BES and thier network secure?

If you are using BES for Exchange then you have to punch a ton of holes in your firewall for MAPI to communicate to Exchange.

The communication from the BES is initiated outwards by the BES upon startup and from that point traffic is allowed bidirectional on the same connection.

outbound-initiated traffic should be common already on ports such as 80, 8080, etc. its nothing new. just open up 3101 for outbound-initiated TCP and you're done with the firewall configuration. BBTechGuy's statement concerning what all you'd have to open up on the internal firewall for BES to talk to Exchange over MAPI is right on and its probably the easiest point to sell to your security guys on why it should go inside the BES.

The whole jist of it is that the BES server is constantly maintaining 2 types of connections, the first is to the RIM Relay which is port 3101 outbound initiated bidirectional like people have already mentioned, in addidtion to that, the BES server maintains a MAPI connection using RPC (assuming exchange server here) for each of the BES users. I guarantee your firewall admin will not open up any sort of RPC port, especially to your exchange server on the firewall.

Now having said that, it is possible to split the Blackberry Router portion of the BES server off and drop it onto your DMZ and then have the internal BES talk through the firewall to the BB Router.

I have never setup a BB Router service off the same box as the BES itself, but it is a supported configuration from RIM so you can most likely find documentation on how to do it from them.

cd.

We went with a completely different route. We use a Gauntlet firewall to do all off the outbound communications. The Gauntlet functions like a port proxy. Our BES talk to the Gauntlet and the Gauntlet talks to the srp.

When went with this route becase we started with BES 2.2 for Domino and there was no option an external router as there is today. It's been working for us great so we never bother changing the architecture.

Place the router in the DMZ that should eliminate your sec. concerns. You just need a basic hardware not even a server. Setting up the router is no deal at all. (follow the rim docu)

Thanks for all of the feed back. This BES nOOb appreciates all of the help. I'll see if I can scrounge up some older hardware for the router bit. We have several old compaq dl360s lying around that sound like would fit the bill nicely.

And yes as one of the Firewall admins.... RPC + Firewalls = bad.