BlackBerry Forums Support Community               

Old 10-17-2005, 06:52 PM   #1 (permalink)
New Member
 
Join Date: Oct 2005
Model: none
Posts: 2
Physical Architecture question


I was just told that we're installing a BES. The sysadmin came to me for help on where it should be placed in our network. My first response is that since people from the outside need to talk to it, the BES needs to be in the DMZ.
However, on page 8 of the manual it is clearly stated "Do not put in the DMZ." Our company has very strict rules that communication that is initiated outside must go to the DMZ. No punching holes from the Internet directly to the internal network.

Does anyone here know the rationale behind the "no DMZ rule"? And what have other admins out there done to keep both the BES and their network secure?
Old 10-17-2005, 07:10 PM   #2 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: May 2005
Model: 7100
Carrier: T-Mobile
Posts: 299

If you are using BES for Exchange then you have to punch a ton of holes in your firewall for MAPI to communicate to Exchange.

The communication from the BES is initiated outwards by the BES upon startup and from that point traffic is allowed bidirectional on the same connection.
Old 10-17-2005, 07:27 PM   #3 (permalink)
BlackBerry God
 
Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310

Outbound-initiated traffic should be common already on ports such as 80, 8080, etc. It's nothing new. Just open up 3101 for outbound-initiated TCP and you're done with the firewall configuration. BBTechGuy's statement concerning what all you'd have to open up on the internal firewall for BES to talk to Exchange over MAPI is right on, and it's probably the easiest point to sell to your security guys on why it should go inside the BES.
__________________
In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.
Old 10-18-2005, 08:01 AM   #4 (permalink)
BlackBerry Extraordinaire
 
Join Date: Dec 2004
Location: in a house...
Model: lots
Carrier: Rogers
Posts: 1,148

The whole gist of it is that the BES server is constantly maintaining 2 types of connections. The first is to the RIM Relay, which is port 3101 outbound-initiated bidirectional, like people have already mentioned. In addition to that, the BES server maintains a MAPI connection using RPC (assuming Exchange server here) for each of the BES users. I guarantee your firewall admin will not open up any sort of RPC port, especially to your Exchange server on the firewall.

Now having said that, it is possible to split the Blackberry Router portion of the BES server off and drop it onto your DMZ and then have the internal BES talk through the firewall to the BB Router.

I have never set up a BB Router service off the same box as the BES itself, but it is a supported configuration from RIM, so you can most likely find documentation on how to do it from them.

cd.
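To make the placement argument in this thread concrete, here is a small policy checker written for this page (it is not code from the thread or from RIM). It models the three designs discussed, BES in the DMZ, BES internal with only outbound 3101, and the BlackBerry Router split off into the DMZ, as firewall rules and reports which rules break the company policy from post #1. The zone names, the RPC endpoint-mapper port 135 with an assumed dynamic high-port range for MAPI, and the assumption that the internal BES initiates the connection to the DMZ Router on 3101 are mine.

```python
# Added example (not from the thread): policy check for the three BES placements.
from dataclasses import dataclass

RIM_RELAY_PORT = 3101        # BES/Router -> RIM relay, outbound-initiated (from the thread)
RPC_ENDPOINT_MAPPER = 135    # MS-RPC endpoint mapper; MAPI then negotiates dynamic ports
RPC_DYNAMIC = "1024-65535"   # assumed dynamic RPC port range for MAPI sessions

@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone that initiates the TCP connection
    dst_zone: str   # zone that accepts it
    port: str       # destination port or range, as a string
    purpose: str

def violations(rules):
    """Return the rules that break the company policy from post #1:
    (1) anything initiated from the Internet must terminate in the DMZ, and
    (2) no RPC/MAPI holes from the DMZ into the internal network (post #4)."""
    bad = []
    for r in rules:
        if r.src_zone == "internet" and r.dst_zone != "dmz":
            bad.append(r)
        elif (r.src_zone == "dmz" and r.dst_zone == "internal"
              and r.port in (str(RPC_ENDPOINT_MAPPER), RPC_DYNAMIC)):
            bad.append(r)
    return bad

# Design A: whole BES in the DMZ; it must reach Exchange over MAPI/RPC.
BES_IN_DMZ = [
    Rule("dmz", "internet", str(RIM_RELAY_PORT), "BES -> RIM relay"),
    Rule("dmz", "internal", str(RPC_ENDPOINT_MAPPER), "BES -> Exchange RPC endpoint mapper"),
    Rule("dmz", "internal", RPC_DYNAMIC, "BES -> Exchange MAPI dynamic ports"),
]
# Design B: BES internal, a single outbound rule (posts #2 and #3).
BES_INTERNAL = [
    Rule("internal", "internet", str(RIM_RELAY_PORT), "BES -> RIM relay"),
]
# Design C: BlackBerry Router in the DMZ (posts #4 and #6); assumed: the
# internal BES initiates the connection to the Router on 3101.
ROUTER_IN_DMZ = [
    Rule("internal", "dmz", str(RIM_RELAY_PORT), "BES -> BlackBerry Router"),
    Rule("dmz", "internet", str(RIM_RELAY_PORT), "Router -> RIM relay"),
]

def report():
    """Map each design name to the purposes of its policy-violating rules."""
    designs = (("bes_in_dmz", BES_IN_DMZ), ("bes_internal", BES_INTERNAL),
               ("router_in_dmz", ROUTER_IN_DMZ))
    return {name: [r.purpose for r in violations(rules)] for name, rules in designs}
```

Only the BES-in-DMZ design produces violations, both of them the RPC holes from DMZ to the internal Exchange server that post #4 says no firewall admin will open.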
Old 10-18-2005, 08:22 AM   #5 (permalink)
x14
BlackBerry Extraordinaire
 
Join Date: Jul 2005
Location: NYC
Model: 9800
OS: 6.0.0.546
Carrier: AT&T
Posts: 2,344

We went with a completely different route. We use a Gauntlet firewall to do all of the outbound communications. The Gauntlet functions like a port proxy. Our BES talks to the Gauntlet and the Gauntlet talks to the SRP.

We went with this route because we started with BES 2.2 for Domino and there was no option for an external router as there is today. It's been working great for us, so we never bothered changing the architecture.
Old 10-18-2005, 08:30 AM   #6 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Jan 2005
Location: LE
Model: Pearl
Carrier: T-Mobile
Posts: 202

Place the router in the DMZ; that should eliminate your security concerns. You just need basic hardware, not even a server. Setting up the router is no big deal at all (follow the RIM docu).
Old 10-19-2005, 10:54 AM   #7 (permalink)
New Member
 
Join Date: Oct 2005
Model: none
Posts: 2

Thanks for all of the feedback. This BES n00b appreciates all of the help. I'll see if I can scrounge up some older hardware for the router bit. We have several old Compaq DL360s lying around that sound like they would fit the bill nicely.

And yes as one of the Firewall admins.... RPC + Firewalls = bad.
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.