BlackBerry Forums Support Community               

Old 02-21-2005, 09:46 AM   #1 (permalink)
Knows Where the Search Button Is
 
Join Date: Feb 2005
Location: Ireland
Posts: 16
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default BES 4 - architecture advice

Hi folks,

We're looking at BES 4, which has just been released here in Ireland.

One of the options that particularly appeals to us is the modular capabilities of the system - specifically, being able to put the MDS function within the DMZ.

For security reasons, we had to turn MDS off on 3.6 and it's prevented us from really developing the full potential of the system.

Has anyone tried this configuration yet and can you give me any pros and cons of it?

I'm a BES Admin who "inherited" the 3.6 server with absolutely no training or even much of a handover and I'm determined we're going to do it right with 4. I'd greatly appreciate the benefit of experience if anyone is willing to help me out!

Many thanks!
Offline  
Old 02-21-2005, 10:24 AM   #2 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Jan 2005
Location: Virginia Beach, VA
Model: 7130e
Carrier: VZW
Posts: 444
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I'm curious to hear some opinions on this, too!

Our BES/MDS is the same box and on our internal network.

Our network security guys were OK with that because the only way a BB handheld can communicate to the BES/MDS is via a secured tunnel that the BES initiates. They felt the risk was limited to users who disable their security screensaver password losing their devices, and even then, that BB could be deactivated quickly enough.
Offline  
Old 02-21-2005, 02:53 PM   #3 (permalink)
Thumbs Must Hurt
 
Join Date: Aug 2004
Location: Metro NYC
Posts: 175
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

With 4.0, it is the Router (not MDS) that can be placed in the DMZ. If you do this, you lose "least-cost routing." This feature allows the BES to forward messages, calendar updates, etc. via the LAN rather than wireless network.

The recommended approach continues to be to *not* place any component in the DMZ. However, the Router can be.
__________________
-- Aric Rosenbaum
BlackBerry consulting, BlackBerry development
www.arconsultinginc.com
BlackBerry consulting and development (RIM SI Partner)
Offline  
Old 02-22-2005, 02:16 AM   #4 (permalink)
Knows Where the Search Button Is
 
Join Date: Feb 2005
Location: Ireland
Posts: 16
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Hmmm, our reseller definitely told us that MDS can be put on a separate box in the DMZ - this is in addition to the router being in the DMZ. We were also told that RIM were happy with this "workaround" to previous concerns about MDS and had no problem recommending it.

Our security issues with the current version of MDS are mainly surrounding the fact that if you have any browser-facing control panels within the LAN proper, in theory, they could be accessed using a BB.
Offline  
Old 02-24-2005, 09:58 AM   #5 (permalink)
Knows Where the Search Button Is
 
Join Date: Oct 2004
Location: Las Vegas, NV
Model: 8100
OS: 4.5.0.xx
Carrier: T-Mobile
Posts: 45
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

You could solve that issue with either MDS in a DMZ (which I think can be done as well) or by proxy server. You could have the BES link to a proxy and restrict the URLs for your internal hosts from the proxy. A mini proxy could even be installed directly on the same server as MDS for this.

As for the ROUTER in a DMZ, you could still allow internal LAN connected hosts to connect to this for least cost routing.
Offline  
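
Added example, not part of the original thread or any poster's configuration: a sketch of the URL decision a proxy in front of MDS could make so that handheld browsing reaches only approved internal pages and never internal control panels. The hostnames, suffix and port list are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy values (assumptions, not from the thread).
ALLOWED_INTERNAL_HOSTS = {"intranet.example.internal"}  # pages handhelds may browse
INTERNAL_SUFFIXES = (".example.internal",)              # all other internal names: deny
ALLOWED_PORTS = {80, 443}                               # admin panels often sit elsewhere

def mds_request_allowed(url: str) -> bool:
    """Return True if the proxy should forward this MDS-originated request."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on an out-of-range port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops any user@ prefix and lowercases; also strip a trailing dot
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    if (port or (443 if parts.scheme == "https" else 80)) not in ALLOWED_PORTS:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # IP literals: forward only globally routable addresses, so RFC 1918,
        # loopback and link-local targets on the LAN are refused.
        return addr.is_global
    if host in ALLOWED_INTERNAL_HOSTS:
        return True
    # Single-label names resolve through the internal DNS search list: deny.
    if "." not in host or host.endswith(INTERNAL_SUFFIXES):
        return False
    return True  # public hostname

if __name__ == "__main__":
    for u in ("http://intranet.example.internal/news",
              "http://fw-admin.example.internal/login",
              "http://10.0.0.5/", "https://www.example.com/"):
        print(u, "->", "forward" if mds_request_allowed(u) else "deny")
```

A name-based check like this does not catch a public hostname that resolves to an internal address, so the proxy should apply the same address test to the resolved IP before connecting.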
Old 02-25-2005, 10:43 PM   #6 (permalink)
Thumbs Must Hurt
 
emale's Avatar
 
Join Date: Sep 2004
Model: 8800
Carrier: Rogers
Posts: 156
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

You CANNOT put MDS on a separate box. Attachment service yes, but not MDS. RIM doesn't support BES servers in a DMZ, but they do seem to support the router in a DMZ. This goes for Exchange, Lotus and Groupwise.
Offline  
Old 02-28-2005, 10:13 AM   #7 (permalink)
Knows Where the Search Button Is
 
Join Date: Feb 2005
Location: Ireland
Posts: 16
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

emale, this is the information we're being given by our RIM approved vendor in Ireland. It's not like I just decided to make it up for fun.

I will pass your comments onto them and see what they say.
__________________
The thread killer apparently :s
Offline  
Old 02-28-2005, 06:40 PM   #8 (permalink)
Thumbs Must Hurt
 
Join Date: Aug 2004
Location: Metro NYC
Posts: 175
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

emale is correct. Check out:

http://www.blackberry.com/knowledgec...8&vernum=0

and search for "DMZ".

It specifically states to *not* place the BES in the DMZ and the Router *can* be placed in the DMZ. The MDS cannot be separated from the BES.
__________________
-- Aric Rosenbaum
BlackBerry consulting, BlackBerry development
www.arconsultinginc.com
BlackBerry consulting and development (RIM SI Partner)
Offline  
Old 03-01-2005, 09:48 AM   #9 (permalink)
Knows Where the Search Button Is
 
Join Date: Feb 2005
Location: Ireland
Posts: 16
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I never said he wasn't correct - I was simply passing on what we'd been told. I intend to feed this back to our vendor.

Oh and for reference, although RIM don't support it for Exchange, it IS possible to put BES 3.6 with MDS in a DMZ - we've done it and got it working on the test server. We just haven't bothered rolling it out as we now want to start testing 4 instead.
__________________
The thread killer apparently :s
Offline  
Old 03-01-2005, 03:36 PM   #10 (permalink)
Thumbs Must Hurt
 
Join Date: Aug 2004
Location: Metro NYC
Posts: 175
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

>> I never said he wasn't correct

I didn't mean to suggest anything negative in my post.


>> it IS possible to put BES 3.6 with MDS in a DMZ

Possible yes. And as you state, just not supported. This is why they broke out the Router.
__________________
-- Aric Rosenbaum
BlackBerry consulting, BlackBerry development
www.arconsultinginc.com
BlackBerry consulting and development (RIM SI Partner)
Offline  
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.