BlackBerry Forums Support Community

fkeessen · 06-07-2005, 07:16 AM

Hi,

We are going to deploy BES 4.0 for GroupWise. The big question i have; Must we put a seperated Blackberry router in the DMZ? Or is it 'safe' to put the BES Server on the local LAN and open port 3101.

What are your 'implenentations' and views on this!

Thanks in advance for helping me out!

Regards,

Frank

jibi · 06-07-2005, 03:29 PM

We have ours within the DMZ with port 3101 open for outbound TCP connections only. I don't personally see the DMZ model for the router as a needed option, although it serves its purpose for some corporate networks (it just really depends on your network infrastructure and its implementation).

fkeessen · 06-08-2005, 02:22 AM

Hi,

Thanks for the reply. I've investigated the documentation (BlackBerry Security Whitepaper for release 4.0). On page 5;

"The connection to the wireless network is outbound-initiated by the BlackBerry Enterprise server and must be authenticated. No inbound-initiated traffic is permitted."

So i place mine BES on the local lan with only the 3101 port open for outbound traffic.

Further more; In the Quick start installation guide " Do NOT put the BlackBerry Enterprise server in a Demilitarized zone (DMZ)"

So problem is solved!

Regards,

Frank

ocman · 06-08-2005, 12:49 PM

It works great. We have our router on a small dedicated server sitting in our DMZ.

We NAT the server communication and just have 3101 open back to the main BES server on the LAN.

jibi · 06-08-2005, 08:41 PM

Security policies aside, but out of curiosity, what are the real advantages of having the router component in the DMZ? Assuming the firewall is setup for bi-directional, outbound-initiated traffic on port 3101 to the four IP ranges provided by RIM and the 3 hostnames (or 1 or 2) provided by RIM, would there really be any danger of some sort of break? Or is this mainly "piece of mind" for security administrators?

*Edit: I suppose this could have to do with allowing access to the Exchange server from a third-party provider, even if its an extremely limited theoretical possibility only, there is the hole that would be open for the cautious administrators.

FlemmingRiis · 06-09-2005, 03:04 AM

Quote:

Originally Posted by jibi

Security policies aside, but out of curiosity, what are the real advantages of having the router component in the DMZ? Assuming the firewall is setup for bi-directional, outbound-initiated traffic on port 3101 to the four IP ranges provided by RIM and the 3 hostnames (or 1 or 2) provided by RIM, would there really be any danger of some sort of break? Or is this mainly "piece of mind" for security administrators?

*Edit: I suppose this could have to do with allowing access to the Exchange server from a third-party provider, even if its an extremely limited theoretical possibility only, there is the hole that would be open for the cautious administrators.

peace of mind and policies would be my guess, alot of places dont allow outbound traffic from non dmz zones.

BlackBerry Forums Support Community

BES server and a seperate router in DMZ?