BlackBerry Forums Support Community               

Old 06-07-2005, 08:16 AM   #1 (permalink)
New Member
 
Join Date: Jun 2005
Model: 7100
Posts: 3
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default BES server and a separate router in DMZ?


Hi,

We are going to deploy BES 4.0 for GroupWise. The big question I have: must we put a separate BlackBerry router in the DMZ? Or is it 'safe' to put the BES server on the local LAN and open port 3101?

What are your 'implementations' and views on this?

Thanks in advance for helping me out!

Regards,

Frank
Old 06-07-2005, 04:29 PM   #2 (permalink)
BlackBerry God
 
Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310
Post Thanks: 0
Thanked 1 Time in 1 Post
Default

We have ours within the DMZ with port 3101 open for outbound TCP connections only. I don't personally see the DMZ model for the router as a needed option, although it serves its purpose for some corporate networks (it just really depends on your network infrastructure and its implementation).
__________________
In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.
Old 06-08-2005, 03:22 AM   #3 (permalink)
New Member
 
Join Date: Jun 2005
Model: 7100
Posts: 3
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Solved!

Hi,

Thanks for the reply. I've investigated the documentation (BlackBerry Security Whitepaper for release 4.0). On page 5:

"The connection to the wireless network is outbound-initiated by the BlackBerry Enterprise server and must be authenticated. No inbound-initiated traffic is permitted."

So I place my BES on the local LAN with only the 3101 port open for outbound traffic.

Furthermore, in the Quick Start installation guide: "Do NOT put the BlackBerry Enterprise server in a Demilitarized zone (DMZ)"

So the problem is solved!

Regards,

Frank
Old 06-08-2005, 01:49 PM   #4 (permalink)
Thumbs Must Hurt
 
Join Date: Mar 2005
Model: 9530
Carrier: Verizon
Posts: 57
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

It works great. We have our router on a small dedicated server sitting in our DMZ.

We NAT the server communication and just have 3101 open back to the main BES server on the LAN.
Old 06-08-2005, 09:41 PM   #5 (permalink)
BlackBerry God
 
Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310
Post Thanks: 0
Thanked 1 Time in 1 Post
Default

Security policies aside, but out of curiosity, what are the real advantages of having the router component in the DMZ? Assuming the firewall is set up for bi-directional, outbound-initiated traffic on port 3101 to the four IP ranges provided by RIM and the 3 hostnames (or 1 or 2) provided by RIM, would there really be any danger of some sort of break? Or is this mainly "peace of mind" for security administrators?

*Edit: I suppose this could have to do with allowing access to the Exchange server from a third-party provider; even if it's an extremely limited theoretical possibility only, there is the hole that would be open for the cautious administrators.
__________________
In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.

Last edited by jibi : 06-08-2005 at 10:54 PM.
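
The firewall posture described in post #5 (outbound-initiated TCP 3101 from the BES, limited to the vendor's ranges, nothing inbound-initiated) can be checked mechanically. The auditor below is an added example, not part of the thread; the rule format, the BES address 10.0.5.20 and the destination ranges (RFC 5737 documentation networks standing in for the ranges RIM provides, which the thread does not list) are assumptions.

```python
import ipaddress

# Placeholder vendor ranges (RFC 5737 documentation networks). The thread refers
# to ranges provided by RIM but does not list them; substitute the real ones.
RIM_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
BES_PORT = 3101

RULES = [  # constructed sample rule set (IPv4 only), hypothetical format
    {"dir": "out", "action": "allow", "proto": "tcp", "src": "10.0.5.20/32", "dst": "192.0.2.0/24", "dport": (3101, 3101), "state": "new"},
    {"dir": "in", "action": "allow", "proto": "tcp", "src": "192.0.2.0/24", "dst": "10.0.5.20/32", "dport": (1024, 65535), "state": "established"},
    {"dir": "out", "action": "allow", "proto": "tcp", "src": "10.0.5.0/24", "dst": "0.0.0.0/0", "dport": (3101, 3101), "state": "new"},
    {"dir": "in", "action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "dst": "10.0.5.20/32", "dport": (3101, 3101), "state": "new"},
]

def audit(rules, bes_ip):
    """Return (rule_index, finding) pairs for allow rules that break the
    outbound-initiated-only model for TCP 3101."""
    bes = ipaddress.ip_address(bes_ip)
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow" or r["proto"] != "tcp":
            continue
        lo, hi = r["dport"]
        src = ipaddress.ip_network(r["src"])
        dst = ipaddress.ip_network(r["dst"])
        # A new connection arriving at the BES from outside is never needed:
        # return traffic is covered by "established" state tracking.
        if r["dir"] == "in" and r["state"] == "new" and bes in dst:
            findings.append((i, "inbound-initiated connection to BES allowed"))
        # Outbound 3101 from the BES should only reach the vendor ranges.
        if r["dir"] == "out" and bes in src and lo <= BES_PORT <= hi:
            if not any(dst.subnet_of(n) for n in RIM_RANGES):
                findings.append((i, "outbound 3101 not restricted to vendor ranges"))
    return findings

if __name__ == "__main__":
    for idx, msg in audit(RULES, "10.0.5.20"):
        print(f"rule {idx}: {msg}")
```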
Old 06-09-2005, 04:04 AM   #6 (permalink)
Thumbs Must Hurt
 
Join Date: Mar 2005
Location: Denmark
Model: 7230
Carrier: TDC
Posts: 102
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by jibi
Security policies aside, but out of curiosity, what are the real advantages of having the router component in the DMZ? Assuming the firewall is set up for bi-directional, outbound-initiated traffic on port 3101 to the four IP ranges provided by RIM and the 3 hostnames (or 1 or 2) provided by RIM, would there really be any danger of some sort of break? Or is this mainly "peace of mind" for security administrators?

*Edit: I suppose this could have to do with allowing access to the Exchange server from a third-party provider; even if it's an extremely limited theoretical possibility only, there is the hole that would be open for the cautious administrators.

Peace of mind and policies would be my guess; a lot of places don't allow outbound traffic from non-DMZ zones.

Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.