We have a PIX 501 v 6.3(5) PDM 3.0(4) and need to make changes to allow Blackberry Enterprise Server to work with Exchange 2007. I have made change via CLI and PDM and still fails connection test. The SRP address is srp.us.blackberry.net and the BES ip addresses are 206.51.26.33 & 204.187.87.33. No matter what changes I make I always get the Connection refused (10061). I can ping each and resolve the name.
I would appreciate any help. CLI is fine but I would especially like to know how to configure via the PDM if possible.

Thank you

BES is pretty simple when it comes to making a connection to SRP.

You only need to configure your firewall to allow Outbound Initiated Bi-directional traffic on port 3101 TCP.

Thought so too. Done the above and still 10061 error.

Hi from Italy.

I have the same problem: the SRP state of my BES Enterprise Server (with Domino 6.5) is always "disconnected".
Can anyone help me to configure the PIX 501 to "Outbound Initiated Bi-directional traffic on port 3101 TCP.".

Thanks in advance

Unless you have made configuration changes to prevent connections initiated internally from recieving return traffic (an unlikely config if you're using a 501) your PIX shouldn't require any specific configuration to make it work. Feel free to do a sh run and dump your config here for specific information.

Check your default ACL (probably called outside_in) and see if you are denying by default. If so, you might want to add the following line to the access list:

access-list outside_in permit tcp any host <put your outside interface here> eq 3101

On the other hand, if you can't figure out why if or why your PIX is blocking the traffic, you might not want to be messing around with your PIX.

Hi.

This is the ACL of my Pix .... I don't think that I'm denying the return traffic.
Can you take a look ?

access-list webmail permit tcp any host <webmail static ip> eq www
access-list acl-vpn permit ip <static addresses to permit VPN connections>

That's all.

Thak you

Those are the only two ACL's and the complete contents of each?

If so, it should be working. Feel free to edit out any sensitive info (password hashes, public IP's, etc) and post/PM the full config & I'll tell you what's wrong.