BlackBerryForums.com : Your Number One BlackBerry Community      

  (#1 (permalink)) Old
field172 Offline
Knows Where the Search Button Is
 
Posts: 27
Join Date: Mar 2005
Location: GTA (Toronto)
Model: 8830
Carrier: BellMob
Default Trouble connecting through BES - 03-18-2005, 09:35 AM

I'm using a Bell 7250 on my corporate BES 3.6.
I installed the newest Mobile SSH 2.0 and created a new session.

I'm trying to connect to an outside SSH host that is listening on Port 443 and Port 22 but cannot connect.
I CAN get to it on 443 from behind my corp. proxy server and firewalls.
Using MobileSSH through my BES doesn't work, I see connecting with MDS and then eventually see: "Disconnected: Unable to contact server '[my server's IP]' on port '443', endure that your server is running and listening on that port". I get the same problem using port 22, but I know I can't go out on that port from my corporate BES.

I know my host is up since I'm connected to it now from my desktop PC while testing with MobileSSH on my 7250. I can see my desktop connection to this host on 443 and when checking my host's firewall logs I don't see any attempts coming on either port from MobileSSH.

I know my MDS and MobileSSH are talking since I CAN connect to SSH servers inside my LAN.

Is there a log file in MobileSSH?
Can anyone offer suggestions to help resolve this?

Thank you,
field172.
P.S. Idokorro - thanks for making the error message stay on the screen until 'ok' is clicked and thanks for fixing the problem with saving sessions using ports other than the defaults.
   

  (#2 (permalink)) Old
Mark Rejhon Offline
Retired BBF Moderator
 
 
Posts: 4,754
Join Date: Aug 2004
Location: Ottawa, Ontario, Canada
Model: 8310
Carrier: Rogers
Default 03-18-2005, 10:02 AM

I have notified others in Idokorro about your situation.

I am wondering: Can you connect using a desktop client from inside your LAN to that same outside host? If not, your firewall needs to be adjusted to allow outgoing SSH connections.

This is necessary because the SSH connection goes through your intranet BES server before connecting to outside hosts. If you are using a BES, MobileSSH can be made subject to the same restrictions as the intranet that your BES server resides on. Just double-checking whether you were aware of this.


Thanks,
Mark Rejhon

   
  (#3 (permalink)) Old
WhiteRonin Offline
Knows Where the Search Button Is
 
 
Posts: 26
Join Date: Feb 2005
Location: Rove
Model: 8310
Carrier: Rogers
Default 03-18-2005, 10:16 AM

Hi field172,

MobileSSH does not create any log files unfortunately. In addition to what Mark suggested you may also want to check the following.

Since you can connect to servers inside your firewall I agree that your MDS should be properly configured.

The connection from your BlackBerry to this server will go through your BES. You mentioned you can connect from your desktop, but can you connect from your BES using the same hostname or IP Address that you specified on your BlackBerry?

I think I've just suggested the same thing that Mark did though.

If you are still having difficulties I encourage you to contact [email address] for assistance.
   
  (#4 (permalink)) Old
field172 Offline
Knows Where the Search Button Is
 
Posts: 27
Join Date: Mar 2005
Location: GTA (Toronto)
Model: 8830
Carrier: BellMob
Default 03-18-2005, 11:59 AM

Thanks for your super quick replies Mark and WhiteRonin,

I suspect there is an issue somewhere between our BES and our Internet Proxy server. I assumed it should work on 443 since our proxy passes all traffic on 80 and 443 (hence my selection of 443 for my SSH server out there on the 'net).
I can use my BB browser through our BES and successfully hit http and https web-sites so I assume MobileSSH on my BB through my BES would also work; evidently my assumption was incorrect.

I don't know much about BES, can it be configured to use/not use proxies per application? Maybe it proxies BB browser traffic out to the Internet but it's not proxying the MobileSSH traffic?

I'll have to bug my BES admins to help with this but them fella's is up to der eyeballs with more important things for the next week or so.

Thanks for trying guys,

field172.
   
  (#5 (permalink)) Old
WhiteRonin Offline
Knows Where the Search Button Is
 
 
Posts: 26
Join Date: Feb 2005
Location: Rove
Model: 8310
Carrier: Rogers
Default 03-18-2005, 01:38 PM

I believe the Mobile Data Service on the BES only proxies HTTP and HTTPS traffic.

Mobile SSH on the other hand is trying to open a socket connection rather than an HTTP connection (even if it is to an HTTPS port) so I do not believe it is actually going through your proxy server. That may be why you are having trouble reaching a server outside of your firewall.
   
  (#6 (permalink)) Old
Mark Rejhon Offline
Retired BBF Moderator
 
 
Posts: 4,754
Join Date: Aug 2004
Location: Ottawa, Ontario, Canada
Model: 8310
Carrier: Rogers
Default 03-18-2005, 01:59 PM

That's right...

How MDS works on BES, is that it acts as a gateway (NAT) rather than a proxy server. Basically, when you use MobileSSH, you're connecting through your BES and your BES redirects the connection back out. MDS also provides a fully encrypted tunnel between your BlackBerry and your BES server (an additional 2nd layer of encryption on top of SSH encryption!)

The "MDS" connection flows more or less like the following:

MobileSSH -> Carrier -> BlackBerry.net -> Into your Intranet -> Your BES -> Back out to Internet -> Destination Host

BES kind of acts like a software-based router for MDS connections, rather than as a proxy server.

(1) Make sure MDS is enabled on your BES server
(2) If you need to access SSH hosts outside your corporate Intranet, make sure that your corporate firewall that your BES is connected to has outgoing port 22 enabled.

A litmus test would be to install a desktop SSH client on a computer inside your Intranet, and test from there. If your desktop SSH can't "get out" on port 22 on an external host, your BlackBerry cannot either. (I am assuming, of course, the most common network topology of the BES server being on the same Intranet as your office desktop computer, where you may use a desktop-based SSH client from.) Once this is fixed, and your desktop SSH works, then your MobileSSH should work assuming the BES is configured correctly, because it hops into and out of your corporate network. If it works from your office desktop, try getting the sysadmin (you?) to test a Windows-based SSH session from the same server that BES resides on (if you already have an SSH client on that computer) to a known external trusted SSH host. This may help troubleshoot any port-blocking issues for firewalls, such as any software-based firewall installed on the BES computer that may not exist on your office desktop. Firewall policies vary from company to company, so there may be a reason why outgoing port 22 is not allowed.

There's an alternative method if you want to bypass this altogether. With MobileSSH 2.0, you can use the BlackBerry's own TCP/IP stack instead of using the BES server. (Session List->Click Wheel->Settings) Then you would not be limited by your corporate firewall's restrictions, but your corporation would not be able to log these connections. Your BlackBerry would need to support a TCP/IP stack, and this is sometimes tricky to configure on certain carriers.

(Note: If there's a need for full auditing and monitoring of telnet/SSH connections, then the higher-end Idokorro MobileAdmin product provides that in the "Mobile Terminal" telnet/ssh component of Mobile Admin. MobileAdmin also supports extra security features that certain organizations may need)


Thanks,
Mark Rejhon


Last edited by Mark Rejhon : 03-18-2005 at 02:16 PM.
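
The litmus test described in this thread, as an added example (not part of any post, and not Idokorro or RIM code): a Python probe to run from the office desktop or the BES host. It opens a direct socket, the way the MDS gateway is described as doing, or optionally tunnels through an HTTP proxy with CONNECT, the way the proxied PuTTY session does, and reports whether an SSH banner comes back. The function names and status strings are assumptions made for this example.

```python
import socket

def read_until(sock, marker, limit=4096):
    """Read one byte at a time so nothing past the marker is consumed."""
    data = b""
    while marker not in data and len(data) < limit:
        chunk = sock.recv(1)
        if not chunk:          # peer closed the connection
            break
        data += chunk
    return data

def probe_ssh(host, port, proxy=None, timeout=5.0):
    """Return (status, detail) for an outbound SSH reachability check.

    proxy=None          -> plain TCP socket (the path a gateway/NAT hop takes)
    proxy=(phost,pport) -> HTTP CONNECT tunnel (the path a proxied client takes)
    """
    target = proxy or (host, port)
    try:
        sock = socket.create_connection(target, timeout=timeout)
    except OSError as exc:     # refused, filtered (timeout) or unroutable
        return ("blocked", f"TCP connect to {target[0]}:{target[1]} failed: {exc}")
    with sock:
        sock.settimeout(timeout)
        try:
            if proxy:
                request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
                sock.sendall(request.encode("ascii"))
                reply = read_until(sock, b"\r\n\r\n")
                status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
                fields = status_line.split()
                if len(fields) < 2 or fields[1] != "200":
                    return ("proxy-refused", status_line)
            # An SSH server speaks first: its identification line starts "SSH-".
            banner = read_until(sock, b"\n").decode("latin-1").strip()
        except OSError as exc: # connected, but nothing usable came back in time
            return ("no-banner", str(exc))
    if banner.startswith("SSH-"):
        return ("ssh", banner)
    return ("not-ssh", banner) # something else answered on that port

if __name__ == "__main__":
    import sys                 # usage: probe.py HOST PORT [PROXY_HOST PROXY_PORT]
    args = sys.argv[1:]
    via = (args[2], int(args[3])) if len(args) == 4 else None
    print(probe_ssh(args[0], int(args[1]), proxy=via))
```

A result of `ssh` through the proxy but `blocked` on the direct attempt from the same machine matches the situation in this thread: the proxy passes 443, while a raw outbound socket is stopped at the firewall.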
   
  (#7 (permalink)) Old
field172 Offline
Knows Where the Search Button Is
 
Posts: 27
Join Date: Mar 2005
Location: GTA (Toronto)
Model: 8830
Carrier: BellMob
Default 03-18-2005, 02:24 PM

Thanks for the detailed explanations.

I'll try to test it right from the BES (using an SSH client to this outside host on 443), that's a good suggestion.

FYI: I CAN get to my outside host on port 443 with an SSH client from my desktop PC which is proxied and behind numerous firewalls (I do have to tell the app, Putty, to connect to the proxy and login in order to have it talk to the outside world).

Mark - I'd love to go direct and bypass the BES but as you know my Bell 7250 has no TCP/IP stack available at this time. This is a shame since it would be very useful to have this available.

Regards,
field172.
   
  (#8 (permalink)) Old
Mark Rejhon Offline
Retired BBF Moderator
 
 
Posts: 4,754
Join Date: Aug 2004
Location: Ottawa, Ontario, Canada
Model: 8310
Carrier: Rogers
Default 03-18-2005, 02:43 PM

Let me know how that goes.

The same advice would also apply to port 443 as well as port 22, since that should technically go through the same MDS method.

I understand about Bell Mobility. I hope that in a few months that Bell Mobility will permit a TCP/IP stack just like on all other North American carriers (even including Verizon 7250 which works with MobileSSH without BES), since not all businesses have a BES server. No promises, though about Bell...


Thanks,
Mark Rejhon


Last edited by Mark Rejhon : 03-18-2005 at 02:46 PM.
   