[sjk_s]

Hi All,

I am new to blackberry server and would like your guidance and suggestion for the new setup. Below is my current exchange setup

Exchange Setup :

All our emails are coming in and going out via an email security appliance i.e.
For all incoming emails -> come to Firewall - > security appliance -> Exchange Server
Similarly
For all outgoing emails -> exchange server - > security appliance ->out of Firewall

We are planning to install the BES Express software which is free version as we are not expecting more than 15 users.

Our exchange server is residing in our datacenter and we have a vpn tunnel from datacenter to our office with full access.

1) I would like to avoid setting it up on the same exchange server and was wondering if we can install BES Express running in our office and connect to exchange server running in datacenter via vpn tunnel ?

2) If the above will create issues, can I install vmware player on the exchange server which is a DC and run the BES Express Server via vmware?

3) Or for the current scenario installing on the exchange server is the only option ?

4) If BES express is installed in office and exchange in datacenter, in which firewall do i need to open the port 3101? in datacenter or our office ?

5) How will BES Express work via an smart host or email security appliance - what would be the actual flow of email - as I want all the emails to come and go via the email security appliance i.e. in either situations ie if BES is running in our office or if its running in datacenter ?

Pls let me know.

SJK

[x14]

For that limited amount of people there is no reason to install BES on a seperate server especially with a VPN connection in between.

Smart Host has zero impact on BES because BES uses the mail environment to route mail. As long as mail is routing properly within your Exchange environment BES will work fine.

[hdawg]

Quote:

1) I would like to avoid setting it up on the same exchange server and was wondering if we can install BES Express running in our office and connect to exchange server running in datacenter via vpn tunnel ?

I'd recommend doing exactly this ... give BES its own operating system with no Domain Controller or Exchange server on it.

Quote:

2) If the above will create issues, can I install vmware player on the exchange server which is a DC and run the BES Express Server via vmware?

RIM supports ESX 2.5.2 ... that said, it works on Microsoft Virtual server and other virtual platforms. Pretty much if the virtualization application supports the OS that the BES is running on ... it'll work. It won't be supported by RIM, but it'll work.

Quote:

3) Or for the current scenario installing on the exchange server is the only option ?

Nope.

Quote:

4) If BES express is installed in office and exchange in datacenter, in which firewall do i need to open the port 3101? in datacenter or our office ?

Port 3101 Outbound initiated from BES to RIMs network.

Quote:

5) How will BES Express work via an smart host or email security appliance - what would be the actual flow of email - as I want all the emails to come and go via the email security appliance i.e. in either situations ie if BES is running in our office or if its running in datacenter ?

Previously answered. BES is a middle-ware application. It simply injects mail into Exchange and sucks out mail to deliver to HHs; it is not a mail delivery agent.

Pls let me know.

SJK[/QUOTE]

[sjk_s]

Thankyou very much for your reply.

So I need not open any port in the datacenter where exchange server is and I need to open outgoing port only in our office firewall where the BES server is residing.

So by doing this the blackberry users can send and receive emails or its one way ?

I am a bit confused here as to I just wanted to know how exactly the flow of email would be when blackbery is in place i.e. below scenario

Datacenter firewall-> Spam filter appliance ->Exchange Server ->VPN Tunnel <->Office Firewall ->BES Express Server->Outgoing port 3101

How exactly will the blackberry device interact with RIM's network via the above setup to send and receive emails ?

Thanks in advance for all ur help.

[hdawg]

Quote:

So I need not open any port in the datacenter where exchange server is and I need to open outgoing port only in our office firewall where the BES server is residing.

So by doing this the blackberry users can send and receive emails or its one way ?

As long as there isn't stopping BES <-> Exchange / SQL / AD communication and port 3101 to RIM; correct.

Quote:

I am a bit confused here as to I just wanted to know how exactly the flow of email would be when blackbery is in place i.e. below scenario

Datacenter firewall-> Spam filter appliance ->Exchange Server ->VPN Tunnel <->Office Firewall ->BES Express Server->Outgoing port 3101

How exactly will the blackberry device interact with RIM's network via the above setup to send and receive emails ?

See the document attached to this post for how message flow works with BES. All routing from BES to / from Exchange is done via MAPI.

[sjk_s]

Thankyou very much, this is exactly what I needed to understand i.e. the flow and this document is really very helpful.

Now as per the document in step 3 i.e The message reaches the corporate firewall, where it passes through port 3101 to the BlackBerry Enterprise Server. - For this to work, I need to open port 3101 inbound also in the firewall from the RIM network to the BES server right ?

If yes, then do I need to assign a public IP to BES server and have a rule like
From RIMS Network to BES Public -allow port 3101 ?

Or

It should be port forwarding i.e. allow 3101 traffic from RIM's network to BES private IP ?

Pls let me know which would be ideal from security point of view and functional for BES.

Second question is in step 4 i.e. The BlackBerry Enterprise Server decrypts the message, decompresses it, and routes it to the messaging server. - In this flow are there any chances of a spam or virus attack where a blackberry device i.e source can be spoofed or something of that sort ? or the PIN number of a blackberry device is unique using which we register a device to BES express Server and cannot be altered in anyway, the main reason being the BES will be routing mail to exchange directly and not via the email security appliance if I understood it right?

i.e. Steps 1-5 in my environment for our domain users sending email out to other domain users will be Blackberry User Device->RIM's N/W->office firewall ->Allow Incoming port 3101->BES Express Server<->VPN Tunnel ->Exchange Server -> Spam filter appliance->Datacenter firewall->Internet

and if some outside domain blackberry device is sending emails to our domain users steps 6-11 will be

Internet->Datacenter firewall->Allow SMTP traffic-> Spam filter appliance ->Exchange Server ->VPN Tunnel <->BES Express Server->Outgoing port 3101->RIM N/W-> Blackberry User Device

Pls let me know.

[hdawg]

Quote:

Thankyou very much, this is exactly what I needed to understand i.e. the flow and this document is really very helpful.

Unfortunately, and I'll address this throughout the rest of the response, you don't understand the flow ... at least from a firewall perspective.

Quote:

Now as per the document in step 3 i.e The message reaches the corporate firewall, where it passes through port 3101 to the BlackBerry Enterprise Server. - For this to work, I need to open port 3101 inbound also in the firewall from the RIM network to the BES server right?

No, you do not. When a connection is made from a server behind your firewall to a destination on the Internet (or anywhere else for that matter), as long as their isn't a proxy server manipulating data (which isn't supported with BlackBerry unless it is transparent to BES) the connection is bi-directional. You only need to open port 3101 outbound initiated, once the BES opens the connection to RIMs NOC, the NOC can then push data back into your network to your BES. You don't need to open 3101 inbound as the NOC will never be initiating any connections with your BES. A connection is opened and it stays open ... if it ever drops, the BES re-establishes the connection. Yes, this means that for every BES in the world there are persistently open connections to RIMs SRP networks.

Quote:

If yes, then do I need to assign a public IP to BES server and have a rule like
From RIMS Network to BES Public -allow port 3101 ?

See Above.

Quote:

Or

It should be port forwarding i.e. allow 3101 traffic from RIM's network to BES private IP ?

No, see above; you don't need to allow traffic from RIMs network to the BES.

Quote:

Pls let me know which would be ideal from security point of view and functional for BES.

Previously answered.

Quote:

Second question is in step 4 i.e. The BlackBerry Enterprise Server decrypts the message, decompresses it, and routes it to the messaging server. - In this flow are there any chances of a spam or virus attack where a blackberry device i.e source can be spoofed or something of that sort ? or the PIN number of a blackberry device is unique using which we register a device to BES express Server and cannot be altered in anyway, the main reason being the BES will be routing mail to exchange directly and not via the email security appliance if I understood it right?

Every bit of data that is sent from a BB HH which is destined to its BES is encrypted with a master encryption key that the BES and the HH establish during the Enterprise Activation process. For this spoofing to happen, the device would need to be spoofed and the master encryption key for the device must be compromised ... this hasn't happened yet (at least publicly), and its certainly not something I spend any thought on.

Quote:

i.e. Steps 1-5 in my environment for our domain users sending email out to other domain users will be Blackberry User Device->RIM's N/W->office firewall ->Allow Incoming port 3101->BES Express Server<->VPN Tunnel ->Exchange Server -> Spam filter appliance->Datacenter firewall->Internet

NO, incoming port 3101 isn't needed. A session between the BES and RIMs NOC has already been established, therefore no additional port(s) need be opened. The already open connection between the BES and RIMs NOC allows for RIM to push the data from the HH into your network to your BES for message delivery. The rest of the model is correct.

Quote:

and if some outside domain blackberry device is sending emails to our domain users steps 6-11 will be

Internet->Datacenter firewall->Allow SMTP traffic-> Spam filter appliance ->Exchange Server ->VPN Tunnel <->BES Express Server->Outgoing port 3101->RIM N/W-> Blackberry User Device

Correct. I hope this explains it a bit. If you're still confused I think it may just be your understanding of how firewalls work.

Much like on a firewall you don't have to open port 80 inbound to any PC on your network for them to browse the web, you only need to open port 80 outbound ... RIMs SRP connection works much the same. The port 80 connection is established with a web server, and the web server pushes data back through the socket opened. Just imagine the BES has having that one socket opened ... but constantly.

[sjk_s]

Thankyou very much for your detailed reply. I really appreciate it. I now fully understand the flow and the connectivity between the RIM's network and Black berry user.

Now I have a last qeneric question i.e for people who have a blackberry device and have exchange in their company but do not have provision to install BES inhouse so does any company provide this service i.e. if the users receive any email in their inbox it can be received in their blackberry as well and they can reply it too - Just wanted to know if there is any hosting service available for this scenario ..

Thanks once again for all your help and excellent guidance.

[sjk_s]

I found the answer to my previous question in below link :

Verizon Wireless - BlackBerry Email System Requirements

Thanks once again for all ur help.