03-19-2007, 04:29 PM  #1
Knows Where the Search Button Is
Join Date: Mar 2007
Location: PA
Model: 8700
Carrier: Cingular
Posts: 16
BES in DMZ or behind Firewall
I've set up a BES, but we're reluctant to open the port in the firewall. Do I have any other options? I was told to set up the BES in a DMZ, but there's issues with that too.
03-19-2007, 05:03 PM  #2
Thumbs Must Hurt
Join Date: Apr 2005
Location: Toronto, ON
Model: 8100
Carrier: Rogers
Posts: 108
A BES server in the DMZ is not a supported configuration. However, you can set up a remote BlackBerry Router in the DMZ. The BES can be situated in the internal network and connect to the BlackBerry Router, which in turn talks to the SRP network. The BlackBerry Router in the DMZ will still need to initiate an outbound bi-directional connection using port 3101.
One advantage of this setup is that multiple BES servers can use the BlackBerry Router in the DMZ.
03-20-2007, 04:26 AM  #3
BlackBerry Extraordinaire
Join Date: Feb 2005
Location: Port 3101.org
Model: .
Carrier: .
Posts: 2,491
Don't do DMZ. For instructions for a supported configuration click on the link in my signature.
03-22-2007, 05:38 PM  #4
Thumbs Must Hurt
Join Date: Apr 2005
Location: Toronto, ON
Model: 8100
Carrier: Rogers
Posts: 108
...but the BES Router in the DMZ is supported.
03-23-2007, 05:37 AM  #5
BlackBerry Extraordinaire
Join Date: Feb 2005
Location: Port 3101.org
Model: .
Carrier: .
Posts: 2,491
Yes, the router segment of the BES can be if you want a segregated install but theitdude was asking about installing the entire BES in the DMZ I think. If you don't need to do it, I don't see why you would ever want to consider it.
03-23-2007, 11:39 AM  #6
Thumbs Must Hurt
Join Date: Apr 2005
Location: Toronto, ON
Model: 8100
Carrier: Rogers
Posts: 108
For sure. I had one client who had a policy about internal servers hitting the Internet directly, so we installed the BlackBerry Router in the DMZ.
03-23-2007, 11:51 AM  #7
Knows Where the Search Button Is
Join Date: Feb 2006
Location: Atlanta
Model: 8100
Carrier: Tmobile
Posts: 36
I don't see why you'd need to put it on the DMZ when it's just an outgoing connection on the one port; it's not like you have to have two-way communication open on several ports, where there'd be a real risk.
03-23-2007, 12:05 PM  #8
Thumbs Must Hurt
Join Date: Apr 2005
Location: Toronto, ON
Model: 8100
Carrier: Rogers
Posts: 108
It was just a client policy. They had 2 firewalls that we had to configure to make this work.
03-27-2007, 04:13 AM  #9
Knows Where the Search Button Is
Join Date: Mar 2007
Location: PA
Model: 8700
Carrier: Cingular
Posts: 16
I have everything working with the router in the DMZ and the other services on an internal server. It makes the network security guys happy too.
03-27-2007, 08:38 AM  #10
Thumbs Must Hurt
Join Date: Apr 2005
Location: Toronto, ON
Model: 8100
Carrier: Rogers
Posts: 108
Good stuff. Moving forward, if you add a second BES, you can just point at the same BlackBerry router.
03-27-2007, 08:54 AM  #11
BlackBerry Extraordinaire
Join Date: Sep 2005
Location: Congested Islet of "Foreign Talents" (> 45% of workforce) - Singapore.
Model: Z10
OS: 10.0.0
PIN: NUKE(PAP)
Carrier: Singtel
Posts: 1,504
Thanks aschieman for sharing. I'm interested to know what the BlackBerry Server Configuration panel settings will look like. Could you please share with us? E.g., for the Router Host, instead of "localhost", I guess you must have maintained it as the IP address of the remote Router? etc... Any other changes needed?
03-30-2007, 10:53 PM  #13
Knows Where the Search Button Is
Join Date: Aug 2006
Location: North of Mizzou
Model: 9700
OS: 5.0.0.330
Carrier: T-Mobile
Posts: 48
Not sure what the big deal about placing the BES in a DMZ is... we've successfully done so with 6 BES servers, essentially placing them on their own network segment. The firewall allows all traffic from the internal LAN to the BES segment, but we had to punch holes to allow the traffic from the BES segment to the internal LAN.
The reason we do so is because the traffic between BES and the outside world (and the traffic between modularized BES components) is encrypted, thus limiting the visibility we have into that traffic to see what's being transmitted over the wire(s). Our Info Security folks didn't like that at all, so we found a way to make BES work in a DMZ; traffic locked down to IP-to-IP traffic from DMZ to internal, and YES, RIM does support this; there is documentation in the online support site/knowledge center.
Another reason they wanted this done is they'd rather limit the risk of one of the BES servers being hijacked and granting access to the rest of our internal servers vs. relying on humans to manage software configuration and policy (of course, we still have to do that, too!).
All in all, not as difficult as we expected and certainly a great learning experience... did I spin that right?
04-19-2007, 01:12 AM  #14
Thumbs Must Hurt
Join Date: Feb 2006
Location: Canada
Model: 7250
Carrier: Telus
Posts: 131
Quote:
Originally Posted by theitdude
I've set up a BES, but we're reluctant to open the port in the firewall. Do I have any other options? I was told to set up the BES in a DMZ, but there's issues with that too.
Sorry, but this is the dumbest thing I have heard from someone. You are running BES under Windows Server, which is not the most secure OS on the market, and you want to connect it to the DMZ so that you don't have to open a port on your firewall?
Uhm... I bet you didn't know that on most high-end firewalls you must set up rules in order to send/receive traffic; that also includes setting up the same kind of rules on your DMZ.
Stop being lazy and open the damn port!
Andrew
04-22-2007, 11:10 AM  #15
BlackBerry Extraordinaire
Join Date: Feb 2006
Location: YYZ
Model: 9900
Carrier: Rogers
Posts: 1,183
Quote:
Originally Posted by theitdude
I've set up a BES, but we're reluctant to open the port in the firewall. Do I have any other options? I was told to set up the BES in a DMZ, but there's issues with that too.
So instead of opening only 3101 outbound from the LAN to the Internet, you'll open 3101 outbound from the DMZ to the Internet, and whatever else the BES needs to talk to Exchange from the DMZ to the LAN? And that is more secure how???
04-22-2007, 11:14 AM  #16
BlackBerry Extraordinaire
Join Date: Feb 2006
Location: YYZ
Model: 9900
Carrier: Rogers
Posts: 1,183
Quote:
Originally Posted by twinkiefan
Not sure what the big deal about placing the BES in a DMZ is...we've successfully done so with 6 BES servers, essentially placing them on their own network segment. Firewall allows all traffic from internal LAN to the BES segment, but had to punch holes to allow the traffic from BES segment to the internal LAN.
The reason we do so is because the traffic between BES and the outside world (and the traffic between modularized BES components) is encrypted, thus limiting the visibility we have into that traffic to see what's being transmitted over the wire(s). Our Info Security folks didn't like that at all, so we found a way to make BES work in a DMZ; traffic locked down to IP-to-IP traffic from DMZ to internal and YES, RIM does support this, there is documentation in the online support site/knowledge center.
Another reason they wanted this done is they'd rather limit the risk of one of the BES servers being hijacked and granting access to the rest of our internal servers vs. relying on humans to manage software configuration and policy (of course, we still have to do that, too!).
All in all, not as difficult as we expected and certainly a great learning experience...did I spin that right?
Realize that any hacker worth his salt, if he gains access to a server in the DMZ that has a constant connection to the LAN, like a BES, will walk right through those holes. If the BES is on the LAN, you only have one outbound port to open, for one specific server. With BES in the DMZ, that port is still open, but then how many ports did you have to open for the BES to talk to the LAN?
DMZs were a great concept when we could get away with that segment never talking to the LAN. As soon as you start opening ports between the DMZ and the LAN, all you are really doing is adding complexity for your IT staff and not really slowing down hackers.
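The trade-off argued across posts #2, #13 and #16 (how many DMZ-to-LAN holes each placement needs, and what a host in the DMZ could reach once compromised) can be made concrete by modelling each placement as a default-deny stateful firewall policy. This is an added example, not code from the thread or from RIM. Assumptions not stated in the thread: the BES reaches a remote BlackBerry Router on TCP 3101 (the same port the Router uses toward SRP), and a BES in the DMZ also needs SQL (TCP 1433) back to its configuration database. MAPI over RPC (TCP 135 plus dynamic high ports) and LDAP (TCP 389) are the standard Exchange/Active Directory ports post #19 refers to.

```python
# Added example (not from the thread): model the three placements discussed
# as default-deny stateful policies and compare the DMZ -> LAN exposure.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # zone that initiates the connection
    dst: str      # zone it is initiated to
    port: str     # e.g. "tcp/3101", "tcp/dynamic-rpc", or "any"
    purpose: str


# Placement 1 (posts #3, #15, #16): BES with its local Router on the LAN.
BES_ON_LAN = [
    Rule("lan", "internet", "tcp/3101", "BES -> RIM SRP"),
]

# Placement 2 (post #2): BlackBerry Router in the DMZ, BES on the LAN.
# The BES initiates to the Router, so nothing in the DMZ initiates to the LAN.
ROUTER_IN_DMZ = [
    Rule("dmz", "internet", "tcp/3101", "Router -> RIM SRP"),
    Rule("lan", "dmz", "tcp/3101", "BES -> Router (port is an assumption)"),
]

# Placement 3 (post #13): the whole BES in the DMZ. It must reach Exchange
# over MAPI/RPC and the directory over LDAP (post #19); the SQL rule for the
# configuration database is an assumption about a typical deployment.
BES_IN_DMZ = [
    Rule("dmz", "internet", "tcp/3101", "BES -> RIM SRP"),
    Rule("lan", "dmz", "any", "LAN admins/servers -> BES segment (post #13)"),
    Rule("dmz", "lan", "tcp/135", "MAPI: RPC endpoint mapper -> Exchange"),
    Rule("dmz", "lan", "tcp/dynamic-rpc", "MAPI: RPC high ports -> Exchange"),
    Rule("dmz", "lan", "tcp/389", "LDAP -> domain controller"),
    Rule("dmz", "lan", "tcp/1433", "SQL -> BES configuration DB (assumed)"),
]

PLACEMENTS = {
    "BES on LAN": BES_ON_LAN,
    "Router in DMZ": ROUTER_IN_DMZ,
    "BES in DMZ": BES_IN_DMZ,
}


def allowed(policy, src, dst, port):
    """Default deny: a flow is permitted only if a rule matches the direction
    it is initiated in. Reply packets ride the state table and need no rule,
    which is why the outbound-only 3101 design needs nothing inbound."""
    return any(r.src == src and r.dst == dst and r.port in (port, "any")
               for r in policy)


def holes(policy, src, dst):
    """Rules that let a host in `src` open connections into `dst`."""
    return [r for r in policy if r.src == src and r.dst == dst]


def pivot_reach(policy, compromised_zone):
    """Everything an attacker who owns a host in `compromised_zone` may
    initiate to, i.e. the blast radius post #16 is worried about."""
    return sorted({(r.dst, r.port) for r in policy if r.src == compromised_zone})


def compare(placements):
    """(name, number of DMZ->LAN holes, reach from a compromised DMZ host)."""
    return [(name, len(holes(policy, "dmz", "lan")), pivot_reach(policy, "dmz"))
            for name, policy in placements.items()]


if __name__ == "__main__":
    for name, n_holes, reach in compare(PLACEMENTS):
        print(f"{name:14} DMZ->LAN holes: {n_holes}  "
              f"reachable from a compromised DMZ host: {reach}")
```

Running it shows the point both sides of the thread circle around: the Router-in-DMZ design needs zero DMZ-to-LAN rules (the BES opens the connection to the Router), while a full BES in the DMZ needs an RPC endpoint-mapper rule plus a dynamic high-port range toward Exchange, which is exactly the "messy firewall rules" post #19 warns about and the pivot path post #16 describes.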
10-10-2007, 03:42 AM  #17
New Member
Join Date: May 2007
Model: 7290
PIN: N/A
Carrier: TIM GR
Posts: 7
Hi,
I have a customer and we have installed BES on the LAN and the BlackBerry Router in the DMZ (customer's request). Now they want to change the IP of the router. Can anyone tell me what changes have to be done to the servers that have BES and the BlackBerry Router?
Thanks in advance.
10-10-2007, 06:24 AM  #18
BlackBerry Genius
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632
If they're using DNS to the host, you'd just need to update internal DNS, flush the cache, and restart services for good measure. Otherwise, just update the field(s) mentioned in this article:
How to move from a local to a remote BlackBerry Router service
Also, make sure any current ports open between these IPs are open for the new IP in the firewall(s).
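The two things that go wrong in the cutover described above are a stale name (the BES still resolving the Router to the old address) and firewall rules still keyed to the old IP, so the name resolves but the handshake never completes. The following script, an added example that is not from the thread or from RIM, is meant to be run from the BES host after the DNS or Router Host change and checks both in order. The hostname and address in the usage line are assumptions, as is TCP 3101 being the BES-to-Router port; the resolver and connector are injectable so the decision logic can be exercised without a live network.

```python
# Added example (not from the thread): pre-cutover check for moving the remote
# BlackBerry Router to a new IP. Run on the BES after the DNS/config change.
import socket
from dataclasses import dataclass, field

ROUTER_PORT = 3101  # BES -> remote Router; assumed to match the Router -> SRP port


@dataclass
class CutoverCheck:
    router_host: str
    expected_ip: str
    resolved: list = field(default_factory=list)
    dns_ok: bool = False
    tcp_ok: bool = False
    detail: str = ""


def resolve_host(host):
    """Every address the BES would get for the Router name (an IP literal
    resolves to itself, which covers a Router Host field holding an IP)."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_connect(ip, port, timeout=3.0):
    """TCP handshake only, no application data. A timeout usually means the
    firewall rule for the new IP is missing; a refusal means the Router
    service is not listening on that address yet."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True, "handshake completed"
    except OSError as exc:
        return False, f"{type(exc).__name__}: {exc}"


def check_router_cutover(router_host, expected_ip, port=ROUTER_PORT,
                         resolver=resolve_host, connector=tcp_connect):
    """1. The name must already resolve to the new IP (else: fix DNS, flush
    the BES resolver cache).  2. TCP 3101 to that IP must open (else: re-key
    the firewall rules that referenced the old IP)."""
    result = CutoverCheck(router_host, expected_ip)
    result.resolved = resolver(router_host)
    if expected_ip not in result.resolved:
        result.detail = ("name does not resolve to the new IP yet: update DNS, "
                         "flush the resolver cache on the BES, then re-run")
        return result
    result.dns_ok = True
    result.tcp_ok, result.detail = connector(expected_ip, port)
    if not result.tcp_ok:
        result.detail += ("; open the same ports for the new IP in every "
                          "firewall on the path before restarting services")
    return result


if __name__ == "__main__":
    # Assumed names for illustration; substitute the real Router host and new IP.
    r = check_router_cutover("bbrouter.dmz.example.com", "192.0.2.10")
    print(f"resolved={r.resolved} dns_ok={r.dns_ok} tcp_ok={r.tcp_ok}: {r.detail}")
```

Only when both checks pass does it make sense to restart the BES services; if the Router Host field holds an IP rather than a name, pass that IP as `router_host` and the DNS step degrades to a simple equality check.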
10-12-2007, 10:52 AM  #19
New Member
Join Date: Feb 2005
Location: Ottawa
Model: 8700
Carrier: Bell/Rogers/
Posts: 11
Quote:
Originally Posted by twinkiefan
Not sure what the big deal about placing the BES in a DMZ is...we've successfully done so with 6 BES servers, essentially placing them on their own network segment. Firewall allows all traffic from internal LAN to the BES segment, but had to punch holes to allow the traffic from BES segment to the internal LAN.
The reason we do so is because the traffic between BES and the outside world (and the traffic between modularized BES components) is encrypted, thus limiting the visibility we have into that traffic to see what's being transmitted over the wire(s). Our Info Security folks didn't like that at all, so we found a way to make BES work in a DMZ; traffic locked down to IP-to-IP traffic from DMZ to internal and YES, RIM does support this, there is documentation in the online support site/knowledge center.
Another reason they wanted this done is they'd rather limit the risk of one of the BES servers being hijacked and granting access to the rest of our internal servers vs. relying on humans to manage software configuration and policy (of course, we still have to do that, too!).
All in all, not as difficult as we expected and certainly a great learning experience...did I spin that right?
Technically this config is not supported. I have talked to our RIM technical rep on this. Support would be "best effort." The main issue is the amount of traffic between the BES and the mail server; the BES doesn't respond well to latency here, especially if you are using Exchange. You would also be dealing with some messy firewall rules to allow the MAPI and LDAP traffic over the firewall (again, for Exchange).