BlackBerry Forums Support Community
Old 03-19-2007, 04:29 PM   #1
theitdude
Knows Where the Search Button Is
 
Join Date: Mar 2007
Location: PA
Model: 8700
Carrier: Cingular
Posts: 16
BES in DMZ or behind Firewall


I've set up a BES, but we're reluctant to open the port in the firewall. Do I have any other options? I was told to set up the BES in a DMZ, but there's issues with that too.
Old 03-19-2007, 05:03 PM   #2
aschieman
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Toronto, ON
Model: 8100
Carrier: Rogers
Posts: 108

A BES server in the DMZ is not a supported configuration. However, you can set up a remote BlackBerry Router in the DMZ. The BES can be situated in the internal network and connect to the BlackBerry Router, which in turn talks to the SRP network. The BlackBerry Router in the DMZ will still need to initiate an outbound bi-directional connection using port 3101.

One advantage of this setup is multiple BES servers can use the BlackBerry Router in the DMZ.
Old 03-20-2007, 04:26 AM   #3
BBAdmin
BlackBerry Extraordinaire
 
Join Date: Feb 2005
Location: Port 3101.org
Model: .
Carrier: .
Posts: 2,491

Don't do DMZ. For instructions for a supported configuration click on the link in my signature.
Old 03-22-2007, 05:38 PM   #4
aschieman
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Toronto, ON
Model: 8100
Carrier: Rogers
Posts: 108

...but the BES Router in the DMZ is supported.
Old 03-23-2007, 05:37 AM   #5
BBAdmin
BlackBerry Extraordinaire
 
Join Date: Feb 2005
Location: Port 3101.org
Model: .
Carrier: .
Posts: 2,491

Yes, the router segment of the BES can be if you want a segregated install but theitdude was asking about installing the entire BES in the DMZ I think. If you don't need to do it, I don't see why you would ever want to consider it.
Old 03-23-2007, 11:39 AM   #6
aschieman
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Toronto, ON
Model: 8100
Carrier: Rogers
Posts: 108

For sure. I had one client who had a policy about internal servers hitting the Internet directly, so we installed the BlackBerry Router in the DMZ.
Old 03-23-2007, 11:51 AM   #7
Lokean
Knows Where the Search Button Is
 
Join Date: Feb 2006
Location: Atlanta
Model: 8100
Carrier: Tmobile
Posts: 36

I don't see why you'd need to put it on the DMZ when it's just an outgoing connection on the one port; it's not like you have to have two-way communication open on several ports, where there'd be a real risk.
Old 03-23-2007, 12:05 PM   #8
aschieman
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Toronto, ON
Model: 8100
Carrier: Rogers
Posts: 108

It was just a client policy. They had 2 firewalls that we had to configure to make this work.
Old 03-27-2007, 04:13 AM   #9
theitdude
Knows Where the Search Button Is
 
Join Date: Mar 2007
Location: PA
Model: 8700
Carrier: Cingular
Posts: 16

I have everything working with the router in the DMZ and the other services on an internal server. It makes the network security guys happy too.
Old 03-27-2007, 08:38 AM   #10
aschieman
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Toronto, ON
Model: 8100
Carrier: Rogers
Posts: 108

Good stuff. Moving forward, if you add a second BES, you can just point at the same BlackBerry router.
Old 03-27-2007, 08:54 AM   #11
noname
BlackBerry Extraordinaire
 
Join Date: Sep 2005
Location: Congested Islet of "Foreign Talents" (> 45% of workforce) - Singapore.
Model: Z10
OS: 10.0.0
PIN: NUKE(PAP)
Carrier: Singtel
Posts: 1,504

Thanks aschieman for sharing. I'm interested to know what the BlackBerry Server Configuration panel settings will look like. Could you please share with us? E.g. for the Router Host, instead of "localhost", I guess you must have entered the IP address of the remote Router? etc... Any other changes needed?
__________________
Native but 4th class citizen of a nation governed by idiots who import congestions & contention.
Old 03-27-2007, 09:12 AM   #12
aschieman
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Toronto, ON
Model: 8100
Carrier: Rogers
Posts: 108

The setup is configured through the registry. The remote router has to know that it will be acting as such, and the dispatcher service on each BES has to know which router to use (as opposed to the local router). Here is a great doc from RIM on the setup:

Placing the BlackBerry Enterprise Solution in a segmented network BlackBerry Enterprise Server Version 4.0 and later
Old 03-30-2007, 10:53 PM   #13
twinkiefan
Knows Where the Search Button Is
 
Join Date: Aug 2006
Location: North of Mizzou
Model: 9700
OS: 5.0.0.330
Carrier: T-Mobile
Posts: 48

Not sure what the big deal about placing the BES in a DMZ is...we've successfully done so with 6 BES servers, essentially placing them on their own network segment. Firewall allows all traffic from internal LAN to the BES segment, but had to punch holes to allow the traffic from BES segment to the internal LAN.

The reason we do so is because the traffic between BES and the outside world (and the traffic between modularized BES components) is encrypted, thus limiting the visibility we have into that traffic to see what's being transmitted over the wire(s). Our Info Security folks didn't like that at all, so we found a way to make BES work in a DMZ; traffic locked down to IP-to-IP traffic from DMZ to internal and YES, RIM does support this, there is documentation in the online support site/knowledge center.

Another reason they wanted this done is they'd rather limit the risk of one of the BES servers being hijacked and granting access to the rest of our internal servers vs. relying on humans to manage software configuration and policy (of course, we still have to do that, too!).

All in all, not as difficult as we expected and certainly a great learning experience...did I spin that right?
Old 04-19-2007, 01:12 AM   #14
autsoldnow
Thumbs Must Hurt
 
Join Date: Feb 2006
Location: Canada
Model: 7250
Carrier: Telus
Posts: 131

Quote:
Originally Posted by theitdude View Post
I've set up a BES, but we're reluctant to open the port in the firewall. Do I have any other options? I was told to set up the BES in a DMZ, but there's issues with that too.
Sorry but this is the dumbest thing I have heard from someone. You are running BES under Windows Server, which is not the most secure OS on the market, and you want to connect it to the DMZ so that you don't have to open a port on your firewall?

Uhm.. I bet you didn't know that on most high-end firewalls you must set up rules in order to send/receive traffic, and that also includes setting up the same kind of rules on your DMZ.

Stop being lazy and open the damn port!

Andrew
Old 04-22-2007, 11:10 AM   #15
CanuckBB
BlackBerry Extraordinaire
 
Join Date: Feb 2006
Location: YYZ
Model: 9900
Carrier: Rogers
Posts: 1,183

Quote:
Originally Posted by theitdude View Post
I've set up a BES, but we're reluctant to open the port in the firewall. Do I have any other options? I was told to set up the BES in a DMZ, but there's issues with that too.
So instead of opening only 3101 outbound from the LAN to the Internet, you'll open 3101 outbound from the DMZ to the Internet, and whatever else the BES needs to talk to Exchange from the DMZ to the LAN? And that is more secure how???
Old 04-22-2007, 11:14 AM   #16
CanuckBB
BlackBerry Extraordinaire
 
Join Date: Feb 2006
Location: YYZ
Model: 9900
Carrier: Rogers
Posts: 1,183

Quote:
Originally Posted by twinkiefan View Post
Not sure what the big deal about placing the BES in a DMZ is...we've successfully done so with 6 BES servers, essentially placing them on their own network segment. Firewall allows all traffic from internal LAN to the BES segment, but had to punch holes to allow the traffic from BES segment to the internal LAN.

The reason we do so is because the traffic between BES and the outside world (and the traffic between modularized BES components) is encrypted, thus limiting the visibility we have into that traffic to see what's being transmitted over the wire(s). Our Info Security folks didn't like that at all, so we found a way to make BES work in a DMZ; traffic locked down to IP-to-IP traffic from DMZ to internal and YES, RIM does support this, there is documentation in the online support site/knowledge center.

Another reason they wanted this done is they'd rather limit the risk of one of the BES servers being hijacked and granting access to the rest of our internal servers vs. relying on humans to manage software configuration and policy (of course, we still have to do that, too!).

All in all, not as difficult as we expected and certainly a great learning experience...did I spin that right?
Realize that any hacker worth his salt, if he gains access to a server in the DMZ that has a constant connection to the LAN, like a BES, will walk right through those holes. If the BES is on the LAN, you only have one outbound port to open, for one specific server. With BES in the DMZ, that port is still open, but then how many ports did you have to open for the BES to talk to the LAN?

DMZs were a great concept when we could get away with that segment never talking to the LAN. As soon as you start opening ports between the DMZ and the LAN, all you really are doing is adding complexity for your IT staff and not really slowing down hackers.
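The disagreement between twinkiefan's post and CanuckBB's reply comes down to counting firewall rules: which design leaves the fewest paths from a compromised host into the LAN. The following is an added example, not code from this thread or from RIM, that models the three placements discussed (BES on the LAN, BlackBerry Router in the DMZ, whole BES in the DMZ) as rule sets and audits them. The host names, zones and rule sets are constructed; the BES-to-Router port (3101) and the LDAP port (389) are assumptions rather than facts the thread states, and MAPI's dynamic RPC ports are modelled as "any port".

```python
# Added example: audit constructed firewall rule sets for the three BES
# placements argued about in the thread. Not code from the thread or from RIM.
# Hosts, zones and rule sets are constructed; the BES->Router port (3101) and
# LDAP port (389) are assumptions, not facts stated in the thread.
from dataclasses import dataclass
from typing import List

SRP_PORT = 3101  # the outbound SRP port named in the thread


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "lan", "dmz" or "internet"
    src: str        # host name, or "any"
    dst_zone: str
    dst: str        # host name, or "any"
    port: int       # TCP port; 0 means "any port" (e.g. a dynamic RPC range)


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per rule that widens exposure beyond the single
    outbound SRP connection; an empty list is the ideal CanuckBB describes."""
    findings = []
    for r in rules:
        if r.src_zone == "internet":
            findings.append(
                f"inbound Internet->{r.dst_zone}:{r.dst} port {r.port or 'any'}: "
                "SRP is initiated outbound, so no inbound rule is needed")
        if r.src_zone == "dmz" and r.dst_zone == "lan":
            if r.src == "any" or r.dst == "any" or r.port == 0:
                findings.append(
                    f"broad DMZ->LAN rule {r.src}->{r.dst} port {r.port or 'any'}: "
                    "a compromised DMZ host can reach LAN services freely")
            else:
                findings.append(
                    f"DMZ->LAN hole {r.src}->{r.dst}:{r.port}: "
                    "each hole is a path from a compromised DMZ host into the LAN")
        if r.dst_zone == "internet" and (r.src == "any" or r.port != SRP_PORT):
            findings.append(
                f"egress {r.src_zone}:{r.src}->Internet port {r.port or 'any'}: "
                "wider than the one SRP rule the BES needs")
    return findings


def dmz_to_lan_holes(rules: List[Rule]) -> int:
    """Count DMZ->LAN rules, the number CanuckBB asks about."""
    return sum(1 for r in rules if r.src_zone == "dmz" and r.dst_zone == "lan")


# Constructed rule sets. "srp-host" is a placeholder for RIM's SRP endpoint.
# Design A: BES on the LAN, one outbound rule for one specific server.
BES_ON_LAN = [
    Rule("lan", "bes01", "internet", "srp-host", SRP_PORT),
]

# Design B: BlackBerry Router in the DMZ, BES on the LAN (aschieman's layout).
# The BES initiates the LAN->DMZ connection (port assumed), so no DMZ->LAN rule exists.
ROUTER_IN_DMZ = [
    Rule("dmz", "bbrouter01", "internet", "srp-host", SRP_PORT),
    Rule("lan", "bes01", "dmz", "bbrouter01", SRP_PORT),
]

# Design C: the whole BES in the DMZ (twinkiefan's layout). It still needs
# MAPI (dynamic RPC ports, modelled as port 0) and LDAP back into the LAN.
BES_IN_DMZ = [
    Rule("dmz", "bes01", "internet", "srp-host", SRP_PORT),
    Rule("dmz", "bes01", "lan", "exch01", 0),    # MAPI/RPC to Exchange
    Rule("dmz", "bes01", "lan", "dc01", 389),    # LDAP to a domain controller (assumed port)
]

if __name__ == "__main__":
    for name, rules in [("BES on LAN", BES_ON_LAN),
                        ("Router in DMZ", ROUTER_IN_DMZ),
                        ("BES in DMZ", BES_IN_DMZ)]:
        print(f"{name}: {dmz_to_lan_holes(rules)} DMZ->LAN rule(s)")
        for finding in audit(rules):
            print("  -", finding)
```

Running it shows designs A and B with no findings and no DMZ-to-LAN rules, while design C carries two DMZ-to-LAN rules, one of them open on every port because of MAPI's dynamic RPC range. That is the "holes" CanuckBB refers to; the audit treats any such rule as a finding because the DMZ only isolates a host while traffic from it into the LAN stays blocked.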
Old 10-10-2007, 03:42 AM   #17
argi6argi
New Member
 
Join Date: May 2007
Model: 7290
PIN: N/A
Carrier: TIM GR
Posts: 7

Hi,
I have a customer and we have installed BES on the LAN and BlackBerry Router in the DMZ (customer's request). Now they want to change the IP of the router. Can anyone tell me what changes have to be done to the servers that have BES and BlackBerry Router?
Thanks in advance.
Old 10-10-2007, 06:24 AM   #18
hdawg
BlackBerry Genius
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632

If they're using DNS to the host, you'd just need to update internal DNS, flush the cache, and restart services for good measure. Otherwise, just update the field(s) mentioned in this article:
How to move from a local to a remote BlackBerry Router service


Also, make sure any current ports open between these IPs are open for the new IP in the firewall(s)
Old 10-12-2007, 10:52 AM   #19
bencav
New Member
 
Join Date: Feb 2005
Location: Ottawa
Model: 8700
Carrier: Bell/Rogers/
Posts: 11

Quote:
Originally Posted by twinkiefan View Post
Not sure what the big deal about placing the BES in a DMZ is...we've successfully done so with 6 BES servers, essentially placing them on their own network segment. Firewall allows all traffic from internal LAN to the BES segment, but had to punch holes to allow the traffic from BES segment to the internal LAN.

The reason we do so is because the traffic between BES and the outside world (and the traffic between modularized BES components) is encrypted, thus limiting the visibility we have into that traffic to see what's being transmitted over the wire(s). Our Info Security folks didn't like that at all, so we found a way to make BES work in a DMZ; traffic locked down to IP-to-IP traffic from DMZ to internal and YES, RIM does support this, there is documentation in the online support site/knowledge center.

Another reason they wanted this done is they'd rather limit the risk of one of the BES servers being hijacked and granting access to the rest of our internal servers vs. relying on humans to manage software configuration and policy (of course, we still have to do that, too!).

All in all, not as difficult as we expected and certainly a great learning experience...did I spin that right?


Technically this config is not supported. I have talked to our RIM technical rep on this. Support would be "best effort." The main issue is the amount of traffic between the BES and the mail server; the BES doesn't respond well to latency here, especially if you are using Exchange. You would also be dealing with some messy firewall rules to allow the MAPI and LDAP traffic over the firewall (again for Exchange).
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.