I have numerous Handheld admins that need to get on the BES server to add/remove users and assign IT-Policies. However, I do not want to give them local admin rights on the BES server, nor do I want them to log in locally or through RDP (Term service). Does BES have a remote administration tool I can load on the admins' desktops?
Role Administration: I have already implemented Role Administration, but is there a role where I can allow my admins to add/remove and assign IT-Policy, but stop them from modifying the IT-Policy?
I recommend the above method - that's how we have it set up here.
I have the blackberry manager installed on a dedicated machine.
Otherwise - our BES is in the DMZ, so we can't remote into it, the only other way would be a trip down to the KVM desk, which is often busy...
This means that I can do most of what I need to do whilst sat at my desk.
The only things I can't do are restart the BES (though RIM advise against restarting it unless necessary), and checking the logs. The only useful thing missing is checking the logs, but never mind.
Something to think about...you can use the batch user administration tool to add/remove users, set activation passwords, set policy, etc. (Requires the BESUserAdminService to be installed and running on BES).
[it's part of the ResKit]
I use a vbscript to prompt for options and then execute the BESUserAdminClient.exe utility to perform the actions. This allows me to give the script/utility to the admins so they don't need the gui...or have to track me down. (I don't allow deletions via the script).
Placing the BlackBerry Enterprise Server in the demilitarized zone (DMZ) is neither recommended nor supported.
As a security practice, installing the single BlackBerry Router component in the DMZ can be done and is fully supported. This is the only BlackBerry Enterprise Server component that should ever exist outside of an organization's firewall. For additional information on installing the BlackBerry Router in the DMZ, see the Placing the BlackBerry Enterprise Solution in a segmented network: BlackBerry Enterprise Server Version 4.0 and later guide for installing the BlackBerry Enterprise Server in a segmented network.
The reason why the BlackBerry Enterprise Server should not be placed within the DMZ is related to the number of connections required to make a Microsoft® Exchange Server call for email messages. Microsoft Exchange varies the available port numbers, which means that they are not necessarily consistent. There are a large number of ports available, and it would be difficult to configure the firewall for them. Issues with name resolution might also occur when polling the Domain Controller or Global Catalog Server.
To add to that, the only port required by a BES is an outbound connection on 3101. As a server communicating with the outside world, it's as secure as it gets.
yyyyeah - why do you need your BES in the DMZ? That should just be for a webserver.
Just allow port 3101 open to your (hopefully static IP) of your BES and enable IPS and AVS on it? Pretty simple and about a thousand times more secure! If you can't argue that to your Security Admin that one port to one ip isn't secure - you're working for the gov.
__________________
Todd M
Sr. Network Administrator
Tell me about it! My sys admin refuses to remove the windows firewall from my BES. I am constantly adding UDP ports to the exception list when I notice my mail taking 2-5 minutes to get to my BB. Thank god I was able to dissuade him from trying to put it in the DMZ!
__________________
~Di~
Windows 2003
Exchange 2003
BES 4.1