BlackBerry Forums Support Community
              

Closed Thread
 
Old 03-18-2008, 01:51 AM   #1
noname
BlackBerry Extraordinaire
 
 
Join Date: Sep 2005
Location: Congested Islet of "Foreign Talents" (> 45% of workforce) - Singapore.
Model: Z10
OS: 10.0.0
PIN: NUKE(PAP)
Carrier: Singtel
Posts: 1,504
Putting whole BES in the DMZ


Hello all,

I know RIM does not support BES that is placed inside a DMZ as per KB12281 - What is the support for placing the BlackBerry Enterprise Server in the demilitarized zone (DMZ). It appears that this is applicable for MS Exchange only, what about Lotus Domino?

My main IT back in the US is looking at placing a BES Domino in the DMZ, and they haven't been successful in doing so and have had to place it back into the Intranet. And they have been working with RIM (which I'm quite surprised at, as their KB12281 says it is unsupported). I am concerned that if they ever successfully deploy the BES Domino in the DMZ (with RIM's help), I wonder if there is any impact in terms of supporting it? I mean getting that machine to run is one thing, but supporting it on a daily basis is another thing.

Has anyone had their BES Domino placed inside a DMZ and running without any issues? Could you please share anything to look out for?
__________________
Native but 4th class citizen of a nation governed by idiots who import congestions & contention.
Old 03-18-2008, 03:56 AM   #2
BigA
Talking BlackBerry Encyclopedia
 
 
Join Date: Oct 2005
Location: Northern Illinois
Model: iphon
OS: 5.0.x.x
PIN: Prick
Carrier: Verizon
Posts: 421

No need to place the BES in the DMZ. Just make sure that the BES can talk OUT on port 3101 TCP and can reach the SRP server closest or in your country.
Click here to look up your SRP server.
https://www.blackberry.com/SRPAddressLookup/index.do

==

To further answer your question on supporting the BES in the DMZ: you are going to have to lock down the Microsoft box pretty tight. Like long complex passwords, locking down or disabling all login accounts except for the BESAdmin account. Turn off all unnecessary services, and try not to run IIS if possible. Keep in mind that this box is going to be limited in terms of use and flexibility, meaning that because it's in the DMZ this box should not have any internal access. This will severely limit your capabilities.

In my environment I can manage and maintain all of my servers from my BlackBerry with 3rd party applications installed on my BB. This is something you will not be able to do without opening up your DMZ to your internal network, which is not recommended.
__________________
“The best way I can describe BlackBerry is as a one-trick pony,” said Charlie Wolf, an analyst for Needham & Co.

Last edited by BigA; 03-18-2008 at 04:10 AM..
Old 03-18-2008, 05:18 AM   #3
hdawg
BlackBerry Genius
 
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632

Quote:
Originally Posted by noname
What is the support for placing the BlackBerry Enterprise Server in the demilitarized zone (DMZ). It appears that this is applicable for MS Exchange only, what about Lotus Domino?

...

Has anyone had their BES Domino placed inside a DMZ and running without any issues? Could you please share anything to look out for?

Not only have we done this but we have customers that we host a Domino BES for them in our data center and they open up 1352 to their network to the single IP of their BES. This is for the crazies that choose to not do a VPN tunnel.

It works perfectly fine ... supportability, just make sure you know what you're doing regarding the network and any support issues should be totally unrelated to the network. Domino is TOTALLY different than Exchange in this case.
Old 03-18-2008, 08:29 AM   #4
noname

Many thanks BigA and hdawg for your inputs. I think the complications are with the MS SQL server remaining behind the firewall. For Domino, I understand that port 1352 needs to be opened. For SQL, the default port is 1433 for TCP/IP communications. I always like to think further ahead... Are there any other ports to be considered w.r.t. the below?

(1) Connectivity of Desktop Manager
(2) Connectivity of remote BlackBerry Manager clients
(3) Connectivity of remote Domino Admin clients

I guess I've opened up some complexities for discussion...
Old 03-18-2008, 08:37 AM   #5
hdawg

Quote:
(1) Connectivity of Desktop Manager
No, but device manager will need 4101 to the BlackBerry Router to work. Desktop manager uses device manager to talk to the BES.

Quote:
(2) Connectivity of remote BlackBerry Manager clients
This can get hairy. You'll need file & print sharing enabled on the BES ... which will require RPC traffic to be allowed through the firewall (probably not going to want that), so port 135 but then allow other random ports, as RPC starts with 135 but then opens higher random port numbers (1024 through 65535). In the end, best bet here is to just run the Manager local on the BES.

Quote:
(3) Connectivity of remote Domino Admin clients
Unfortunately I have no clue about this ... I'm guessing 1352 only still; but it is a guess.
Offline  
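
Added example, not part of any post in this thread: a small audit of firewall allow rules against the TCP flows named above (3101 out to the SRP server, 1352 to Domino, 1433 to SQL, 4101 to the BlackBerry Router), flagging RPC port 135 or the 1024 through 65535 range crossing the DMZ boundary. The zone names, flow directions, the `Rule` format and the sample rules are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# TCP flows named in the thread, keyed by (source zone, destination zone, port).
# Zone names and flow directions are assumptions made for this example.
EXPECTED = {
    ("dmz", "internet", 3101): "BES outbound to the SRP server",
    ("dmz", "internal", 1352): "BES to Domino",
    ("dmz", "internal", 1433): "BES to MS SQL (default port)",
    ("internal", "dmz", 4101): "device manager to the BlackBerry Router",
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    lo: int   # first TCP port allowed
    hi: int   # last TCP port allowed

def audit(rules):
    """Return (subject, finding) pairs for a list of allow rules."""
    findings, covered = [], set()
    for r in rules:
        hits = {k for k in EXPECTED
                if (k[0], k[1]) == (r.src, r.dst) and r.lo <= k[2] <= r.hi}
        covered |= hits
        if r.lo <= 135 <= r.hi or (r.lo <= 1024 and r.hi >= 65535):
            # RPC endpoint mapper or the whole dynamic range crosses the DMZ.
            findings.append((r.name, "rpc-exposure"))
        elif not hits:
            findings.append((r.name, "unexpected"))
        elif r.hi - r.lo + 1 > len(hits):
            findings.append((r.name, "too-broad"))
    for key in sorted(set(EXPECTED) - covered):
        findings.append((EXPECTED[key], "missing"))
    return findings

# Constructed sample rule set, not taken from any real firewall.
SAMPLE = [
    Rule("srp-out", "dmz", "internet", 3101, 3101),
    Rule("domino", "dmz", "internal", 1352, 1352),
    Rule("sql-wide", "dmz", "internal", 1433, 1434),
    Rule("mgr-rpc", "internal", "dmz", 135, 135),
    Rule("mgr-rpc-dyn", "internal", "dmz", 1024, 65535),
]

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE):
        print(f"{finding:13} {subject}")
```
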
Old 03-18-2008, 08:41 AM   #6
noname

Thanks hdawg, looks like it's not a straightforward thing to put the BES inside a DMZ... how I wish for a test box. Many thanks again! If others still have any ideas/things that I should look out for, please do advise me.
Old 03-20-2008, 02:36 AM   #7
BigA

Not sure if this would work. But you could try to make a VPN/SSL VPN/SSH/PPTP (whatever you use) connection from the BES in the DMZ into your internal network. This way you would not have to manage multiple ports open on your DMZ. You could just make tunneling rules that would apply to the BES into your internal network. You would also need split tunneling enabled for this to work properly.
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.