Placing the BlackBerry Enterprise Server for Microsoft Exchange in a demilitarized zone



Similar documents
Installing the BlackBerry Enterprise Server Management Software on an administrator or remote computer

Decommissioning the original Microsoft Exchange

Installing the BlackBerry Enterprise Server Management console with a remote database

BlackBerry IT Policy Manager Research In Motion

Disaster Recovery Planning for BlackBerry Enterprise Server for Microsoft Exchange

BlackBerry Enterprise Server for Microsoft Office 365 preinstallation checklist

BlackBerry Enterprise Server Performance Characteristics and Sizing Recommendations

Accessing BlackBerry Data Services Using Wi-Fi Networks

BlackBerry Enterprise Server 2.1 for Microsoft Exchange Service Pack 3, Hotfix 2 update information March 13, 2002

BlackBerry Enterprise Server. BlackBerry Administration Service Roles and Permissions Version: 5.0 Service Pack: 4.

BlackBerry Enterprise Server Express for Microsoft Exchange

BlackBerry Professional Software For Microsoft Exchange Compatibility Matrix January 30, 2009

Reference Document: Best Practices for Managing Your BlackBerry Environment

Essential Managing the BlackBerry Enterprise Server using the BlackBerry Administration Service

Synchronization Server SDK Version Release Notes and Known Issues List

Technical Note. BlackBerry Enterprise Server for Novell GroupWise

Deploying BlackBerry Desktop and Handheld Software Research In Motion

Technical Note. BlackBerry Enterprise Server for Microsoft Exchange

IBM Proventia Management SiteProtector. Configuring Firewalls for SiteProtector Traffic Version 2.0, Service Pack 8.1

BlackBerry Enterprise Server Resource Kit BlackBerry Analysis, Monitoring, and Troubleshooting Tools Version: 5.0 Service Pack: 2.

BlackBerry Enterprise Solution and RSA SecurID

MS Skype for Business and Lync. Integration Guide

BlackBerry Enterprise Server for Microsoft Exchange. Compatibility Matrix January 31, 2011

introducing The BlackBerry Collaboration Service

Remote Firewall Deployment

BlackBerry Enterprise Server for Microsoft Exchange. Compatibility Matrix March 25, 2013

Self Help Guides. Setup Exchange with Outlook

UNCLASSIFIED. BlackBerry Enterprise Server Isolation in a Microsoft Exchange Environment (ITSG-23)

Compatibility Matrix March 05, 2010

Cisco TelePresence Video Communication Server (Cisco VCS) IP Port Usage for Firewall Traversal. Cisco VCS X8.5 December 2014

BlackBerry Enterprise Server Express for Microsoft Exchange

Deploying Java Applications

Cisco Collaboration with Microsoft Interoperability

Web Security Firewall Setup. Administrator Guide

BlackBerry Enterprise Server Express System Requirements

Galileo International. Firewall & Proxy Specifications

Administration Guide. Wireless software upgrades

BlackBerry Enterprise Server version 3.6 for Microsoft Exchange Research In Motion

Dell One Identity Cloud Access Manager How to Configure Microsoft Office 365

Dell One Identity Cloud Access Manager How to Configure for High Availability

Cisco Expressway IP Port Usage for Firewall Traversal. Cisco Expressway X8.1 D December 2013

BlackBerry Business Cloud Services. Version: Release Notes

BlackBerry Web Desktop Manager. Version: 5.0 Service Pack: 4. User Guide

BlackBerry Enterprise Server for Microsoft Exchange

eprism Security Suite

IBM Security SiteProtector System Configuring Firewalls for SiteProtector Traffic

What are cookies and how does Glendale Career College use them?

Installation and Administration Guide

Technical White Paper BlackBerry Enterprise Server

Configuring Microsoft Internet Information Service (IIS6 & IIS7)

BlackBerry Desktop Manager Version: User Guide

Technical White Paper BlackBerry Security

FortiAuthenticator Agent for Microsoft IIS/OWA. Install Guide

SIP Trunking Configuration with

BES10 Self-Service. Version: User Guide

BlackBerry Enterprise Server for Microsoft Office 365. Version: Release Notes

New Security Features

Installation Guide Supplement

SIP Trunking with Microsoft Office Communication Server 2007 R2

New Security Features

BlackBerry Mobile Voice System - BlackBerry MVS Client

Sage HRMS 2014 Sage Employee Self Service Tech Installation Guide for Windows 2003, 2008, and October 2013

Guide to Securing Microsoft Windows 2000 DHCP

Work Space Manager for BES _449

Transparent Identification of Users

Self Help Guides. Create a New User in a Domain

BlackBerry Enterprise Server for Microsoft Exchange Version: 4.1 Service Pack: 7. Installation Guide

BlackBerry Web Desktop Manager. User Guide

Dell One Identity Cloud Access Manager Installation Guide

WATCHDOX by BlackBerry Training Services Program Description ( WATCHDOX by BlackBerry Training Services Program Description )

Configuration Guide BES12. Version 12.2

BlackBerry Enterprise Service 10 version 10.2 preinstallation and preupgrade checklist

Preliminary Course Syllabus

Azure Multi-Factor Authentication. KEMP LoadMaster and Azure Multi- Factor Authentication. Technical Note

Sage HRMS 2014 Sage Employee Self Service

DeltaV System Health Monitoring Networking and Security

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Configuration Guide. Installation and. BlackBerry Enterprise Server for Microsoft Exchange. Version: 5.0 Service Pack: 4

DameWare Server. Administrator Guide

Intel Internet of Things (IoT) Developer Kit

Dell One Identity Cloud Access Manager How To Deploy Cloud Access Manager in a Virtual Private Cloud

Feature and Technical

Contents Notice to Users

Ports Reference Guide for Cisco Virtualization Experience Media Engine for SUSE Linux Release 9.0

Strong Authentication for Microsoft SharePoint

SwiftBroadband and IP data connections

Compatibility Matrix BES12. September 16, 2015

BlackBerry Enterprise Server Express. Version: 5.0 Service Pack: 4. Update Guide

BlackBerry Enterprise Server Express for IBM Domino. October 7, 2014 Version: 5.0 Service Pack: 4. Compatibility Matrix

Managing Wireless BlackBerry Device Software Updates on the BlackBerry Enterprise Server

NCD ThinPATH Load Balancing Startup Guide

BES12 Cloud Migration Program Description ( BES12 Cloud Migration Program Description )

Netop Remote Control Security Server

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

A Practical Look at Network Address Translation. A Nokia Horizon Manager White Paper

Remote Logging Agent Configuration Guide

Configuration Guide BES12. Version 12.1

MailMarshal SMTP in a Load Balanced Array of Servers Technical White Paper September 29, 2003

BlackBerry Enterprise Server for Microsoft Exchange. Version: 5.0 Service Pack: 4. Upgrade Guide

Best Practices of Deploying and Maintaining BlackBerry for Microsoft Exchange

Transcription:

Placing the for Originally posted: June 2002 Affected software versions BlackBerry Enterprise version 2.0 for Microsoft Exchange version 2.1 for Microsoft Exchange version 3.5 for Microsoft Exchange Summary Some organizations support the placement of -facing servers in demilitarized zones. However, Research In Motion (RIM) recommends against placing a in a demilitarized zone, and does not support this configuration. This document explains how placing a in a demilitarized zone can reduce the security level of the zone and can impact features. Connecting to the SRP host Note: The Relay Protocol (SRP host) is srp.xx.blackberry.net, where xx is a variable that represents na for a in North America and eu for a in Europe. When you start the service, it makes a persistent Transmission Control Protocol (TCP) connection to the SRP host using one of two methods. Placing the behind the firewall A secure connection requires authentication from both sides of the connection: the service and the SRP host. The method in which the is placed behind the firewall is illustrated below (figure 1). BlackBerry Enterprise Wireless Network Figure 1: behind a firewall In this method, the firewall must be configured so that the can initiate a TCP connection through the firewall to the SRP host. The connection type is outbound-initiated only; no host can initiate an inbound connection to your. Note: When you configure the firewall to enable the connection to the SRP host, RIM recommends that you do not limit the connection to a specific IP address because RIM might add to the SRP host additional IP addresses that provide additional redundancy or fail-over protection. 2002 Research In Motion Limited www.blackberry.net Page 1 of 5

Placing the in a demilitarized zone The second connection method involves installing the in a demilitarized zone. This method is illustrated below (figure 2). BlackBerry Enterprise Wireless Network Figure 2: in a demilitarized zone Because the requires a MAPI connection to each Microsoft Exchange that hosts mailboxes for BlackBerry users, this method requires extensive configuration changes. You must reconfigure the firewall and each Microsoft Exchange. Because the connects to each mailbox server using MAPI, the configuration is identical to the configuration that enables Microsoft Outlook users to connect to their Microsoft Exchange s through the firewall. You must complete the following changes: Microsoft Exchange Configure the Microsoft Exchange so that it uses static ports. Open static ports to enable the to connect through the firewall to each Microsoft Exchange on the static ports. Open the network authentication ports (such as Kerberos) to enable the to authenticate to a domain controller. If you use the first connection method, you have to open only one TCP connection. If you use the second connection method, you must open multiple ports, both TCP and User gram Protocol (UDP). If you use the second connection method, the proximity of the to the mail servers to which it is connecting might affect the stability of the. MAPI is not a TCP application and performs better with a direct connection to the destination host. Note: The versions of the that are discussed in this document do not require a connection to a Global Catalog for remote address lookups. 2002 Research In Motion Limited www.blackberry.net Page 2 of 5

Mobile Service If you place the inside the firewall, features that are available in version 3.5 for Microsoft Exchange, such as Mobile Service (MDS), are supported. MDS creates a conduit between the BlackBerry handheld and your intranet and other corporate data. If the on which Mobile Service is installed is located outside your firewall, you cannot access intranet data unless you open the firewall further to enable access to internal data sources such as the corporate intranet or customer relationship management (CRM) application databases. Mail / Mobile Service Figure 3: Mobile Service enables connectivity to intranet data Alternatives to placing the in a demilitarized zone If strict corporate policy prohibits direct communication between internal servers and hosts, two alternative methods are available. RIM supports both alternative configurations. Using a proxy server This connection method uses a proxy server that is located in the demilitarized zone. In this configuration, the connects to your proxy server only. The proxy server then communicates with the wireless network over the as illustrated below (figure 4). Mail / Mobile Service Proxy Figure 4: connects directly to the proxy server Using a proxy server has the following security characteristics: The proxy server can be configured to enable only the to make port 3101 requests. The firewall can be configured to enable only the to connect through port 3101, which prevents all internal servers from communicating to the through port 3101. 2002 Research In Motion Limited www.blackberry.net Page 3 of 5

Note: The proxy server that is selected must support a transparent proxy. The does not know how to use a proxy; it requires the appearance of a direct connection to the SRP host. Several proxy servers enable this configuration (for example, Microsoft ISA server and Microsoft Proxy Sever). Each server requires the installation of an agent on the client (the ) that gives the appearance of a direct connection. Using port forwarding (IP port translation) This connection method uses port forwarding at the firewall. In this configuration, the is configured to connect to <firewall.yourdomain>.com instead of the SRP host. The firewall must be configured to forward port 3101 requests to the SRP host. Mail Port 3189 / Mobile Port 3101 Figure 5: connected to the firewall and proxy configuration Because many firewalls and proxy solutions exist, RIM does not support any specific firewall or proxy solution. Configuration of proxy servers and firewalls are the responsibility of each individual organization. This document only provides the information that is required to implement a solution. For assistance with the configuration your firewall or proxy, contact your solution vendor. Conclusion When you install the for Microsoft Exchange, RIM recommends that you place the server inside your corporate firewall, as close as possible to the mail server that it services (for example, on the same switch). Placing the outside the firewall reduces the overall security of your demilitarized zone. If strict corporate policy prohibits direct communication between internal servers and hosts, two alternative methods are available: using a proxy server or Port Address Translation (PAT). RIM supports both alternative configurations. 2002 Research In Motion Limited www.blackberry.net Page 4 of 5

Appendix A: Relevant Microsoft Q articles XADM: No Way to Configure Port for UDP New Mail Notification Packets (Q264035) You can configure a Microsoft Exchange computer so that is uses specific TCP ports for the information store, directory, and System Attendant. This configuration enables access to the Microsoft Exchange through a firewall, router, or other device that blocks certain TCP or UDP ports. You cannot configure the ports that are used when the Microsoft Exchange sends a client a new mail notification packet. In a situation in which UDP traffic from the Microsoft Exchange to the client is blocked, clients might not receive new mail notification. XADM: Setting TCP/IP Ports for Exchange and Outlook Client Connections Through a (Q155831) This article explains how to enable the Microsoft Exchange Client so that it connects to the Microsoft Exchange over an existing connection to the and through a firewall. To enable this connection, you must verify that the ports that are assigned to these connections are static. This requires that you add entries to the registry. XCLN: Exchange 2000 Static Port Mappings (Q270836) This article explains how to enable Microsoft Exchange down-level MAPI clients computers (either Microsoft Exchange client computers or client computers that are using Microsoft Outlook in Corporate or Workgroup mode on the Microsoft Exchange 2000 ) so that they connect to the Microsoft Exchange 2000 over an existing connection to the through a firewall. XCLN: How MAPI Clients Access Active Directory (Q256976) In Microsoft Exchange 4.0, 5.0, and 5.5, the directory service is on the server to which MAPI clients log in and look up addresses in the Global Address List. In Microsoft Exchange 2000, the directory service integrates with the Microsoft Windows 2000 operating system (Active Directory). As a result, the directory service might or might not be located on the Microsoft Exchange 2000. In this environment, a MAPI client accesses the directory and logs in mailboxes differently than previous versions of the Microsoft Exchange. This article explains how each version of Microsoft Outlook and Microsoft Exchange Client accesses the Active Directory. Part number: TAE-00038-001 2002 Research In Motion Limited. All rights reserved. The BlackBerry and RIM families of related marks, images and symbols are the exclusive properties of Research In Motion Limited. RIM, Research In Motion, 'Always On, Always Connected', the envelope in motion symbol and the BlackBerry logo are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries. All other brands, product names, company names, trademarks and service marks are the properties of their respective owners. The handheld and/or associated software are protected by copyright, international treaties and various patents, including one or more of the following U.S. patents: 6,278,442; 6,271,605; 6,219,694; 6,075,470; 6,073,318; D,445,428; D,433,460; D,416,256. Other patents are registered or pending in various countries around the world. Please visit www.rim.net/patents.shtml for a current listing of applicable patents. RESEARCH IN MOTION LIMITED (RIM) ON BEHALF OF ITSELF AND ITS AFFILIATES MAKES NO REPRESENTATIONS ABOUT THE SUITABILITY OF THE INFORMATION OR GRAPHICS CONTAINED IN THIS ADVISORY FOR ANY PURPOSE. THE CONTENT CONTAINED IN THIS DOCUMENT, INCLUDING RELATED GRAPHICS, ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. RIM HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL RIM BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION CONTAINED HEREIN. THIS DOCUMENT, INCLUDING ANY GRAPHICS CONTINED WITHIN THE DOCUMENT, MAY CONTAIN TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. UPDATES ARE PERIODICALLY MADE TO THE INFORMATION HEREIN AND RIM MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED HEREIN AT ANY TIME. 2002 Research In Motion Limited www.blackberry.net Page 5 of 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information