1

I want to install BlackBerry Express Server on my Exchange 2010 server for users at my company, but I am wary of simply opening up ports to my server directly to the internet.

Are there any good ways to ensure that inbound traffic is BlackBerry-only and safe? I know BlackBerry does allow a separate server to be installed in the DMZ, although that would really be overkill for my organization.

This is a BlackBerry article about the firewall requirements: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB03735

Scott Pack
SLY

1 Answer

2

To communicate with the BlackBerry infrastructure, your BES server needs to maintain a bidirectional TCP connection to srp.[country].blackberry.net on port 3101 (the SRP address will vary depending on what country you're in).

If your firewall is any good, you should be able to configure it such that it will only allow traffic on port 3101 between srp.[country].blackberry.net and the internal IP address of your BES server. This rule will ensure that only legitimate BlackBerry traffic goes through your firewall.

Ben Pilbrow
    In addition, the connection is initiated from the BES server, so no inbound rules need to be created on the firewall to allow the BES server to communicate with the RIM network. Assuming your firewall is configured with the typical ANY>ANY>ALLOWED internal to external rule, then no special configuration\rules should be needed. – joeqwerty Dec 15 '10 at 00:26
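
The rule described in the answer and the comment above, written out as an added example that is not part of the original posts: a shell function that emits an `iptables-restore` ruleset for a Linux gateway in front of the BES. The Linux gateway, the function name `bes_ruleset` and every address are assumptions or constructed placeholders; the thread names no firewall product.

```shell
#!/bin/sh
# Added example. Emits a filter table in which the BES may open connections
# to the SRP addresses on tcp/3101 and nothing outside may open one to the BES.
#
# usage: bes_ruleset BES_IP SRP_IP [SRP_IP ...]
#   BES_IP  internal address of the BES server (placeholder, e.g. 10.0.0.25)
#   SRP_IP  address(es) your srp.[country].blackberry.net name resolves to
#           (placeholders from the documentation range, e.g. 192.0.2.10)
# Check the result without loading it:
#   bes_ruleset 10.0.0.25 192.0.2.10 | iptables-restore --test
bes_ruleset() {
    [ "$#" -ge 2 ] || { echo "usage: bes_ruleset BES_IP SRP_IP..." >&2; return 2; }
    for ip in "$@"; do
        # Crude check (digits and dots only) so a hostname or stray option
        # never ends up inside a rule.
        case $ip in
            ''|*[!0-9.]*) echo "not an IPv4 address: $ip" >&2; return 2 ;;
        esac
    done
    bes_ip=$1; shift

    echo '*filter'
    # Default-deny for forwarded traffic. Other services behind this gateway
    # need their own rules added before COMMIT.
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Return traffic for connections that were opened from the inside.
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for srp in "$@"; do
        # Only the BES may start the session, only to SRP, only on tcp/3101.
        echo "-A FORWARD -s $bes_ip -d $srp -p tcp --dport 3101 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # No inbound rule exists: new connections aimed at the BES are logged
    # here and then dropped by the chain policy.
    echo "-A FORWARD -d $bes_ip -m conntrack --ctstate NEW -j LOG --log-prefix \"BES-INBOUND-NEW \""
    echo 'COMMIT'
}
```

The rules use addresses rather than the SRP hostname, so they have to be regenerated if the addresses behind that name change.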