Configuring network firewalls to work with BlackBerry Enterprise Service 10

Article ID: KB34193

Type: Support Content

Last Modified: 03-14-2014

 

Product(s) Affected:

  • BlackBerry Enterprise Service 10
Environment
  • BlackBerry Enterprise Service 10 version 10.1 and later
Overview

BlackBerry Enterprise Service 10 version 10.1 and later must be able to communicate with several services outside the local network. Corporate firewalls must therefore be configured to allow traffic sourced from the BlackBerry Enterprise Server to reach BlackBerry external services. This is similar to previous BlackBerry Enterprise Server solutions, which required the firewall to allow communication with the BlackBerry Infrastructure over port 3101 for SRP. Refer to KB03735 for details on whitelisting those IP ranges. The listings in this document are in addition to the server's existing SRP communication requirements.



Device Requirements

The requirements below must be met whether the smartphone connects over the mobile network or a wireless network.

Note: <country> represents a unique country code dependent on the EULA selected during installation. For example, if Canada was selected, then <country> would be ca. To find a specific country code, see the ISO Standard.

| Device Operating System | TCP Port | Protocol | Domain | IP Address |
|---|---|---|---|---|
| BlackBerry 10 OS | 80 | HTTP | inet.registration.blackberry.com | 216.9.242.176, 216.9.242.177, 68.171.242.240, 68.171.242.241 |
| BlackBerry 10 OS | 443 | HTTPS | inet.registration.blackberry.com | 216.9.242.176, 216.9.242.177, 68.171.242.240, 68.171.242.241 |
| Android / iOS | 80 | HTTP/TLS | <country>.bbsecure.com | 216.9.242.244/32 |
| Android / iOS | 443 | HTTPS | <country>.bbsecure.com | 216.9.242.244/32 |



 

Configuration

Use one of the following methods to configure the firewall:


Method 1

The recommended and least restrictive firewall configuration is to enable the listed TCP ports to carry outbound initiated bi-directional communications to blackberry.net, blackberry.com, and bbsecure.com subdomains.

| TCP Port | Subdomain |
|---|---|
| 3101 | blackberry.net, blackberry.com, bbsecure.com |
| 443 | blackberry.com, bbsecure.com |
| 80 | blackberry.com |


Method 2

If you are required to specify particular domain names and/or IP addresses, use the following configurations. All ports are outbound-initiated, bi-directional connections.

Warning: All IP addresses are current at the time of writing and may be subject to change at any time, with little notice.

Note: <country> represents a unique country code dependent on the EULA selected during installation. For example, if Canada was selected, then <country> would be ca. To find a specific country code, see the ISO Standard.

IP Addresses Common to All Regions

| Usage | TCP Port | Protocol | Domain | IP Address |
|---|---|---|---|---|
| Enhanced Licensing Management | 443 | HTTPS | license.blackberry.com | 68.171.242.252 |
| UDS Core Components | 443 | HTTPS | ca.swsmanager.bbsecure.com (Note: This address is not regionalized) | 216.9.242.246 |
| UDS Core Components | 443 | HTTPS | <country>.swstps.bbsecure.com | 216.9.242.247 |
| UDS Console | 443 | HTTPS | bss.blackberry.com | 68.171.232.36* |
| BlackBerry Dispatcher/Router | 3101 | TCP (Outbound) | <country>.srp.blackberry.com | Refer to KB03735 for region specific IP addresses** |
| BlackBerry World for Work | 80 | HTTP | appworld.blackberry.com | IP not available |
| BlackBerry Enrollment | 443 | HTTPS | discoveryservice.blackberry.com | 68.171.232.35 |
| Meta Data | 443 | HTTPS | origin-www.blackberry.com/download/metadata/BES/deviceMetadata.xml.gz *** | 208.65.77.102 |


* - To configure UDS Console to use a proxy server to reach out to the BlackBerry Signing Service, see KB31557.

** - To verify which BlackBerry Infrastructure the BlackBerry Dispatcher or Router is being connected to, see KB04359.

*** - Starting with BlackBerry Enterprise Service 10 version 10.1.3, the system checks the listed URL each night after midnight. If the file has changed, it is downloaded to the server and applied to the database. The file updates metadata such as new platform OS versions (for example, iOS7, Android 4.3), new devices (for example, iPhone 5S) and device specifications.


Current Regional IP Addresses

Note: See the second table below for future expansion of IP addresses by region.

| Region | Usage | TCP Port | Protocol | Domain | Current IP Addresses |
|---|---|---|---|---|---|
| Asia Pacific Region (APAC) excluding People's Republic of China, but including Hong Kong, Macau and Taiwan | BlackBerry Secure Connect Service | 3101 | TCP (Outbound) | <country>.bbsecure.com | 93.186.19.240/32 |
| Canada | BlackBerry Secure Connect Service | 3101 | TCP (Outbound) | ca.bbsecure.com | 216.9.242.244/32 |
| Europe, the Middle East, and Africa Region (EMEA) | BlackBerry Secure Connect Service | 3101 | TCP (Outbound) | <country>.bbsecure.com | 93.186.19.240/32 |
| Latin America and the Caribbean | BlackBerry Secure Connect Service | 3101 | TCP (Outbound) | <country>.bbsecure.com | 216.9.242.244/32 |
| People's Republic of China only (CN) not including Hong Kong, Macau or Taiwan | BlackBerry Secure Connect Service | 3101 | TCP (Outbound) | cn.bbsecure.com | 93.186.19.240/32 |
| Saudi Arabia and United Arab Emirates | BlackBerry Secure Connect Service | 3101 | TCP (Outbound) | <country>.bbsecure.com | 93.186.19.240/32 |
| United States only (US) | BlackBerry Secure Connect Service | 3101 | TCP (Outbound) | us.bbsecure.com | 216.9.242.240/32 |



Regional IP Addresses Upcoming Changes

Note: None of the IP addresses listed in the following table has a targeted activation date at this time, but all are currently reserved. To guard against these future changes, it is recommended to include these IP address ranges in your firewall rules. They are not currently active and cannot be used at this time.

| Region | Future IP Expansion | Future Disaster Recovery IP Addresses |
|---|---|---|
| Asia Pacific Region (APAC) excluding People's Republic of China, but including Hong Kong, Macau and Taiwan | 93.186.19.241/32 | 68.171.240.244/32, 68.171.240.245/32 |
| Canada | 216.9.242.245/32 | 74.82.72.244/32, 74.82.72.245/32 |
| Europe, the Middle East, and Africa Region (EMEA) | 93.186.19.241/32 | 93.186.17.240/32, 93.186.17.241/32 |
| Latin America and the Caribbean | 68.171.242.208/32, 68.171.242.209/32 | 74.82.72.208/32, 74.82.72.209/32 |
| People's Republic of China only (CN) not including Hong Kong, Macau or Taiwan | 180.149.150.240/32, 180.149.150.241/32 | 180.149.204.240/32, 180.149.204.241/32 |
| Saudi Arabia and United Arab Emirates | 131.117.168.128/32, 131.117.168.129/32 | 5.100.168.128/32, 5.100.168.129/32 |
| United States only (US) | 68.171.242.200/32, 68.171.242.201/32 | 74.82.72.200/32, 74.82.72.201/32 |
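The following Python check is an added example, not BlackBerry code. It audits an outbound allow-list against the Method 2 destinations for one region, including the reserved addresses, and flags rules wider than needed. The (cidr, port) rule format, the function names, the /24 review threshold and the use of port 3101 for the reserved addresses are assumptions.

```python
import ipaddress

# (usage, TCP port, IP) copied from the "common to all regions" table above.
# SRP (KB03735) and appworld ("IP not available") have no addresses on this page.
COMMON = [
    ("Enhanced Licensing Management", 443, "68.171.242.252"),
    ("UDS Core Components (swsmanager)", 443, "216.9.242.246"),
    ("UDS Core Components (swstps)", 443, "216.9.242.247"),
    ("UDS Console", 443, "68.171.232.36"),
    ("BlackBerry Enrollment", 443, "68.171.232.35"),
    ("Meta Data", 443, "208.65.77.102"),
]
# region -> (current Secure Connect IP, reserved expansion + disaster recovery IPs).
# Two regions shown; the others follow the same pattern from the tables.
REGIONAL = {
    "Canada": ("216.9.242.244", ["216.9.242.245", "74.82.72.244", "74.82.72.245"]),
    "United States": ("216.9.242.240", ["68.171.242.200", "68.171.242.201",
                                        "74.82.72.200", "74.82.72.201"]),
}

def required(region):
    """Destinations the firewall must allow for one region."""
    current, reserved = REGIONAL[region]
    reqs = COMMON + [("BlackBerry Secure Connect Service", 3101, current)]
    # Assumption: reserved addresses will serve the same TCP 3101 traffic.
    return reqs + [("Secure Connect (reserved)", 3101, ip) for ip in reserved]

def audit(rules, region, min_prefix=24):
    """rules: outbound TCP allow entries as (cidr, port) pairs (assumed format).
    Returns (missing, broad): required destinations that no rule covers, and
    rules wider than /min_prefix (an arbitrary review threshold)."""
    nets = [(ipaddress.ip_network(cidr), port) for cidr, port in rules]
    missing = [(usage, port, ip) for usage, port, ip in required(region)
               if not any(port == p and ipaddress.ip_address(ip) in net
                          for net, p in nets)]
    broad = [(str(net), p) for net, p in nets if net.prefixlen < min_prefix]
    return missing, broad

# Constructed sample: covers every current address, none of the reserved ones,
# and carries one wide port-80 rule.
SAMPLE_RULES = [
    ("68.171.242.252/32", 443), ("216.9.242.246/31", 443),
    ("68.171.232.32/29", 443), ("208.65.77.102/32", 443),
    ("216.9.242.244/32", 3101), ("0.0.0.0/0", 80),
]

if __name__ == "__main__":
    missing, broad = audit(SAMPLE_RULES, "Canada")
    for usage, port, ip in missing:
        print(f"MISSING  {ip}:{port}  {usage}")
    for cidr, port in broad:
        print(f"BROAD    {cidr} port {port}")
```
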
