Firewall and connection requirements for the BlackBerry Enterprise Server, BlackBerry Device Service, and Universal Device Service

Article ID: KB03735

Type: Support Content

Last Modified: 11-19-2014


Product(s) Affected:

  • BlackBerry Enterprise Server for Microsoft Exchange
  • BlackBerry Enterprise Server for IBM Domino
  • BlackBerry Enterprise Server for Novell GroupWise
  • BlackBerry Device Service
  • Universal Device Service
  • BlackBerry Enterprise Server
  • BlackBerry Enterprise Service 10

To establish a connection when the BlackBerry Enterprise Server, BlackBerry Device Service, and Universal Device Service are behind a firewall, verify the following information:

On the firewall, verify that port 3101 is open for outbound initiated, bi-directional Transmission Control Protocol (TCP) traffic.

BlackBerry Enterprise Service 10 has additional firewall configuration requirements (see KB34193).

Use one of the following configurations to specify the ports or host names allowed by the firewall. The configurations are listed from least restrictive to most restrictive:

  • If the firewall has the ability to specify acceptable external host names, add and as acceptable sub-domains.
  • If the firewall has the ability to specify acceptable external Internet Protocol (IP) addresses, add the following range of IP addresses to the allowed list:

    IP Address Netmask / 24 Netmask = / 24 Netmask = / 22 Netmask = / 20 Netmask = / 20 Netmask = / 19 Netmask = / 20 Netmask = Netmask = / 19 Netmask = / 19 Netmask = / 20 Netmask = / 21 Netmask = / 21 Netmask =
  • Ideally, complete IP address ranges should be allowed through the firewall.
  • If the BlackBerry Enterprise Server is configured in a way that will not allow the use of address ranges, individual IP addresses may be allowed.

Note: The use of the IP ranges listed above is strongly encouraged in order to stay connected in the event that IP addresses change in the future.

The following tables list individual IP addresses for each region.
  • If BlackBerry smartphone users connect to BlackBerry Enterprise Servers that are located in multiple regions, then the IP addresses for each region will need to be allowed through the firewall.
  • Configure the firewall to allow the IP addresses that are associated with the regional location of the BlackBerry Enterprise Server:

    Asia Pacific Region (APAC) excluding People's Republic of China, but including Hong Kong, Macau and Taiwan


    Europe, the Middle East, and Africa Region (EMEA)

    Latin America and the Caribbean

    People's Republic of China only (CN) not including Hong Kong, Macau or Taiwan

    Saudi Arabia and United Arab Emirates

    United States only (US)

To verify the connection settings, use the following steps:

  1. Open the BlackBerry Server Configuration tool.
  2. Select the BlackBerry Router tab.
    Note: Do not specify an IP address in the SRP Address field, because the BlackBerry Enterprise Server may lose the connection if the Server Routing Protocol (SRP) address is updated.
    The SRP address should appear as, where xx is the region.
  3. To determine the SRP address that the BlackBerry Enterprise Server is using, use the SRP Address Look Up Tool.
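
The following added example (not part of the original article and not BlackBerry code) shows one way to check the firewall requirement from the server host: it resolves the SRP host name, confirms each resolved address falls inside the allow-listed ranges, and attempts an outbound TCP handshake on port 3101. The host name `srp.example.invalid` and the CIDR ranges are constructed placeholders, since the real values are not shown on this page.

```python
import ipaddress
import socket

SRP_PORT = 3101  # outbound-initiated TCP port named in this article

def uncovered(addresses, allowed_ranges):
    """Return the addresses that fall outside every allow-listed CIDR range."""
    nets = [ipaddress.ip_network(r) for r in allowed_ranges]
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)]

def resolve(host, port=SRP_PORT):
    """Resolve the host name to its current IPv4 addresses."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def can_connect(address, port=SRP_PORT, timeout=5.0):
    """Attempt an outbound TCP handshake; True if the session is established."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

def check(host, allowed_ranges, port=SRP_PORT):
    """Report, per resolved address, allow-list coverage and reachability."""
    addresses = resolve(host, port)
    missing = set(uncovered(addresses, allowed_ranges))
    return [(a, a not in missing, can_connect(a, port)) for a in addresses]

if __name__ == "__main__":
    # Constructed placeholders: use the SRP host name shown on the BlackBerry
    # Router tab and the ranges actually configured on your firewall.
    SRP_HOST = "srp.example.invalid"
    ALLOWED = ["192.0.2.0/24", "198.51.100.0/24"]
    try:
        for addr, covered, reachable in check(SRP_HOST, ALLOWED):
            print(f"{addr}: allow-listed={covered} tcp/{SRP_PORT} open={reachable}")
    except socket.gaierror as exc:
        print(f"could not resolve {SRP_HOST}: {exc}")
```

A successful handshake only shows that the firewall permits the outbound session; it does not confirm that the SRP connection itself authenticates.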

Additional Information

The IP addresses listed in the preceding tables are current as of the date of publication and are subject to change. Please contact BlackBerry Technical Support Services for more information.

