- BlackBerry Enterprise Server
Placing the BlackBerry Enterprise Server in the demilitarized zone (DMZ) is neither recommended nor supported.
If the BlackBerry Enterprise Solution is placed in the DMZ, a number of communication ports may need to be opened between the DMZ and the internal network to allow the BlackBerry services to transfer data for their respective functions such as Mail, Calendar, Browsing, Instant Messaging etc. Additionally, connections through those ports must be allowed to be initiated from the insecure side of the firewall into the secure portion of the network (i.e. inbound-initiated connections).
The BlackBerry Enterprise Server should not be placed in the DMZ because of the number of connections required to make a mail server call for email messages. The mail server varies the available port numbers, making the port numbers inconsistent. It is difficult to configure the firewall for all of the available port numbers. In addition, issues with name resolution might occur when polling the Domain Controller or Global Catalog Server.
As a security practice, installing the BlackBerry Router in the DMZ can be done and is fully supported. This is the only BlackBerry Enterprise Server component that should exist outside of an organization's firewall. For additional information on installing the remote BlackBerry Router in the DMZ, please review the documentation Placing the BlackBerry Router in the DMZ - Security Note - BlackBerry Enterprise Server found within the BlackBerry Enterprise Server Security section of the Administrator Documentation. It is recommended to consult with internal Network Security Group before opening any ports between DMZ and Internal Network, to understand the risks that may be associated with this change.
By downloading, accessing or otherwise using the Knowledge Base documents you agree:
(b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.
Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.