Putting the Router Service in a DMZ
 
Old 05-20-2009, 02:47 PM
JDABS
BES Administrator
 
Join Date: May 2009
Location: Acworth, GA
Posts: 10

Does anyone have experience with putting the Router Service in a DMZ? Our Security group says our BES environment is our biggest security risk now and that this would help.

I think there are probably some better ways to provide security but wanted to get some input from the experts!

John
Old 05-20-2009, 06:46 PM
hdawg
Proprietor
 
Join Date: Nov 2008
Posts: 2,238
Blog Entries: 147

Quote:
Originally Posted by JDABS
Does anyone have experience with putting the Router Service in a DMZ? Our Security group says our BES environment is our biggest security risk now and that this would help.

I think there are probably some better ways to provide security but wanted to get some input from the experts!

John
I'm guessing your security group needs to get their head out of their asses

Seriously though ... hows about those people in HR with laptops that go home with unencrypted hard drives and get them stolen ... Ok, enough of my rant.

I know people that have put the router in the DMZ ... done it myself a few times.

That said, the ONLY time I've ever seen it done has been a mandate from the security / networking group that has rules that say "Anything that touches the Internet must be in the DMZ". I get it ... Generally it is overkill ... but it does provide an extra layer of security ... one that most people think isn't worth it (I for one GENERALLY agree with it ... I won't say in 100% of the cases).

Check out the attached PDF for info on putting the BlackBerry Router in the DMZ.

... enjoy!
Attached Files
File Type: pdf Placing_the_BlackBerry_Router_in_the_DMZ.pdf (223.9 KB, 336 views)
Old 05-20-2009, 07:18 PM
Otto
Proprietor
 
Join Date: Nov 2008
Location: Atlanta, GA
Posts: 2,032
Blog Entries: 14

FWIW, I will be placing a router in our DMZ for our test environment. This will be used for Wi-Fi bypass for some testing purposes. I will let you know how it goes (and trust me, I'll be documenting the process for others to use, should this actually work).
Old 05-20-2009, 07:37 PM
Sith_Apprentice
Super Moderator
 
Join Date: Dec 2008
Posts: 1,056

Quote:
Originally Posted by Otto
FWIW, I will be placing a router in our DMZ for our test environment. This will be used for Wi-Fi bypass for some testing purposes. I will let you know how it goes (and trust me, I'll be documenting the process for others to use, should this actually work).
We will be doing this for our test environment as well (one of them anyway), though it is several months out in my estimation. It takes forever to get anything done around here.
Old 05-21-2009, 03:58 AM
BES Administrator
 
Join Date: Feb 2009
Location: I come from a land down under where beer does flow and men chunder
Posts: 42

I'll also be doing it shortly & have a step by step plan (see below). I found I had to source information from several RIM articles & piece them together. None seemed to be a complete guide in my opinion. But hey, I guess I'll find out how good my plan is when I complete it in my test environment.

My Plan
Add firewall rules for Blackberry Router Service in DMZ. Refer to the following:
Placing the BlackBerry Enterprise Solution in a Segmented Network Technical Note
Placing the BlackBerry Router in the DMZ
Requirements:
* External facing firewall - open port 3101 to allow outbound initiated, bi-directional communication connection to an external server (TCP/IP).
* Internal facing firewall - open port 4101 to allow outbound initiated, bi-directional communication connection to enable communication between the BlackBerry Handheld Manager & the BlackBerry Router.
* Support for the resolution of Internet addresses using DNS.
* Transparency of the proxy server for proxy firewalls.

Prepare to install BlackBerry Enterprise Server Router Service on remote physical Windows 2003 Server located in DMZ.
1. Open the BlackBerry Server Configuration Panel on the BES >> click on the BlackBerry Server tab & record the 'SRP Identifier' & the 'SRP Authentication Key' >> click on the BlackBerry Router tab & record the 'SRP Address', 'SRP host port (outbound)', & 'BlackBerry services connection port (inbound)'.
2. Stop the BES BlackBerry services. Change the BlackBerry Router service startup to ‘Manual’.
3. a). Install the BlackBerry Enterprise Server Router instance v4.1.6 as per steps 2b, 3, 4, & 5 of KB17075.
b). BlackBerry Enterprise Server Router instance - v4.1.6 MR2 as per release notes.
4. Do not start the BlackBerry Router service or restart the server until the following registry settings have changed. To enable remote services such as the BlackBerry Dispatcher to connect so that the BlackBerry Router can route BlackBerry traffic, complete the following steps as per KB13732:
a). Select Start > Run and type regedit to open the Registry Editor.
b). Go to HKEY_LOCAL_MACHINE\SOFTWARE\Research In Motion\BlackBerryRouter, then double-click AllowRemoteServices.
c). Change the Value data field entry to 1, then click OK.
d). Close the Registry Editor, then restart the BlackBerry Router service.
5. Test the connection to the BlackBerry Infrastructure. The test program attempts to connect to the wireless network using the SRP address that you specified during the installation and the BlackBerry Router listen port.
a). On the BlackBerry Router server, at the command prompt, switch to the location in which the BlackBerry Enterprise Server Software is installed.
Type bbsrptest <srpaddress> -<port>, where <srpaddress> is the SRP address that you provided during the installation and <port> is the BlackBerry Router listen port. For example, at the command line, type: bbsrptest.exe -host server.yourdomain.com -port 80
If the test is not successful, use the Microsoft Windows Socket (WINSOCK) error code to diagnose the problem. Refer to "Common connection errors" in the BlackBerry Enterprise Server version 4.0 Troubleshooting Guide for Novell GroupWise.
6. As per KB13732, on the new v4.1.6 BlackBerry Enterprise Server:
a). Open BlackBerry Server Configuration, then select the BlackBerry Server tab.
b). In the Router Host field, type the host name of the new Router service and click Apply then OK.
7. On the new v4.1.6 BlackBerry Enterprise Server - change the registry entries for these values:
a). Stop the BlackBerry Dispatcher service on the new BlackBerry Enterprise Server.
b). On the new BlackBerry Enterprise Server, open the registry editor & backup the registry to a safe location.
c). Change the registry entry value for \\HKEY_LOCAL_MACHINE\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Dispatcher\NetworkAccessNode from the default to the remote computer DNS name (for example, server.yourdomain.com).
d). Change the registry entry value for \\HKEY_LOCAL_MACHINE\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Dispatcher\TcpPort to the ServicePort value that is specified on the BlackBerry Router (for example, 80). Note: If a TCP port is not specified on the BlackBerry Router computer, the default value is 3101.
e). Restart the BlackBerry Dispatcher service.
8. Open the BlackBerry Manager to verify the SRP connection (for example, to srp.xx.blackberry.net). If the connection is not available (in other words, a red X appears on the server icon), restart the BlackBerry Manager.
9. Start all BlackBerry Services on the BES except the BlackBerry Router Service & then verify data transmission to/from test BlackBerry devices.

Last edited by devans; 05-21-2009 at 06:32 AM. Reason: Added instruction
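An added worked version of steps 4 and 7 of the plan above (example code, not from this thread, the attached PDF or RIM's KB articles). It uses only the registry key paths and value names quoted in the post; it assumes PowerShell is installed on the Windows 2003 hosts, that the services' display names are 'BlackBerry Router' and 'BlackBerry Dispatcher', and the DMZ router host name is a placeholder.

```powershell
# Added example: scripts steps 4 (on the DMZ router) and 7 (on the internal BES) of the plan.
# Key paths and value names are those quoted in the post; the router host name and the
# service display names are assumptions. Run elevated on the host selected by -Role.
param(
    [Parameter(Mandatory=$true)][ValidateSet('Router','BES')] [string]$Role,
    [string]$RouterHost = 'router.dmz.example.local',   # placeholder DNS name of the DMZ router
    [int]$RouterPort    = 3101,                          # post: default when no ServicePort is set
    [string]$BackupDir  = 'C:\RegBackup'
)

$routerKey     = 'HKLM:\SOFTWARE\Research In Motion\BlackBerryRouter'
$dispatcherKey = 'HKLM:\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Dispatcher'

function Backup-Key([string]$Key) {
    # Step 7b: export the key before changing it; reg.exe wants HKLM\..., not HKLM:\...
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $file = Join-Path $BackupDir ('{0}-{1:yyyyMMdd-HHmmss}.reg' -f $Key.Split('\')[-1], (Get-Date))
    & reg.exe export ($Key -replace '^HKLM:', 'HKLM') $file /y | Out-Null
    return $file
}

function Set-RegValue([string]$Key, [string]$Name, $Value, [string]$DefaultKind) {
    # Preserve the value's existing registry type; fall back to $DefaultKind only if it is absent
    try   { $kind = (Get-Item $Key).GetValueKind($Name) } catch { $kind = $DefaultKind }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type $kind
}

function Test-RouterPort([string]$HostName, [int]$Port) {
    # Confirms the internal firewall passes the services port from the BES to the DMZ router
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($HostName, $Port); return $client.Connected }
    catch { return $false } finally { $client.Close() }
}

switch ($Role) {
    'Router' {   # step 4: let the Dispatcher on the internal BES connect to this router
        Backup-Key $routerKey
        Set-RegValue $routerKey 'AllowRemoteServices' 1 'DWord'
        Get-Service -DisplayName 'BlackBerry Router' | Restart-Service        # assumed display name
    }
    'BES' {      # step 7: point the Dispatcher at the DMZ router, then verify reachability
        $dispatcher = Get-Service -DisplayName 'BlackBerry Dispatcher'        # assumed display name
        $dispatcher | Stop-Service
        Backup-Key $dispatcherKey
        Set-RegValue $dispatcherKey 'NetworkAccessNode' $RouterHost 'String'
        Set-RegValue $dispatcherKey 'TcpPort' $RouterPort 'DWord'
        if (-not (Test-RouterPort $RouterHost $RouterPort)) {
            Write-Warning "${RouterHost}:${RouterPort} not reachable; check the internal firewall rule"
        }
        $dispatcher | Start-Service
    }
}
```

The connectivity check only proves the TCP path from the BES to the router's services port; the SRP path from the router outward is still verified with bbsrptest as in step 5.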
Old 05-21-2009, 09:49 AM
JDABS
BES Administrator
 
Join Date: May 2009
Location: Acworth, GA
Posts: 10

Thanks for everyone's responses!

hdawg, I'm completely with you!! That's a rant that I've been through many, many times! That PDF gives some pretty good info, so I'll use it with my testing.

Otto, let me know what you come up with your testing!

Devans, I agree that it seems like more info needs to be put together in one place for this! Thanks for the steps you put together. I'll use those in my testing too!

I'll let you guys know how it goes!
Old 05-21-2009, 04:55 PM
AUTiger92
BES Expert
 
Join Date: Jan 2009
Location: Alabama
Posts: 82

I feel the pain on the router and DMZ.
Old 12-17-2010, 05:02 AM
CEC
BES Activated
 
Join Date: Dec 2010
Location: Beccles
Posts: 1

I would be interested in people's thoughts about the pros and cons of having the router service running on the BES when it is configured to dispatch to a router in the DMZ.
The document implies chaining can occur?
Old 12-17-2010, 07:55 AM
BES Administrator
 
Join Date: Apr 2009
Location: YYZ
Posts: 17

Router opens an OUTBOUND connection to RIM's servers on port 3101.

Router in the DMZ does that and must also open a connection with the rest of the infrastructure inside the firewall.

If I can hack my way into your Router, chances are I'll hack my way inside your firewall using the open ports between DMZ and internal.

IMHO, unless the servers in the DMZ have no link back inside the network, a DMZ is useless. Like a screen door in front of your front door. It'll slow me down a few seconds, but won't stop me.
Old 12-20-2010, 04:27 PM
BES Expert
 
Join Date: Dec 2008
Location: Boston
Posts: 83

While I agree that putting the router in the DMZ is a bad idea, there are definitely reasons to have a DMZ. Web servers, public DNS and anonymous SMTP that forwards to the Internet, just to name a few. They have a purpose and are far from useless.