[hayabusa]

My firewall team is arguing with me about having port 3101 open for outbound connections to RIM's network while my BES is on the LAN. They are telling me they don't want to do this because they fear someone could spoof srp.us.blackberry.net and we could potentially connect to it. All my other BES servers connect this way but I am using a CLP client that allows them to do this. In the above situation a CLP proxy client is not possible because of the way the company is owned. Does anyone have any other ideals? I was thinking I could put a DMZ in and put the router portion on another domain since this part of the company doesn't have a dmz but this means puting in another server and providing a domain trust since this would be a different domain. Any ideal would be great I'm racking my brain trying to come up with ways to get this running

[Ugg]

Quote:

Originally Posted by hayabusa

They are telling me they don't want to do this because they fear someone could spoof srp.us.blackberry.net and we could potentially connect to it.

Presumably the server's DNS lookups are handled by something internally that passes the request on to an external DNS server? Couldn't you make sure that srp.us.blackberry.net was defined in there (or even just in the BES's "hosts" file)?

Surely though if you allow 3101 out only to the addresses currently defined by srp.us.blackberry.net and someone spoofs the DNS your firewall won't allow 3101 out to the spoofed address anyway?

(I suppose that by their logic you wouldn't trust any external DNSes and maintain a local DNS with all potential contacts in it instead - sounds like a lot of work!)

[x14]

You can put the BES Router in the DMZ as a standalone server. The Dispatcher will talk directly with the Router.

[hayabusa]

I offered up to put the entire thing in the DMZ but my firewall team is telling me that this option is a no go as well because then they have more open ports coming inbound to exchange and this would be even a bigger hole in security. Any other ideals??? desperate on this

[southwestcomm]

Tell your firewall team they need exam the policy. If it was that easy to use the port for what they are afraid have many many companies would have been attacked by now.

[John Clark]

Just tell them to close them all and then there's no chance of an attack. Honestly, I'm all for security but how much money does it cost a company when they've got to have all their IT people searching for hours on how to circumvent some crazy policy that prevents a legitimate application like BES from working. It makes no sense to me. *smfh*

/rant and going back to lurking only in the BES Admin corner. *flame suit on*

[penguin3107]

Quote:

Originally Posted by John Clark

Just tell them to close them all and then there's no chance of an attack. Honestly, I'm all for security but how much money does it cost a company when they've got to have all their IT people searching for hours on how to circumvent some crazy policy that prevents a legitimate application like BES from working. It makes no sense to me. *smfh*

/rant and going back to lurking only in the BES Admin corner. *flame suit on*

No need for the flame suit. You're spot on with this post.
Blocking outbound traffic on one port, for one machine, with a very legitimate task borders on paranoia to the point of lunacy.

Sounds to me like these network admins have a chip on their shoulder from some other "event" that happened in this company and now its payback time.
They're merely flexing their IT muscles and making themselves appear powerful in the process. In reality, this will bite them in the ass soon enough.

[hdawg]

Quote:

Originally Posted by hayabusa

My firewall team is arguing with me about having port 3101 open for outbound connections to RIM's network while my BES is on the LAN. They are telling me they don't want to do this because they fear someone could spoof srp.us.blackberry.net and we could potentially connect to it. All my other BES servers connect this way but I am using a CLP client that allows them to do this. In the above situation a CLP proxy client is not possible because of the way the company is owned. Does anyone have any other ideals? I was thinking I could put a DMZ in and put the router portion on another domain since this part of the company doesn't have a dmz but this means puting in another server and providing a domain trust since this would be a different domain. Any ideal would be great I'm racking my brain trying to come up with ways to get this running

Provide Firewall and connection requirements for the BlackBerry Enterprise Server to your firewall team; if that doesn't suffice, contact your supervisor and instruct him / her that the firewall team is preventing you from doing your job.

[hayabusa]

After further conversations with our firewall team I have discovered that they do not allow NAT translations in the firewall. All communications that initiate outbound connections must use proxy authentication to get out. I believe that my only options for this particular issue is to put a router in the dmz and route its traffice back to the bes server in another domain accross another firewall. The only other option I think I might have is to install the circuit layer proxy client on a server living on the internal intranet and install the router service on this machine. This would be like using a dmz except the the clp will alllow proxy authentication and thus allow for us to make a connection outbound. I will then have to route the traffic through the firewall and out to the other domain to the BES. Does anyone have any experiance using the CLP client from the Microsoft Internet authuthentication server?

[John Clark]

Is it always this much trouble to install a BES?

[hdawg]

Wow; please tell me security everywhere else in your company is like this?

Put the router in the DMZ

[contra]

its an outbound initiated connection - is has to come from the BES first, that in itself is pretty secure. I used to be a firewall admin - the best thing to do is to get them to fully understand what is required for connection, and they should be able to provide a secure solution - Maybe some others can share what they did in their own large secure companies ? I was the bes admin and the FW admin so I had it easy

[adamli9]

Our security and firewall groups also happen to be unreasonably paranoid. Usually we have to escalate our requests with management if we can't reach a compromise or solution. When we installed our BES environment last summer, it had upper management support, so we were able to implement it properly.