[xmorpheus]

Hi folks,

We're looking at BES 4, which has just been released here in Ireland.

One of the options that particularly appeals to us is the modular capabilities of the system - specifically, being able to put the MDS function within the DMZ.

For security reasons, we had to turn MDS off on 3.6 and it's prevented us from really developing the full potential of the system.

Has anyone tried this configuration yet and can you give me any pro's and cons of it?

I'm a BES Admin who "inherited" the 3.6 server with absolutely no training or even much of a handover and I'm determined we're going to do it right with 4. I'd greatly appreciate the benefit of experience if anyone is willing to help me out!

Many thanks!

[aristobrat]

I'm curious to hear some opinions on this, too!

Our BES/MDS is the same box and on our internal network.

Our network security guys were OK with that because the only way a BB handheld can communicate to the BES/MDS is via a secured tunnel that the BES initiates. They felt the risk was limited to users who disable their security screensaver password losing their devices, and even then, that BB could be deactivated quickly enough.

[arconsulting]

With 4.0, it is the Router (not MDS) that can be placed in the DMZ. If you do this, you lose "least-cost routing." This feature allows the BES to forward messages, calendar updates, etc. via the LAN rather than wireless network.

The recommended approach continues to be to *not* place any component in the DMZ. However, the Router can be.

[xmorpheus]

Hmmm our reseller definitely told us that MDS can be put on a separate box in the DMZ - this is in addition to the router being in the DMZ. We were also told that RIM were happy with this "workaround" to previous concerns about MDS and had no problem recommending it

Our security issues with the current version of MDS are mainly surrounding the fact that if you have any browser facing control panels within the LAN proper, in theory, they could be accessed using a BB.

[rgeorge]

You could solve that issue with either MDS in a DMZ (which I think can be done as well) or by proxy server. You could have the BES link to a proxy and restrict the URL's for your internal hosts from the proxy. A mini proxy could even be installed directly on the same server as MDS for this.

As for the ROUTER in a DMZ, you could still allow internal LAN connected hosts to connect to this for least cost routing.

[emale]

You CANNOT put MDS on a separate box. Attachment service yes, but not MDS. RIM doesn't support BES servers in a DMZ, but they do seem to support the router in a DMZ. This goes for Exchange, Lotus and Groupwise.

[xmorpheus]

emale, this is the information we're being given by our RIM approved vendor in Ireland. It's not like I just decided to make it up for fun.

I will pass your comments onto them and see what they say.

[arconsulting]

emale is correct. Check out:

http://www.blackberry.com/knowledgec...8&vernum=0

and search for "DMZ".

It specifically states to *not* place the BES in the DMZ and the Router *can* be placed in the DMZ. The MDS cannot be seperated from the BES.

[xmorpheus]

I never said he wasn't correct - I was simply passing on what we'd been told. I intend to feed this back to our vendor.

Oh and for reference, although RIM don't support it for Exchange, it IS possible to put BES 3.6 with MDS in a DMZ - we've done it and got it working on the test server. We just haven't bothered rolling it out as we now want to start testing 4 instead.

[arconsulting]

>> I never said he wasn't correct

I didn't mean to suggest anything negative in my post.


>> it IS possible to put BES 3.6 with MDS in a DMZ

Possible yes. And as you state, just not supported. This is why they broke out the Router.