Security! Escort the BES Router out of here!

I recently completed a Blackberry Enterprise Server 5 migration for a medium sized, 1,000 user financial services firm here in New York with requirements that had a slight deviation from the typical BES design.  Our initial objectives were simple, migrate the BES 4.x environment to version 5 on fresh servers while maintaining the upmost security and full transparency to the end user which of course, means no reactivations.  Full transparent migration capabilities between two Blackberry org’s come courtesy of a fabulous little utility known as the Blackberry Transporter Tool.  Since this a well known global financial services firm the “InfoSec”  department requires all internet facing servers to be placed on a segmented network to minimize the attack surface and to maximize the workload factor for a potential hacker/malware attack.  Thankfully, in version 5.x RIM has made it much easier to place the Blackberry “Router” server role in a segmented network on a non domain joined machine.  The BES Router component routes and exchanges handheld data between RIM’s infrastructure and the corporate network.  Naturally, in the eyes of any competent IT professional RIM’s network should be considered dirty and untrusted, especially with all the recent outages on RIM’s blamed on a rumored virus attack.   Either way, it is best practice and great for job security to protect corporate assets from the mesh of strange networks we call the Internet.

So, most of the project was pretty cut and dry, create the BES database on the existing SQL Cluster which resides on the EMC CLARiiON SAN configured in a RAID10 disk group, carve out some new 2008 R2 VM’s, one for the back end and one for the front end.  The backend Blackberry Enterprise server was assigned a vNIC which was associated with the Production “Server” network.  This network is considered “Trusted" and all desktops/servers (especially Exchange) can bi-directionally communicate with it.  Now, in a typical environment with a more relaxed approach on security this would be the server holding all roles including the Router service.  As previously stated the Router service would then communicate to RIM’s infrastructure via Internet to exchange data.  I instead, create a design where we would carve out that second VM and associate the vNIC to the DMZ network.  The following picture illustrates the segmented design.   


I had the firewall guys create the following rules to make this all work with the least amount of exposure:

A.  No outside internet access port 80, 443 etc.  For this firm I didn’t populate the corporate proxy server to block internet access.
B.  Port tcp/3301 allowed bi-directionally through firewall to front end BES server in DMZ only.

A. No outside internet access port 80, 443 etc.
B. Port tcp/3301 allowed bi-directionally through firewall into internet.  The ACL was configured to only allow source/destination to RIM’s public IP’s.  

Now, the BES application is ready to be installed.  The back end install was a pretty standard install and nothing new here to discuss.  I installed all services and configured the SQL database, SRP Key, and all other items such as the CAL’s.  Once that was completed I went ahead and started the BES installer for the DMZ server which will hold both router and controller roles.  The BlackBerry Controller monitors the BlackBerry Router and restarts the BlackBerry Router if it stops responding.  The front end server is not required to be joined to a domain which allows us to limit the ports that we punch open on the firewall.  Start the BES setup.exe file and in the setup type dialog box, select Install a standalone BlackBerry Router. Click Next and finish the rest of the installation.


Once the front end Router server installation is completed make your way to the “Blackberry Server Configuration Panel” utility on the Back end  BES and select the “Blackberry Router” tab (see below pic).  Under the SRP address populate the front end Router servers’ IP address.  Test all connectivity and you should be good to go!  Note – I also recommend using some kind of front end reverse proxy server to sit in front of the Router server such as Microsoft TMG 2010 for maximum security. 


No comments yet.

Leave a Reply

Time limit is exhausted. Please reload the CAPTCHA.

Powered by WordPress. Designed by Woo Themes