[bencav]

My security team has been pushing hard to get our BES placed in an isolated network. I have been pushing back, but I have been asked to take a look at what it would take to make this happen. I know there are a couple of threads on this topic that talk about the pros and cons, but I haven't been able to find any info on the impact that switching the MAPI ports on Exchange from dymanic to static might have. Has anyone tried this? Any issues with BES our Outlook performance afterwards?

[gibson_hg]

You don't need to place the BES in the DMZ, just the Router has to be there. The Router will connect to the outside and the BES will communicate to the Router through 1 port. It's easier then setting up your Exchange to use static ports.

Also, if you have issues and call RIM you will be out of luck as it's also not supported.

If you change to static ports the BES doesn't care as long as MAPI still works. It's Exchange and Outlook users that will suffer the most if it doesn't work.

Remember that BES is just like Outlook, if MAPI works then BES/Exchange/Outlook works. If MAPI is screwed then so is the BES/Exchange/Outlook.

Here is the KB about placing the BES Router component in the DMZ:

BlackBerry Search Results

This might help with the people in your company. Just tell them that if the BES goes down and they want to call RIM for help that they may as well set the BES on fire.

Set it up properly and you will be fine, but it's up to you and the people in the company.

[bencav]

Thanks- Yeah, I have documented the support issues and the issues around MAPI communication being sensative to delays that could be caued by a firewall, but I seem to fighting a losing battle. It goes back to the bbproxy vulnerability. (even though there are still no known exploits) The security guys are worried about a zero day threat taking advantage of the encrypted comunication path from the handheld into our production server network. Noone here is worried about the SRP traffic so we really woudn't get much out of a DMZ router implementation. The security guys really want to be able to packet scan un-encrypted traffic from the BES before it gets to other production servers.