
Please help evaluate security options

Status
Not open for further replies.

AgentK

IS-IT--Management
Jul 10, 2002
47
US
Hi,

I plan to set up a BlackBerry Enterprise Server (BES). Assuming that my Exchange server is on the INSIDE, and based on the BES document, there are two options that I am considering.

Option 1 - Place BES on INSIDE network
Create a hole from OUTSIDE to INSIDE:
static (inside,outside) 209.99.2.x 172.16.1.x
access-list outside_acl permit tcp any host 172.16.1.x eq 3101
(TCP 3101 is required for the inbound connection and 3DES encryption; BES will drop any message that is not encrypted)

Option 2 - Place BES on DMZ
static (dmz,outside) 209.99.2.x 192.168.1.x
access-list outside_acl permit tcp any host 192.168.1.x eq 3101
Because the BES communicates with Exchange by MAPI, additional ports are needed, i.e. 135, 137, 138, 139:
access-list inside_acl permit tcp host 192.168.1.x any eq 135
access-list inside_acl permit udp host 192.168.1.x any range 137 139

Your thoughts on this will be greatly appreciated.
Thanks for your time,
K

I tested both scenarios. The best and easier option is to place the BlackBerry server on the INSIDE where Exchange resides. All mail communication traffic between the BlackBerry server and the RIM device is treated as SMTP traffic.
There is no need to create a static between the [dmz,outside] zones or the [inside,outside] zones.
 
Well, you should consider the security implications of permitting any traffic from the entire Internet to a server situated on the inside. If an exploit is discovered for the BES on the inside, the attacker could be inside your firewall; with the BES on the DMZ you have complete control of what the BES can do towards the inside.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
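The trade-off Jan describes can be checked mechanically against the two rule sets from the first post. The following is an added example, not code from this thread or from any Cisco or RIM product: a small Python audit that parses the PIX-style static and access-list lines used above and reports which permit rules expose an inside host to an "any" Internet source, versus which rules only let a DMZ host talk inwards. The sample configs are copied from the two options (with the "host any" slip written as plain "any"); the regexes cover only that subset of the PIX grammar, and the interface names inside/dmz/outside are assumed to follow the usual security-level convention.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample configs, taken from Option 1 and Option 2 in the first post.
OPTION_1 = [
    "static (inside,outside) 209.99.2.x 172.16.1.x",
    "access-list outside_acl permit tcp any host 172.16.1.x eq 3101",
]
OPTION_2 = [
    "static (dmz,outside) 209.99.2.x 192.168.1.x",
    "access-list outside_acl permit tcp any host 192.168.1.x eq 3101",
    "access-list inside_acl permit tcp host 192.168.1.x any eq 135",
    "access-list inside_acl permit udp host 192.168.1.x any range 137 139",
]

# Only the subset of PIX syntax used in the thread is understood (assumption).
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s*$", re.I)
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(permit|deny)\s+(\w+)\s+"
    r"(any|host\s+\S+)\s+(any|host\s+\S+)"
    r"(?:\s+(eq\s+\d+|range\s+\d+\s+\d+))?\s*$",
    re.I,
)


@dataclass
class Static:
    high_if: str    # interface where the real (local) address lives, e.g. inside or dmz
    low_if: str     # interface the translated (global) address faces, e.g. outside
    global_ip: str
    local_ip: str


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str        # "any" or a single host address
    dst: str
    ports: str      # "eq 3101", "range 137 139", or "" meaning all ports


def _endpoint(spec: str) -> str:
    """Reduce 'any' or 'host 1.2.3.4' to 'any' or the bare address."""
    return "any" if spec.lower() == "any" else spec.split()[1]


def parse(lines: List[str]) -> Tuple[List[Static], List[AclEntry]]:
    statics, acls = [], []
    for raw in lines:
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append(Static(m.group(1).lower(), m.group(2).lower(), m.group(3), m.group(4)))
            continue
        m = ACL_RE.match(line)
        if m:
            acls.append(AclEntry(m.group(1), m.group(2).lower(), m.group(3).lower(),
                                 _endpoint(m.group(4)), _endpoint(m.group(5)),
                                 (m.group(6) or "").lower()))
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return statics, acls


def zone_of(ip: str, statics: List[Static]) -> Optional[str]:
    """Interface that owns a local address, learned from the static NAT lines; None if unknown."""
    for s in statics:
        if s.local_ip == ip:
            return s.high_if
    return None


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Classify permit rules by the zone boundary they cross.

    internet_to_inside: an 'any' source reaching a host the statics place on inside
                        (the exposure Jan warns about).
    dmz_to_any:         a DMZ host allowed towards 'any', which on a PIX includes the
                        inside; this is the traffic the DMZ placement lets you scope.
    """
    statics, acls = parse(lines)
    report: Dict[str, List[str]] = {"internet_to_inside": [], "dmz_to_any": []}
    for e in acls:
        if e.action != "permit":
            continue
        ports = e.ports or "all ports"
        if e.src == "any" and zone_of(e.dst, statics) == "inside":
            report["internet_to_inside"].append(f"{e.name}: any -> {e.dst} {e.proto} {ports}")
        elif zone_of(e.src, statics) == "dmz" and e.dst == "any":
            report["dmz_to_any"].append(f"{e.name}: {e.src} -> any {e.proto} {ports}")
    return report


if __name__ == "__main__":
    for label, cfg in (("Option 1 (BES inside)", OPTION_1), ("Option 2 (BES in DMZ)", OPTION_2)):
        print(label)
        for category, findings in audit(cfg).items():
            print(f"  {category}: {findings or 'none'}")
```

Run as-is it shows Option 1 with one Internet-to-inside finding on TCP 3101 and nothing else, and Option 2 with no Internet-to-inside finding but two DMZ-to-any rules (TCP 135 and UDP 137-139) that are the part an administrator then narrows down to the Exchange host. A real audit would also read the access-group bindings to learn which interface each ACL is applied to, which this subset parser does not do.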
 
Dopehead,
Great suggestion with security consciousness,

but option 1 requires no additional open port between the BES and the Internet [inside,outside], since all communication between the BES and the Internet is treated as SMTP from Exchange. The BES acts as if it were any MAPI client such as Outlook.

 
Ah, I just have no clue what BlackBerry is; I thought it was some mail scanner or something.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 