BES 10 Server managing IOS / Android

**xelsed** · 02-02-2013, 08:59 PM

If we deploy BES behind the firewall can we manage IOS and Android devices via the blackberry network or must we put a hole in our Firewall? I keep getting diffrent answers on this. i we can use Blackberry's network can the phone use it for ActiveSync traffic also ?

**oufc_gav** · 02-04-2013, 05:50 AM

The BDS component for BB10 devices only needs an outbound TCP port 3101 connection (like BES5).
UDS for iOS/Android is different. The Communication Module needs a publically accessible DNS name, and have a number of ports open. It can be installed on a separate server in a DMZ for this reason.
It requires TCP port 443 in and outbound (for both Android and iOS). Outbound TCP 2195 and 5223 for Apple Push Notification Service. Outbound port 80 & 443 for the Apple Root Certification Authority.
If you put the Communication module in the DMZ there is a separate set of ports to go between that server and the UDS server in the main network.

**jamusbojangles** · 02-08-2013, 09:12 AM

You will also need ActiveSync available outside your environment (exposed to the web)
If you don't, UDS will not work. You work around this by setting up a permanent VPN on the mobiles devices.

**wlane** · 05-07-2013, 04:04 PM

hi.. the inbound connection over port 443.. what would be the source address? an SME i spoke to a few weeks ago told me it would be from a fixed IP / Host. i hope you can shed some light on this for me..

thx

**HotFix** · 05-08-2013, 11:44 AM

Originally Posted by wlane

hi.. the inbound connection over port 443.. what would be the source address? an SME i spoke to a few weeks ago told me it would be from a fixed IP / Host. i hope you can shed some light on this for me..

thx

From what I understand It depends on the management mode used in BES 10.1. If you use the standard management mode your devices will connect directly to your ActiveSync servers from the outside, so the source IP could be any IP. If you use the ehanced management mode (where you get the secure container), all ActiveSync communication is proxied through your BES so the ActiveSync server sees that as the source IP.

**smoothrunnings** · 05-09-2013, 10:08 AM

Originally Posted by xelsed

If we deploy BES behind the firewall can we manage IOS and Android devices via the blackberry network or must we put a hole in our Firewall? I keep getting diffrent answers on this. i we can use Blackberry's network can the phone use it for ActiveSync traffic also ?

No not until BES 10.1 comes out, 10.1 is supposed to change the way UDS works by pushing all the traffic through port 3101.

**johnnyuk** · 05-09-2013, 11:46 AM

Originally Posted by oufc_gav

If you put the Communication module in the DMZ there is a separate set of ports to go between that server and the UDS server in the main network.

Can anyone clarify what the ports are you should open between the Communications module in the DMZ and the UDS server on your internal network?

Between my DMZ server and my internal UDS server I have ports 8081, 8082, and 8083 open in both directions. I'm having trouble getting my Apple Push Notification traffic to work. Am I missing any ports between the DMZ and UDS core and in with direction should they be open?

Or is BES 10.1 really close? If it is I could wait for that to make everything simpler before trying to get UDS working for iOS, it works for Android as it is.

Thanks in advance.

Posted via CB10

**HotFix** · 05-10-2013, 08:43 PM

BES 10.1 is really close as it hit gold release candidate, and the version we are running is very solid.

My suggestion is to wait a week or to if you can and hopefully save yourself some unnecessary headaches (hopefully) .

Posted via CB10

**johnnyuk** · 05-10-2013, 10:34 PM

That's good to know as I really need the BES10.1 upgrade for the extra IT policies so I can start my live Z10 and Q10 roll out. Not quite enough granularity in there right now for our secure environment. Hoping my carrier doesn't sit on OS10.1 much longer either.

I actually fixed my APNs problem on UDS this evening and have been torture testing an iToy since with activating, wiping, reactivating and trying out all the policies. It was a traffic direction configuration error between my external firewall and Apple in the end, not the internal ports. A diagram in another thread here that is far better than the one in the UDS install guide helped me out a lot.

Very impressed with the control over the iOS devices compared to my experiments with a Samsung Galaxy Tab which were very disappointing. On the Samsung I saw unreliable lock, password and wipe control and no EAS profile control without buying the Touchdown app on the device. Not good. Really hope 10.1 brings Samsung support with it, they are the major player, forget Motorola. If not maybe BES10.x could control the Samsung Knox security features in futute?

Posted via CB10