Has anyone had any luck configuring BES behind an ISA box?
I get error 10060 (connection failed) when initiating the connection from the blackberry server. I set up an access rule allowing TCP 3101 both ways between the ISA box and Blackberry's SPA's. No luck.
I created an access policy called BLACKBERRY_OUTBOUND.
I used TCP ports 3101 and 3500.
I get this when I run the srp test tool:
C:\>bbsrptest srp.na.blackberry.net
NetworkAccessNode is srp.na.blackberry.net.
Attempting to connect to srp.na.blackberry.net (204.187.87.33), port 3101
connect() failed: Connection timed out (10060)
Here is what the ISA server log has in it:
Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL
192.168.0.24 GATEWAY - TCP - - 4028 0 0 0 0xc0040012 FWX_E_NETWORK_RULES_DENIED 0x0 0x0 Firewall 8/23/2005 10:20:02 AM 204.187.87.33 3101 Blackberry OUTBOUND Denied Connection 192.168.0.24 Internal Blackberry North America - -
192.168.0.24 GATEWAY - TCP - - 4028 0 0 0 0xc0040012 FWX_E_NETWORK_RULES_DENIED 0x0 0x0 Firewall 8/23/2005 10:20:11 AM 204.187.87.33 3101 Blackberry OUTBOUND Denied Connection 192.168.0.24 Internal Blackberry North America - -
192.168.0.24 GATEWAY - TCP - - 4026 0 0 0 0xc0040012 FWX_E_NETWORK_RULES_DENIED 0x0 0x0 Firewall 8/23/2005 10:20:09 AM 206.51.26.33 3101 Blackberry OUTBOUND Denied Connection 192.168.0.24 Internal Blackberry North America - -
192.168.0.24 GATEWAY - TCP - - 4026 0 0 0 0xc0040012 FWX_E_NETWORK_RULES_DENIED 0x0 0x0 Firewall 8/23/2005 10:20:11 AM 206.51.26.33 3101 Blackberry OUTBOUND Denied Connection 192.168.0.24 Internal Blackberry North America - -
192.168.0.24 GATEWAY - TCP - - 4026 0 0 0 0xc0040012 FWX_E_NETWORK_RULES_DENIED 0x0 0x0 Firewall 8/23/2005 10:19:56 AM 204.187.87.33 3101 Blackberry OUTBOUND Denied Connection 192.168.0.24 Internal Blackberry North America - -
RE: Blackberry Enterprise Server - 13.Sep.2005 4:21:00 AM
Guest
We have added the following definitions and rules to the ISA Proxy server:
- Protocol definition
  Name : BlackBerry Enterprise Server
  Connection :
    Port : 3101
    Protocol : TCP
    Direction : Outbound
- Client address set
  Name : BlackBerry server
  Address : addr. of BES server
- Protocol rule
  Name : BlackBerry
  Action : Allow
  Protocol : BlackBerry Enterprise server
  Schedule : Always
  Client Addr. : BlackBerry server
Running the test on our BES server gave the following result:
C:\temp>bbsrptest -host srp.eu.blackberry.net
Attempting to connect to srp.eu.blackberry.net (193.109.81.33), port 3101
Sending test packet
Waiting for response
Receiving response
Checking response
Successful
I've run BES 3.5, 3.6, and now 4.0 for some time behind my ISA2000 box.
I remember toying with this one for quite some time and I don't remember why, but I created an IP Packet Filter for TCP/Fixed/3101 for Local and Remote. That's all that was needed. I'm currently running 4.0 with no problems.
This is funny because I'm setting up the BES rule on my new ISA2k4 boxes at this very moment.
RE: Blackberry Enterprise Server - 23.Sep.2005 2:56:00 PM
Guest
There is an issue with BES for one of their servers. If you are on a support call they will deny it til the cows come home. Depending on your configuration for DNS, do ipconfig /flushdns and nbtstat -RR on the client, then re-run the test. Note the IP addresses that pass and those that fail. Each time you run the test you'll find that the IP changes if you do the flush DNS and WINS cache...and that it only fails on one specific IP.... We have the same issue and got tired of arguing with them...the BES software will keep retrying and eventually will find a different server and work.
If it's working at all and only failing for that test then you have duplicated the issue we experienced both direct connecting and behind ISA/Proxy.. jer
BES 4.0 uses bidirectional on 3101 only. You need to make sure that your rule does not restrict the request to just the srp.ca.blackberry.net or srp.na.blackberry.net the BES software defaults to. Once you create a protocol for the traffic on port 3101 and create a rule to allow that traffic anywhere you will be in business.
However, ever since I installed this BES Server behind my ISA 2004 box my Firewall Service locks up intermittently and I have never experienced this behaviour before. I am positive the BES server is causing this. I just need a way to prove it.
Has anyone else got a BES 4.0 Server working without issues behind an ISA 2004 Server?
I think this portion of the logs above is the most relevant.
quote:
FWX_E_NETWORK_RULES_DENIED
Fix the Network Rule that pertains to the BES Server to the External Network. Is the BES Server in the Perimeter? What is the Network Rule for Perimeter to External?
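The reply above singles out FWX_E_NETWORK_RULES_DENIED in the posted log. As an added example (not part of any post in this thread), the Python below groups those denials by source network, destination network and destination address, so the network pair that lacks a network rule is visible at a glance. The field order used in the regex is an assumption read off the posted header row.

```python
import re
from collections import defaultdict
from datetime import datetime

# The five records from the ISA log quoted in this thread, one per line.
SAMPLE_LOG = """\
192.168.0.24 GATEWAY - TCP - - 4028 0 0 0 0xc0040012 FWX_E_NETWORK_RULES_DENIED 0x0 0x0 Firewall 8/23/2005 10:20:02 AM 204.187.87.33 3101 Blackberry OUTBOUND Denied Connection 192.168.0.24 Internal Blackberry North America - -
192.168.0.24 GATEWAY - TCP - - 4028 0 0 0 0xc0040012 FWX_E_NETWORK_RULES_DENIED 0x0 0x0 Firewall 8/23/2005 10:20:11 AM 204.187.87.33 3101 Blackberry OUTBOUND Denied Connection 192.168.0.24 Internal Blackberry North America - -
192.168.0.24 GATEWAY - TCP - - 4026 0 0 0 0xc0040012 FWX_E_NETWORK_RULES_DENIED 0x0 0x0 Firewall 8/23/2005 10:20:09 AM 206.51.26.33 3101 Blackberry OUTBOUND Denied Connection 192.168.0.24 Internal Blackberry North America - -
192.168.0.24 GATEWAY - TCP - - 4026 0 0 0 0xc0040012 FWX_E_NETWORK_RULES_DENIED 0x0 0x0 Firewall 8/23/2005 10:20:11 AM 206.51.26.33 3101 Blackberry OUTBOUND Denied Connection 192.168.0.24 Internal Blackberry North America - -
192.168.0.24 GATEWAY - TCP - - 4026 0 0 0 0xc0040012 FWX_E_NETWORK_RULES_DENIED 0x0 0x0 Firewall 8/23/2005 10:19:56 AM 204.187.87.33 3101 Blackberry OUTBOUND Denied Connection 192.168.0.24 Internal Blackberry North America - -
"""

# Assumed field order (inferred from the posted header row): result code,
# error name, ..., log time, destination IP, destination port, protocol,
# action, client IP, source network (one word), destination network.
RECORD = re.compile(
    r"(?P<code>0x[0-9a-fA-F]+) (?P<error>FWX_E_\w+) .*?"
    r"(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) (?P<port>\d+) "
    r"(?P<protocol>.+?) (?P<action>Denied Connection) "
    r"(?P<client>\d+\.\d+\.\d+\.\d+) (?P<src_net>\S+) (?P<dst_net>.+?) - -$"
)


def summarize_denials(log_text, error="FWX_E_NETWORK_RULES_DENIED"):
    """Group denied records by network pair and destination, with count and time span."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = RECORD.search(line.strip())
        if not m or m["error"] != error:
            continue  # header rows, allowed traffic, or a different error
        when = datetime.strptime(m["time"], "%m/%d/%Y %I:%M:%S %p")
        g = groups[(m["src_net"], m["dst_net"], m["dst"], int(m["port"]))]
        g["count"] += 1
        g["first"] = when if g["first"] is None else min(g["first"], when)
        g["last"] = when if g["last"] is None else max(g["last"], when)
    return dict(groups)


if __name__ == "__main__":
    for (src, dst_net, ip, port), g in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{src} -> {dst_net}  {ip}:{port}  denied x{g['count']}  "
              f"{g['first']:%H:%M:%S}..{g['last']:%H:%M:%S}")
```

Every record in the posted log falls under the same Internal to "Blackberry North America" pair, which is the network relationship the reply asks about.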
Posts: 1
Joined: 14.Oct.2005
From: San Diego
I tried using port 3101 in many ways. Finally - I used an outbound rule using the TCP protocol I created - From ALL Networks - To All networks and did not specify a port - So Everything goes out... That worked.
When I specified only port 3101 - It Did Not Work?? !!! To get on with the install - I Specified the TCP protocol and the To: = External.
I Disabled the Published incoming rule and it still works. I disabled the Specific Outgoing rule - 3101 and it still works... Next I will work with support to find out why all ports works and what they say - 3101 does not!