• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Blackberry Enterprise Server

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Blackberry Enterprise Server Page: [1]
Login
Message << Older Topic   Newer Topic >>
Blackberry Enterprise Server - 22.Aug.2005 12:19:00 PM   
Mezzmor

 

Posts: 2
Joined: 22.Aug.2005
From: Orlando, FL
Status: offline
Has anyone had any luck configuring BES behind an ISA box?

I get error 10060 (connection failed) when initiating the connection from the blackberry server. I set up an access rule allowing TCP 3101 both ways between the ISA box and Blackberry's SPA's. No luck.

Any advice?

Thanks
Post #: 1
RE: Blackberry Enterprise Server - 22.Aug.2005 4:15:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mezz,

Is that the only protocol BES uses?

Thanks!
Tom

(in reply to Mezzmor)
Post #: 2
RE: Blackberry Enterprise Server - 22.Aug.2005 6:53:00 PM   
sikoniko

 

Posts: 57
Joined: 14.Oct.2002
Status: offline
There are 3 ports that need to be open for BES to work. I will check at work tomorrow but I believe TCP3000 was the one that BES was bound to.

(in reply to Mezzmor)
Post #: 3
RE: Blackberry Enterprise Server - 23.Aug.2005 8:25:00 AM   
sikoniko

 

Posts: 57
Joined: 14.Oct.2002
Status: offline
OK, I was wrong. here are the ports:

Port 3101 TCP Outbound
Port 3101 TCP Inbound
Port 3500 TCP Outbound
Port 3500 TCP Inbound

I know it did not work with 3101 in/out alone. I did not try removing them after adding 3500.

We have BES 4.0 for exchange working without issue.

(in reply to Mezzmor)
Post #: 4
RE: Blackberry Enterprise Server - 23.Aug.2005 10:30:00 AM   
Mezzmor

 

Posts: 2
Joined: 22.Aug.2005
From: Orlando, FL
Status: offline
Arrgh.

OK. This is what I have so far.

I created an access policy called BLACKBERRY_OUTBOUND.

I used TCP ports 3101 and 3500.

I get this when I run the srp test tool:

C:\>bbsrptest srp.na.blackberry.net
NetworkAccessNode is srp.na.blackberry.net.
Attempting to connect to srp.na.blackberry.net (204.187.87.33), port 3101
connect() failed: Connection timed out (10060)

Here is what the ISA server log has in it:

Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL
192.168.0.24 GATEWAY - TCP - - 4028 0 0 0 0xc0040012 FWX_E_NETWORK_RULES_DENIED 0x0 0x0 Firewall 8/23/2005 10:20:02 AM 204.187.87.33 3101 Blackberry OUTBOUND Denied Connection 192.168.0.24 Internal Blackberry North America - -
192.168.0.24 GATEWAY - TCP - - 4028 0 0 0 0xc0040012 FWX_E_NETWORK_RULES_DENIED 0x0 0x0 Firewall 8/23/2005 10:20:11 AM 204.187.87.33 3101 Blackberry OUTBOUND Denied Connection 192.168.0.24 Internal Blackberry North America - -
192.168.0.24 GATEWAY - TCP - - 4026 0 0 0 0xc0040012 FWX_E_NETWORK_RULES_DENIED 0x0 0x0 Firewall 8/23/2005 10:20:09 AM 206.51.26.33 3101 Blackberry OUTBOUND Denied Connection 192.168.0.24 Internal Blackberry North America - -
192.168.0.24 GATEWAY - TCP - - 4026 0 0 0 0xc0040012 FWX_E_NETWORK_RULES_DENIED 0x0 0x0 Firewall 8/23/2005 10:20:11 AM 206.51.26.33 3101 Blackberry OUTBOUND Denied Connection 192.168.0.24 Internal Blackberry North America - -
192.168.0.24 GATEWAY - TCP - - 4026 0 0 0 0xc0040012 FWX_E_NETWORK_RULES_DENIED 0x0 0x0 Firewall 8/23/2005 10:19:56 AM 204.187.87.33 3101 Blackberry OUTBOUND Denied Connection 192.168.0.24 Internal Blackberry North America - -

What the heck am I doing wrong?

Thanks

(in reply to Mezzmor)
Post #: 5
RE: Blackberry Enterprise Server - 13.Sep.2005 4:21:00 AM   
Guest
We have added the following definitions and rules to the ISA Proxy server:

-Protocol definition
Name : BlackBerry Enterprise Server

Connection :
Port : 3101
Protocol : TCP
Direction : Outbound

- Client address set
Name : BlackBerry server
Address : addr. of BES server

- Protocol rule
Name : BlackBerry
Action : Allow
Protocol : BlackBerry Enterprise server
Schedule : Always
Client Addr. : BlackBerry server

Running the test on our BES server gave the following result:

C:\temp>bbsrptest -host srp.eu.blackberry.net
Attempting to connect to srp.eu.blackberry.net (193.109.81.33), port 3101
Sending test packet
Waiting for response
Receiving response
Checking response
Successful

(in reply to Mezzmor)
  Post #: 6
RE: Blackberry Enterprise Server - 13.Sep.2005 8:11:00 PM   
Andy2Long

 

Posts: 16
Joined: 7.Oct.2003
From: Torrance, CA
Status: offline
Did you configure the ISA 2004 BlackBerry protocol with:

Primary Connections
3101 TCP Outbound
3500 TCP Outbound

Secondary Connections
3101 TCP Inbound
3500 TCP Inbound

For ISA 2000 I only needed:
Primary TCP 3101 Outbound
Secondary TCP 3101 Inbound

This is for BES 3.6, so maybe 3500 is used for BES 4.0?

Thanks,

Andy

(in reply to Mezzmor)
Post #: 7
RE: Blackberry Enterprise Server - 14.Sep.2005 1:38:00 PM   
jbarsodi

 

Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
I've run BES 3.5, 3.6, and now 4.0 for sometime behind my ISA2000 box.

I remember toying with this one for quite sometime and I don't remember why, but I created a IP Packet Filter for TCP/Fixed/3101 for Local and Remote. That's all that was needed. I'm currently running 4.0 with no problems.

This is funny because I'm setting up the BES rule on my new ISA2k4 boxes at this very moment.

(in reply to Mezzmor)
Post #: 8
RE: Blackberry Enterprise Server - 23.Sep.2005 2:56:00 PM   
Guest
There is an issue with BES for one of their servers. If you are on a support call they will deny it til the cows come home. Depending on your configuration for DNS do ipconfig /flushdns and nbtstat -RR on the client then re-run the test. not the IP addresses that pass and those that fail. Each time you run the test you'll find that the ip changes if you do the flush dns and wins cash...and that it only fails on one specific IP.... we have the same issue and got tired of arguing with them...the BES software will keep retrying and eventually will find a different server and work.

If it's working at all and only failing for that test then you have duplicated the issue we experienced both direct connecting and behind ISA/Proxy..
jer

(in reply to Mezzmor)
  Post #: 9
RE: Blackberry Enterprise Server - 20.Dec.2005 8:48:23 PM   
PaulCyr

 

Posts: 60
Joined: 17.Mar.2001
From: Charlottetown, PE, Canada
Status: offline
BES 4.0 uses bidirectional on 3101 only.
You need to make sure that your rule does not restrict the request to just the srp.ca.blackberry.net or srp.na.blackberry.net the BES software defaults to.
Once you create a protocol for the traffic on port 3101 and create a rule to allow that traffic anywhere you will be in business.

However,
Even since I installed this BES Server behind my ISA 2004 box my Firewall Service locks up intermittently and I have never experienced this behaviour before. I am positive the BES server is causing this. I just need a way to prove it.

Has anyone else got a BES 4.0 Server working without issues behind an ISA 2004 Server?

(in reply to Guest)
Post #: 10
RE: Blackberry Enterprise Server - 20.Dec.2005 10:24:30 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
I think this portion of the logs above is the most relevant.

quote:

FWX_E_NETWORK_RULES_DENIED


Fix the Network Rule that pertains to the BES Server to the External Network. Is the BES Server in the Perimeter? What is the Network Rule for Perimeter to External?

(in reply to PaulCyr)
Post #: 11
RE: Blackberry Enterprise Server - 2.Apr.2006 8:58:34 PM   
jbarsodi

 

Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
This is all it took.

Primary Connections
3101 TCP Outbound

Secondary Connections
3101 TCP Inbound

From
BES server IP

To
External

(in reply to ClintD)
Post #: 12
RE: Blackberry Enterprise Server - 16.Jul.2008 4:59:08 PM   
jskog

 

Posts: 1
Joined: 14.Oct.2005
From: San Diego
Status: offline
I tried using port 3101 in many ways.  Finally - I used an outbound rule using the TCP protocol I created - From ALL Networks - To All networks and did not specify a port - So Everything goes out...  That worked.

When I specified only port 3101 - It Did Not Work?? !!!  To get on with the install - I Specified the TCP protocol and the To: =  External.

I Disabled the Published incoming rule and it still works.  I disabled the Specific Outgoing rule - 3101 and it still works...  Next I will work with support to find out why all ports works and what they say - 3101 does not!

Jackson 

(in reply to Mezzmor)
Post #: 13

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Blackberry Enterprise Server Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts