Deployment options

The recommended deployment configurations for Direct Connect are:
  • Port forwarding
  • Proxy forwarding
  • Reverse proxy with SSL bridging
These are sample configurations for typical environments. However, DMZ architecture is optional as long as you ensure the correct ports are open. For information about port requirements, see the BlackBerry UEM Planning Guide.
BlackBerry UEM does not support deep packet inspection in the network segment between the external firewall and BlackBerry Proxy. Even though the Direct Connect connection uses TLS, the protocol to the BlackBerry Proxy server is Good Relay Protocol (GRP), which is a binary protocol. In addition, the GRP payload may itself be encrypted with TLS if the application layer established an HTTPS/TLS connection to the application server.
A BlackBerry Dynamics app establishes a TLS connection to the BlackBerry Proxy and authenticates to the BlackBerry Proxy over GRP. The BlackBerry Proxy then uses the SSL certificate signed by BlackBerry UEM to authenticate to the BlackBerry Dynamics app. If SSL bridging is used, you must replace the default BlackBerry UEM signed certificate with a custom third-party certificate that can be used to authenticate BlackBerry Dynamics apps.
Connections to the application server are never attempted through the BlackBerry Dynamics NOC when configured for Direct Connect.
The following image shows the layers and protocols used in Direct Connect.
Direct Connect protocols
The following table compares the connection models supported by BlackBerry Dynamics.
| Connection Model | Authentication | Encryption | Connection requirements | Intranet connection requirements |
|---|---|---|---|---|
| Through the BlackBerry Dynamics NOC | By the BlackBerry Dynamics NOC and BlackBerry Connectivity Node | AES 256 by GRP | Outbound | Outbound |
| Direct Connect configured for port forwarding | By the BlackBerry Connectivity Node | AES 256 by TLS protocol | One inbound IP address per BlackBerry Connectivity Node | Multiple inbound IP addresses, one per app server |
| Direct Connect configured using a forward proxy | By the BlackBerry Connectivity Node | AES 256 by TLS protocol | One inbound IP address per proxy | One inbound IP address per BlackBerry Connectivity Node |
| Direct Connect configured using a reverse proxy with SSL bridging | First by the SSL bridging appliance and then by the BlackBerry Connectivity Node | AES 256 by TLS protocol | One inbound IP address per proxy | One inbound IP address per BlackBerry Connectivity Node |