
Deployment options

The recommended deployment configurations for Direct Connect are:
  • Port forwarding
  • Proxy forwarding
  • Reverse proxy with SSL bridging
These are sample configurations for typical environments. However, DMZ architecture is optional as long as you ensure the correct ports are open. For information about port requirements, see the BlackBerry UEM Planning Guide. For assistance in designing a custom environment, contact BlackBerry Enterprise Consulting.
BlackBerry UEM does not support deep packet inspection in the network segment between the external firewall and BlackBerry Proxy. Even though the Direct Connect connection is TLS, the protocol to the BlackBerry Proxy server is Good Relay Protocol (GRP), which is a binary protocol. Also, the payload of the GRP may be encrypted with TLS if the application layer established an HTTPS/TLS connection to the application server. The BlackBerry Dynamics app establishes a TLS connection to the BlackBerry Proxy and authenticates to the BlackBerry Proxy over GRP. The BlackBerry Proxy then uses the SSL certificate signed by BlackBerry UEM to authenticate to the BlackBerry Dynamics app. If SSL bridging is used, you must replace the default BlackBerry UEM signed certificate with a custom third-party certificate that can be used to authenticate BlackBerry Dynamics apps.
Connections to the application server are never attempted through the BlackBerry Dynamics NOC when configured for Direct Connect.
The following image shows the layers and protocols used in Direct Connect. 
[Figure: Direct Connect protocols]
The following table compares the connection models supported by BlackBerry Dynamics.

| Connection model | Authentication | Encryption | Connection requirements | Intranet connection requirements |
|---|---|---|---|---|
| Through the BlackBerry Dynamics NOC | By the BlackBerry Dynamics NOC and BlackBerry Connectivity Node | AES 256 by GRP | Outbound | Outbound |
| Direct Connect configured for port forwarding | By the BlackBerry Connectivity Node | AES 256 by TLS protocol | One inbound IP address per BlackBerry Connectivity Node | Multiple inbound IP addresses, one per app server |
| Direct Connect configured using a forward proxy | By the BlackBerry Connectivity Node | AES 256 by TLS protocol | One inbound IP address per proxy | One inbound IP address per BlackBerry Connectivity Node |
| Direct Connect configured using a reverse proxy with SSL bridging | First by the SSL bridging appliance and then by the BlackBerry Connectivity Node | AES 256 by TLS protocol | One inbound IP address per proxy | One inbound IP address per BlackBerry Connectivity Node |