Port forwarding
You can port forward all incoming client traffic to a BlackBerry Proxy server in a DMZ. The benefit of this approach compared to the other deployment options is that no extra appliance is required in the DMZ.

Because the BlackBerry Proxy is a component of the BlackBerry Connectivity Node, to install the BlackBerry Proxy in a DMZ, you must install the entire BlackBerry Connectivity Node in the DMZ. For more information on distributed architecture, see BlackBerry UEM distributed installation.

You must open additional ports between the DMZ and the work network so that the BlackBerry UEM Core servers and all enterprise application servers used in the BlackBerry Dynamics deployment are reachable from the BlackBerry Connectivity Node in the DMZ.

Requirements:
- The BlackBerry Connectivity Node must be reachable from the internet on port 17533.
- You must configure each BlackBerry Connectivity Node instance separately.
- Each BlackBerry Proxy server must have a publicly routable DNS name (for example, bp01.domain.com). You can create a unique public DNS entry for each BlackBerry Connectivity Node instance or use the same public DNS entry for all BlackBerry Connectivity Node instances by using round robin DNS. You can configure the external FQDN for the BlackBerry Proxy in the BlackBerry UEM management console.

A BlackBerry Connectivity Node inside a DMZ is not required. You can port forward from the edge of the perimeter network directly into the work network where the BlackBerry Proxy server resides. The BlackBerry Proxy server requires only one inbound port, TCP 17533. As long as the perimeter firewall is configured to allow only this port to the BlackBerry Proxy server, access is secured.
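
The following added example (not part of the BlackBerry documentation) audits an exported list of perimeter port-forward rules against the requirement above that only TCP 17533 is forwarded to each BlackBerry Proxy server. The rule format, the internal host names and the sample rules are constructed assumptions.

```python
# Added example: check that only TCP 17533 is forwarded to each BlackBerry Proxy.
# The rule format, host names and sample rules are constructed for illustration.
from dataclasses import dataclass

BP_PORT = 17533  # the single inbound port the page says BlackBerry Proxy requires

@dataclass(frozen=True)
class Forward:
    proto: str       # "tcp" or "udp"
    ext_ports: str   # single port "17533" or range "17000-18000"
    dest_host: str   # internal host receiving the forwarded traffic

def port_span(spec: str) -> tuple[int, int]:
    """Return (low, high) for a port or a 'low-high' range."""
    low, _, high = spec.partition("-")
    return int(low), int(high or low)

def audit(rules: list[Forward], proxies: set[str]) -> list[str]:
    """Return findings; an empty list means the rules match the requirement."""
    findings = []
    covered = set()
    for r in rules:
        if r.dest_host not in proxies:
            continue  # not a BlackBerry Proxy; out of scope for this check
        low, high = port_span(r.ext_ports)
        if r.proto.lower() == "tcp" and low == high == BP_PORT:
            covered.add(r.dest_host)
        else:
            findings.append(f"{r.dest_host}: unexpected forward {r.proto}/{r.ext_ports}")
            if r.proto.lower() == "tcp" and low <= BP_PORT <= high:
                covered.add(r.dest_host)  # reachable, but the range is too wide
    for host in sorted(proxies - covered):
        findings.append(f"{host}: no forward for tcp/{BP_PORT}")
    return findings

# Constructed sample: two proxies behind one round robin DNS name.
SAMPLE_PROXIES = {"bp01.internal.example", "bp02.internal.example"}
SAMPLE_RULES = [
    Forward("tcp", "17533", "bp01.internal.example"),
    Forward("tcp", "17000-18000", "bp02.internal.example"),
    Forward("tcp", "3389", "bp01.internal.example"),
    Forward("tcp", "443", "web01.internal.example"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES, SAMPLE_PROXIES):
        print(line)
```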