Skip Navigation

Port forwarding

You can port forward all incoming client traffic to a 
BlackBerry Proxy
 server in a DMZ. The benefit of this approach compared to the other deployment options is that no extra appliance is required in the DMZ.
Because the 
BlackBerry Proxy
 is a component of the 
BlackBerry Connectivity Node
, to install the 
BlackBerry Proxy
 in a DMZ, you must install the entire 
BlackBerry Connectivity Node
 in the DMZ. For more information on distributed architecture, see BlackBerry UEM distributed installation.
You must open additional ports between the DMZ and the work network so that the 
BlackBerry UEM Core
 servers and all enterprise application servers used in the 
BlackBerry Dynamics
 deployment are reachable from the 
BlackBerry Connectivity Node
 in the DMZ. 
Requirements: 
  • The 
    BlackBerry Connectivity Node
     must be reachable from the internet on port 17533. 
  • You must configure each 
    BlackBerry Connectivity Node
     instance separately.
  • Each 
    BlackBerry Proxy
     server must have a publicly routable DNS name (for example, bp01.domain.com). You can create a unique public DNS entry for each 
    BlackBerry Connectivity Node
     instance or use the same public DNS entry for all 
    BlackBerry Connectivity Node
     instances by using round robin DNS. You can configure the external FQDN for the 
    BlackBerry Proxy
     in the 
    BlackBerry UEM
     management console.
Direct Connect architecture
BlackBerry Connectivity Node
 inside a DMZ is not required. You can port forward from the edge of the perimeter network directly into the work network where the 
BlackBerry Proxy
 server resides. The 
BlackBerry Proxy
 server requires only one inbound port, TCP 17533. As long as the perimeter firewall is configured to allow only this port to the 
BlackBerry Proxy
 server, then access is secured.