Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry Enterprise Mobility Server 3.7
  3. BEMS Installation Guide
  4. Prerequisites: Installing and configuring BEMS
  5. Core requirements
  6. System and network requirements

System and network requirements

Verify that your environment and the servers that host
BEMS
 meet the following system and network requirements.
Item
Requirement
Software
Verify that you have installed
JRE
 8 on the servers where you will install
BEMS
 and that you have an environment variable that points to its location.
Operating system
Verify that your server is running an operating system that supports
BEMS
. For information about the supported operating systems, see the BEMS Compatibility Matrix.
Supported browsers
Verify that the servers that host and access the
BEMS
 Dashboard have a supported browser installed.
Administration rights
  • The user that performs the installation must have local administrative privileges on the host machine. The user that performs the installation must also have db_owner permissions to all the
    BEMS
     databases. For more information, visit support.blackberry.com/community to read article 42661.
  • The
    BEMS
     service account must have "Log on as a service" right.
  • Disable antivirus software before you install or upgrade the
    BEMS
     software.
  • Exclude the
    BEMS
     directory from virus scanning.
  • The local
    Windows
     firewall must be disabled.
A Group Firewall Policy will cause the installer to fail its prerequisite checks, even if the local firewall is disabled.
Inbound TCP Ports
The following ports must be open and ready for
BEMS
 and not blocked by any firewall:
  • 8080 from the
    BlackBerry Proxy
     or
    Good Proxy
     server or 8082 if SSL is required for inbound
    BlackBerry Proxy
     or
    Good Proxy
     communications, respectively
  • 8443 from the
    BlackBerry Proxy
     or
    Good Proxy
     server for
    Push Notifications
    ,
    Presence
    , and
    Docs
     and from
    Microsoft Office Web Apps
     or
    Office Online
     Server for
    Docs
  • Optionally if your environment uses
    Microsoft Graph
    , from 8443 or another configured port to the reverse proxy appliance. For information about how
    Microsoft Graph
     communicates with
    BEMS
    , see Architecture: BEMS notification flow using the Microsoft Graph API. You can complete the following:
    • Restrict the firewall to only accept connections from
      Microsoft
      's list of IP addresses. For more information on the available
      Microsoft Graph
       Change notifications IP addresses, see https://docs.microsoft.com/en-us/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls?view=o365-worldwide.
    • Restrict the reverse proxy server to only proxy the /notificationClient URI (for example,
      bems_server_name
      .example.com:443/notificationClient" ;="bems.example.com:8443/notificationClient BEMS_Pool"
    • If the reverse proxy appliance is installed in a DMZ, make sure that port 8443 is open from the reverse proxy to each
      BEMS
       node.
  • 49555 from the on-premises
    Skype for Business
     server (for
    BlackBerry Connect
    ) when the
    Connect
     service is trusted by
    Skype for Business
  • 49777 from
    Skype for Business
     for the
    Presence
     service
  • 61616 TCP port to and from
    BEMS
     servers in the same cluster (bidirectional)
  • 61617 TCP (SSL) to and from
    BEMS
     servers in the same cluster (bidirectional)
To support clustering,
BEMS
 employs ActiveMQ's enterprise features. By design, network port 61616 and 61617 (SSL) are used for inter-
BEMS
 communication. Any firewall between
BEMS
 nodes in the same cluster should have rules allowing bi-directional communication between
BEMS
 nodes over port 61616 and/or 61617 (SSL).
Outbound TCP Ports
Verify that the following ports are open and ready for
BEMS
 and not blocked by any firewall:
  • 443 to
    BlackBerry Dynamics NOC
     (gdweb.good.com)
  • 443 to
    Microsoft Exchange
    , optionally to
    Microsoft Graph
  • 443 to
    Firebase Cloud Messaging
     (FCM) for
    Android
     Push Notification
  • 443 or 80 to
    Microsoft SharePoint
  • 443 to
    Microsoft Office Web Apps
     or
    Office Online
     Server
  • 5061 (for
    BlackBerry Connect
    ) to the on-premises
    Skype for Business
     server configured as trusted mode
  • 17080 to the
    BlackBerry Proxy
     or
    Good Proxy
     server
  • 17433 to the
    BlackBerry Proxy
     or
    Good Proxy
     server
    2
  • 1433 to the
    Microsoft SQL Server
     (default)
  • 8443 to the Presence Web Service (CIMP server)
  • 5222 to the Presence Web Service (CIMP server)
  • 8083 to the
    Cisco
     IM and Presence Service
  • 61616 TCP port to and from
    BEMS
     servers in the same cluster (bidirectional)
  • 61617 TCP (SSL) to and from
    BEMS
     servers in the same cluster (bidirectional)
  • Google
     Authentication Server URLs:
    • https://accounts.google.com/o/oauth2/auth
    • https://oauth2.googleapis.com/token
    • https://www.googleapis.com/oauth2/v1/certs
  • In a
    SharePoint Online
     environment, 433 to the following:
    • login.microsoftonline.com
    • *.sharepoint.com
  • In an
    Entra
     Information Protection environment, 443 to the following:
    • login.microsoftonline.com
    • graph.microsoft.com
    • *.aadrm.com
  • In a
    Box
     environment, 443 to *.box.com
For installing
Connect
 for
Skype for Business
, if the
Skype for Business
 database server is using a static port then open that port. The range of ports is necessary only when the
Skype for Business
 database server is using dynamic ports.
Devices must be able to connect to the
Apple
 (APNS) and cloud messaging servers to receive push notifications from
BEMS
. If your
Wi-Fi
 network restricts outbound access, make sure that the proper outbound ports are open for your devices.
Internal ports
The following ports are used by
BEMS
:
  • 8080 or 8082 for use by the
    BlackBerry Connect
     service
  • 8101 for SSH connectivity to
    BEMS
  • 8443 for
    Push Notifications
     and
    Presence
  • 8099 for use by the .NET Component Manager
  • 8060 for use by the Lync Presence Provider (LPP)
  • 6379 for use by
    Lync
    Presence
     Provider (LPP) in a
    Skype for Business
     environment and
    BEMS-Core
     in a
    Cisco Unified Communications Manager
     IM and Presence environments to read and write to the Redis service database
  • 1001 for use by
    BEMS
     for internal process communications when
    Active Directory
     Rights Management Services (AD RMS) and
    Entra
    -IP RMS is used in the environment
TCP/IP port access to the database
1433 to the
Microsoft SQL Server
 default
1
 A plus sign (+) indicates support for service packs and updates released subsequent to the core version.
2
BEMS
 requires visibility of all
BlackBerry Proxy
 or
Good Proxy
 servers (17080 and 17433), regardless of whether KCD is enabled or not, so that if one
BlackBerry Proxy
 or
Good Proxy
 fails,
BEMS
 can communicate with the next
BlackBerry Proxy
 or
Good Proxy
 in the cluster for authentication tokens, etc.