Skip Navigation

System and network requirements

Verify that your environment and the servers that host
BEMS
meet the following system and network requirements.
Item
Requirement
Software
Verify that you have installed
JRE
8 on the servers where you will install
BEMS
and that you have an environment variable that points to its location.
Operating system
Verify that your server is running an operating system that supports
BEMS
. For information about the supported operating systems, see the BEMS Compatibility Matrix.
Supported browsers
Verify that the servers that host and access the
BEMS
Dashboard have a supported browser installed.
Administration rights
  • The user that performs the installation must have local administrative privileges on the host machine. The user that performs the installation must also have db_owner permissions to all the
    BEMS
    databases. For more information, visit support.blackberry.com/community to read article 42661.
  • The
    BEMS
    service account must have "Log on as a service" right.
  • Disable antivirus software before you install or upgrade the
    BEMS
    software.
  • Exclude the
    BEMS
    directory from virus scanning.
  • The local
    Windows
    firewall must be disabled.
A Group Firewall Policy will cause the installer to fail its prerequisite checks, even if the local firewall is disabled.
Inbound TCP Ports
The following ports must be open and ready for
BEMS
and not blocked by any firewall:
  • 8080 from the
    BlackBerry Proxy
    or
    Good Proxy
    server or 8082 if SSL is required for inbound
    BlackBerry Proxy
    or
    Good Proxy
    communications, respectively
  • 8443 from the
    BlackBerry Proxy
    or
    Good Proxy
    server for
    Push Notifications
    ,
    Presence
    , and
    Docs
    and from
    Microsoft Office Web Apps
    or
    Office Online
    Server for
    Docs
  • Optionally if your environment uses
    Microsoft Graph
    , from 8443 or another configured port to the reverse proxy appliance. For information about how
    Microsoft Graph
    communicates with
    BEMS
    , see Architecture: BEMS notification flow using the Microsoft Graph API. You can complete the following:
    • Restrict the firewall to only accept connections from
      Microsoft
      's list of IP addresses. For more information on the available
      Microsoft Graph
      Change notifications IP addresses, see https://docs.microsoft.com/en-us/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls?view=o365-worldwide.
    • Restrict the reverse proxy server to only proxy the /notificationClient URI (for example,
      bems_server_name
      .example.com:443/notificationClient" ;="bems.example.com:8443/notificationClient BEMS_Pool"
    • If the reverse proxy appliance is installed in a DMZ, make sure that port 8443 is open from the reverse proxy to each
      BEMS
      node.
  • 49555 from the on-premises
    Skype for Business
    server (for
    BlackBerry Connect
    ) when the
    Connect
    service is trusted by
    Skype for Business
  • 49777 from
    Skype for Business
    for the
    Presence
    service
  • 61616 TCP port to and from
    BEMS
    servers in the same cluster (bidirectional)
  • 61617 TCP (SSL) to and from
    BEMS
    servers in the same cluster (bidirectional)
To support clustering,
BEMS
employs ActiveMQ's enterprise features. By design, network port 61616 and 61617 (SSL) are used for inter-
BEMS
communication. Any firewall between
BEMS
nodes in the same cluster should have rules allowing bi-directional communication between
BEMS
nodes over port 61616 and/or 61617 (SSL).
Outbound TCP Ports
Verify that the following ports are open and ready for
BEMS
and not blocked by any firewall:
  • 443 to
    BlackBerry Dynamics NOC
    (gdweb.good.com)
  • 443 to
    Microsoft Exchange
    , optionally to
    Microsoft Graph
  • 443 to
    Firebase Cloud Messaging
    (FCM) for
    Android
    Push Notification
  • 443 or 80 to
    Microsoft SharePoint
  • 443 to
    Microsoft Office Web Apps
    or
    Office Online
    Server
  • 5061 (for
    BlackBerry Connect
    ) to the on-premises
    Skype for Business
    server configured as trusted mode
  • 17080 to the
    BlackBerry Proxy
    or
    Good Proxy
    server
  • 17433 to the
    BlackBerry Proxy
    or
    Good Proxy
    server
    2
  • 1433 to the
    Microsoft SQL Server
    (default)
  • 8443 to the Presence Web Service (CIMP server)
  • 5222 to the Presence Web Service (CIMP server)
  • 8083 to the
    Cisco
    IM and Presence Service
  • 61616 TCP port to and from
    BEMS
    servers in the same cluster (bidirectional)
  • 61617 TCP (SSL) to and from
    BEMS
    servers in the same cluster (bidirectional)
  • Google
    Authentication Server URLs:
    • https://accounts.google.com/o/oauth2/auth
    • https://oauth2.googleapis.com/token
    • https://www.googleapis.com/oauth2/v1/certs
  • In a
    SharePoint Online
    environment, 433 to the following:
    • login.microsoftonline.com
    • *.sharepoint.com
  • In an
    Entra
    Information Protection environment, 443 to the following:
    • login.microsoftonline.com
    • graph.microsoft.com
    • *.aadrm.com
  • In a
    Box
    environment, 443 to *.box.com
For installing
Connect
for
Skype for Business
, if the
Skype for Business
database server is using a static port then open that port. The range of ports is necessary only when the
Skype for Business
database server is using dynamic ports.
Devices must be able to connect to the
Apple
(APNS) and cloud messaging servers to receive push notifications from
BEMS
. If your
Wi-Fi
network restricts outbound access, make sure that the proper outbound ports are open for your devices.
Internal ports
The following ports are used by
BEMS
:
  • 8080 or 8082 for use by the
    BlackBerry Connect
    service
  • 8101 for SSH connectivity to
    BEMS
  • 8443 for
    Push Notifications
    and
    Presence
  • 8099 for use by the .NET Component Manager
  • 8060 for use by the Lync Presence Provider (LPP)
  • 6379 for use by
    Lync
    Presence
    Provider (LPP) in a
    Skype for Business
    environment and
    BEMS-Core
    in a
    Cisco Unified Communications Manager
    IM and Presence environments to read and write to the Redis service database
  • 1001 for use by
    BEMS
    for internal process communications when
    Active Directory
    Rights Management Services (AD RMS) and
    Entra
    -IP RMS is used in the environment
TCP/IP port access to the database
1433 to the
Microsoft SQL Server
default
1
A plus sign (+) indicates support for service packs and updates released subsequent to the core version.
2
BEMS
requires visibility of all
BlackBerry Proxy
or
Good Proxy
servers (17080 and 17433), regardless of whether KCD is enabled or not, so that if one
BlackBerry Proxy
or
Good Proxy
fails,
BEMS
can communicate with the next
BlackBerry Proxy
or
Good Proxy
in the cluster for authentication tokens, etc.