Port requirements

Before you install or upgrade BEMS, you should familiarize yourself with how BEMS uses ports.
The BEMS services use various ports to communicate with the BlackBerry Infrastructure, the BlackBerry Dynamics NOC, and internal resources (for example, your organization's messaging software). This section lists the default ports that BEMS uses for outbound, inbound, and internal communications. All ports are TCP, unless otherwise specified. The ports must be open and ready for BEMS to use and not blocked by a firewall.
BEMS must be installed in BlackBerry UEM environments that use BlackBerry Dynamics. BEMS has port requirements for communication with UEM and the BlackBerry Dynamics NOC.

BEMS services TCP ports

| Ports | Connection | Service | Purpose |
| --- | --- | --- | --- |
| 8443 | Outbound | Connect, Presence | To connect to the Cisco User Data Service. |
| 8443 | Outbound | Presence | To connect to the Presence Web Service (CIMP server). |
| 8443 | Outbound | BlackBerry Mail (Push Notifications Service) | Optionally, if your environment uses Microsoft Graph, 8443 or another configured port to the reverse proxy appliance. For information about how Microsoft Graph communicates with BEMS, see Data flow: BEMS notification flow using the Microsoft Graph API. If your environment uses Microsoft Graph, you can complete the following: restrict the firewall to only accept connections from Microsoft's list of IP addresses (for more information on the available Microsoft Graph Change notifications IP addresses, see the Microsoft resource Other endpoints not included in the Microsoft 365 IP Address and URL Web service); restrict the reverse proxy server to only proxy the /notificationClient URI (for example, bems_server_name.example.com:443/notificationClient" ;="bems.example.com:8443/notificationClient BEMS_Pool"); if the reverse proxy appliance is installed in a DMZ, make sure that port 8443 is open from the reverse proxy to each BEMS node. |
| 8443 | Inbound | Dashboard | The Dashboard binds to this port and allows BEMS administrators and BEMS Docs users to access the Dashboard using a web browser. |
| 8443 | Inbound | BlackBerry Mail (Push Notifications Service), Presence, and Docs | To connect from the BlackBerry Proxy. |
| 8443 | Inbound | Docs | To connect from Microsoft Office Web Apps or Office Online Server for Docs. |
| 8443 | Inbound | Presence | To connect from the BlackBerry Proxy server. |
| 8443 | Inbound | BlackBerry Mail (Push Notifications Service), Presence | To connect from the BlackBerry Proxy server, and optionally for Microsoft Graph (Push Notifications) to the reverse proxy server appliance. For more information about how Microsoft Graph communicates with BEMS, see Data flow: BEMS notification flow using the Microsoft Graph API. |
| 8443 | Inbound | BlackBerry Mail (Push Notifications Service), Presence, Docs | To connect from the BlackBerry Proxy server, and from Microsoft Office Web Apps or Office Online Server (Docs). |
| 443 | Outbound | BlackBerry Mail (Push Notifications Service) | To connect to: the BlackBerry Dynamics NOC (includes connections to APNs) (gdweb.good.com); Firebase Cloud Messaging (FCM) for Android Push Notifications; Microsoft Exchange Server (Microsoft Exchange Web Services, AutoDiscover), optionally to Microsoft Graph. |
| 443 | Outbound | Connect | In a Skype for Business on-premises environment that uses non-trusted application mode, to connect to: lyncdiscoverInternal.<DomainName>.com; FQDN of the internal Skype Front End pool. |
| 443 | Outbound | BlackBerry Mail (Push Notifications Service) | In an Entra environment, to connect to the following: login.microsoftonline.com; graph.microsoft.com; *.aadrm.com. |
| 443 | Outbound | Docs | In a SharePoint Online environment, to connect to: login.microsoftonline.com; *.sharepoint.com. |
| 443 | Outbound | Docs | In a Box environment, to connect to *.box.com. |
| 17080 or 17433 (SSL) | Outbound | BlackBerry Mail (Push Notifications Service) | To connect to the BlackBerry Proxy server. BEMS requires visibility of all instances of the BlackBerry Proxy server (17080 and 17433), regardless of whether KCD is enabled or not, so that if one BlackBerry Proxy fails, BEMS can communicate with the next BlackBerry Proxy in the cluster for authentication tokens. |
| 1433, 1434 | Outbound | BlackBerry Mail (Push Notifications Service), Connect, Presence | To connect to the Microsoft SQL Server database (default). To connect to the SQL Browser service when using dynamic ports. |

Internal TCP ports for internal BEMS communications

| Ports | Purpose |
| --- | --- |
| 8101 | SSH connectivity to BEMS. |
| 8443 | Used by the BlackBerry Mail (Push Notifications Service) and Presence service. |
| 8099 | Used by the .NET Component Manager. |
| 8060 | Used by the Lync Presence Provider (LPP). |
| 6379 | Used by LPP in a Skype for Business environment and BEMS-Core in a Cisco Unified Communications Manager IM and Presence environment to read and write to the Redis service database. |
| 1001 | Used by BEMS for internal process communications when Active Directory Rights Management Services (AD RMS) and Entra-IP RMS are used in the environment. |

BlackBerry Push Notifications (Mail) service TCP ports

Devices must be able to connect to the Apple Push Notification Service (APNS) and cloud messaging servers to receive push notifications from BEMS. If your Wi-Fi network restricts outbound access, verify that the proper outbound ports are open for your devices.

| Ports | Connection | Purpose |
| --- | --- | --- |
| 61616 or 61617 (SSL) | Bidirectional | Connection to and from servers that host BEMS in the same cluster. To support clustering, BEMS employs ActiveMQ's enterprise features. By design, network port 61616 and 61617 (SSL) are used for inter-BEMS communication. Any firewall between BEMS nodes in the same cluster should have rules allowing bi-directional communication between BEMS nodes over port 61616 and/or 61617 (SSL). |
| 80 | Outbound | To connect to Microsoft Exchange Server (AutoDiscover). |
| 389 or 636 (SSL) | Outbound | To connect to Active Directory using LDAP. |
| 3268 or 3269 (SSL) | Outbound | To connect to the Global catalog. |
| Google Authentication Server URLs | Outbound | To connect to the following URLs: https://accounts.google.com/o/oauth2/auth; https://oauth2.googleapis.com/token; https://www.googleapis.com/oauth2/v1/certs |

BlackBerry Connect and BlackBerry Presence service TCP and UDP ports

If you install Connect for Skype for Business and the Skype for Business database server is using a static port, you must open that port. The range of ports is necessary only when the Skype for Business database server is using dynamic ports.

| Ports | Connection | Purpose |
| --- | --- | --- |
| 8080 or 8082 (SSL) | Inbound | Connection from the BlackBerry Proxy server; used by the BlackBerry Connect service. By default, SSL communication is enabled with a new BEMS 2.12.5.6 or later installation and is bound to port 8082. If you upgraded from BEMS 2.10 or earlier and SSL communication with the BlackBerry Connect app is not enabled, use port 8080. For more information, see "Configure BlackBerry Connect app settings in BlackBerry UEM" in the BlackBerry Connect administration content. |
| 49555 | Inbound | Connection from the on-premises Skype for Business server (for BlackBerry Connect) when the Connect service is trusted by Skype for Business. |
| 49777 | Inbound | Connection from the on-premises Skype for Business for BlackBerry Presence. |
| 5061 | Outbound | To connect from the BlackBerry Connect service to the on-premises Skype for Business server configured as trusted mode. |
| 1434 | Outbound | UDP port to connect to the on-premises Skype for Business database. This is used for the initial setup only. |
| 49152 to 57500 | Outbound | A random port in this range to the Skype for Business database. This is used for the initial setup only. |
| 5222 | Outbound | To connect to the Cisco Jabber XMPP Service. To connect to the Presence Web Service (CIMP server). |
| 8083 | Outbound | To connect to the Cisco IM and Presence Service. |

BlackBerry Docs service TCP ports

| Ports | Connection | Purpose |
| --- | --- | --- |
| 80 or 443 | Outbound | To connect to your Microsoft SharePoint server. |
| 443 | Outbound | To connect to Microsoft Office Web Apps or Office Online Server. |
| 445 or 139 | Outbound | To connect to the CIFS share. |
| 389 or 636 | Outbound | To connect to Active Directory using LDAP. |
| 137, 138 | Outbound | UDP port to connect to the CIFS share. |
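
The requirement that these ports are open and not blocked by a firewall can be checked from the BEMS server itself. The following PowerShell script is an added example, not part of the BlackBerry documentation: it tests a sample of the outbound TCP destinations listed above and reports whether the local ports that BEMS binds are free or already in use. The example.com host names are placeholders for your own BlackBerry Proxy, SQL Server, and domain controller, and the function and variable names are illustrative. UDP ports are not tested.

```powershell
# Added example: preflight check of BEMS port requirements, run on the BEMS server.
# Addresses under example.com are placeholders (assumptions); use your own hosts.
$Outbound = @(
    @{ Name = 'BlackBerry Dynamics NOC'; Address = 'gdweb.good.com';            Port = 443 }
    @{ Name = 'Entra sign-in';           Address = 'login.microsoftonline.com'; Port = 443 }
    @{ Name = 'Microsoft Graph';         Address = 'graph.microsoft.com';       Port = 443 }
    @{ Name = 'BlackBerry Proxy';        Address = 'bp01.example.com';          Port = 17080 }
    @{ Name = 'BlackBerry Proxy (SSL)';  Address = 'bp01.example.com';          Port = 17433 }
    @{ Name = 'Microsoft SQL Server';    Address = 'sql01.example.com';         Port = 1433 }
    @{ Name = 'Active Directory (SSL)';  Address = 'dc01.example.com';          Port = 636 }
)
# TCP ports that BEMS binds on the local server, taken from the tables on this page
$LocalPorts = 8443, 8082, 8101, 8099, 8060, 6379, 61616, 61617

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() returns $false on timeout and throws if the connection fails
        return ($client.ConnectAsync($Address, $Port).Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$outboundResults = foreach ($t in $Outbound) {
    $ok = Test-TcpPort -Address $t.Address -Port $t.Port
    $result = if ($ok) { 'reachable' } else { 'blocked or unreachable' }
    [pscustomobject]@{
        Check  = "Outbound: $($t.Name)"
        Target = "$($t.Address):$($t.Port)"
        Result = $result
    }
}

# Before installation these ports should be free; afterwards BEMS should own them
$localResults = foreach ($p in $LocalPorts) {
    $listener = Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $state = if ($listener) { "in use by PID $($listener.OwningProcess)" } else { 'free' }
    [pscustomobject]@{ Check = 'Local listener'; Target = "TCP $p"; Result = $state }
}

@($outboundResults) + @($localResults) | Format-Table -AutoSize
```

A successful TCP connection shows only that the path is open through the firewall; it does not validate TLS or service authentication.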