Cannot sync a Blackberry with BES 4.1.4

Posted on 2008-11-17
Last Modified: 2013-11-12
I set up a Blackberry Ent Server for GroupWise on a Windows 2003 server. I have opened port 3101 for both incoming and outgoing and have forwarded all traffic on port 3101 to the address of the BES. The BES manager is able to find GroupWise users.

I get the following message when I try to setup an email connection on the blackberry device:

Activating user@domain.com
Retrying...

Eventually it times out after several tries and says that the server is not responding. I am using the external IP address and port number to connect where it asks for the IP address on the Blackberry device. I set up a user password in the Blackberry Manager and used that password on the device as well.
e.g. 24.67.99.x:3101
Question by:ksbrett

Expert Comment

by:ZENandEmailguy
ID: 22981952
Questions:

1) Did you generate a GroupWise Trusted Application and does it appear in ConsoleOne under Tools | GroupWise System Operations | Trusted Applications?

2) Are you using NAT between your public IP address and the IP address of the BES server?  NAT may be the problem.  It was for the GroupWise Mobile Server (GMS) at one of my clients last week.  Their Cisco guy issued some magical commands and all started working...I don't know what they were, however.

3) Can you temporarily open all ports between your external IP and your internal BES server IP to test to see if the problem is firewall related?  If the problem still occurs, immediately close the ports.

4) Can the BES server get to the GroupWise server?  You mentioned it could find GW users so it is seeing the domain database to get user accounts, but is it able to get to the post office to find stuff to sync?

BES works very well with GroupWise but it can be a bit of a pain to get everything configured and syncing.

Scott Kunau

Author Comment

by:ksbrett
ID: 23006553
Thanks ZENandEmailGuy
1) Yes I generated a trusted application and yes it appears in ConsoleOne. When I go to the properties, the IP address and port number are blank. I entered the IP address of the BES server but I'm not sure what port to use.

2) Yes I am using NAT but I am also running a GroupWise Mobile server on the network and it works without issue. I am using the same firewall commands for the BES as I am for the GMS except each is mapping a different port to a different inside IP.

3) I used an IP scanning utility and scanned the outside IP for all open ports. All of the other open ports show up as they should but port 3101 does not. I'm not sure why this port will not open. I guess this is a firewall issue: Here is the PIX 501 code:

4) I'm not sure how to test if the BES can see the domain without performing a sync.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2008.11.20 10:08:48 =~=~=~=~=~=~=~=~=~=~=~=


User Access Verification


ASA Version 7.2(3)

hostname gate
domain-name gate.com
enable password rzycxxBfj78quXmu encrypted
names
name 192.168.0.7 citrix
name 192.168.0.6 win-dns
name 192.168.0.5 nov-dns
name 192.168.0.4 blackberry

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0

interface Vlan2
 nameif outside
 security-level 0
 ip address 24.71.X.X 255.255.252.0

interface Ethernet0/0
 switchport access vlan 2

             

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd rzycxxBfj78quXmu encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name quailsgate.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network frontbridge_SRV
 network-object 12.129.X.0 255.255.255.0
 network-object 63.241.X.0 255.255.255.0
 network-object 24.67.X.87 255.255.255.255
 network-object 207.46.X.64 255.255.255.192
 network-object 207.46.X.0 255.255.255.0
 network-object 213.199.X.0 255.255.255.0
 network-object 213.244.X.0 255.255.255.0
 network-object 216.32.X.0 255.255.255.0
 network-object 216.32.X.0 255.255.255.0
 network-object 65.55.X.0 255.255.255.192
 network-object 65.55.X.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list out-in extended permit tcp any interface outside eq citrix-ica
access-list out-in extended permit tcp any interface outside eq 1677
access-list out-in extended permit tcp any interface outside eq 6504
access-list out-in extended permit tcp any interface outside eq 6505
access-list out-in extended permit tcp any interface outside eq 4500
access-list out-in extended permit tcp any interface outside eq 500
access-list out-in extended permit tcp any interface outside eq 52080
access-list out-in extended permit tcp any interface outside eq 47493
access-list out-in extended permit tcp any interface outside eq 47513
access-list out-in extended permit tcp any interface outside eq 52443
access-list out-in extended permit tcp any interface outside eq 51443
access-list out-in extended permit tcp any interface outside eq 51080
access-list out-in extended permit tcp any interface outside eq https
access-list out-in extended permit tcp any interface outside eq ldaps
access-list out-in extended permit tcp any interface outside eq 7205
access-list out-in extended permit tcp any interface outside eq 631
access-list out-in extended permit tcp any interface outside eq 2620
access-list out-in extended permit tcp any interface outside eq pop3
access-list out-in extended permit tcp any interface outside eq 47808
access-list out-in extended permit udp any interface outside eq 47808
access-list out-in extended permit tcp any interface outside eq 3389
access-list out-in extended permit tcp any interface outside eq ldap
access-list out-in extended permit tcp any interface outside eq www
access-list out-in extended permit tcp any interface outside eq 2368
access-list out-in extended permit tcp any interface outside eq 6320
access-list out-in extended permit tcp any interface outside eq 6323
access-list out-in extended permit tcp any interface outside eq 61031
access-list out-in extended permit tcp host 12.129.20.X interface outside eq smtp
access-list out-in extended permit tcp host 12.129.199.X interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.X interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.X interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.X interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.X interface outside eq smtp
access-list out-in extended permit tcp host 62.209.45.X interface outside eq smtp
access-list out-in extended permit tcp host 63.241.222.X interface outside eq smtp
access-list out-in extended permit tcp host 65.55.251.X interface outside eq smtp
access-list out-in extended permit tcp host 206.16.57.X interface outside eq smtp
access-list out-in extended permit tcp host 207.46.51.X interface outside eq smtp
access-list out-in extended permit tcp host 207.46.163.X interface outside eq smtp
access-list out-in extended permit tcp host 213.199.154.X interface outside eq smtp
access-list out-in extended permit tcp host 213.244.175.X interface outside eq smtp
access-list out-in extended permit tcp host 216.32.180.X interface outside eq smtp
access-list out-in extended permit tcp host 216.32.181.X interface outside eq smtp
access-list out-in extended permit tcp host 216.200.206.X interface outside eq smtp
access-list out-in extended permit tcp host 216.117.146.X interface outside eq smtp
access-list out-in extended permit tcp any interface outside eq 41794
access-list out-in extended permit tcp any interface outside eq 41795
access-list out-in extended permit tcp any interface outside eq 41792
access-list out-in extended permit tcp any interface outside eq 41793
access-list out-in extended permit udp any interface outside eq 41792
access-list out-in extended permit udp any interface outside eq 41793
access-list out-in extended permit udp any interface outside eq 41794
access-list out-in extended permit udp any interface outside eq 41795
access-list out-in extended permit tcp any interface outside eq 3102
access-list out-in extended permit tcp any interface outside eq 2626
access-list out-in extended permit tcp host 12.129.20.X interface outside eq smtp
access-list out-in extended permit tcp host 12.129.20.X interface outside eq smtp
access-list out-in extended permit tcp host 63.241.222.X interface outside eq smtp
access-list out-in extended permit tcp host 63.241.222.X interface outside eq smtp
access-list out-in extended permit tcp host 65.55.251.X interface outside eq smtp
access-list out-in extended permit tcp host 65.55.251.X interface outside eq smtp
access-list out-in extended permit tcp host 207.46.51.X interface outside eq smtp
access-list out-in extended permit tcp host 207.46.51.X interface outside eq smtp
access-list out-in extended permit tcp host 207.46.163.X interface outside eq smtp
access-list out-in extended permit tcp host 207.46.163.X interface outside eq smtp
access-list out-in extended permit tcp host 213.199.154.X interface outside eq smtp
access-list out-in extended permit tcp host 213.199.154.X interface outside eq smtp
access-list out-in extended permit tcp host 213.244.175.X interface outside eq smtp
access-list out-in extended permit tcp host 213.244.175.X interface outside eq smtp
access-list out-in extended permit tcp host 216.32.180.X interface outside eq smtp
access-list out-in extended permit tcp host 216.32.180.X interface outside eq smtp
access-list out-in extended permit tcp host 216.32.181.X interface outside eq smtp
access-list out-in extended permit tcp host 216.32.181.X interface outside eq smtp
access-list out-in extended permit tcp object-group frontbridge_SRV interface outside eq smtp
access-list out-in extended permit tcp any interface outside eq pcanywhere-data
access-list out-in extended permit tcp any interface outside eq 5632
access-list out-in extended permit udp any interface outside eq pcanywhere-status
access-list out-in extended permit udp any interface outside eq 5631
access-list out-in extended permit tcp any interface outside eq 5900
access-list out-in extended permit tcp any interface outside eq 5800
access-list out-in extended permit tcp any interface outside eq 3101
access-list qvyvpn_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip any any inactive
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool qvypool 192.168.20.2-192.168.20.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface citrix-ica citrix citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 3389 citrix 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp nov-dns smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 nov-dns pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 nov-dns 1677 netmask 255.255.255.255
static (inside,outside) tcp interface ldaps nov-dns ldaps netmask 255.255.255.255
static (inside,outside) tcp interface www nov-dns www netmask 255.255.255.255
static (inside,outside) tcp interface ldap nov-dns ldap netmask 255.255.255.255
static (inside,outside) tcp interface 631 nov-dns 631 netmask 255.255.255.255
static (inside,outside) tcp interface 6320 192.168.0.80 6320 netmask 255.255.255.255
static (inside,outside) tcp interface 2368 192.168.0.80 2368 netmask 255.255.255.255
static (inside,outside) tcp interface 6323 192.168.0.80 6323 netmask 255.255.255.255
static (inside,outside) tcp interface 61031 192.168.0.80 61031 netmask 255.255.255.255
static (inside,outside) tcp interface 41794 192.168.0.70 41794 netmask 255.255.255.255
static (inside,outside) tcp interface 41795 192.168.0.70 41795 netmask 255.255.255.255
static (inside,outside) tcp interface 41793 192.168.0.71 41793 netmask 255.255.255.255
static (inside,outside) tcp interface 41792 192.168.0.71 41792 netmask 255.255.255.255
static (inside,outside) udp interface 41792 192.168.0.71 41792 netmask 255.255.255.255
static (inside,outside) udp interface 41793 192.168.0.71 41793 netmask 255.255.255.255
static (inside,outside) udp interface 41794 192.168.0.70 41794 netmask 255.255.255.255
static (inside,outside) udp interface 41795 192.168.0.70 41795 netmask 255.255.255.255
static (inside,outside) tcp interface 3102 citrix 3102 netmask 255.255.255.255
static (inside,outside) tcp interface https citrix https netmask 255.255.255.255
static (inside,outside) tcp interface 47808 192.168.0.31 47808 netmask 255.255.255.255
static (inside,outside) udp interface 47808 192.168.0.31 47808 netmask 255.255.255.255
static (inside,outside) tcp interface pcanywhere-data 192.168.0.32 pcanywhere-data netmask 255.255.255.255
static (inside,outside) tcp interface 5632 192.168.0.32 5632 netmask 255.255.255.255
static (inside,outside) udp interface pcanywhere-status 192.168.0.32 pcanywhere-status netmask 255.255.255.255
static (inside,outside) udp interface 5631 192.168.0.32 5631 netmask 255.255.255.255
static (inside,outside) tcp interface 2626 win-dns 2626 netmask 255.255.255.255
static (inside,outside) tcp interface 5900 192.168.0.11 5900 netmask 255.255.255.255
static (inside,outside) tcp interface 5800 192.168.0.11 5800 netmask 255.255.255.255
static (inside,outside) tcp interface 3101 blackberry 3101 netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 24.71.224.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.20.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 207.81.100.138
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.20.0 255.255.255.0 inside
telnet 24.70.3.146 255.255.255.255 outside
telnet 171.68.225.212 255.255.255.255 outside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 24.70.3.146 255.255.255.255 outside
ssh 171.68.225.212 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 64.59.168.13 64.59.168.15
dhcpd update dns

dhcpd address 192.168.0.100-192.168.0.150 inside
dhcpd update dns interface inside



class-map inspection_default
 match default-inspection-traffic


policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
group-policy qvyvpn internal
group-policy qvyvpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value qvyvpn_splitTunnelAcl
username scott password NAiWlHPXAGC.pFRq encrypted privilege 15
username scott attributes
 vpn-group-policy qvyvpn
username kimco password w8CBFP7sYPe6XNUG encrypted privilege 15
username kimco attributes
 vpn-group-policy qvyvpn
username admin password TCcG.3xgCkgvUxY7 encrypted privilege 15
username ksbrett password dVc8gF9zGhM84iDc encrypted privilege 15
username ksbrett attributes
 vpn-group-policy qvyvpn
tunnel-group qvyvpn type ipsec-ra
tunnel-group qvyvpn general-attributes
 address-pool qvypool
 default-group-policy qvyvpn
tunnel-group qvyvpn ipsec-attributes
 pre-shared-key *
tunnel-group 207.81.x.x type ipsec-l2l
tunnel-group 207.81.x.x ipsec-attributes
 pre-shared-key *
prompt context hostname
Cryptochecksum:322957e78a8d9d4e14f9bc00db5cdbf4
: end
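
An added example, not part of the original post: the cross-check this thread turns on, namely whether each `static` port forward (pre-8.3 ASA syntax, as posted) has a matching permit in the ACL bound to the outside interface. The sample config is constructed in the style of the posted one (192.0.2.10, port 8081 and host 192.168.0.99 are invented), and the parser handles only the `static ... interface` and `access-list ... eq` forms seen in that post.

```python
import re

# Service names the ASA prints in place of numbers (subset seen in the post).
NAMED_PORTS = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "ldap": 389,
               "ldaps": 636, "citrix-ica": 1494,
               "pcanywhere-data": 5631, "pcanywhere-status": 5632}
NAME_RE = re.compile(r"^name (\S+) (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
STATIC_RE = re.compile(
    r"^static \(([^,\s]+),([^)\s]+)\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit (tcp|udp) "
    r"(any|host \S+|object-group \S+) interface (\S+) eq (\S+)")

# Constructed sample in the style of the posted config; 192.0.2.10, port 8081
# and host 192.168.0.99 are invented for this example.
SAMPLE = """\
name 192.168.0.7 citrix
name 192.168.0.4 blackberry
access-list out-in extended permit tcp any interface outside eq citrix-ica
access-list out-in extended permit tcp any interface outside eq 3389
access-list out-in extended permit tcp any interface outside eq 3101
access-list out-in extended permit tcp host 192.0.2.10 interface outside eq smtp
static (inside,outside) tcp interface citrix-ica citrix citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 3389 citrix 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3101 blackberry 3101 netmask 255.255.255.255
static (inside,outside) tcp interface 8081 192.168.0.99 8081 netmask 255.255.255.255
access-group out-in in interface outside
"""

def port_num(token):
    """Turn an ASA port token (service name or number) into an int."""
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)

def audit(config_text):
    """Cross-check static port forwards against the ACL bound to the interface."""
    names, bound, statics, permits = {}, {}, [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m[2]] = m[1]                      # alias -> IP
        elif m := GROUP_RE.match(line):
            bound[m[2]] = m[1]                      # interface -> inbound ACL
        elif m := STATIC_RE.match(line):
            _, mapped_if, proto, ext_port, host, _ = m.groups()
            statics.append((mapped_if, proto, port_num(ext_port), host))
        elif m := ACL_RE.match(line):
            acl, proto, src, iface, port = m.groups()
            permits.setdefault((acl, iface, proto, port_num(port)), set()).add(src)
    forwards, blocked = {}, []
    for mapped_if, proto, port, host in statics:
        srcs = permits.get((bound.get(mapped_if), mapped_if, proto, port), set())
        forwards[(proto, port)] = {"host": names.get(host, host), "sources": sorted(srcs)}
        if not srcs:
            blocked.append((proto, port))           # forwarded but never permitted
    orphans = sorted({(p, n) for (acl, iface, p, n) in permits
                      if acl == bound.get(iface) and (p, n) not in forwards})
    open_to_any = sorted(k for k, v in forwards.items() if "any" in v["sources"])
    return {"forwards": forwards, "blocked": blocked,
            "orphan_permits": orphans, "open_to_any": open_to_any}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A `blocked` entry is a forward whose inbound traffic is dropped at the ACL; an `orphan_permits` entry is a permit with no forward behind it and a candidate for removal.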
 
 

Author Comment

by:ksbrett
ID: 23006576
Sorry, I forgot that I recently upgraded the firewall and I am now using a Cisco ASA-5505 for the firewall.

Expert Comment

by:ZENandEmailguy
ID: 23019358
The fact that you generated the Trusted App and that you can see users tells me that you're good to go as far as BES install into GW.  I'm not a firewall guy but appreciate you sending the log/config because a friend of mine is a CCIE and I've taken the liberty to send your last post over to him to take a look.  I'll post back as soon as he gets back to me...probably over the weekend.

Scott

Author Comment

by:ksbrett
ID: 23030053
Scott
I have the firewall config working. I placed a port listener on the server running BES and then pinged it from an outside IP with success using port 3101.

Is there something that I may be missing that I have to set up with the Blackberry service?

Thanks

Accepted Solution

by:
ZENandEmailguy earned 1600 total points
ID: 23057198
Look in the properties of the BlackBerry Server (there is a manager utility available...sorry I don't have access to any of that right now) and confirm each of the settings.  Also, put your POA into Verbose logging if it isn't already and watch to see if you see any lines in the logs about RIM or BlackBerry and trusted app.  If you see those words, then the BES is successfully connecting to the POA.

One other thought.  Do you have the GroupWise client installed on the BES server?  If so, which one?  Version 6.5 uses API calls to the POA and version 7 uses SOAP over port 7191.  If you're using ver 7 make sure that SOAP is enabled on the POA (it is NOT by default).

Scott

Author Comment

by:ksbrett
ID: 23130609
Thanks Scott,
I resolved the issue. I found out that it was a misconfiguration from my phone carrier. They did not have the phone switched over to a BES plan even though we were being billed for one. I will award you the points for all your help. Thanks again.