I want to install Blackberry Express Server on my Exchange 2010 server for users at my company, but I am wary of simply opening up ports to my server directly to the internet.
Are there any good ways to ensure that inbound traffic is BlackBerry-only and safe? I know BlackBerry does allow a separate server to be installed in the DMZ, although that would really be overkill for my organization.
This is a BlackBerry article about the firewall requirements: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB03735
To communicate with the BlackBerry infrastructure, your BES server needs to maintain a bidirectional TCP connection to srp.[country].blackberry.net on port 3101 (the SRP address will vary depending on what country you're in).
If your firewall is any good, you should be able to configure it such that it will only allow traffic on port 3101 between srp.[country].blackberry.net and the internal IP address of your BES server. This rule will ensure that only legitimate BlackBerry traffic goes through your firewall.
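
The rule described in the answer above, sketched for a Linux iptables gateway as an added example that is not part of the original posts (the thread names no firewall product, so iptables is an assumption). The function only prints the rules for review; the addresses are constructed placeholders to be replaced with the BES internal IP and the addresses your srp.[country].blackberry.net host resolves to, and the rules assume the BES opens the connection outbound.

```shell
#!/bin/sh
# Emit (not apply) iptables FORWARD rules that pin TCP/3101 to the BES <-> SRP pair.
# Usage: bes_srp_rules <bes_internal_ip> <srp_ip> [<srp_ip> ...]
# Hypothetical helper names; review the printed rules before loading them.

is_ipv4() {
    # Accept a dotted quad only, each octet numeric and 0-255.
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

bes_srp_rules() {
    [ $# -ge 2 ] || { echo "usage: bes_srp_rules <bes_ip> <srp_ip>..." >&2; return 2; }
    bes_ip=$1
    shift
    # Validate everything first so a bad argument never yields a partial rule set.
    is_ipv4 "$bes_ip" || { echo "bad BES address: $bes_ip" >&2; return 1; }
    for srp_ip in "$@"; do
        is_ipv4 "$srp_ip" || { echo "bad SRP address: $srp_ip" >&2; return 1; }
    done
    for srp_ip in "$@"; do
        # Assumption: the BES initiates the session to the SRP host on 3101.
        echo "iptables -A FORWARD -p tcp -s $bes_ip -d $srp_ip --dport 3101 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        # Return path: only packets that belong to that established session.
        echo "iptables -A FORWARD -p tcp -s $srp_ip -d $bes_ip --sport 3101 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    done
    # Any other port 3101 traffic involving the BES is dropped explicitly,
    # so the restriction holds even if the chain policy is permissive.
    echo "iptables -A FORWARD -p tcp -s $bes_ip --dport 3101 -j DROP"
    echo "iptables -A FORWARD -p tcp -d $bes_ip --dport 3101 -j DROP"
    echo "iptables -A FORWARD -p tcp -d $bes_ip --sport 3101 -j DROP"
}

# Constructed sample: 10.0.0.25 stands in for the BES, 203.0.113.10 for one SRP address.
bes_srp_rules 10.0.0.25 203.0.113.10
```

Because the rules are pinned to IP addresses, they need regenerating whenever the SRP hostname starts resolving to different addresses.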