In part 1 of this series, we reviewed the steps needed to have an instance of Blackberry UEM cloud set up. In this post, we will review the steps needed to set up the Blackberry Connectivity Node.
- Part 1 – Introduction, Prerequisites, and Setup
- Part 2 – Install and Configure Blackberry Connectivity Node (you are here!)
- Part 3 – Configure AD sync with Blackberry Connectivity Node
- Part 4 – Configure Push Notification with BlackBerry Enterprise Mobility Server (BEMS)
Also, as a quick recap, Blackberry Connectivity Node offers the features listed below:
- BlackBerry Cloud Connector – synchronizes Blackberry UEM cloud with on-premise directory
- Blackberry Proxy – offers Blackberry Dynamics apps, such as Blackberry Work, access to the backend resources behind the firewall
- BlackBerry Secure Connect Plus – provides VPN like connectivity for 3rd party apps
- BlackBerry Secure Gateway – hides your mail server from outside network while remaining accessible to UEM activated devices
- BlackBerry Gatekeeping Service – controls which device can access Exchange ActiveSync
In this post, we will focus on the first two features listed above. I may share details of the remaining features in a future post, so stay tuned.
Depending on the number of devices you plan to support and your RPO and RTO, you may opt for just one Blackberry Connectivity Node. If possible, I highly recommend setting up at least N+1 nodes for better redundancy. This is particularly useful in a multi-site environment with different subnets since both nodes will be set up as active/active. Whether you install one or more nodes, the steps are relatively the same.
You can review the hardware requirements via this link. Similar to other Blackberry UEM components, this connectivity node requires a minimum of 8 GB of memory.
Aside from building a standard server (hopefully it’s a virtual machine), you will also need:
- A directory account with read permissions to access Active Directory
- A Blackberry UEM cloud account to download the installation software and activation files (i.e. an account with Security Administrator role)
- A service account with permissions to install and configure Blackberry Connectivity Node (I generally would use the same directory account)
- Firewall rules from Blackberry Connectivity Node to Blackberry NOC over:
  - 443: for activating connectivity node
  - 3101: for all other outbound connections
  - The rules above may change if you decide to route traffic through either your proxy server or Blackberry Router
We will proceed with downloading the installation and activation files for the Blackberry Connectivity Node. Start by logging into your tenant. Then navigate to Settings > External integration > BlackBerry Connectivity Node setup, followed by the hamburger icon with the plus sign as shown below.
Click Download and save the installation file. Upon clicking Download, you will be taken to another page to continue with the download.
A server group is meant for grouping nodes within the same region; the nodes in a group share the same email and enterprise connectivity profiles. If desired, it needs to be created first under the Blackberry Connectivity Node setup page. This link provides further details on the steps required.
If you will activate the node right after installation, click Generate from the same screen earlier and save the activation file as well. Keep in mind that this activation file is only valid for 60 minutes from the time you generate it and can be used only once! Below is a sample file. Note that by default it uses 443 and 3101. You can change the traffic flow to utilize your own proxy or Blackberry Router either during or post installation.
Let’s get back to the installation process. Start by right-clicking on the installer and selecting Run as administrator.
You can change the installation and log file folder location from the default (i.e. the C drive). If so, you will get a warning prompt.
Upon clicking Close, it should open a web browser and take you to the console page to continue with the configuration. Otherwise, the console URL is simply http://localhost:8088.
You can click on the hyperlink to configure the proxy settings. And per page 19 of the configuration guide:
“If you want to send data through an HTTP proxy before it reaches the BlackBerry Dynamics NOC, in the BlackBerry Connectivity Node console (http://localhost:8088), click General settings > BlackBerry Router and proxy. Select the Enable HTTP proxy checkbox and configure the proxy settings.”
Keep in mind, however, that reconfiguring the proxy may require reinstalling the BCN node per this Blackberry KB.
Otherwise, fill in the Friendly name and click Next. If you have more than one connectivity node set up, however, you should use a unique Friendly name on each of your nodes. The first instance name will always show up under Settings -> External integration -> Company directory -> Company directory connection -> Company directory status -> Directory connection. If the first instance ever becomes unavailable, Blackberry NOC will connect to whichever node is available at the time for the directory sync. However, the instance name that appears under Directory connection will not change. This is by design per Blackberry technical support.
Simply upload the activation file you saved previously and click Activate.
Once activation is successful, you will see the page below where you can configure additional options.
Again, to set up additional Blackberry Connectivity Nodes, you will need to follow the same steps above and generate a unique activation file for each one.
When you log back into the UEM cloud tenant, you should now see the BlackBerry Connectivity Node listed under Blackberry Connectivity Node setup and BlackBerry Connectivity Node status.
Did you notice from the screenshot above that the Blackberry UEM-Blackberry Proxy Service has Paused under the Status column? In my case, we do route traffic from the connectivity node to Blackberry Dynamics NOC through our own proxy server. Per Blackberry KB below and Blackberry technical support, it was possibly due to packet inspection (or SSL intercept) by the proxy server. Thus, Blackberry Dynamics NOC rejected the packet as it was no longer the same and refused to connect.
Once we bypassed SSL intercept from the connectivity node to Blackberry Dynamics NOC, we got the proxy service running and connected just fine. If you have multiple connectivity nodes like me, you may not see the status change until at least an hour later per the same Blackberry KB above.
If you have any anti-virus solution in place (who doesn’t nowadays?), you need to exclude specific directories and services from anti-virus scanning.
- Exclude the directories below per this KB:
  - <drive>:\Program Files\BlackBerry\
- Exclude the services below:
  - BlackBerry UEM – BlackBerry Cloud Connector
  - BlackBerry UEM – BlackBerry Gatekeeping Service
  - BlackBerry UEM – BlackBerry Secure Connect Plus
  - BlackBerry UEM – BlackBerry Proxy Service
  - BlackBerry UEM – BlackBerry Secure Gateway
Now that you have Blackberry Connectivity Node set up, communication between Blackberry Work and Microsoft Exchange will go through Blackberry Proxy within this node. To confirm, you will need to first upload the Blackberry Work log and then work with Blackberry support. The log should confirm the mail flow is routing through Blackberry Proxy.
*GPS:GD11122925.GPS-BCN (i.e of the assigned BCN Proxy)
One additional note on the proxy configuration. We did experience intermittent connectivity issues from Blackberry Work later on. Blackberry technical support confirmed both external and internal traffic will go through your proxy if it’s enabled. In other words, typical traffic will flow like this:
Blackberry Work -> Blackberry Dynamics NOC -> Web proxy -> BCN -> Web proxy -> Mail server -> Web proxy -> BCN -> Web proxy -> Blackberry Dynamics NOC -> Blackberry Work
As a workaround, we temporarily unchecked Enable HTTP proxy within the BCN settings. And now traffic will flow like this:
Blackberry Work -> Blackberry Dynamics NOC -> BCN -> Mail server -> BCN -> Blackberry Dynamics NOC -> Blackberry Work
Blackberry support then confirmed from the BCN log that proxy was no longer configured (i.e. all the values are set to blank instead of the name of the proxy for the relevant fields).
- 2018-08-01 09:39:48,548 INFO [main] [,] ConfigurationManager – Retrieving Good Web Proxy properties from zuos.properties..
- 2018-08-01 09:39:48,550 WARN [main] [,] PropertyLoader – loadProperties() – Properties File Not Found: E:\Program Files\BlackBerry\BlackBerry Connectivity Node\Proxy Server\META-INF\spring\zuos.properties
- 2018-08-01 09:39:48,577 INFO [main] [,] ConfigurationManager – Retrieving Good GP Proxy properties from ZUOS properties.
- 2018-08-01 09:39:48,577 INFO [main] [,] ConfigurationManager – Updated key=proxy.auth.username value=
- 2018-08-01 09:39:48,578 INFO [main] [,] ConfigurationManager – Updated key=proxy.auth.domain value=
- 2018-08-01 09:39:48,578 INFO [main] [,] ConfigurationManager – Updated key=proxy.use value=false
- 2018-08-01 09:39:48,578 INFO [main] [,] ConfigurationManager – Updated key=proxy.https.port value=
- 2018-08-01 09:39:48,578 INFO [main] [,] ConfigurationManager – Updated key=proxy.https.host value=
- 2018-08-01 09:39:48,578 INFO [main] [,] ConfigurationManager – Updated key=proxy.auth.password value=
- 2018-08-01 09:39:48,578 INFO [main] [,] ConfigurationManager – Retrieving NOC URLs from Core DB..
Per Blackberry support, you can also check the zuos.PROPERTIES file on the BCN and confirm that the proxy server is not listed.
C:\Program Files\BlackBerry\BlackBerry Connectivity Node\common-settings
False means the proxy is not in use.
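The same check that Blackberry support did by eye on the log lines quoted above can be scripted; this is an added example, not BlackBerry's tooling or code from the original post. It keeps the last value logged for each proxy.* key and reports key names only, never values. The first three sample lines (host and port included) are constructed; the rest come from the excerpt above, and the log path is whatever copy you pass in.

```python
import re
import sys

# Shape of the ConfigurationManager lines quoted in the post.
UPDATED = re.compile(r"Updated key=(proxy\.[\w.]+) value=(.*)$")

# Two startups: the first three lines are constructed (hypothetical host and
# port, proxy still enabled); the later ones are taken from the post's excerpt.
SAMPLE_LOG = """\
2018-07-30 08:00:01,100 INFO [main] [,] ConfigurationManager – Updated key=proxy.use value=true
2018-07-30 08:00:01,100 INFO [main] [,] ConfigurationManager – Updated key=proxy.https.port value=8080
2018-07-30 08:00:01,100 INFO [main] [,] ConfigurationManager – Updated key=proxy.https.host value=proxy.example.internal
2018-08-01 09:39:48,577 INFO [main] [,] ConfigurationManager – Updated key=proxy.auth.username value=
2018-08-01 09:39:48,578 INFO [main] [,] ConfigurationManager – Updated key=proxy.use value=false
2018-08-01 09:39:48,578 INFO [main] [,] ConfigurationManager – Updated key=proxy.https.port value=
2018-08-01 09:39:48,578 INFO [main] [,] ConfigurationManager – Updated key=proxy.https.host value=
2018-08-01 09:39:48,578 INFO [main] [,] ConfigurationManager – Updated key=proxy.auth.password value=
"""

def latest_proxy_settings(lines):
    """Keep the last value logged per proxy.* key, so the most recent start wins."""
    settings = {}
    for line in lines:
        match = UPDATED.search(line.rstrip("\r\n"))
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings

def proxy_state(settings):
    """Return (state, keys_with_values); only key names are returned, never values."""
    use = settings.get("proxy.use", "").lower()
    populated = sorted(k for k, v in settings.items() if k != "proxy.use" and v)
    endpoint_set = {"proxy.https.host", "proxy.https.port"} <= set(populated)
    if use == "false":
        return ("disabled" if not populated else "disabled-but-values-remain", populated)
    if use == "true":
        return ("enabled" if endpoint_set else "enabled-but-incomplete", populated)
    return ("unknown", populated)

if __name__ == "__main__":
    # Usage: python check_bcn_proxy.py <path to a copy of the BCN proxy log>
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            source = handle.readlines()
    else:
        source = SAMPLE_LOG.splitlines()
    print(proxy_state(latest_proxy_settings(source)))
```

A result of "disabled-but-values-remain" means proxy.use is false while a host, port or credential field is still populated, which is worth clearing before the proxy is re-enabled.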
In part 3 of this series, we will continue with using this newly built Blackberry Connectivity Node to sync our company’s directory.