Configuring Corporate Firewalls to support BBM Enterprise

In most public and corporate networks, one or more firewalls are configured to add an additional level of security. These firewalls permit and deny network traffic between devices on the internal network and the Internet.

If the BBM Enterprise app is being used while on a network with such firewalls configured, they might be restricting necessary network traffic and interfering with the use of the BBM Enterprise app.

If any issues are observed, customers should ensure that their firewalls are configured using the information below.

Important Notes

• The wildcard (*) must allow arbitrarily subdomain levels (i.e. *.example.com must match foo.bar.baz.example.com).
• All communication is initiated from client to server, but once initiated, communication may flow in either direction on the established source and destination ports.
• Although the client makes every effort to remain connected to the infrastructure, OSes may either terminate the app or induce a deep sleep state. In these cases, the phone’s native push notification service (Google Cloud Messenger for Android or Apple Push Notification Service for iOS) is leveraged to wake the client on receipt of message or voice/video call.
• The following URLs need to be accessible from the customers’ networks in general (not from the mobile phones). During the process of accepting a BBME activation link via an email from the administrator, these addresses are required to support the BBID account creation.
  • https://enterprise.blackberryid.blackberry.com/ebbidportal/createaccount
  • https://idp.blackberry.com
• The BBM Enterprise app does not include explicit proxy-awareness (manual or PAC-based, anonymous or authenticated) and relies on the underlying system to handle proxies. While most of the functionality listed below can be routed over an HTTPS proxy, some functions (STUN, TURN, SRTP) cannot be routed over an HTTPS proxy and need to be whitelisted (depending on the network topology).

​
Required IP addresses, ports and protocols

The following IP addresses, port and protocols should be allowed on corporate firewalls. This enables the BBM Enterprise app to function as expected:

Function	FQDN	Ports	Protocol
Core BBM Enterprise Functions (required for messaging capabilities)
Activation (BlackBerry UEM)	discoveryservice.blackberry.com (Android/iOS/Desktop) <country code>.bbsecure.com (Android/iOS/Desktop) for example, ca.bbsecure.com	TCP: 443	HTTPS
Identity	enterprise.blackberryid.blackberry.com (Android/iOS/Desktop) idp.blackberry.com (Android/iOS/Desktop) blackberryid.blackberry.com (BB10)	TCP: 443	HTTPS
Messaging	sip.bbm.bbmenterprise.com sip.bbmbeta.bbmenterprise.com (for beta testing only) push.bbm.bbmenterprise.com push.bbmbeta.bbmenterprise.com (for beta testing only)	TCP: 443, 5061 (Client will try 5061 first, and fallback to 443 on failure.)	SIP-TLS
Service APIs File and avatar sharing	*.bbmenterprise.com	TCP: 443	HTTPS
Provisioning	inet.icrs.blackberry.com	TCP: 443	HTTPS
Stickers API	goods.bbm.blackberry.com	TCP: 443	HTTPS
Stickers image downloads	download.cdn.oly-na.blackberry.com bbmolyna.akamaized.net bbmolyeu.akamaized.net bbmolyap.akamaized.net	TCP: 80, 443	HTTP, HTTPS
Voice and Video Functions (required to use VVOIP features)
Voice and Video Data	stun.shared.bbmenterprise.com	TCP: 3478 UDP: 3478	STUN
	turn.shared.bbmenterprise.com turn.bbmbeta.bbmenterprise.com (for beta testing only)	TCP: 443,3478 UDP: 3478	TURN
		TCP: 10000-60000 UDP: 10000-60000	SRTP/RTCP
Secondary Functions
Problem Reporting	quip.webapps.blackberry.com	TCP: 443	HTTPS
MixPanel	api.mixpanel.com	TCP: 80, 443	HTTP, HTTPS
Glympse	api.glympse.com	TCP: 80, 443	HTTP, HTTPS
BBM Consumer integration functions (required to see avatars for BBM Consumer contacts)
Avatar downloads for BBM Consumer contacts	download.cdn.oly-na.blackberry.com download.cdn.oly-eu.blackberry.com download.cdn.oly-ap.blackberry.com	TCP: 80, 443	HTTP, HTTPS