1. The BlackBerry Enterprise Server
MDS is a component of the BlackBerry Enterprise
Server (BES), so before we dig into MDS, let’s talk about the BES. The
BES is a server solution that sits inside an organization’s firewall and
provides a secure conduit for the exchange of mail and Personal
Information Manager (PIM) data between BlackBerry devices and the
organization’s mail server. There are versions of the BES for IBM Lotus
Domino®, Novell GroupWise®, and Microsoft Exchange mail servers.
When a new mail message appears in a mobile user’s inbox, the BES picks it
up and wirelessly delivers it to the user’s device. If the user’s device
is not within wireless coverage, the message is queued up and delivered
when possible. When the mobile user reads the message (either on the
desktop mail client or on the BlackBerry), the BES can synchronize read
status between the two entities. When the mobile user sends an email
message from a device, the BES receives it, delivers it to the mail
server, and places it into the user’s sent mail folder. When the mobile
user replies to an email message, the device records the user’s response
and sends the response to the BES, the BES appends the content of the
original message (no need to do this on the device—too much extra work)
and forwards it to its destination(s).
When the mobile user creates, edits, or accepts a calendar entry, the BES makes sure that the
information is accurately synchronized between the device and the mail
account. The same is true for contacts in the address book, to-do list,
and even notes (through the BlackBerry MemoPad application). Changes
made in any of these applications on the desktop or the BlackBerry are
automatically synchronized by the BES.
For security, the BES has multiple components working
together to make the BlackBerry solution the most secure mobile
platform on the market. To begin with, all communication between a
BlackBerry device and the BES is encrypted using either Advanced
Encryption Standard (AES) or Triple Data Encryption Standard (Triple
DES), which are two strong standards for encryption in the market today.
When a BlackBerry device and the BES “connect” for the first time
during the Enterprise Activation (EA) process, the parties negotiate a
set of encryption keys that encrypt all communication between them. Even
though all the data passes through the RIM Network Operations Center
(NOC), because access to the keys is restricted to only those two
entities, there is no way for anyone but the device and the BES to see
the data sent between them. Additionally, to protect against prying
eyes, the keys are periodically renegotiated to keep the encryption
fresh.
The second layer of security applies at the
organization’s firewall. With many server-based solutions, access to the
server from external mobile devices is typically provided through open
ports on the company’s firewall. For most non-BlackBerry solutions, when
a mobile user uses the web browser to access an internal website,
firewall administrators must open the necessary ports (port 80 in the
case of HTTP, 443 for HTTPS) to allow access. In some cases,
organizations use a nonstandard port for this access, hoping to thwart
the bad guys, but that doesn’t protect them from hackers trying any
available port just to find an opening.
Contrary to what many people believe, when you deploy the BlackBerry solution to
your enterprise, you’re not exposing any part of your organization to
outside parties. With the BlackBerry Enterprise Solution, administrators
must open only one port in the firewall (port 3101), and it’s open as
an outbound initiated port only. This means that while the port is open,
it is open outbound only—anyone trying to connect through the port from
outside the firewall won’t gain access to the environment.
When the BES starts up, it opens up a connection to
the infrastructure using a proprietary protocol called Server Routing
Protocol (SRP). All communication between the BES and the NOC is
transmitted securely over this SRP connection. Because the connection is
initiated by the BES, it uses an outbound connection through the
firewall and does not expose any open ports to the outside world. In no
situation does the NOC ever initiate a connection to the BES; it
communicates with the BES using the bidirectional connection created by
the BES.
The BlackBerry solution tries to be as secure as
possible and, at the same time, do what it can to conserve battery life
on the device. Every bit of data transmitted over the wireless network
to or from a BlackBerry device impacts its battery life. Therefore, not
only is the data between the BES and device encrypted, it is compressed
first. By automatically compressing all transmitted data, the BlackBerry
solution reduces the amount of work a device needs to do to communicate
with the server and, therefore, achieves battery life unlike any other
device on the market.
In addition to the security features just described, the BES provides additional capabilities, such as the following:
- Support for more than 450 over the air (OTA) wireless IT policies that give a BES administrator control over the features and capabilities of the device
- Remote wipe and locking, which protects an organization when a device is lost or stolen
- OTA backup and restore of device data, which provides an easy way to get a device back up and running after being replaced
- OTA deployment of BlackBerry applications
- Integration with Enterprise instant messaging systems, such as IBM Lotus SameTime® and Microsoft Office Communication Server (OCS)
As an example, Figure 1 shows a typical Enterprise BlackBerry environment. The BES is sitting
inside the firewall and has ready access to the organization’s mail
servers. As previously mentioned, the firewall has only one port opened
to support the BlackBerry platform, and it is open as an outbound
initiated connection. The BES is connected to the BlackBerry NOC, as are
the BlackBerry devices.
The NOC is in constant connection with the BES through the SRP
connection initiated by the BES on startup. The NOC is also in constant
connection with BlackBerry devices through an efficient heartbeat
connection maintained with the device.
Whenever the BES has data for
a device, it sends it to the NOC for delivery. Whenever a device has
data for the BES, it sends it to the NOC across the carrier’s network
(or through a Wi-Fi connection if available), and the NOC sends the data
to the BES over its SRP connection. The BES also supports the queuing
of requests when the device is out of coverage; it holds onto messages
destined for the device and purges them after seven days (for more
information, refer to BlackBerry Knowledge Base article #KB01868).
2. BlackBerry MDS Overview
The BlackBerry MDS is an Enterprise Application
gateway for BlackBerry. It is included as a free component of the BES
and is typically installed on the same physical server as the BES. As an
organization’s BlackBerry application adoption increases, it might make
sense, for performance reasons, to move the MDS components onto a
separate server.
Figure 2 shows a typical BlackBerry environment with a single server running the
BES and MDS. The role of MDS in a BlackBerry environment is to act as a
gateway between BlackBerry applications and the web and application
servers inside the firewall that contain the data the device needs.
For devices activated against a BES, PIM data is synchronized with the
device through the Synchronization Service and other parts of the BES.
The browser and custom applications requesting corporate data (data
residing inside the firewall) from a server get access to its data
through MDS. You can open the necessary firewall ports and access the
data bypassing MDS, but as you will soon see, that is a much less
efficient way to do it, and it unnecessarily opens an organization to
greater security risks.
When an application requests data from an application
server, the request makes its way to MDS, and MDS retrieves the data on
behalf of the device. From the application server standpoint, all
requests from BlackBerry devices appear as if they were made by the
server running MDS (they come from the MDS server’s IP address, after
all) rather than the individual BlackBerry devices.
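The point that every proxied request reaches the application server from the MDS host's address has two practical consequences for whoever runs that server: per-device attribution or rate limiting by source IP does not work behind MDS, and a request carrying a BlackBerry browser user agent that arrives from any other address is a sign that a device reached the server without going through MDS, the "open the ports and bypass MDS" path the text warns against. The following script is an added example, not code from the book or from RIM; it parses constructed Combined Log Format lines from a web server, counts requests per source IP, and flags BlackBerry requests that did not come through an assumed MDS address (10.0.0.25 is a placeholder; the user agent strings are constructed).

```python
"""
Added example (not from the book): classify web-server access-log lines by
whether they arrived through MDS. All device traffic proxied by MDS shows up
under the MDS host's IP, so the counts below cannot tell devices apart, and
any BlackBerry request from a different address bypassed MDS.
"""
import re
from collections import Counter

# Assumed address of the host running MDS (placeholder, not from the book).
MDS_SERVER_IP = "10.0.0.25"

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "ua"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: three requests proxied by MDS on behalf of two devices,
# one ordinary desktop request, and one BlackBerry request that did not come
# through MDS.
SAMPLE_LOG = """\
10.0.0.25 - - [12/Mar/2009:09:15:01 -0500] "GET /orders/summary HTTP/1.1" 200 512 "-" "BlackBerry8900/4.6.1.231 Profile/MIDP-2.0"
10.0.0.25 - - [12/Mar/2009:09:15:04 -0500] "GET /orders/summary HTTP/1.1" 200 512 "-" "BlackBerry9000/4.6.0.167 Profile/MIDP-2.0"
10.0.0.25 - - [12/Mar/2009:09:15:09 -0500] "POST /orders/approve HTTP/1.1" 200 64 "-" "BlackBerry8900/4.6.1.231 Profile/MIDP-2.0"
10.0.4.77 - alice [12/Mar/2009:09:16:00 -0500] "GET /orders/summary HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 5.1)"
198.51.100.17 - - [12/Mar/2009:09:17:30 -0500] "GET /orders/summary HTTP/1.1" 200 512 "-" "BlackBerry9000/4.6.0.167 Profile/MIDP-2.0"
"""


def parse_log(text):
    """Parse Combined Log Format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_blackberry(entry):
    """The BlackBerry browser identifies itself with a 'BlackBerry<model>' UA prefix."""
    return entry["ua"].startswith("BlackBerry")


def classify(entries, mds_ip=MDS_SERVER_IP):
    """Split entries into three buckets: proxied through MDS, other clients,
    and BlackBerry requests that reached the server without MDS."""
    via_mds, other, bypass = [], [], []
    for e in entries:
        if e["ip"] == mds_ip:
            via_mds.append(e)
        elif is_blackberry(e):
            bypass.append(e)
        else:
            other.append(e)
    return {"via_mds": via_mds, "other": other, "bypass": bypass}


def requests_per_source(entries):
    """Requests per source IP. Behind MDS every device's traffic is counted
    under the single MDS address, so this cannot be used per device."""
    return Counter(e["ip"] for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    buckets = classify(entries)
    print("requests per source IP:", dict(requests_per_source(entries)))
    print(f"{len(buckets['via_mds'])} request(s) proxied through MDS")
    for e in buckets["bypass"]:
        print(f"BlackBerry request not via MDS from {e['ip']}: {e['request']}")
```

On the constructed sample the three device requests collapse into one count for 10.0.0.25, and the request from 198.51.100.17 is reported as a BlackBerry client that reached the server without MDS. In a real deployment the MDS address would come from the BES configuration, and a match on the user agent alone is only a hint, since any client can send that header.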
MDS even performs some optimization on the data it
receives from the application server before sending it to the
destination device. This is done to minimize utilization of the wireless
network and reduce the work required on the device to receive and
process the data. The optimizations that MDS performs are described in
detail later.
For the developer, it looks like the BlackBerry
application is connecting directly with the server that contains the
data, as shown in Figure 3. Developers do not need
to concern themselves with any of the components of MDS; from the
developer’s standpoint, all the application has to do is open a
connection to the web or application server and request the data it
needs. The NOC, BES, and MDS handle everything else seamlessly.
Remember that, although the BES and MDS are RIM
proprietary software components that perform special tasks, developers
can disregard these components and develop the applications they
need by using open, industry standards for application development.
There is nothing proprietary about the applications you build for a
BlackBerry device. Many of the open standards in place for mobile
development apply well to BlackBerry applications.
Don’t forget that all the
data transmitted between the BES and a BlackBerry device is encrypted
using keys that only the BES and the device know. Additionally, all data
sent between a device and the BES is also compressed. The seamless,
secure access to corporate data and the optimization of data before
transmission to a device allows MDS to simplify and accelerate
development of Enterprise Applications for BlackBerry, because much of
the network complexity a developer has to deal with when building mobile
applications is no longer an issue.