1
On-Premise Solution (Appliance-X)
Site Readiness Checklist
Version 4.0
2
Table of Contents
Introduction ................................................................................................................................................................4
Prerequisites ...............................................................................................................................................................4
Virtualization Server ...............................................................................................................................................4
Domain Name & Branding ......................................................................................................................................4
Certificates ..............................................................................................................................................................4
Mail Relay (SMTP) Identification ............................................................................................................................4
NTP Server ..............................................................................................................................................................5
Third-Party Licensing ..............................................................................................................................................5
Yum and Python Package Repositories ..................................................................................................................5
Deployment Configuration .........................................................................................................................................6
Architecture ............................................................................................................................................................6
Appliance-X Basic ................................................................................................................................................6
Appliance-X Advanced ........................................................................................................................................6
Checklist......................................................................................................................................................................7
Firewall Connectivity Matrix .......................................................................................................................................9
Appliance-X Basic....................................................................................................................................................9
Appliance-X Advanced ......................................................................................................................................... 10
Hardware Requirements ......................................................................................................................................... 11
Server Sizes .......................................................................................................................................................... 11
Small ................................................................................................................................................................ 12
Medium I ......................................................................................................................................................... 12
Medium II ........................................................................................................................................................ 12
Medium III ....................................................................................................................................................... 13
Large I .............................................................................................................................................................. 13
Large II+ ........................................................................................................................................................... 13
Additional File Storage ........................................................................................................................................ 14
Server Images .......................................................................................................................................................... 14
Additional Connector Add-Ons ................................................................................................................................ 15
UCC (Unified Content Connector) ....................................................................................................................... 15
Server Size ....................................................................................................................................................... 15
Port Requirements .......................................................................................................................................... 15
3
Single Sign-On Identity Connector ...................................................................................................................... 16
Office Online Server ............................................................................................................................................ 16
Port Requirements .......................................................................................................................................... 16
Appendix .................................................................................................................................................................. 17
SSL Certificates .................................................................................................................................................... 17
Installing Red Hat from .iso ................................................................................................................................. 18
4
Introduction
The BlackBerry Workspaces on-premise solution enables organizations to securely share, sync, control, and track
files among internal users and with partners and customers through software installed at the customer site.
This document provides a mandatory checklist for customers to verify that their site is prepared for the
Appliance-X installation. It should be filled by the customer and returned to BlackBerry Professional Services
prior to the deployment process. Proper site preparation is essential to ensure a smooth installation.
Prerequisites
The following section lists the prerequisites for BlackBerry Workspaces Appliance-X installation. Note that these
prerequisites are the responsibility of the customer.
Virtualization Server
The customer must have an installed Virtualization platform, with capacity available to support the
specifications as detailed in Hardware Requirements, section 7. Available platforms include, but are not limited
to, ESX, ESXi, and Hyper-V. The customer may also choose to install the servers in their private Cloud
environment such as Azure or AWS.
Domain Name & Branding
BlackBerry Workspaces installation requires clear identification of the domain name as well as the appropriate
authorization certificates. The customer must provide BlackBerry Workspaces with the preferred FQDN (Fully
qualified domain name; such as workspaces.mycompany.com). This address is branded into the Appliance and
serves as the suffix of all URLs used to access the BlackBerry Workspaces services.
Certificates
The BlackBerry Workspaces Virtual Appliance must be provisioned with certificates that correspond to the
domain where it is installed. Since the core value of the product relies on its security, no self-signed certificates
may be used, and only approved certificate authorities can sign the certificates.
Please refer to the included Appendix for detailed SSL certificate requirements.
Mail Relay (SMTP) Identification
The BlackBerry Workspaces application uses email as part of standard operation. Therefore, an SMTP server
must be specified for service to function.
5
NTP Server
Virtual Appliance installation requires precise timing synchronization. Both IP address and Hostname formats are
supported.
Third-Party Licensing
As part of BlackBerry Workspaces’ installation process, license activation for third party software is required. All
licenses should be provided by the customer prior to installation. This software includes:
1. Microsoft products (Windows Server 2016 and Microsoft Office 2016 Standard/Pro edition)
2. Red Hat Enterprise Linux 9
App-X Installation
Type
Third Party Software Licenses
Amount
Notes
Basic
Microsoft Windows Server 2016
1
Microsoft Office 2016 Standard/Pro
edition
1
Standard, Professional, or
Professional Plus
Red Hat Enterprise Linux 9.3
1
RHEL Server license
Advanced
Microsoft Windows Server 2016
1+
Number of servers may vary. Consult
with your PS Consultant
Microsoft Office 2016 Standard/Pro
1+
1 license required for each 2016
server installed. Consult with your PS
Consultant if there are questions
Red Hat Enterprise Linux 9.3
4+
Number of servers may vary. Consult
with your PS Consultant
Yum and Python Package Repositories
BlackBerry Workspaces must install packages using a yum repository and Python pip repository. To maintain
updates, it is highly recommended to allow outbound connections to the Yum repos and pip repo below over
TCP 443. Red Hat Satellite Server may also be used in place of Red Hat yum repo. Please consult with your
Professional Services Consultant if you cannot allow outbound access to these internet resources.
TCP 443 Outbound:
• cdn.redhat.com
• dl.fedoraproject.org
• pypi.org
6
Deployment Configuration
Architecture
The standard BlackBerry Workspaces virtual appliance solution is comprised of 2 virtual machines as detailed
below. This deployment model is called Appliance-X Basic. For specialized deployments, or deployments which
require High Availability, a larger scalable model is available called Appliance-X Advanced. Due to the varying
nature of Appliance-X Advanced deployments, server count and specifications may vary. Therefore, please ask
your Professional Services Consultant if you have any questions.
Appliance-X Basic
Server Name
Responsibility
Master-Main
Provide all end-user services, including database and file storage
Conversion - Windows
Convert Microsoft Office files to BlackBerry Workspaces secure formats
Appliance-X Advanced
Server name
Responsibility
Add copies of
server for scale
Secondary copy of
server for high
availability
Orchestration
Deployment and configuration
management
Frontend
BlackBerry Workspaces application
frontend & load balance end users
between application resources.
If you add a copy of the server for scale,
an external load balancing solution is
required.
7
Main
Internal appliance services, including
database and file storage
Application
BlackBerry Workspaces application,
including web application and API service
Conversion -
Windows
Converts Microsoft Office files
to BlackBerry Workspaces secure format
Checklist
1. Network settings
Main RHEL IP:
___.____.____.____
Conversion Windows IP:
___.____.____.____
Network Mask:
8
___.____.____.____
Gateway:
___.____.____.____
DNS 1:
___.____.____.____
DNS 2:
___.____.____.____
2. Please enter the name of the organization hosting the service, and
the email address of the hosting service administrator.
Hosting organization name:
Click here to enter text.
Administrator email address:
Click here to enter text.
3. Please enter the server’s desired URL:
Please note that this domain will require proper SSL certificates
FQDN:
Click here to enter text.
4. Local server time-zone
Click here to enter text.
5. NTP server details
IP or Hostname:
Click here to enter text.
6. SMTP server details
Server IP:
___.____.____.____
Port (default 25):
Click here to enter text.
User (optional):
Click here to enter text.
Password (optional):
Click here to enter text.
7. How much space will be dedicated to the server for storage of end
users’ documents?
• Note: Please plan for 20% overhead to this number for
database storage. Example:
• 500 GB for document storage
Dedicated storage space:
Click here to enter text.
9
• 100 GB for database storage
8. Have you obtained required trusted-signed certificates?
Yes
☐
No ☐
9. Have you obtained the required Microsoft license keys? (Windows
Server 2016 and Office 2016 Standard or Professional edition)
Yes
☐
No ☐
Firewall Connectivity Matrix
The firewall connectivity matrix details the access settings required for the BlackBerry Workspaces product.
These settings must be configured by the customer to enable BlackBerry Workspaces service.
Appliance-X Basic
Source
Target
Port
Master-Main RHEL Server
SMTP Server
• 25
Master-Main RHEL Server
Conversion Windows Server
• 22
• 4510
• 4511
• 443
• 4431
• 4432
• 4433
• 8082
Master-Main RHEL Server
Red Hat Yum Repository
(Internet)
• 443
Master-Main RHEL Server
Pypi.org (Internet)
• 443
Conversion Windows Server
Master-Main RHEL Server
• 4510
• 4511
• 8543
• 8443
• 53 (+UDP)
• 4505
•
4506
End User Devices
Master-Main RHEL Server
• 80
• 443
IT Admins
Master-Main RHEL Server
• 5000
•
8081
10
Appliance-X Advanced
Source
Target
Ports
Orchestration server
Main server
•
25
Orchestration server Main server
•
22
•
5666
Orchestration server Frontend server
•
22
•
5666
Orchestration server Application server
•
22
• 5666
Orchestration server
Conversion-Windows
server
•
22
•
5666
•
4510
•
4511
Main server
External Cloud Storage
•
443
Main server Orchestration server
•
4505
•
4506
•
8543
Main server
Frontend server
• 3000
Main server Application server
•
8009
•
8080
Main server
Conversion-Windows
server
•
443
•
4431
•
4432
•
8082
Main server
Main server
•
6379
Frontend server Orchestration server
•
4505
•
4506
• 8543
Frontend server Application server
•
8009
•
8080
Frontend server Main server
•
53 (+UDP)
•
8443
Frontend server
Conversion-Windows
server
•
443
•
4433
Application server
SMTP server
• 25
Application server Orchestration server
•
4505
•
4506
•
8543
Application server
Main server
•
3306
11
Source
Target
Ports
•
8443
•
8081
•
11211
•
2049
•
111
•
53 (+UDP)
Application server
Frontend server
• 3000
Conversion-Windows
server
Orchestration server
•
4505
•
4506
•
8543
Conversion-Windows
server
Main server
•
8080
•
8443
•
53 (+UDP)
End User Devices Frontend server
•
443
•
80
IT Admins Orchestration server
•
5000
• 7767
IT Admins
Main server
•
8081
All Linux Servers
Red Hat Yum Repository
(Internet)
• 443
All Linux Servers
Pypi.org (Internet)
• 443
Hardware Requirements
The minimum hardware requirements can be found below. In some situations, it may be recommended to
exceed these minimum requirements. Please reference the below server sizes based on the number of
registered users in the system.
Server Sizes
Server size
Workspaces Architecture
Number of Users
HA Included
HA Possible
Small
Basic
0 - 500
No
No
Medium I
Advanced
500 – 2,000
No
Yes
Medium II
Advanced
2,000 – 5,000
No
Yes
Medium III
Advanced
5,000 – 25,000
Yes
Yes
Large I
Advanced
50,000 – 100,000
Yes
Yes
Large 2 +
Advanced
100,000 +
Yes
Yes
12
Small
Server
name
Operating
System
vCPU
Memory
HDD1
HDD2
HDD3
HDD4
Master-
Main
RHEL 9.3
6
16 GB
100 GB
40 GB
Filespace; See
Checklist Item
#7
DB; 20% of
HDD3
Conversion
- Windows
Windows
Server 2016
4
8 GB
100 GB
100 GB
Medium I
Server name
Operating
System
vCPU
Memory
HDD1
HDD2
HDD3
HDD4
Main1
RHEL 9
2
8 GB
100 GB
40 GB
Filespace on NFS;
See Checklist Item
#7
DB; 20% of
HDD3
Main2
RHEL 9
2
8 GB
100 GB
40 GB
Filespace on NFS;
See Checklist Item
#7
20% of
HDD3
Application1
RHEL 9
2
8 GB
100 GB
Orchestration
RHEL 9
2
4 GB
100 GB
Frontend1
RHEL 9
2
4 GB
100 GB
Conversion1
Windows Server
2016
2
8 GB
100 GB
100 GB
Medium II
Server name
Operating
System
vCPU
Memory
HDD1
HDD2
HDD3
HDD4
Main1
RHEL 9
4
8 GB
100 GB
40 GB
Filespace on NFS;
See Checklist Item
#7
DB; 20% of
HDD3
Main2
RHEL 9
4
8 GB
100 GB
40 GB
Filespace on NFS;
See Checklist Item
#7
20% of
HDD3
Application1
RHEL 9
4
8 GB
100 GB
Orchestration
RHEL 9
2
4 GB
100 GB
Frontend1
RHEL 9
2
4 GB
100 GB
Conversion1
Windows Server
2016
4
8 GB
100 GB
100 GB
13
Medium III
Server name
Operating
System
vCPU
Memory
HDD1
HDD2
HDD3
HDD4
Main1
RHEL 9
8
16 GB
100 GB
40 GB
Filespace on NFS;
See Checklist Item
#7
DB; 20% of
HDD3
Main2
RHEL 9
8
16 GB
100 GB
40 GB
Filespace on NFS;
See Checklist Item
#7
20% of
HDD3
Application1
RHEL 9
4
8 GB
100 GB
Application2
RHEL 9
4
8 GB
100 GB
Application3
RHEL 9
4
8 GB
100 GB
Orchestration
RHEL 9
2
4 GB
100 GB
Frontend1
RHEL 9
2
6 GB
100 GB
Frontend2
RHEL 9
2
6 GB
100 GB
Conversion1
Windows Server
2016
4
8 GB
100 GB
100 GB
Conversion2
Windows Server
2016
4
8 GB
100 GB
100 GB
Large I
Server name
Operating
System
vCPU
Memory
HDD1
HDD2
HDD3
HDD4
Main1
RHEL 9
16
16 GB
100 GB
40 GB
Filespace on NFS;
See Checklist Item
#7
DB; 20% of
HDD3
Main2
RHEL 9
16
16 GB
100 GB
40 GB
Filespace on NFS;
See Checklist Item
#7
20% of
HDD3
Application1
RHEL 9
8
16 GB
100 GB
Application2
RHEL 9
8
16 GB
100 GB
Application3
RHEL 9
8
16 GB
100 GB
Orchestration
RHEL 9
2
4 GB
100 GB
Frontend1
RHEL 9
4
6 GB
100 GB
Frontend2
RHEL 9
4
6 GB
100 GB
Conversion1
Windows Server
2016
8
16 GB
100 GB
100 GB
Conversion2
Windows Server
2016
8
16 GB
100 GB
100 GB
Conversion3
Windows Server
2016
8
16 GB
100 GB
100 GB
Large II+
For deployments larger than 100,000 users, consult with your BlackBerry Professional Services representative.
14
Additional File Storage
In addition to the OS drives, 3 additional disks are required to store end users’ uploaded files and database files
on “Main” Red Hat servers. Data stored on these drives will remain encrypted at all times. Depending on the
deployment option selected, the drive mount points will differ.
Deployment Type
Disk Purpose
Server Location
Mount Point
Size
Basic AppX
Filespace
Master-Main
/opt/watchdox/storage/filespace
Customer
Discretion
Database
Master-Main
/mnt/database
20% of Filespace
FS Cache
Master-Main
/opt/watchdox/storage/fs_cache
40 GB
Advanced AppX
Filespace
Main
/opt/watchdox/storage/filespace
Customer
Discretion
Database
Main
/mnt/database
20% of Filespace
FS Cache
Main
/opt/watchdox/storage/fs_cache
40 GB
Note: If more than one Main server exists in the environment, the Filespace should be on NFS storage.
Server Images
Below are operating system prerequisites for the Workspaces deployment.
Servers
Requirements
Red Hat Linux
Enterprise
• Static IP for each server on eth0 interface
• Red Hat Enterprise Linux version 9.3. No other Red Hat versions are
supported at this time. Red Hat server images can be downloaded
from Red Hat: https://access.redhat.com/downloads
• For instructions on setting up the Red Hat ‘/’ mount, please see
“Appendix- Configuring Red Hat ‘/’ during install”.
• Root account or a user account with SUDO privilege.
• If a user account was used instead of root, NOPASSWD configuration
must be granted in /etc/sudoers. This does not eliminate the user’s
password, this removes the repeat password prompt when the user
elevates commands via sudo.
• SSH service is available and running
• SELinux is either disabled or in permissive mode
• Base packages that are included with the standard RHEL 9 image.
Those required packages can be viewed at KB-64702.
Windows
• Static IP for each server
• Windows Server 2016 64-bit is activated
• Microsoft Office 2016 64-bit, Standard or Professional is activated
• Validate that the C: and D: drives were created (100 GB each)
• Create the D:\Temp directory with FULL permission assigned to all
users
• Set environment variables %TEMP% and %TMP% for system, user, and
default user to D:\Temp
15
• Ensure the BlackBerry Workspaces Cygwin package is installed. The
installer is provided before deployment and includes these packages:
alternatives, base-cygwin, base-files, bash, bzip2, ca-
certificates, coreutils, csih, curl, cygrunsrv, cygutils, cygwin,
dash, diffutils, dos2unix, editrights, file, findutils, gawk, getent,
grep, groff, gzip, hostname, ipc-utils, less, libargp, libattr1,
libbz2_1, libcom_err2, libcrypt0, libcurl4, libdb5.3, libedit0,
libexpat1, libffi6, libgcc1, libgdbm4, libgmp10, libgnutls28,
libgssapi_krb5_2, libhogweed2, libiconv2, libidn11, libintl8,
libk5crypto3, libkrb5_3, libkrb5support0, liblzma5,
libmetalink3, libmpfr4, libncursesw10, libnettle4,
libopenldap2_4_2, libopenssl100, libp11-kit0, libpcre1,
libpipeline1, libpopt0, libreadline7, libsasl2_3, libssh2_1,
libssp0, libstdc++6, libtasn1_6, libwrap0, login, lynx, man-db,
mintty, openssh, p11-kit, p11-kit-trust, perl, popt, rebase,
rsync, run, sed, tar, terminfo, texinfo, tzcode, unzip, vim, vim-
common, vim-minimal, wget, which, windows-default-
manifest, xxd, xz, zip, zlib0
Additional Connector Add-Ons
BlackBerry Workspaces supports Connectors that allow the organization to utilize other third-party services to
incorporate with Workspaces. The Connectors include services such as SharePoint, Windows File Share, and
Single Sign On services via SAML. The following are prerequisites that should be completed prior to installing the
Connectors:
UCC (Unified Content Connector)
If the customer will be installing the UCC to support integration with SharePoint on-prem, SharePoint Online,
Windows File Share, or One Drive for Business, then an additional Windows server will be required. The
prerequisites for this connector are listed below:
Server Size
• OS: Windows Server 2016
• CPU: 4 vCPU
• Memory: 8 GB
• Storage: 100 GB
Port Requirements
Source
Target
Port
Master-Main server (Basic deployment)
or
Main server (Advanced deployment)
Unified Content Connector
8443
16
Unified Content Connector
External Repository
Per third-
party service
requirements
(usually 443)
Unified Content Connector
Frontend server (Advanced deployment)
443
Single Sign-On Identity Connector
No additional server is required for Single Sign-on via SAML. The customer is expected to already have a single
sign-on service in place prior to the configuration. If you need recommendations for a third-party SAML
provider, please contact your BlackBerry Professional Services Consultant for assistance.
Office Online Server
The customer is expected to already have installed a working version of Office Online Server (OOS) or Office
Web Apps Server (OWAS). There is no additional server required to connect Workspaces with an existing Office
Online environment.
Port Requirements
Source
Target
Port
Master-Main server (Basic deployment and
vApp)
or
Application server (Advanced deployment)
OWAS
or
OOS
443 (HTTPS)
OWAS
or
OOS
Master-Main server (Basic deployment and
vApp)
or
Application server (Advanced deployment)
443 (HTTPS)
End-user machine
OWAS
or
OOS
443 (HTTPS)
OWAS
or
OOS
End-user machine
443 (HTTPS)
17
Appendix
SSL Certificates
The BlackBerry Workspaces Virtual Appliance must be provisioned with SSL certificates by an approved
certificate authority. The SSL certificate should be generated before the installation. There are many ways to
generate a CSR (Certificate Signing Request). BlackBerry recommends the following, which can be performed on
almost any Linux server from the Terminal. Once complete, submit the CSR to your Certificate Authority and
retain the Private Key:
openssl req -new -newkey rsa:2048 -nodes -keyout /tmp/privateKey.key -out
/tmp/CSR.csr
The Appliance-X installation requires 3 certificate pieces:
• SSL Certificate
o Definition: The SSL certificate that will be used to secure communication with end users. This
certificate should have the site’s URL in either the Subject Name or Subject Alternative Name (SAN)
attributes. This must be signed by a valid 3
rd
party, publicly trusted certificate authority (not self-
signed or internally signed).
o S
ample:
-----BEGIN CERTIFICATE-----
MII/………
……………………
-----END CERTIFICATE-----
o Further information: http://technet.microsoft.com/en-us/library/cc778623(v=ws.10).aspx
• SSL Certificate Private Key
o Definition: This is the private key used to decrypt the communication.
o Sample:
-----BEGIN PRIVATE KEY
….
-----END PRIVATE KEY-----
o Further information: http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html
18
• SSL Intermediate CA Bundle
o Definition – a combination of the certificates validating the SSL site certificate. This bundle usually
contains 2-3 certificates, including the intermediate and root certificates.
o S
ample:
-----BEGIN CERTIFICATE-----
MIIE5T…
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MerR….
-----END CERTIFICATE-----
o Link: http://en.wikipedia.org/wiki/Intermediate_certificate_authorities
Installing Red Hat from .iso
These basic instructions are recommended for widest compatibility. If custom partitions are used outside of
these instructions, additional storage space may be required to satisfy Workspaces logging and installation
requirements. Please review with your Professional Services Consultant if you have any questions about
deployment.
1. From the boot screen, select “Install Red Hat Enterprise Linux”:
2. Select “Installation Destination”:
19
3. Select only the 100 GB hard drive for OS installation. Do not check or select the other hard drives. Choose
“Custom” Storage Configuration, then click “Done”:
20
4. Click the “+” button to create a new partition:
21
5. Select Mount Point = “/boot” and Desired Capacity = “1024 MiB”. Click “Add mount point”:
6. Click the “+” again. Select Mount Point = “swap” and Desired Capacity = “4 GiB”. Click “Add mount point”:
22
7. Click the “+” again. Select Mount Point = “/” and Desired Capacity = “100 GiB”. Click “Add mount point”:
8. The partition table should look like the image below:
23
9. Click “Done” in the top left, review the summary of changes, and click “Accept Changes”:
24
10. Select “Network & Host Name” from the main page:
11. Select your network interface and click “Configure…”:
25
12. Choose “IPv4 Settings” tab and configure the network as required with a static IP address:
26
13. Click “Save”, then “Done” in the top-left. On the main page, click “Root Password”:
14. Create a strong password. Select the “Allow root SSH login with password” check box:
15. Click “Done” in the top left. Select “Begin Installation” to begin the Red Hat installation.
