Only self-hosted Blackboard Learn clients need to modify their firewall allowed list for Mobile access.
Blackboard Mobile products may require some modifications to your institution's network configuration (firewall/IP allowed list) to permit data to move between Blackboard Learn and Blackboard's Mobile products. The Blackboard app and Blackboard Instructor app utilize two cloud services: MLCS and mBaaS. Both services are maintained by Blackboard.
MLCS is the Blackboard Mobile Web Services Building Block registration service that handles the school search during authentication. mBaaS is a backend service that handles all other data requests between Blackboard Learn and the Blackboard app.
The Mobile Learn Central Service (MLCS) is hosted in the Amazon Web Services (AWS) cloud. Due to the dynamic nature of the scaling features of the AWS cloud, outbound traffic is sent via proxy through a series of static IP NATs to provide a more manageable set of firewall exception points.
The Mobile B2 must communicate outbound with the following hostnames:
The Learn server(s) must accept inbound traffic from the following hostname/static IPs:
If a firewall exception is made for the "*.medu.com" wildcard domain, this rule will cover all outbound and inbound requirements for Mobile B2 registration.
For mBaaS, end-user devices and client servers must communicate bi-directionally with the following hostname/IPs:
- 22.214.171.124 (North America and South America traffic NAT)
- 126.96.36.199 (Europe and Africa traffic NAT)
- 188.8.131.52 (Asia traffic NAT)
- 184.108.40.206 (Australia and Oceania traffic NAT)
- 220.127.116.11 (Japan traffic NAT)
- 18.104.22.168 (Canada traffic NAT)
- 22.214.171.124 (Africa traffic NAT)
These services call outbound to client servers via a static IP NAT, which are listed above. DNS lookups for "mbaas.mobile.medu.com" will not resolve to the NAT IPs listed.
Example: An end user's Mobile device sends requests to mbaas.mobile.medu.com, which is routed to the closest of the regional mBaaS AWS deployments. MBaaS then calls to the client server(s) through an outbound NAT with IP per above depending on which regional deployment is being used (i.e. - where in the world the end-user is located).
The creation and maintenance of Blackboard Mobile applications is unique and complex because Blackboard Learn servers are not a single set of SaaS machines hosted by Blackboard. Our Mobile applications need to work against a variety of different Blackboard Learn instances, where each instance may be at a different version and patch level. In order to work properly against all of these variations, our Mobile applications need to understand all of the features, bugs, and institutional customizations for every production Learn instance. This created a lot of bloat in our previous Mobile applications and made support challenging, as Blackboard can neither force an upgrade/patch on an individual institution's Learn instance nor on a student's or instructor's Mobile device.
To alleviate these issues, Blackboard reworked the way our Mobile applications interact with Blackboard Learn instances. Blackboard created a Mobile Backend as a Service (mBaaS) that runs on AWS. mBaaS allows our Mobile applications to interact with a single set of servers that can abstract various Blackboard Learn versions, bugs, patches, and so on. If a client upgrades a Blackboard Learn instance that introduces a bug, Blackboard can now respond by patching a single service immediately rather than creating new versions of our Mobile applications that need to be approved, released, and downloaded from the app stores.
mBaaS is designed to better service our clients by reacting to changes quickly from a single code line. mBaaS is not a storage service. While we may cache some information for a small amount of time to create a better user experience, there is no permanent storage on this service. All PII data transmitted and cached through mBaaS is SSL-encrypted and in compliance with FERPA and other similar international laws.
mBaaS servers are currently located in the United States, Canada, Germany, Singapore, Japan, Australia, and South Africa. Blackboard uses AWS Route 53 GEO DNS to route client traffic to the closest globally deployed mBaaS. For example, traffic from EU Mobile users routes to the EU mBaaS and calls are then made to the respective Learn instance. Many countries don't want their traffic routed through the United States, and we've implemented this routing to help alleviate those concerns.
Note that the architecture of the mBaaS relay marks a change in Blackboard’s Mobile strategy from previous Mobile products. The role-based Blackboard app and Blackboard Instructor app utilize mBaaS. However, the discontinued Bb Grader app and discontinued Mobile Learn app operated differently in the past and previously routed all connections directly to the Blackboard Learn environment.
We are excited to see this technology utilized for our Mobile applications, and we will continue to provide a high level of service to our clients with our mBaaS layer.