New Contributor
Posts: 8
Registered: ‎12-19-2008
My Device: Not Specified
Accepted Solution

BlackBerryStorm 9530 and BES 4.0 issue

[ Edited ]

I am fairly new to BES and BlackBerry phones.  I set up the BES server for my Exchange 2007 SP1 server and connected three BlackBerry phone users to it.  We just added a BlackBerry Storm user to the BES.  His emails are getting redirected fine.  However, when his phone tries to go to the internet (e.g. www.google.com), it is being blocked by our corporate firewall. Upon further investigation, I found that all his internet requests go to the cell tower -> Verizon network -> BlackBerry network -> BES server in our corporate network -> our corporate firewall -> internet.  How is this happening?

 

BES is installed in our corporate network for ONLY one reason: redirecting emails.  It SHOULD NOT do anything else? I am concerned. How can I lock the BES server so that it ONLY redirects emails?  I don't want any of our BlackBerry users to use our network resources for anything except sending and receiving emails.

 

We are not hosting any fancy apps or anything.  Like I said above, the only reason we have BES is for redirecting and receiving BlackBerry users' emails to/from our Exchange 2007. How can I secure the BES server?  What services should I remove/stop from BES?  The BES document wasn't clear.

 

I appreciate it.

 

Thanks

Message Edited by pie8ter on 12-19-2008 04:01 PM
Guru III
Posts: 31,339
Registered: ‎06-25-2008
My Device:

I'm rockin the BlackBerry Passport, Z30, Z10, Q10, BlackBerry Mini Stereo Speaker, 64 gig PlayBook, BlackBerry Wireless Headset HS-700

My Carrier: I am on AT&T. Please edit your Personal Profile with your DEVICE TYPE, DEVICE OS and Carrier

Re: BlackBerryStorm 9530 and BES 4.0 issue

However, when his phone tries to go to the internet (e.g. www.google.com), it is being blocked by our corporate firewall.

 

 

 

It is like that for security, read the manual some more.

 

You can, however, use the other web browser on the BB HH.

It does have 2 browsers, one through BES and the other through carrier.

 

 

 






New Contributor
Posts: 8
Registered: ‎12-19-2008
My Device: Not Specified

Re: BlackBerryStorm 9530 and BES 4.0 issue

[ Edited ]

Okay, I revisited the documentation.  I think I understand what's going on.  But I still don't see any place where I can completely disable the BB's access to the internet through the corporate network.

 

I can enable the "pull authorization" rule and not specify any web pattern.  This, I think, will prevent the BBs from going out to the internet, but I am still concerned about the fact that BBs can even get to the intranet for web access.  Is there any application rule that can force the web browser on the BB to use only BIS?

 

This leads me to another question.  Since the MDS connection service is responsible for helping the BBs get to internet or intranet websites, can I just disable it or uninstall it?  The documentation wasn't clear on what will happen if this service is disabled/uninstalled.  Is this service needed for email redirection?

 

One thing I can tell... enterprises with the BES put an enormous amount of trust in the RIM guys.  If they want, they can technically get full access to your messaging systems using the sessions over port 3101.

 

Thanks

Message Edited by pie8ter on 12-19-2008 11:08 PM
Message Edited by pie8ter on 12-19-2008 11:09 PM
Message Edited by pie8ter on 12-19-2008 11:10 PM
Forums Veteran I
Posts: 2,036
Registered: ‎12-04-2008
My Device: 8900

Re: BlackBerryStorm 9530 and BES 4.0 issue

[ Edited ]

Couple of things

 

You can disable MDS, but it is going to affect more than just web browsing. You are going to run into massive headaches if you try to accomplish this. Is your company really secure?  There is so much more benefit to being able to access intranet/internet from your device than not being able to access it. If your BES is behind your firewall/proxy internet gateway (that also does web filtering), then your BlackBerry's internet surfing will be filtered as well.

 

To the second part of your question about trusting the RIM guys, I'm not really sure how they could hijack sessions, you need to ensure that port 3101 is open outbound only. You do not need to open an inbound port on 3101 to this server.

Also, on a personal note, BES technology is used by at least 4 of the top Fortune 5 companies, the US government and branches of the military. As I know, this means nothing in means of it being secure; it should post as an example that it isn't just some useful BlackBerry program. BES is becoming mission critical.

 

 

Good luck though, 

Message Edited by bbhorrigan on 12-20-2008 10:06 AM
Forums Veteran I
Posts: 2,036
Registered: ‎12-04-2008
My Device: 8900

Re: BlackBerryStorm 9530 and BES 4.0 issue

Great KB article on firewall/bes

 

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB03735&sliceId=SAL_Pub...

New Contributor
Posts: 8
Registered: ‎12-19-2008
My Device: Not Specified

Re: BlackBerryStorm 9530 and BES 4.0 issue

[ Edited ]

So is there any way for someone to force his/her BB to use BIS for internet access?  Previous post mentioned users can use the BIS version of the web browser.  But I am looking for a rule or an IT policy to force them to use BIS.  

 

The problem is some of our users use their own BB and don't want to be subjected to our corporate internet access policies.  And I will never make adjustments to my firewall rules so that they can surf the internet through the company network.  

 

I don't have port 3101 opened in my firewall for inbound connections.  Then how does RIM initiate a connection to push emails from the blackberry devices to our BES behind our firewall?  The only way I can think of is through session hijack.  This is similar to "connect my pc" or PCanywhere.

Message Edited by pie8ter on 12-20-2008 11:47 PM
Message Edited by pie8ter on 12-20-2008 11:50 PM
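How an outbound-only rule for port 3101 still lets mail reach the BES, as an added example that is not part of any post in this thread: the BES opens the connection to the relay, and a stateful firewall passes data coming back on that same connection while dropping unsolicited inbound connections. The addresses and the toy firewall model below are constructed for illustration.

```python
from dataclasses import dataclass

BES = "10.0.0.5"        # constructed internal address of the BES host
RELAY = "203.0.113.10"  # constructed address standing in for the RIM relay
PORT = 3101

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a new TCP connection

class StatefulFirewall:
    """Toy model: one outbound allow rule plus connection tracking."""

    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.syn:
            # Only the BES may open connections, and only to TCP 3101.
            if p.src == BES and p.dport == PORT:
                self.flows.add(key)
                return "ALLOW new"
            return "DROP"
        return "ALLOW established" if key in self.flows else "DROP"

    def inbound(self, p):
        # No inbound rule exists: a packet passes only on a tracked flow.
        key = (p.dst, p.dport, p.src, p.sport)
        if not p.syn and key in self.flows:
            return "ALLOW established"
        return "DROP"

def demo():
    fw = StatefulFirewall()
    return [
        # Relay data before the BES has connected: no flow to match.
        fw.inbound(Packet(RELAY, PORT, BES, 49152)),
        # BES opens the session outbound to the relay on 3101.
        fw.outbound(Packet(BES, 49152, RELAY, PORT, syn=True)),
        # Relay pushes data down the connection the BES opened.
        fw.inbound(Packet(RELAY, PORT, BES, 49152)),
        # Unrelated host tries to open a connection to the BES on 3101.
        fw.inbound(Packet("198.51.100.7", 40000, BES, PORT, syn=True)),
    ]

if __name__ == "__main__":
    print(demo())
```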
New Contributor
Posts: 8
Registered: ‎12-19-2008
My Device: Not Specified

Re: BlackBerryStorm 9530 and BES 4.0 issue

I asked the users to use their "internet browser" on the BBHH.  They can go to the internet through BIS.  Thanks for all your help.