Welcome!

Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

Reply
Contributor
crrussell3
Posts: 19
Registered: ‎04-15-2010
My Device: 8830

[Solved]Blackberry users receiving Corporate email when not on BESX Server

[ Edited ]

**Solved**

Added IP Address from KB11036 to firewall rule from thoses ip address to our owa external ip address on 443 and set to deny.

 

 

It has recently come to my attention that we have a few users that are receiving corporate email on their personal blackberries even though they are not on our BESX server.  How is this possible?  They have indicated to me they have been receiving emails on them since before I started with the company, so I don't know what a previous admin may have done.  During that time, I decommissioned our old BES Pro server and brought up our BESX server, so I know they weren't on the old on either.

 

According to the end users, what they do remember, is that they were told what information to put in and their phones started receiving emails.  I have disabled (months ago) IMAP, POP3, and Exchange Activesync protocols for each individual user, so I know they aren't setup using those methods (I haven't been able to look at a phone yet that is receiving email).

 

Any thoughts on how they are doing this?  And how I can stop it?

 

**Edit**

A little bit more information:

 

1. They are not using the Blackberry desktop redirecter, nor are they having their email forwarded from exchange to their blackberry.

2. They are not using a special app on their phone to do this, it is built-in blackberry functionality.

3. We have BESX 5.0, Exchange 2007 SP3, and Windows Server 2008.

4. Allowed Mailbox Features: OWA, MAPI

5. Disabled Mailbox Features: Exchange ActiveSync, Unified Messaging, POP3, IMAP4

Please use plain text.
Contributor
rueburbon
Posts: 16
Registered: ‎10-14-2009
My Device: Not Specified

Re: Blackberry users receiving Corporate email when not on BESX Server

Probably will need a lot more information on your environment to figure this out accurately, but my first feeling is that they are using a BIS solution.  This is where a RIM hosted server connects your Outlook Web Access page and "Syncs" email.  The Blackberry's then connect to the BIS page to download the Sync'ed email.

 

An easy way to find out would be to disable OWA and see if their emails stop.  I believe, depending on the device that they have, they could also be connecting directly to OWA.  I could be mistaken on that though.

Please use plain text.
Contributor
crrussell3
Posts: 19
Registered: ‎04-15-2010
My Device: 8830

Re: Blackberry users receiving Corporate email when not on BESX Server

 


rueburbon wrote:

Probably will need a lot more information on your environment to figure this out accurately, but my first feeling is that they are using a BIS solution.  This is where a RIM hosted server connects your Outlook Web Access page and "Syncs" email.  The Blackberry's then connect to the BIS page to download the Sync'ed email.

 

An easy way to find out would be to disable OWA and see if their emails stop.  I believe, depending on the device that they have, they could also be connecting directly to OWA.  I could be mistaken on that though.


 

Hmm, that is an interesting issue.  We don't want to limit OWA, as some users that is how they have to connect, as they use multiple computers and we don't want to setup Outlook on each on for them.  That being said, there is probabaly no way to stop this unless we disable OWA?  Nor is there a way to detect which users are doing this either I suppose?

 

Let me know what information you want.  I was just in the process of adding some info back to my original post as I forgot to put in basic enviornment info (oops).

Please use plain text.
Contributor
crrussell3
Posts: 19
Registered: ‎04-15-2010
My Device: 8830

Re: Blackberry users receiving Corporate email when not on BESX Server

[ Edited ]

Now that I understand they are accessing it via OWA, I was able to do some research and did the following:

 

1. As per KB11036 I denied access from the BIS IP Addresses to port 443 to our Exchange server which should block OWA access for BIS.

2. I am also in the process of testing our deployment for TMG 2010 which is setup as a Reverse Proxy, and am integrating OWA access into it, and it seems that also breaks BIS communication with OWA.

 

So many security holes to patch, at least another one hopefully bites the dust!

Please use plain text.
Guru III
knottyrope
Posts: 30,407
Registered: ‎06-25-2008
My Device:

I'm rockin the BlackBerry Passport, Z30, Z10, Q10, BlackBerry Mini Stereo Speaker, 64 gig PlayBook, BlackBerry Wireless Headset HS-700

My Carrier: I am on AT&T. Please edit your Personal Profile with your DEVICE TYPE, DEVICE OS and Carrier

Re: Blackberry users receiving Corporate email when not on BESX Server

http://www.blackberry.com/btsc/KB11036 for the IP's of BIS and block users in IIS on your exchange server that hosts OWA or on your firewall before exchange would be a better place than putting the load on IIS.

 

I have recommended this for years so users will not have access to email while on BIS via OWA.

 

 

 




Click here to Backup the data on your BlackBerry Device! It's important, and FREE!


Click "Accept as Solution" if your problem is solved. To give thanks, click thumbs up
Click to search the Knowledge Base at BTSC and click to Read The Fabulous Manuals

BESAdmin's, please make a signature with your BES environment info.


SIM Free BlackBerry Unlocking FAQ
Follow me on Twitter @knottyrope


Want to thank me? Buy my KnottyRope App here


BES 5.0.4 and BES 10.2.2 with Exchange 2010 and SQL 2008


Please use plain text.
Contributor
crrussell3
Posts: 19
Registered: ‎04-15-2010
My Device: 8830

Re: Blackberry users receiving Corporate email when not on BESX Server

Knottyrope,

As per my post above, I took the info from the KB11036 and created a rule on our firewall from those ip address to our owa external ip address and set to deny.  This should stop the few that are out there and prevent any new ones.

Please use plain text.
Guru III
knottyrope
Posts: 30,407
Registered: ‎06-25-2008
My Device:

I'm rockin the BlackBerry Passport, Z30, Z10, Q10, BlackBerry Mini Stereo Speaker, 64 gig PlayBook, BlackBerry Wireless Headset HS-700

My Carrier: I am on AT&T. Please edit your Personal Profile with your DEVICE TYPE, DEVICE OS and Carrier

Re: Blackberry users receiving Corporate email when not on BESX Server

Yes it will stop them.:Devil2:

 

I prefer no OWA access at all. None of my users close their session on the internet access terminal here, why would they do it in the real world.:smileywink:

 




Click here to Backup the data on your BlackBerry Device! It's important, and FREE!


Click "Accept as Solution" if your problem is solved. To give thanks, click thumbs up
Click to search the Knowledge Base at BTSC and click to Read The Fabulous Manuals

BESAdmin's, please make a signature with your BES environment info.


SIM Free BlackBerry Unlocking FAQ
Follow me on Twitter @knottyrope


Want to thank me? Buy my KnottyRope App here


BES 5.0.4 and BES 10.2.2 with Exchange 2010 and SQL 2008


Please use plain text.