BlackBerry® Enterprise Service 10

New Contributor
Posts: 5
Registered: ‎07-22-2011
My Device: Bold 9900
My Carrier: AT&T

What exactly does the "Proxy TLS" option do on Blackberry handhelds?

Hi there,

Can someone please explain what the "Proxy TLS" option does (under Options >> Security >> Advanced Security Settings >> TLS >> Proxy TLS)?

I'm experiencing difficulty finding documentation on the topic and need to understand how data traversal changes when that's enabled. Based on the name alone, I infer that it routes browser traffic through a proxy (defined in the trusted server list below it).

If so, does that affect traversal to my BES server? For example, if mobile users are connecting from hand-held device >> AT&T >> BES... would the proxy server come into play AFTER that?

Guru III
Posts: 31,513
Registered: ‎06-25-2008
My Device:

I'm rockin the BlackBerry Passport, Z30, Z10, Q10, BlackBerry Mini Stereo Speaker, 64 gig PlayBook, BlackBerry Wireless Headset HS-700

My Carrier: AT&T

Re: What exactly does the "Proxy TLS" option do on Blackberry handhelds?

Transport Layer Security

page here on settings in BES

http://btsc.webapps.blackberry.com/btsc/viewdocument.do?noCount=true&externalId=en7228Policy_Referen...

Super Contributor
Posts: 278
Registered: ‎04-01-2008
My Device: Z30

Re: What exactly does the "Proxy TLS" option do on Blackberry handhelds?

To be more precise, the connection will always hit your proxy, only that with this option checked, the device initiates a direct connection to the backend server (still via your proxy) so all the action happens on the device and not on MDS-CS. If this option is not checked, then the device will simply make the connection to BES (MDS-CS) and let it handle the request :)

In our environment, we had to force all our users to use TLS by default via the rimpublic.property file in the MDS-CS config, as we had issues connecting to a lot of secure sites together with the Bloomberg gateway, and this resolved everything for us. There was a known issue at RIM and they provided us with a fix; see the following KB for more info:

http://www.blackberry.com/btsc/KB28342

I also found the following info which might be helpful to you; basically it details what I said above:

"In an application opening a secure connection to a backend data source, a BlackBerry device can use Secure Sockets Layer (SSL) or the updated Transport Layer Security (TLS) to encrypt the data across the connection. Because TLS is merely an updated version of SSL, both are treated as one in this section. The BlackBerry platform supports these two options for SSL:

Proxy SSL Mode: The SSL connection is made between the MDS Connection Service (MDS-CS) and the backend data source. The data between the device and MDS-CS is still encrypted using Triple-DES or AES, but the data is converted to SSL before it's placed on the internal network.

With this option, there is a brief moment in time where the data resides on the MDS server in an unencrypted state. This option is useful when you trust the integrity of the MDS server.

End-to-End SSL: The SSL connection is made from the BlackBerry device all the way through to the backend server with which the application is communicating. This option eliminates the period where the data is temporarily unencrypted during conversion performed by MDS-CS in Proxy SSL mode. Use this option when the only trusted entities in a transaction are the BlackBerry device application and the backend server to which the device is connecting.

Using this option places a greater load on the BlackBerry device and degrades the device's performance and battery life."

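The two modes quoted above, shown as an added example that is not part of the original thread and not BlackBerry/BES code: a generic HTTP proxy written in Go stands in for MDS-CS. When the device-side client asks it for a `CONNECT` tunnel, the proxy only copies bytes and the TLS session runs end to end (the "Proxy TLS" checked case); when the client sends a plain `http://` request to the proxy, the proxy opens TLS to the backend itself and the request and response exist in the clear on the proxy (the "Proxy SSL mode" case). The proxy records everything it can see so both outcomes can be checked. The backend, the `/account/balance` path and the `balance=1234.56` response are constructed for the example; BlackBerry's own transport encryption between device and MDS-CS is not modelled.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// observingProxy stands in for the intermediary (MDS-CS in the thread). It handles
// CONNECT as a blind TCP tunnel and plain http:// requests by terminating TLS itself,
// and records every byte it relays or handles in the clear in `seen`.
type observingProxy struct {
	mu       sync.Mutex
	seen     bytes.Buffer
	backends *tls.Config // trust store used when the proxy is the TLS client
}

func (p *observingProxy) Write(b []byte) (int, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	return p.seen.Write(b)
}

func (p *observingProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method == http.MethodConnect {
		p.tunnel(w, r)
	} else {
		p.terminate(w, r)
	}
}

// tunnel: after "200 Connection Established" the proxy only copies bytes, so the
// handshake and every TLS record pass through it opaque (end-to-end mode).
func (p *observingProxy) tunnel(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(p, "CONNECT %s\n", r.Host) // the only plaintext the proxy learns
	upstream, err := net.Dial("tcp", r.Host)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadGateway)
		return
	}
	client, rw, err := w.(http.Hijacker).Hijack()
	if err != nil {
		upstream.Close()
		return
	}
	rw.WriteString("HTTP/1.1 200 Connection Established\r\n\r\n")
	rw.Flush()
	go func() { // client -> backend: record, then forward (ClientHello leads)
		io.Copy(io.MultiWriter(p, upstream), rw)
		upstream.Close()
	}()
	io.Copy(io.MultiWriter(p, client), upstream) // backend -> client
	client.Close()
}

// terminate: the proxy itself is the TLS client, so the request line and the
// response body exist in the clear on the proxy (proxy-SSL mode).
func (p *observingProxy) terminate(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(p, "%s %s\n", r.Method, r.URL.String())
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: p.backends}}
	resp, err := c.Get("https://" + r.Host + r.URL.RequestURI())
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	p.Write(body) // the response is unencrypted on the proxy too
	w.WriteHeader(resp.StatusCode)
	w.Write(body)
}

// Result is what one run reveals: what the device got and what the proxy saw.
type Result struct {
	DeviceGot      string // body received by the device-side application
	ProxySawSecret bool   // request path or response body visible on the proxy
	ProxySawTLS    bool   // proxy relayed raw TLS records (0x16 0x03 handshake header)
}

const secret = "balance=1234.56" // constructed backend response for the example

// Run performs one fetch through the proxy. endToEnd selects https:// via CONNECT
// (device does TLS) versus http:// to the proxy (proxy does TLS to the backend).
func Run(endToEnd bool) (Result, error) {
	backend := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, secret)
	}))
	defer backend.Close()
	tr := backend.Client().Transport.(*http.Transport) // trusts the backend's test cert
	p := &observingProxy{backends: tr.TLSClientConfig}
	proxy := httptest.NewServer(p)
	defer proxy.Close()

	pu, _ := url.Parse(proxy.URL)
	dev := tr.Clone() // device side: everything goes to the proxy first
	dev.Proxy = http.ProxyURL(pu)
	defer dev.CloseIdleConnections()
	target := backend.URL + "/account/balance" // constructed path
	if !endToEnd {
		target = "http" + strings.TrimPrefix(target, "https")
	}
	resp, err := (&http.Client{Transport: dev}).Get(target)
	if err != nil {
		return Result{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return Result{}, err
	}
	p.mu.Lock()
	seen := append([]byte(nil), p.seen.Bytes()...)
	p.mu.Unlock()
	return Result{
		DeviceGot:      string(body),
		ProxySawSecret: bytes.Contains(seen, []byte("/account/balance")) || bytes.Contains(seen, []byte(secret)),
		ProxySawTLS:    bytes.Contains(seen, []byte{0x16, 0x03}),
	}, nil
}

func main() {
	for _, e2e := range []bool{true, false} {
		r, err := Run(e2e)
		fmt.Printf("endToEnd=%v %+v err=%v\n", e2e, r, err)
	}
}
```

In both runs the device receives the same body; the difference is only in what the intermediary could observe. With the tunnel, the proxy's record holds the `CONNECT` target and TLS records and never the path or the secret, which is the "only trusted entities are the device application and the backend" property the quoted text describes. With the proxy terminating TLS, the recorded bytes contain the request line and the response in plaintext, which is the "brief moment ... unencrypted" on the intermediary. Note the trade-off the quote mentions: in the tunnel case the device holds the TLS session state and does the cryptographic work.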
New Contributor
Posts: 5
Registered: ‎07-22-2011
My Device: Bold 9900
My Carrier: AT&T

Re: What exactly does the "Proxy TLS" option do on Blackberry handhelds?

Thanks fermanagh. I'm still trying to wrap my mind around this, so perhaps a flow visualization would help (thanks for your patience).

Let's say for the purpose of discussion that I've got an app that needs to pull data down via an SSL connection (nothing fancy - just standard HTTPS TCP/443). If I have TLS Proxy enabled, what would the flow be for the data?

I'm thinking something like:

Wifi Off/Unavailable:

Device >> Carrier >> RIM >> BES (handled with MDS-CS) >> Internet / Remote server.

Wifi On/Available:

Device >> Wifi >> RIM >> BES (handled with MDS-CS) >> Internet / Remote server.

Now if I have TLS Proxy enabled... I'm thinking it would be...

Wifi Off/Unavailable:

Device >> Carrier >> BES >> Proxy >> Internet / Remote Server

Wifi On/Available:

Device >> Wifi >> BES >> Internet / Remote server.

Am I on the right track here? Or way off?

Super Contributor
Posts: 278
Registered: ‎04-01-2008
My Device: Z30

Re: What exactly does the "Proxy TLS" option do on Blackberry handhelds?

Your data flow is correct but not with TLS enabled. All internet/intranet browsing will always pass via MDS-CS; there are no two ways about it, as it's a necessary component of the BES.

If you look in the MDS-CS logs, you'll see connection attempts to the proxy. You should see these types of log lines:

IPPPHANDLER = TLS

Remember that even with this mode enabled, MDS-CS still needs to do its job of dealing with the packet and then talking to the proxy and then sending the request to the internet/intranet. As mentioned in my previous post, the proxy TLS option eliminates the period where the data is temporarily unencrypted during conversion performed by MDS-CS in Proxy SSL mode.
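A small audit of the log check mentioned above, added here as an example that is not part of the thread and not a BlackBerry tool: it scans MDS-CS log text for the `IPPPHANDLER` token, counts connections per handler value, and returns the lines whose handler is not `TLS`, so an administrator who has forced TLS by default can spot connections that still went through MDS-CS without end-to-end TLS. Only the token `IPPPHANDLER = TLS` comes from the thread; the sample lines, the other field names and the `HTTP` handler value are constructed for the example and real MDS-CS lines will be laid out differently.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// handlerRE extracts the IPPPHANDLER value from one log line. The token
// "IPPPHANDLER = TLS" is the one quoted in the thread; spacing is kept flexible.
var handlerRE = regexp.MustCompile(`IPPPHANDLER\s*=\s*([A-Za-z0-9_]+)`)

// Audit tallies lines per IPPPHANDLER value and returns the lines whose handler
// is anything other than TLS, i.e. connections MDS-CS did not relay as
// end-to-end TLS. Lines without the token are ignored.
func Audit(logText string) (counts map[string]int, nonTLS []string) {
	counts = map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		m := handlerRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		counts[m[1]]++
		if m[1] != "TLS" {
			nonTLS = append(nonTLS, line)
		}
	}
	return counts, nonTLS
}

// sampleLog is constructed for this example. The field layout around the
// IPPPHANDLER token is an assumption, as is the "HTTP" handler value.
const sampleLog = `
<2011-08-01 09:12:01.004 EDT>:[1021]:<MDS-CS_MDS>:<DEBUG>:<LAYER = IPPP, DEVICEPIN = 2100000A, CONNECTIONID = 17, IPPPHANDLER = TLS>
<2011-08-01 09:12:01.210 EDT>:[1022]:<MDS-CS_MDS>:<DEBUG>:<LAYER = IPPP, DEVICEPIN = 2100000B, CONNECTIONID = 18, IPPPHANDLER = HTTP>
<2011-08-01 09:12:02.115 EDT>:[1023]:<MDS-CS_MDS>:<DEBUG>:<LAYER = IPPP, DEVICEPIN = 2100000A, CONNECTIONID = 19, IPPPHANDLER = TLS>
<2011-08-01 09:12:03.000 EDT>:[1024]:<MDS-CS_MDS>:<INFO>:<Push connection opened>
`

func main() {
	counts, nonTLS := Audit(sampleLog)
	fmt.Println("connections per handler:", counts)
	for _, l := range nonTLS {
		fmt.Println("not end-to-end TLS:", l)
	}
}
```

Point it at a real MDS-CS log export by reading the file into `Audit`; the regular expression only depends on the token the thread quotes, so it survives differences in the rest of the line.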