01-16-2013 03:21 PM
Can someone please explain what the "Proxy TLS" option does (under Options >> Security >> Advanced Security Settings >> TLS >> Proxy TLS
I'm experiencing difficulty finding documentation on the topic and need to understand how data traversal changes when that's enabled. Based on the name alone, I infer that it routes browser traffic through a proxy (defined in the trusted server list below it).
If so, does that affect traversal to my BES server? For example, if mobile users are connecting from hand-held device >> AT&T >> BES... would the proxy server come into play AFTER that?
I'm rockin the BlackBerry Passport, Z30, Z10, Q10, BlackBerry Mini Stereo Speaker, 64 gig PlayBook, BlackBerry Wireless Headset HS-700
01-16-2013 03:48 PM
Transport Layer Security
page here on settings in BES
BESAdmin's, please make a signature with your BES environment info.
BES 12 and BES 5.0.4 with Exchange 2010 and SQL 2012 Hyper V
01-17-2013 12:00 PM
To be more precise, the connection will always hit your proxy, only that with this option checked, the device initiates a direct connection to the backend server (still via your proxy) so all the action happens on the device and not on MDS-CS. If this option is not checked, then the device will simply make the connection to BES (MDS-CS) and let it handle the request
In our environment, we had to force all our users to use TLS by default via the rimpublic.property file in the MDS-CS config as we had issues connecting to alot of secure sites together with the BloomBerg gateway and this resolved everything for us. There was a known issue at RIM and they provided us with a fix, see the following KB for more info:
I also found the following info which might be helpful to you, basically details what I said above:
"In an application opening a secure connection to a backend data source, a BlackBerry device can use Secure Sockets Layer (SSL) or the updated Transport Layer Security (TLS) to encrypt the data across the connection. Because TLS is merely an updated version of SSL, both are treated as one in this section. The BlackBerry platform supports these two options for SSL:
Proxy SSL Mode: The SSL connection is made between the MDS Connection Service (MDS-CS) and the backend data source. The data between the device and MDS-CS is still encrypted using Triple-DES or AES, but the data is converted to SSL before it’s placed on the internal network.
With this option, there is a brief moment in time where the data resides on the MDS server in an unencrypted state. This option is useful when you trust the integrity of the MDS server.
End-to-End SSL: The SSL connection is made from the BlackBerry device all the way through to the backend server with which the application is communicating. This option eliminates the period where the data is temporarily unencrypted during conversion performed by MDS-CS in Proxy SSL mode. Use this option when the only trusted entities in a transaction are the BlackBerry device application and the backend server to which the device is connecting.
Using this option places a greater load on the BlackBerry device and degrades the device’s performance and battery life."
01-17-2013 12:28 PM
Thanks fermanagh. I'm still trying to wrap my mind around this so perhaps a flow visualization would help (thanks for your patience).
Let's say for the purpose of discussion that I've got an app that needs to pull data down via an SSL connection (nothing fancy - just standard HTTPS TCP/443). If I have TLS Proxy enabled, what would the flow be for the data?
I'm thinking something like:
Device >> Carrier >> RIM >> BES (handled with MDS-CS) >> Internet / Remote server.
Device >> Wifi >> RIM >> BES (handled with MDS-CS) >> Internet / Remote server.
Now if I have TLS Proxy enabled... I'm thinking it would be....
Device >> Carrier >> BES >> Proxy >> Internet / Remote Server
Device >> Wifi >> BES >> Internet / Remote server.
Am I on the right track here? Or way off?
01-17-2013 12:42 PM
Your data flow is correct but not with TLS enabled. All internet/intranet browsing will always pass via MDS-CS, there are no 2 ways about it as it's a necessary component of the BES.
If you look in the MDS-CS logs, you'll see connection attempts to the proxy. You should see these types of loglines:
IPPPHANDLER = TLS
Remember that even with this mode enabled, MDS-CS still needs to do it's job of dealing with the packet and then talking to the proxy and then sending the request to the internet/intranet. As mentioned in my previous post, the proxy TLS option eliminates the period where the data is temporarily unencrypted during conversion performed by MDS-CS in Proxy SSL mode.