12-19-2008 04:00 PM - edited 12-19-2008 04:01 PM
I am fairly new to BES and BlackBerry phones. I set up the BES server for my Exchange 2007 SP1 server and connected three BlackBerry phone users to it. We just added a BlackBerry Storm user to the BES. His emails are getting redirected fine. However, when his phone tries to go to the internet (e.g. www.google.com), it is being blocked by our corporate firewall. Upon further investigation, I found that all his internet requests go to the cell tower -> Verizon network -> BlackBerry network -> BES server in our corporate network -> our corporate firewall -> internet. How is this happening?
BES is installed in our corporate network for ONLY one reason: redirecting emails. It SHOULD NOT do anything else? I am concerned. How can I lock down the BES server so that it ONLY redirects emails? I don't want any of our BlackBerry users to use our network resources for anything except sending and receiving emails.
We are not hosting any fancy apps or anything. Like I said above, the only reason we have BES is for redirecting and receiving BlackBerry users' emails to/from our Exchange 2007. How can I secure the BES server? What services should I remove/stop from BES? The BES document wasn't clear.
I appreciate it.
I'm rockin the BlackBerry PRIV, Passport, Z30, Z10, Q10, BlackBerry Mini Stereo Speaker, 64 gig PlayBook,BT Headset HS-700
12-19-2008 04:36 PM
However, when his phone tries to go to the internet (e.g. www.google.com), it is being blocked by our corporate firewall.
It is like that for security, read the manual some more.
you can however use the other web browser on the BB HH.
It does have 2 browsers, one through BES and the other through carrier.
BESAdmin's, please make a signature with your BES environment info.
BES 12 and BES 5.0.4 with Exchange 2010 and SQL 2012 Hyper V
12-19-2008 10:59 PM - edited 12-19-2008 11:10 PM
Okay, I revisited the documentation. I think I understand what's going on. But I still don't see any place where I can completely disable the BBs' access to the internet through the corporate network.
I can enable the "pull authorization" rule and not specify any web pattern. This I think will prevent the BBs from going out to the internet, but I am still concerned about the fact that BBs can even get to the intranet for web access. Is there any application rule that can force the web browser on the BB to use only BIS?
This leads me to another question. Since the MDS Connection Service is responsible for helping the BBs get to internet or intranet websites, can I just disable it or uninstall it? The documentation wasn't clear on what will happen if this service is disabled/uninstalled. Is this service needed for email redirection?
One thing I can tell....enterprises with the BES put an enormous amount of trust in the RIM guys. If they want, they can technically get full access to your messaging systems using the sessions over port 3101.
12-20-2008 02:10 AM - edited 12-20-2008 10:06 AM
Couple of things:
You can disable MDS, but it is going to affect more than just web browsing. You are going to run into massive headaches if you try to accomplish this. Is your company really that secure? There is so much more benefit to being able to access intranet/internet from your device than not being able to access it. If your BES is behind your firewall/proxy internet gateway (that also does web filtering), then your BlackBerrys' internet surfing will be filtered as well.
To the second part of your question about trusting the RIM guys, I'm not really sure how they could hijack sessions; you need to ensure that port 3101 is open outbound only. You do not need to open an inbound port on 3101 to this server.
Also on a personal note, BES technology is used by at least 4 of the top Fortune 5 companies, the US government and branches of the military. As I know this means nothing in terms of it being secure, it should stand as an example that it isn't just some useful BlackBerry program; BES is becoming mission critical.
Good luck though,
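A defender-side check, added here as an illustration and not part of the original thread: it walks a constructed firewall log and flags (a) any allowed inbound connection to the BES host on TCP 3101, which the post above says should not exist because the BES only dials out, and (b) outbound web traffic from the BES host that did not go through the filtering proxy, i.e. MDS browsing on behalf of devices that would bypass corporate web filtering. The host addresses, the log format and the proxy address are assumptions.

```python
# Constructed sample firewall log (not from the original post).
# Fields: action src dst proto dport direction
SAMPLE_LOG = """\
ALLOW 10.0.0.25 192.0.2.10 tcp 3101 out
ALLOW 10.0.0.25 192.0.2.10 tcp 3101 out
DENY 198.51.100.7 10.0.0.25 tcp 3101 in
ALLOW 10.0.0.25 10.0.0.9 tcp 8080 out
ALLOW 10.0.0.25 203.0.113.80 tcp 80 out
ALLOW 203.0.113.5 10.0.0.25 tcp 3101 in
"""

BES_HOST = "10.0.0.25"    # assumed address of the BES server
PROXY_HOST = "10.0.0.9"   # assumed address of the filtering web proxy
SRP_PORT = 3101           # BES -> RIM infrastructure, outbound only
WEB_PORTS = (80, 443)


def parse_line(line):
    """Split one constructed log line into a dict."""
    action, src, dst, proto, dport, direction = line.split()
    return {"action": action, "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "dir": direction}


def audit(log_text, bes_host=BES_HOST, proxy_host=PROXY_HOST):
    """Return (finding, raw_line) pairs for policy violations."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        r = parse_line(raw)
        # 1. Nothing should be allowed *in* to the BES on 3101.
        if (r["dir"] == "in" and r["dst"] == bes_host
                and r["dport"] == SRP_PORT and r["action"] == "ALLOW"):
            findings.append(("inbound_3101_allowed", raw))
        # 2. Outbound from the BES: 3101 to RIM and traffic to the proxy
        #    are expected; direct 80/443 means MDS browsing skipped the proxy.
        if r["dir"] == "out" and r["src"] == bes_host and r["action"] == "ALLOW":
            if r["dport"] == SRP_PORT or r["dst"] == proxy_host:
                continue
            if r["dport"] in WEB_PORTS:
                findings.append(("mds_web_bypasses_proxy", raw))
    return findings


if __name__ == "__main__":
    for kind, line in audit(SAMPLE_LOG):
        print(f"{kind}: {line}")
```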
12-20-2008 02:13 AM
Great KB article on firewall/bes
12-20-2008 11:42 PM - edited 12-20-2008 11:50 PM
So is there any way for someone to force his/her BB to use BIS for internet access? A previous post mentioned users can use the BIS version of the web browser. But I am looking for a rule or an IT policy to force them to use BIS.
The problem is some of our users use their own BB and don't want to be subjected to our corporate internet access policies. And I will never make adjustments to my firewall rules so that they can surf the internet through the company network.
I don't have port 3101 open in my firewall for inbound connections. Then how does RIM initiate a connection to push emails from the BlackBerry devices to our BES behind our firewall? The only way I can think of is through session hijack. This is similar to "connect my PC" or pcAnywhere.