05-07-2009, 04:01 AM   #1
MisterGriffiths
Bluecoat Proxy and BES MDS

We have recently moved to using Bluecoat Proxy Servers in our environment but believe the Authentication (Credentials) Caching on the Proxy is causing unexpected results when browsing from the handhelds.

Unfortunately, I'm not the technical resource who's responsible for the Proxy environment so please forgive me in advance if I've misunderstood something.

BES environment: BES 4.1.6 MR2 (MDS running on same server as BES), Exchange 2003 SP2 (not really relevant but hey), Windows Server 2003 SP2, BlackBerry 9000 (Bold) - Handheld OS 4.6.0.134 & 4.6.0.162
MDS Config: Support HTTP Authentication = TRUE, Authentication Timeout = 86400000 (the maximum 24 hours), Support HTTP Cookie Storage = TRUE, No Credentials applied to the Proxy Config so users have to enter their own credentials for browsing.
Proxy environment: Blue Coat SG Appliance Model 810-B, Software Version SGOS 5.2.2.5 Proxy Edition

We want to retain HTTP Authentication on the MDS as some users have elevated access rights to some websites, while others do not.

We currently have the Proxy Server's Credential Caching period set to 15 minutes which I believe means the proxy will not request further authentication from the same originating IP address for that period. As webpage requests for BlackBerrys all originate from the BES/MDS we have found that users are piggybacking off the credentials of other users when browsing from the BlackBerry.

In our tests we gave one test user (BBUserA) access to a certain website and then prohibited access to that site for the second test user (BBUserB).

If the second test user (BBUserB) attempted to browse to the prohibited site, they were prompted to enter their credentials and then given the Block Page (as expected). If within the same 15 minute period, the first test user (BBUserA) then attempts to access the same site (for which they have been granted access) they are not prompted for any login credentials and immediately shown the Block Page.

We then waited 15 minutes. BBUserA attempted to load the page, was prompted for credentials and the page was shown (as expected). Within 15 minutes, BBUserB attempted to load the page, wasn't prompted for credentials and the website loaded (even though this user was prohibited from viewing this website).

We can only assume this is due to the Proxy Server's Authentication Caching. We don't really want to disable that feature on the Proxy, so I suppose the questions here are:

Does anyone else out there have the same configuration as us and know of a way to get the Bluecoat and MDS to work together so we can retain proxy authentication caching?

Is there some way of making the MDS present itself to the Proxy so it believes it is receiving requests from separate unique entities?
__________________
BES 5.0.3 MR4
Exchange 2010 (SP1 RU3)
SQL 2008 R2
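The two tests described in the post, replayed against a simplified model of a proxy that remembers the authenticated identity per source IP, next to one that takes identity from each request's own credentials. This is an added example, not part of the original post and not Blue Coat or BES code; the `Proxy` class, the MDS address, the placeholder password and the policy table are constructed for illustration.

```python
import base64

TTL = 15 * 60  # proxy credential-cache period from the post, in seconds
MDS_IP = "10.0.0.5"  # constructed: the one address all handheld traffic comes from
ALLOWED = {"BBUserA": True, "BBUserB": False}  # constructed policy for the test site

def basic(user, password="x"):  # constructed placeholder password
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):  # the model extracts the user name only, no password check
    return base64.b64decode(header.split()[1]).decode().split(":", 1)[0]

class Proxy:
    """Toy authenticating proxy; by_ip=True remembers the identity per source IP."""
    def __init__(self, by_ip):
        self.by_ip = by_ip
        self.cache = {}  # source IP -> (user, expiry time)

    def request(self, src_ip, now, proxy_auth=None):
        user = None
        hit = self.cache.get(src_ip) if self.by_ip else None
        if hit and hit[1] > now:
            user = hit[0]  # whoever authenticated last from this address
        if user is None:
            if proxy_auth is None:
                return "407 challenge"
            user = parse_basic(proxy_auth)
            if self.by_ip:
                self.cache[src_ip] = (user, now + TTL)
        return "200 page" if ALLOWED.get(user) else "403 block page"

def replay(by_ip):
    """Replay the post's two tests and return the four outcomes in order."""
    proxy = Proxy(by_ip)
    def browse(user, now):
        result = proxy.request(MDS_IP, now)  # first attempt carries no credentials
        if result == "407 challenge":  # user is prompted, request is retried
            result = "prompted, " + proxy.request(MDS_IP, now, basic(user))
        return result
    return [browse("BBUserB", 0), browse("BBUserA", 60),
            browse("BBUserA", TTL + 120), browse("BBUserB", TTL + 180)]

if __name__ == "__main__":
    for mode in (True, False):
        print("identity per source IP" if mode else "identity per request", replay(mode))
```

With `by_ip=True` the model reproduces both observations in the post: the second user in each 15-minute window inherits the first user's decision without being prompted.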