| | Header logging
We have a similar setup with BES and BlueCoat but we are not using credential caching.
It is possible to include PIN and/or email in the http header the MDS sends out to the proxy (refer to KB03275). I am not sure, if BlueCoat can take this header field into account when authenticating on the base of the IP.
I thought this feature could be used for enabling the proxy to log access per blackberry PIN - but this does not seem to be possible from the BlueCoat side.
Anyway, I would be interested to know if this helped and how you solved your problem.
BES 4.1.7 (20 servers), Domino 7.0.3 with 19000+ users
BES 5.0.2 (8 server), Exchange 2010 SP1 with 1000+ users