BlackBerry Forums Support Community               

Closed Thread
 
LinkBack Thread Tools
Old 07-10-2008, 09:44 AM   #1 (permalink)
Knows Where the Search Button Is
 
Join Date: Mar 2006
Model: 9800
Carrier: Rogers
Posts: 24
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Disable BIS access to Exchange Server

Please Login to Remove!

I did a quick search but could not find anything regarding this on the forum, and I'm not really sure that this is the right spot to post it in but I figured it fit better here then anywhere else.

A little background, I work for a law firm and we have a strict policy regarding blackberries. As a rule we don't allow personal PDA/Smartphone/BB devices access to the network, email, etc. This is due to the fact that when you make what a lawyer makes leaving behind a piddly $500 phone means you just have to go out and buy the newest model. Of course what escapes them is the fact that the BB or whatever has all their recent emails on them which can be a huge risk. At least with the BES we have the ability to enforce a security policy and if the device is still in service range we can remotely wipe it etc.

Anyways yesterday it was brought to my attention that we have a user who went out and purchased a BB Pearl, and as it turns out he is able to access his corporate account over what I assume is a BIS connection. All he has to do is setup a mail account with his corporate email/password and apparently BIS is able to determine the rest of the settings. I did some checking and it appears as though it is using the OWA settings to access the corporate email, we do allow out users to access their email from a web browser by going to exchange.*****.com, and from what I can tell by the email settings on the blackberry it is connecting to the same site to download corporate email to the device.

This issue with this is that it's one thing to access OWA from a web browser on desktop computer that retains no messages after logging out but its completely another that we could have who knows how many people using BB devices who are downloading their corporate emails directly to the devices with no security policy, and without the IT departments knowledge.

In the end maybe we're being paranoid but the fact is that this is an issue for us, so my question would be does anyone know how to prevent the BB's from being able to access these corporate accounts while still leaving OWA accessible??

Sorry for the long post and TIA,
James

--Edit--
Just as a side note, adding these people to the BES is a last resort type of option as our Managing Partner does not want to buy BES CAL's for users unless they are approved by him to have BB access.

Last edited by jpom : 07-10-2008 at 09:47 AM.
Offline  
Old 07-10-2008, 01:15 PM   #2 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 
Join Date: Jan 2008
Location: Massachusetts
Model: Passp
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,753
Post Thanks: 274
Thanked 296 Times in 280 Posts
Default

Sounds like it is imitating OMA for access.
You can tell if you install the mobileadmin package on exchange.

We use SSL certs for OMA with ISA. No cert = no email. the cert is not installed on the domain controller so each user has to have it manually entered.

If you have no cert then anyone can access it with a password with most mobile devices.
__________________
irony : many old timer posters have de-evolved into the trolls they once fought
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Passport, Z30, Z10 and Q10
Offline  
Old 07-10-2008, 02:11 PM   #3 (permalink)
Knows Where the Search Button Is
 
Join Date: Mar 2006
Model: 9800
Carrier: Rogers
Posts: 24
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thanks for the reply knotty, it gave me a couple things to try, unfortunately I can now confirm that BIS does in fact use OWA (I disabled OMA to test) to access the exchange server. I can block access by disabling OWA and then deleting and trying to re-create the account the handheld, at which point it tells me it cannot connect to the server, however disabling OWA is not a viable option for us and as soon as I re-enable it the blackberry is able to connect again.

Preferably I would like to be able to fix this rather then work around it with security certs etc however at this point I am thinking that that might not be possible.

Still open to any ideas anyone has.

TIA,
James
Offline  
Old 07-10-2008, 03:33 PM   #4 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 
Join Date: Jan 2008
Location: Massachusetts
Model: Passp
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,753
Post Thanks: 274
Thanked 296 Times in 280 Posts
Default

You could block BIS server IPs at the firewall unless the devices are connecting direct to it.
__________________
irony : many old timer posters have de-evolved into the trolls they once fought
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Passport, Z30, Z10 and Q10
Offline  
Old 07-10-2008, 03:57 PM   #5 (permalink)
Knows Where the Search Button Is
 
OrangeNBlueBerry's Avatar
 
Join Date: Jun 2008
Location: Tennessee, USA
Model: 8330
Carrier: Verizon
Posts: 24
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thinking out loud: IP address and domain name restrictions in OWAadmin in IIS ... hmmm ... not really sure that'll work... need to keep thinking ...
__________________
Amo tutte le cose italian
Offline  
Old 07-10-2008, 04:03 PM   #6 (permalink)
Knows Where the Search Button Is
 
Join Date: Mar 2006
Model: 9800
Carrier: Rogers
Posts: 24
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

That's excatly what I've done is blocked the BIS servers located here

BlackBerry Search Results

via the IIS default website

It's not really an ideal solution but it seems to work, I can still "connect" the blackberry to the server however email sending and receiving does not work, so far that looks about as good as it's going to get.

Thanks for the help

James
Offline  
Old 07-10-2008, 04:14 PM   #7 (permalink)
Knows Where the Search Button Is
 
OrangeNBlueBerry's Avatar
 
Join Date: Jun 2008
Location: Tennessee, USA
Model: 8330
Carrier: Verizon
Posts: 24
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Glad to know that worked, at least in a non-ideal way. The only other route I can think of is disabling OWA for that user, which is likely not an acceptable option for him/her.
Setting up BIS email access on a BB through an OWA connection is a pretty simple and interesting path, as you don't have to offer IMAP or POP, but I now see the dilemma you were facing. Good luck.
__________________
Amo tutte le cose italian
Offline  
Old 07-10-2008, 04:21 PM   #8 (permalink)
BlackBerry Extraordinaire
 
CO_BBTechie's Avatar
 
Join Date: Jul 2007
Location: Denver
Model: 8310
Carrier: AT&T
Posts: 2,044
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Here's a fresh idea. Tell them it's not allowed, and then see how many try to get away with it. Perhaps fine them or fire them.... they're lawyers, and should understand the implications.
__________________
Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.
Clifford Stoll
Offline  
Old 07-10-2008, 04:39 PM   #9 (permalink)
Knows Where the Search Button Is
 
Join Date: Mar 2006
Model: 9800
Carrier: Rogers
Posts: 24
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Would be a great idea except for a few factors, one being that if they are managing partners then fine/fire is not an option as both would need the consent of all the other board members and it's just not going to happen. Two is that they are lawyers and they're going to do whatever they want whether they're allowed or not. Three is trying to monitor the people using them would be tedious as it would basically require going through the IIS logs on a daily basis and searching for the IP's listed in link in my previous posts.

I really do wish that it were as simple as telling them NO! but in the end I would rather act proactivly and block the IP's rather then having a situation where a user that may not have been noticed in the logs loses a blackberry that is connected to the corporate email even though it's not supposed to be.

Anybody whose worked with lawyers before can probably tell you that they are more like spoiled children who need to be babysat then adults with an ounce of common sense, or maybe that's just my experience.

Last edited by jpom : 07-10-2008 at 04:40 PM.
Offline  
Old 07-10-2008, 07:13 PM   #10 (permalink)
Knows Where the Search Button Is
 
OrangeNBlueBerry's Avatar
 
Join Date: Jun 2008
Location: Tennessee, USA
Model: 8330
Carrier: Verizon
Posts: 24
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Attorneys - HTTA - Holier Than Thou Attitude ... feel for you man...
__________________
Amo tutte le cose italian
Offline  
Old 07-11-2008, 06:36 AM   #11 (permalink)
BlackBerry Genius
 
hdawg's Avatar
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by jpom View Post
That's excatly what I've done is blocked the BIS servers located here

BlackBerry Search Results

via the IIS default website

It's not really an ideal solution but it seems to work, I can still "connect" the blackberry to the server however email sending and receiving does not work, so far that looks about as good as it's going to get.

Thanks for the help

James
This is really the least invasive way to do it. It works and it works well.
Offline  
Old 07-30-2008, 04:02 PM   #12 (permalink)
New Member
 
Join Date: Jul 2008
Model: 8820
PIN: N/A
Carrier: AT&T
Posts: 6
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Ok I have tried this using this list of IP's:
IP Address Netmask
206.51.26.0 Netmask = 255.255.255.0
193.109.81.0 Netmask = 255.255.255.0
204.187.87.0 Netmask = 255.255.255.0
206.53.144.0 Netmask = 255.255.240.0
216.9.240.0 Netmask = 255.255.240.0
67.223.64.0 Netmask = 255.255.224.0
93.186.16.0 Netmask = 255.255.248.0

These were taken from this site:
blackberry_com/btsc/articles/644/KB11036_f.SAL_Public.html
SUBSTITUTE
blackberry_com
for
blackberry.com

This doesn't seem to work as after entering in these denied groups of IP's in IIS under the owa site it still is communicating with the blackberry.

On my blackberry I have:
my connection via BES
An added connection through personal mail setup. The personal mail setup still gets mail to and from it.

Any ideas?

Last edited by lawson23 : 07-30-2008 at 04:03 PM.
Offline  
Old 07-30-2008, 04:08 PM   #13 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 
Join Date: Jan 2008
Location: Massachusetts
Model: Passp
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,753
Post Thanks: 274
Thanked 296 Times in 280 Posts
Default

via the IIS default website not OWA

Try that and test again
__________________
irony : many old timer posters have de-evolved into the trolls they once fought
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Passport, Z30, Z10 and Q10
Offline  
Old 07-30-2008, 04:10 PM   #14 (permalink)
New Member
 
Join Date: Jul 2008
Model: 8820
PIN: N/A
Carrier: AT&T
Posts: 6
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

It is the default website sorry I guess I should have clarified this specifically.

I also have restarted the website and World Wide Web Publishing Service.

Last edited by lawson23 : 07-30-2008 at 04:11 PM.
Offline  
Old 07-30-2008, 04:20 PM   #15 (permalink)
New Member
 
Join Date: Jul 2008
Model: 8703e
PIN: N/A
Carrier: Sprint PCS
Posts: 8
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I am actually interested in this as well. Can those IPs be blocked at the firewall level before they even hit OWA or BES?

I'm trying to get a picture of what the connection diagram looks like, let me know if this is accurate:

End User BB-->Wireless Provider-->RIM BIS Servers (IP tables above)-->Corporate Firewall-->Corporate BES-->Exchange FE/OWA Host
Offline  
Old 07-30-2008, 04:23 PM   #16 (permalink)
New Member
 
Join Date: Jul 2008
Model: 8703e
PIN: N/A
Carrier: Sprint PCS
Posts: 8
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

One thing to add....we want to prohibit BIS access to Exchange, but we don't want to prohibit personal accounts such as Gmail, Hotmail, etc. Would this still be doable somehow by changing it at the OWS IIS level?
Offline  
Old 07-31-2008, 08:21 AM   #17 (permalink)
New Member
 
Join Date: Jul 2008
Model: 8820
PIN: N/A
Carrier: AT&T
Posts: 6
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Ok here is a picture of my denied list. All I did is applied this to the Default Web Site. Any ideas????
Attached Images
File Type: jpg denied list.JPG (37.9 KB, 76 views)
Offline  
Old 07-31-2008, 08:23 AM   #18 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 
Join Date: Jan 2008
Location: Massachusetts
Model: Passp
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,753
Post Thanks: 274
Thanked 296 Times in 280 Posts
Default

If you lock the BIS servers at the firewall then they will never connect.
Just block BIS IP's incoming ports 80 and 443 for SSL.

Wonder if forms based authentication with SSL through ISA would help with this issue.
__________________
irony : many old timer posters have de-evolved into the trolls they once fought
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Passport, Z30, Z10 and Q10
Offline  
Old 08-11-2008, 06:36 PM   #19 (permalink)
New Member
 
Join Date: Aug 2008
Model: none
PIN: N/A
Carrier: none
Posts: 1
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Not to highjack this thread but I have a related question. We have a couple users with BB now and I am curious about how the authentication works. Is the username and password only stored on the device or is it sent up to RIM where it then does the authentication for the user. Having company ID and PW's stored on a third parties server is a bit concerning to me. Any information you can provide would be appreciated.
Offline  
Old 08-11-2008, 07:10 PM   #20 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 
Join Date: Jan 2008
Location: Massachusetts
Model: Passp
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,753
Post Thanks: 274
Thanked 296 Times in 280 Posts
Default

For BES no password or user accounts are stored at RIM.
It is PIN of the BB to SRP of the BES.

On BIS the password and user ID is on the phone, IIRC

For the web forwarding it is on RIMs servers.
__________________
irony : many old timer posters have de-evolved into the trolls they once fought
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Passport, Z30, Z10 and Q10
Offline  
Closed Thread


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On





Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.