BlackBerryForums.com : Your Number One BlackBerry Community
     

#1 jpom (Knows Where the Search Button Is) - Posts: 19, Join Date: Mar 2006, Model: 9700, Carrier: Rogers
Disable BIS access to Exchange Server - 07-10-2008, 10:44 AM

I did a quick search but could not find anything regarding this on the forum, and I'm not really sure that this is the right spot to post it in, but I figured it fit better here than anywhere else.

A little background: I work for a law firm and we have a strict policy regarding BlackBerrys. As a rule we don't allow personal PDA/Smartphone/BB devices access to the network, email, etc. This is due to the fact that when you make what a lawyer makes, leaving behind a piddly $500 phone just means you have to go out and buy the newest model. Of course what escapes them is the fact that the BB or whatever has all their recent emails on it, which can be a huge risk. At least with the BES we have the ability to enforce a security policy, and if the device is still in service range we can remotely wipe it, etc.

Anyway, yesterday it was brought to my attention that we have a user who went out and purchased a BB Pearl, and as it turns out he is able to access his corporate account over what I assume is a BIS connection. All he has to do is set up a mail account with his corporate email/password and apparently BIS is able to determine the rest of the settings. I did some checking and it appears as though it is using the OWA settings to access the corporate email. We do allow our users to access their email from a web browser by going to exchange.*****.com, and from what I can tell by the email settings on the BlackBerry it is connecting to the same site to download corporate email to the device.

The issue with this is that it's one thing to access OWA from a web browser on a desktop computer that retains no messages after logging out, but it's completely another that we could have who knows how many people using BB devices who are downloading their corporate emails directly to the devices with no security policy, and without the IT department's knowledge.

In the end maybe we're being paranoid, but the fact is that this is an issue for us, so my question would be: does anyone know how to prevent BBs from being able to access these corporate accounts while still leaving OWA accessible?

Sorry for the long post and TIA,
James

--Edit--
Just as a side note, adding these people to the BES is a last-resort type of option, as our Managing Partner does not want to buy BES CALs for users unless they are approved by him to have BB access.

Last edited by jpom : 07-10-2008 at 10:47 AM.
   
#2 knottyrope (The Knotty BES A D M I N) - Posts: 2,876, Join Date: Jan 2008, Location: Massachusetts, Model: 9700, OS: 5.0.0.666, PIN: t of blood has been taken, Carrier: AT&T-US with I dee ten tee errors
07-10-2008, 02:15 PM

Sounds like it is imitating OMA for access.
You can tell if you install the mobileadmin package on Exchange.

We use SSL certs for OMA with ISA. No cert = no email. The cert is not installed on the domain controller, so each user has to have it manually entered.

If you have no cert then anyone can access it with a password from most mobile devices.


BES 4.1.6 MR7, SQL 05, EX03, WES 09 Survivor
RTFM? You LIAR!!! Read the FAQ yet?
Know how to use search yet?
Is your DataBase backed up? don't
Now you can sign up for free! Blackberry Expert Support Center
   
#3 jpom (Knows Where the Search Button Is) - Posts: 19, Join Date: Mar 2006, Model: 9700, Carrier: Rogers
07-10-2008, 03:11 PM

Thanks for the reply knotty, it gave me a couple of things to try. Unfortunately I can now confirm that BIS does in fact use OWA (I disabled OMA to test) to access the Exchange server. I can block access by disabling OWA and then deleting and trying to re-create the account on the handheld, at which point it tells me it cannot connect to the server; however, disabling OWA is not a viable option for us, and as soon as I re-enable it the BlackBerry is able to connect again.

Preferably I would like to be able to fix this rather than work around it with security certs etc.; however, at this point I am thinking that that might not be possible.

Still open to any ideas anyone has.

TIA,
James
   
#4 knottyrope (The Knotty BES A D M I N) - Posts: 2,876, Join Date: Jan 2008, Location: Massachusetts, Model: 9700, OS: 5.0.0.666, PIN: t of blood has been taken, Carrier: AT&T-US with I dee ten tee errors
07-10-2008, 04:33 PM

You could block BIS server IPs at the firewall unless the devices are connecting direct to it.


   
#5 OrangeNBlueBerry (Knows Where the Search Button Is) - Posts: 24, Join Date: Jun 2008, Location: Tennessee, USA, Model: 8330, Carrier: Verizon
07-10-2008, 04:57 PM

Thinking out loud: IP address and domain name restrictions in OWAadmin in IIS ... hmmm ... not really sure that'll work... need to keep thinking ...


I love all things Italian
   
#6 jpom (Knows Where the Search Button Is) - Posts: 19, Join Date: Mar 2006, Model: 9700, Carrier: Rogers
07-10-2008, 05:03 PM

That's exactly what I've done: I've blocked the BIS servers located here

BlackBerry Search Results

via the IIS default website.

It's not really an ideal solution, but it seems to work. I can still "connect" the BlackBerry to the server; however, email sending and receiving does not work. So far that looks about as good as it's going to get.

Thanks for the help

James
   
#7 OrangeNBlueBerry (Knows Where the Search Button Is) - Posts: 24, Join Date: Jun 2008, Location: Tennessee, USA, Model: 8330, Carrier: Verizon
07-10-2008, 05:14 PM

Glad to know that worked, at least in a non-ideal way. The only other route I can think of is disabling OWA for that user, which is likely not an acceptable option for him/her.
Setting up BIS email access on a BB through an OWA connection is a pretty simple and interesting path, as you don't have to offer IMAP or POP, but I now see the dilemma you were facing. Good luck.


   
#8 CO_BBTechie (BlackBerry Extraordinaire) - Posts: 2,045, Join Date: Jul 2007, Location: Denver, Model: 8310, Carrier: AT&T
07-10-2008, 05:21 PM

Here's a fresh idea. Tell them it's not allowed, and then see how many try to get away with it. Perhaps fine them or fire them.... they're lawyers, and should understand the implications.


Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.
Clifford Stoll
   
#9 jpom (Knows Where the Search Button Is) - Posts: 19, Join Date: Mar 2006, Model: 9700, Carrier: Rogers
07-10-2008, 05:39 PM

Would be a great idea except for a few factors. One being that if they are managing partners then fine/fire is not an option, as both would need the consent of all the other board members and it's just not going to happen. Two is that they are lawyers and they're going to do whatever they want whether they're allowed or not. Three is that trying to monitor the people using them would be tedious, as it would basically require going through the IIS logs on a daily basis and searching for the IPs listed in the link in my previous posts.

I really do wish that it were as simple as telling them NO! But in the end I would rather act proactively and block the IPs rather than have a situation where a user that may not have been noticed in the logs loses a BlackBerry that is connected to the corporate email even though it's not supposed to be.

Anybody who's worked with lawyers before can probably tell you that they are more like spoiled children who need to be babysat than adults with an ounce of common sense, or maybe that's just my experience.

Last edited by jpom : 07-10-2008 at 05:40 PM.
   
#10 OrangeNBlueBerry (Knows Where the Search Button Is) - Posts: 24, Join Date: Jun 2008, Location: Tennessee, USA, Model: 8330, Carrier: Verizon
07-10-2008, 08:13 PM

Attorneys - HTTA - Holier Than Thou Attitude ... feel for you man...


   
#11 hdawg (BlackBerry Genius) - Posts: 6,647, Join Date: Aug 2006, Model: hdawg, PIN: port3101.org, Carrier: hdawg
07-11-2008, 07:36 AM

Quote: Originally Posted by jpom
That's exactly what I've done: I've blocked the BIS servers located here

BlackBerry Search Results

via the IIS default website.

It's not really an ideal solution, but it seems to work. I can still "connect" the BlackBerry to the server; however, email sending and receiving does not work. So far that looks about as good as it's going to get.

Thanks for the help

James
This is really the least invasive way to do it. It works and it works well.
   
#12 lawson23 (New Member) - Posts: 6, Join Date: Jul 2008, Model: 8820, PIN: N/A, Carrier: AT&T
07-30-2008, 05:02 PM

Ok, I have tried this using this list of IPs:

IP Address      Netmask
206.51.26.0     255.255.255.0
193.109.81.0    255.255.255.0
204.187.87.0    255.255.255.0
206.53.144.0    255.255.240.0
216.9.240.0     255.255.240.0
67.223.64.0     255.255.224.0
93.186.16.0     255.255.248.0

These were taken from this site:
blackberry_com/btsc/articles/644/KB11036_f.SAL_Public.html
(substitute blackberry.com for blackberry_com)

This doesn't seem to work, as after entering these denied groups of IPs in IIS under the OWA site it is still communicating with the BlackBerry.

On my BlackBerry I have:
my connection via BES
an added connection through personal mail setup. The personal mail setup still gets mail to and from it.

Any ideas?

Last edited by lawson23 : 07-30-2008 at 05:03 PM.
   
#13 knottyrope (The Knotty BES A D M I N) - Posts: 2,876, Join Date: Jan 2008, Location: Massachusetts, Model: 9700, OS: 5.0.0.666, PIN: t of blood has been taken, Carrier: AT&T-US with I dee ten tee errors
07-30-2008, 05:08 PM

Via the IIS default website, not OWA.

Try that and test again


   
#14 lawson23 (New Member) - Posts: 6, Join Date: Jul 2008, Model: 8820, PIN: N/A, Carrier: AT&T
07-30-2008, 05:10 PM

It is the default website, sorry, I guess I should have clarified this specifically.

I also have restarted the website and World Wide Web Publishing Service.

Last edited by lawson23 : 07-30-2008 at 05:11 PM.
   
#15 shashinp5 (New Member) - Posts: 8, Join Date: Jul 2008, Model: 8703e, PIN: N/A, Carrier: Sprint PCS
07-30-2008, 05:20 PM

I am actually interested in this as well. Can those IPs be blocked at the firewall level before they even hit OWA or BES?

I'm trying to get a picture of what the connection diagram looks like, let me know if this is accurate:

End User BB --> Wireless Provider --> RIM BIS Servers (IP tables above) --> Corporate Firewall --> Corporate BES --> Exchange FE/OWA Host
   
#16 shashinp5 (New Member) - Posts: 8, Join Date: Jul 2008, Model: 8703e, PIN: N/A, Carrier: Sprint PCS
07-30-2008, 05:23 PM

One thing to add... we want to prohibit BIS access to Exchange, but we don't want to prohibit personal accounts such as Gmail, Hotmail, etc. Would this still be doable somehow by changing it at the OWA IIS level?
   
#17 lawson23 (New Member) - Posts: 6, Join Date: Jul 2008, Model: 8820, PIN: N/A, Carrier: AT&T
07-31-2008, 09:21 AM

Ok, here is a picture of my denied list. All I did was apply this to the Default Web Site. Any ideas????
[Attached image: denied list.JPG]
   
#18 knottyrope (The Knotty BES A D M I N) - Posts: 2,876, Join Date: Jan 2008, Location: Massachusetts, Model: 9700, OS: 5.0.0.666, PIN: t of blood has been taken, Carrier: AT&T-US with I dee ten tee errors
07-31-2008, 09:23 AM

If you block the BIS servers at the firewall then they will never connect.
Just block the BIS IPs on incoming ports 80 and 443 (SSL).

Wonder if forms-based authentication with SSL through ISA would help with this issue.


   
#19 dpuckett (New Member) - Posts: 1, Join Date: Aug 2008, Model: none, PIN: N/A, Carrier: none
08-11-2008, 07:36 PM

Not to hijack this thread, but I have a related question. We have a couple of users with BBs now and I am curious about how the authentication works. Is the username and password only stored on the device, or is it sent up to RIM, where it then does the authentication for the user? Having company IDs and PWs stored on a third party's server is a bit concerning to me. Any information you can provide would be appreciated.
   
#20 knottyrope (The Knotty BES A D M I N) - Posts: 2,876, Join Date: Jan 2008, Location: Massachusetts, Model: 9700, OS: 5.0.0.666, PIN: t of blood has been taken, Carrier: AT&T-US with I dee ten tee errors
08-11-2008, 08:10 PM

For BES no passwords or user accounts are stored at RIM.
It is the PIN of the BB to the SRP of the BES.

On BIS the password and user ID are on the phone, IIRC.

For the web forwarding it is on RIM's servers.


   
#21 bakerfall (Thumbs Must Hurt) - Posts: 162, Join Date: May 2006, Model: 9000, OS: 4.6.0.190, Carrier: AT&T
08-12-2008, 08:30 AM

I have to admit, I find it a bit funny and slightly hypocritical that you have an open OWA page but don't want users accessing it on their BlackBerry. From a security standpoint, you should most definitely require an SSL cert or put RSA or some other security protocol on that. Without it, users can access it using any web-based device, BlackBerrys included.

Certainly there are ways to prevent it or make it difficult, as mentioned in this thread, but it seems to me that you are still leaving it open to Windows Mobile, iPhone or any other internet-capable device. If you are really worried about it, lock down OWA. If you don't, you aren't solving the problem.


7290 -> 8700 -> 8800 -> 8300 -> 8310 + 8100 -> 9000
   
#22 knottyrope (The Knotty BES A D M I N) - Posts: 2,876, Join Date: Jan 2008, Location: Massachusetts, Model: 9700, OS: 5.0.0.666, PIN: t of blood has been taken, Carrier: AT&T-US with I dee ten tee errors
08-12-2008, 09:52 AM

bakerfall, yeah, that was said already, kinda.


Quote: Originally Posted by knottyrope
We use SSL certs for OMA with ISA. No cert = no email. The cert is not installed on the domain controller, so each user has to have it manually entered.

If you have no cert then anyone can access it with a password from most mobile devices.


   
#23 lawson23 (New Member) - Posts: 6, Join Date: Jul 2008, Model: 8820, PIN: N/A, Carrier: AT&T
answer found - 09-03-2008, 04:07 PM

I have found out why my requests are not being blocked by my IIS restriction. I'm posting so someone may be helped by this information in the future.

In my ISA box my 443 rule says that all requests to the server act as if they are coming from the ISA box. So if I look at my logging in IIS, I see the c-ip across the board for every request is the IP of my ISA box (internal IP).
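Posts #9, #12 and #23 between them describe the practical check an admin in this situation ends up doing: search the IIS logs for OWA requests that come from the BIS address blocks, and notice when the log cannot show the real client because ISA has rewritten the source address. The following is an added example, not code from this thread, from RIM or from Microsoft, written in Python. It converts the address/netmask list from post #12 into CIDR (the form a firewall deny list wants), matches the c-ip of each request in a few constructed IIS W3C log lines against those ranges, and flags a log in which every request carries the same private c-ip, which is the ISA symptom from post #23. Assumptions: the log carries the standard W3C #Fields header, OWA lives under /exchange/ on the default website, and the BIS blocks are exactly the seven the thread lists; whether that list is still current is not something the example can know.

```python
"""Find OWA requests from BIS address blocks in IIS W3C logs, and detect the
case where a front-end proxy (ISA) hides the real client address.
Added example for this thread; the log lines below are constructed."""
import ipaddress
from collections import Counter

# BIS source blocks as listed in post #12, as (address, netmask).
# Assumption: this list is complete; it is only what the thread quotes.
BIS_BLOCKS = [
    ("206.51.26.0", "255.255.255.0"),
    ("193.109.81.0", "255.255.255.0"),
    ("204.187.87.0", "255.255.255.0"),
    ("206.53.144.0", "255.255.240.0"),
    ("216.9.240.0", "255.255.240.0"),
    ("67.223.64.0", "255.255.224.0"),
    ("93.186.16.0", "255.255.248.0"),
]


def to_cidr(address, netmask):
    """Convert an address/netmask pair to CIDR text, e.g. 206.53.144.0/20."""
    return str(ipaddress.ip_network(f"{address}/{netmask}"))


def deny_list():
    """CIDR strings to hand to a firewall deny rule for inbound 80/443."""
    return [to_cidr(a, m) for a, m in BIS_BLOCKS]


BIS_RANGES = [ipaddress.ip_network(f"{a}/{m}") for a, m in BIS_BLOCKS]


def is_bis(client_ip):
    """True if the client address lies inside any listed BIS block."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in BIS_RANGES)


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives, blank lines
        else:
            values = line.split()
            if len(values) == len(fields):     # skip lines that do not fit the header
                records.append(dict(zip(fields, values)))
    return records


def bis_hits(records, path_prefix="/exchange/"):
    """OWA requests (assumed under /exchange/) whose source is a BIS address."""
    return [
        r for r in records
        if r["cs-uri-stem"].lower().startswith(path_prefix) and is_bis(r["c-ip"])
    ]


def source_is_masked(records):
    """True when every request shows one and the same private c-ip: the proxy
    has replaced the client address, so an IIS IP restriction has nothing
    real to match against."""
    sources = Counter(r["c-ip"] for r in records)
    if len(sources) != 1:
        return False
    (only_source,) = sources
    return ipaddress.ip_address(only_source).is_private


# Constructed sample: two BlackBerry fetches from BIS ranges, one desktop browser,
# one logon page hit. IIS writes '+' in place of spaces inside a field.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2008-07-30 17:01:12 10.0.0.5 GET /exchange/jsmith/Inbox/ - 443 CORP\jsmith 206.51.26.14 BlackBerry8100/4.2.0 200
2008-07-30 17:01:15 10.0.0.5 GET /exchange/jsmith/Inbox/ - 443 CORP\jsmith 203.0.113.77 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2008-07-30 17:02:40 10.0.0.5 POST /exchange/adoe/Drafts/ - 443 CORP\adoe 216.9.243.9 BlackBerry8100/4.2.0 200
2008-07-30 17:03:02 10.0.0.5 GET /exchweb/bin/auth/owalogon.asp - 443 - 198.51.100.8 Mozilla/4.0+(compatible;+MSIE+7.0) 200
"""

# Constructed sample of the post #23 situation: ISA publishes OWA and every
# request arrives from the ISA box's internal address.
MASKED_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2008-07-30 17:05:01 10.0.0.5 GET /exchange/jsmith/Inbox/ - 443 CORP\jsmith 10.0.0.2 BlackBerry8100/4.2.0 200
2008-07-30 17:05:09 10.0.0.5 GET /exchange/adoe/Inbox/ - 443 CORP\adoe 10.0.0.2 Mozilla/4.0+(compatible;+MSIE+7.0) 200
"""

if __name__ == "__main__":
    print("deny list:", ", ".join(deny_list()))
    for r in bis_hits(parse_w3c(SAMPLE_LOG)):
        print("BIS hit:", r["date"], r["time"], r["cs-username"], r["c-ip"], r["cs-uri-stem"])
    if source_is_masked(parse_w3c(MASKED_LOG)):
        print("every request has the same private c-ip: the proxy hides the client")
```

If the c-ip column holds nothing but the ISA address, the IIS restriction was never given anything to match, and the deny list belongs on ISA or the perimeter firewall for inbound 80 and 443, as posts #18 and #24 say. Matching the user-agent string is deliberately not used here: it is set by the client and is not evidence of where the request came from.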
   
#24 knottyrope (The Knotty BES A D M I N) - Posts: 2,876, Join Date: Jan 2008, Location: Massachusetts, Model: 9700, OS: 5.0.0.666, PIN: t of blood has been taken, Carrier: AT&T-US with I dee ten tee errors
09-03-2008, 05:19 PM

Lawson, I did mention blocking it at the firewall after your 7-31-08 post.

ISA can do this with ease and might do a better job of it.



Last edited by knottyrope : 09-03-2008 at 05:21 PM. Reason: farted
   
Copyright © 2004-2009 BlackBerryFAQ.com, BlackBerryForums.com.