BlackBerry Forums Support Community               

Old 05-07-2009, 05:01 AM   #1 (permalink)
MisterGriffiths

Bluecoat Proxy and BES MDS

We have recently moved to using Bluecoat Proxy Servers in our environment but believe the Authentication (Credentials) Caching on the Proxy is causing unexpected results when browsing from the handhelds.

Unfortunately, I'm not the technical resource who's responsible for the Proxy environment so please forgive me in advance if I've misunderstood something.

BES environment: BES 4.1.6 MR2 (MDS running on same server as BES), Exchange 2003 SP2 (not really relevant but hey), Windows Server 2003 SP2, BlackBerry 9000 (Bold) - Handheld OS 4.6.0.134 & 4.6.0.162
MDS Config: Support HTTP Authentication = TRUE, Authentication Timeout = 86400000 (the maximum 24 hours), Support HTTP Cookie Storage = TRUE, No Credentials applied to the Proxy Config so users have to enter their own credentials for browsing.
Proxy environment: Blue Coat SG Appliance Model 810-B, Software Version SGOS 5.2.2.5 Proxy Edition

We want to retain HTTP Authentication on the MDS as some users have elevated access rights to some websites, while others do not.

We currently have the Proxy Server's Credential Caching period set to 15 minutes which I believe means the proxy will not request further authentication from the same originating IP address for that period. As webpage requests for BlackBerrys all originate from the BES/MDS we have found that users are piggybacking off the credentials of other users when browsing from the BlackBerry.

In our tests we gave one test user (BBUserA) access to a certain website and then prohibited access to that site for the second test user (BBUserB).

If the second test user (BBUserB) attempted to browse to the prohibited site, they were prompted to enter their credentials and then given the Block Page (as expected). If within the same 15 minute period, the first test user (BBUserA) then attempts to access the same site (for which they have been granted access) they are not prompted for any login credentials and immediately shown the Block Page.

We then waited 15 minutes. BBUserA attempted to load the page, was prompted for credentials and the page was shown (as expected). Within 15 minutes, BBUserB attempted to load the page, wasn't prompted for credentials and the website loaded (even though this user was prohibited from viewing this website).

We can only assume this is due to the Proxy Server's Authentication Caching. We don't really want to disable that feature on the Proxy, so I suppose the questions here are:

Does anyone else out there have the same configuration as us and know of a way to get the Bluecoat and MDS to work together so we can retain proxy authentication caching?

Is there some way of making the MDS present itself to the Proxy so it believes it is receiving requests from separate unique entities?
__________________
BES 5.0.3 MR4
Exchange 2010 (SP1 RU3)
SQL 2008 R2
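The piggybacking described in the post comes down to what the proxy uses as the cache key for an already-authenticated client. The toy model below (an added example, not Blue Coat's or BlackBerry's code) replays the four-step test above against a credential cache keyed on source IP alone, and then against one keyed on source IP plus a per-device header. The MDS address, the header name X-Device-PIN (standing in for the PIN/email header the thread says KB03275 lets MDS add), the ACL and the PINs are all constructed for the example.

```python
# Added example: a toy model of a forward proxy's credential cache,
# replaying the four-step test from the post above. Nothing here is Blue Coat's
# or BlackBerry's code; key modes, header name, ACL and addresses are assumptions.

CACHE_TTL = 15 * 60  # the 15-minute credential-caching window from the post
MDS_IP = "10.0.0.5"  # assumed BES/MDS address: every handheld request has this source IP

# Constructed ACL: BBUserA may reach the test site, BBUserB may not.
ACL = {"BBUserA": {"http://intranet.example/report"}, "BBUserB": set()}


class ProxyAuthCache:
    """Remembers 'this client already authenticated as user X' for CACHE_TTL seconds.

    key_mode="proxy-ip": cache keyed on the source IP alone (the behaviour the
    post describes, where all BlackBerry traffic shares the MDS address).
    key_mode="per-device": cache keyed on source IP plus a per-device header
    (assumed name X-Device-PIN).
    """

    def __init__(self, key_mode, ttl=CACHE_TTL):
        self.key_mode = key_mode
        self.ttl = ttl
        self._entries = {}  # key -> (authenticated_user, expiry_time)

    def _key(self, request):
        if self.key_mode == "proxy-ip":
            return request["client_ip"]
        return (request["client_ip"], request["headers"].get("X-Device-PIN"))

    def handle(self, request, now):
        """Return (actor, user the proxy believes it is serving, prompted, allowed)."""
        key = self._key(request)
        entry = self._entries.get(key)
        if entry is not None and entry[1] > now:
            user, prompted = entry[0], False      # cache hit: no challenge is sent
        else:
            # Cache miss: the proxy challenges, the person at the handheld types
            # their own credentials, so the cache learns the actual actor.
            user, prompted = request["actor"], True
            self._entries[key] = (user, now + self.ttl)
        allowed = request["url"] in ACL.get(user, set())
        return request["actor"], user, prompted, allowed


def make_request(actor, pin, url="http://intranet.example/report"):
    # All requests leave the MDS, so the source IP is identical for every device.
    return {"actor": actor, "client_ip": MDS_IP, "url": url,
            "headers": {"X-Device-PIN": pin}}


def run_scenario(key_mode):
    """Replay the post's test: B, then A within 15 min; wait; A, then B within 15 min."""
    proxy = ProxyAuthCache(key_mode)
    steps = [
        (0,    make_request("BBUserB", "2100BBBB")),   # B browses, is challenged, gets the block page
        (60,   make_request("BBUserA", "2100AAAA")),   # A browses one minute later
        (960,  make_request("BBUserA", "2100AAAA")),   # 16 min in: cache expired, A is challenged
        (1020, make_request("BBUserB", "2100BBBB")),   # B browses one minute after that
    ]
    return [proxy.handle(req, t) for t, req in steps]


if __name__ == "__main__":
    for mode in ("proxy-ip", "per-device"):
        print(mode)
        for actor, seen_as, prompted, allowed in run_scenario(mode):
            print(f"  {actor} seen as {seen_as}: prompted={prompted} allowed={allowed}")
```

In "proxy-ip" mode the second and fourth steps reproduce the post exactly: BBUserA is evaluated as BBUserB and blocked, then BBUserB inherits BBUserA's cached identity and is let through. Keying on something that distinguishes devices behind the shared MDS address makes every step authenticate as the right person; whether the real appliance can use such a header as part of its key is the open question in the thread.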
Old 05-07-2009, 10:38 AM   #2 (permalink)
Neo3000

Header logging

Hi,

We have a similar setup with BES and BlueCoat but we are not using credential caching.
It is possible to include PIN and/or email in the http header the MDS sends out to the proxy (refer to KB03275). I am not sure, if BlueCoat can take this header field into account when authenticating on the base of the IP.

I thought this feature could be used for enabling the proxy to log access per blackberry PIN - but this does not seem to be possible from the BlueCoat side.

Anyway, I would be interested to know if this helped and how you solved your problem.

Greetings,
Neo3000
__________________
BES 4.1.7 (20 servers), Domino 7.0.3 with 19000+ users
BES 5.0.2 (8 server), Exchange 2010 SP1 with 1000+ users
Old 05-07-2009, 11:04 AM   #3 (permalink)
MisterGriffiths

Quote: Originally Posted by Neo3000 (post #2 above)

Excellent thanks Neo3000, that's the KB I've been looking for to investigate another issue we have.

I will chat with the guys who look after the Proxies and see if we can use this in anyway to address this problem.

Will update this thread when I have the results.
Old 06-30-2009, 09:34 AM   #4 (permalink)
MisterGriffiths

Realise it has been some time since updating this thread.

We did resolve our issue of piggybacking by setting the Bluecoat Proxy Authentication Mode from 'ProxyIP' to 'Proxy' but have found some other issues in the process.

Users with passwords that exceed 14 characters are unable to authenticate through the BlackBerry Browser and any users with a colon (:) in their password are also unable to authenticate.

In addition to this, we find that any user who enters their password incorrectly on the first credentials request but then enters their password correctly on the second request, is once again prompted for their credentials a third time, even though on the second request they entered the correct password.

Has anyone else had any issues with passwords and authentication through the BlackBerry Browser?
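On the colon failure: the thread does not identify the mechanism, but one well-known way a colon in a password breaks authentication is a component that decodes an HTTP Basic credential by splitting on every colon instead of only the first. The following is an added example, not code from the thread or from either vendor, and treating this as the cause is an assumption; the credential values are constructed.

```python
# Added example, not from the thread: how an HTTP Basic credential carries a
# password that contains a colon, and how a parser that splits on every colon
# silently truncates it. Whether this is the cause of the failure above is an
# assumption; the thread does not identify the mechanism.
import base64


def encode_basic(user, password):
    """Build a Proxy-Authorization / Authorization value per RFC 7617."""
    if ":" in user:
        raise ValueError("user-id must not contain a colon")  # the RFC forbids it
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header):
    """Correct decoding: split at the FIRST colon only; everything after it is the password."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("malformed credential: no colon")
    return user, password


def decode_basic_buggy(header):
    """A parser that splits on every colon and keeps only the first two fields."""
    raw = base64.b64decode(header.partition(" ")[2]).decode("utf-8")
    fields = raw.split(":")
    return fields[0], fields[1]  # anything after the second colon is lost


if __name__ == "__main__":
    hdr = encode_basic("bbusera", "Sp:ring2009!")
    print(decode_basic(hdr))        # ('bbusera', 'Sp:ring2009!')
    print(decode_basic_buggy(hdr))  # ('bbusera', 'Sp')
```

The correct decoder also round-trips passwords of any length, which is a reminder that the 14-character limit reported above is not a property of the Basic scheme itself and has to be looked for elsewhere in the chain.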
Old 11-10-2009, 08:23 AM   #5 (permalink)
New Member

kinda similar issue

hi, i know this is a bit old now, but i have a similar-ish setup / issue:

our bluecoat proxy in transparent mode is set to 'cookie'

blackberry users are presented with an authentication form based on the client address (which is always the BES MDS box)

the BES MDS is set to accept cookies, http auth, sensible timeouts etc

this all works except...

PROBLEM:

when you navigate to a new site on the blackberry it prompts for credentials each time. it's fine so long as you stay within a domain, then it prompts for auth again.

any ideas on how to get around this?

thanks very much
Old 11-11-2009, 07:36 AM   #6 (permalink)
MisterGriffiths

Found this explanation of Form-Cookie mode in the Bluecoat KB.

Form-Cookie: A form is presented to collect the user's credentials. The cookies are set on the OCS domain only, and the user is presented with the form for each new domain. This mode is most useful in reverse proxy scenarios where there are a limited number of domains.


Would this not suggest the behaviour you are seeing is as expected? Or have I misunderstood the explanation?
Old 11-11-2009, 08:45 AM   #7 (permalink)
New Member

THANK YOU!!

you have sorted me out, that KB gave me the info i needed - what i have done is set the authentication to Form-Cookie-Redirect and now the auth persists across domains...

cheers
Old 11-11-2009, 08:48 AM   #8 (permalink)
MisterGriffiths

I meant to include a link to the KB, just realised I forgot so sorry about that.

Glad you have it sorted.

As you are in a similar configuration to us, do you know if you have any issues with passwords that are 15 characters or longer? Or if you use a Colon in the password, does this also fail?
Old 11-19-2009, 11:15 AM   #9 (permalink)
MisterGriffiths

That will learn me for giving help before getting my own question answered!!
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.