BES has to reach https://www.blackberry.com/Desktop/D...XML/Device.xml
which is a secure site and that needs the https port ( =443) open (outgoing). So if you can reach this site on Internet Explorer on BES, the process for updating device.xml on BES itself will most probably also be able to reach it.
To check if the device.xml has updated, in the main BES database, there's a GlobalSettings table with a number of columns...but two very important ones: deviceXML and vendorXML. These columns actually hold all the XML content.
Check if those contain your devices.