Unbelievably, I've had the whole "Outlook client in the DMZ" conversation and they're OK with that, assuming they can set up point-to-point rules on the internal firewall, only opening the necessary ports between our BES servers and our Exchange servers and SQL environment.
Does the Desktop Handheld Manager or Desktop Manager communicate with BES at all, or is it only with Exchange? I can't remember. That would ice it, LOL.
Moving the Router out to the DMZ is the one thing I'm holding on to. I'm also considering compromising a little and creating a BES segment (DMZ-like) that is separate from the corporate DMZ and separate from the internal LAN, but gives them the separation they want. Still a huge pain for managing the access control lists, though! Imagine the work that must be done every time a new application for BlackBerrys gets rolled out that needs to talk to some app server somewhere via MDS.
I've played with the Software Configuration and App Policy and think there is definite potential there. I'm not too worried about that latest "flaw" that certain media channels jumped all over. We run a very tight ship with our IT Policies and by disabling App Loader/3rd-party app downloads, etc. But the Software Config and App Policy would help improve that security immensely if using a blacklist/whitelist type of approach.
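To make the "separate BES segment with point-to-point rules" idea concrete, here is an added example (not code from the post above, and not anything from RIM/BlackBerry) that models such a segment as a default-deny policy between zones. The zone names, the host addresses and every port number are placeholders chosen for the example, not the real BES, Exchange or SQL port requirements. It shows what the ACL management burden looks like: each new BlackBerry application that must reach an internal app server through MDS is denied until a narrow host-to-host rule is added for exactly that flow.

```python
"""Point-to-point firewall policy model for a separate BES segment.

Added example, not from the original post or from RIM/BlackBerry. Zone names,
host addresses and port numbers are made-up placeholders, not the real
BES/Exchange/SQL port requirements.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: str          # CIDR or single host
    dst: str
    proto: str        # "tcp" or "udp"
    port: int
    comment: str

    def matches(self, src_zone, dst_zone, src_ip, dst_ip, proto, port):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and ip_address(src_ip) in ip_network(self.src, strict=False)
                and ip_address(dst_ip) in ip_network(self.dst, strict=False)
                and self.proto == proto and self.port == port)


class SegmentPolicy:
    """Default deny between zones; traffic inside one zone is not filtered here."""

    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, src_zone, dst_zone, src_ip, dst_ip, proto, port):
        if src_zone == dst_zone:
            return ("allow", None)
        for rule in self.rules:
            if rule.matches(src_zone, dst_zone, src_ip, dst_ip, proto, port):
                return ("allow", rule)
        return ("deny", None)

    def rule_needed_for(self, src_zone, dst_zone, src_ip, dst_ip, proto, port, comment):
        """Narrowest host-to-host rule that would permit the flow, or None if
        the policy already permits it."""
        verdict, _ = self.evaluate(src_zone, dst_zone, src_ip, dst_ip, proto, port)
        if verdict == "allow":
            return None
        return Rule(src_zone, dst_zone, f"{src_ip}/32", f"{dst_ip}/32", proto, port, comment)

    def add(self, rule):
        if rule not in self.rules:
            self.rules.append(rule)


# Constructed sample: one BES host in its own segment, Exchange and SQL inside.
BES = "10.50.0.10"          # hypothetical BES server in the "bes" segment
EXCHANGE = "10.10.0.20"     # hypothetical Exchange server on the internal LAN
SQL = "10.10.0.30"          # hypothetical SQL server holding the BES config DB
APP_SERVER = "10.10.0.40"   # hypothetical internal app server a new MDS app needs
DESKTOP = "10.10.5.5"       # hypothetical user workstation on the internal LAN

BASE_RULES = [
    Rule("bes", "internal", BES + "/32", EXCHANGE + "/32", "tcp", 5001, "BES -> Exchange (placeholder port)"),
    Rule("bes", "internal", BES + "/32", SQL + "/32", "tcp", 5002, "BES -> SQL (placeholder port)"),
]


def build_policy():
    return SegmentPolicy(BASE_RULES)


def demo():
    policy = build_policy()
    results = {}
    results["exchange"] = policy.evaluate("bes", "internal", BES, EXCHANGE, "tcp", 5001)[0]
    results["sql"] = policy.evaluate("bes", "internal", BES, SQL, "tcp", 5002)[0]
    # Same host, different port: the point-to-point rule does not cover it.
    results["exchange_other_port"] = policy.evaluate("bes", "internal", BES, EXCHANGE, "tcp", 5003)[0]
    # Nothing in the base rules lets a workstation reach into the BES segment.
    results["desktop_to_bes"] = policy.evaluate("internal", "bes", DESKTOP, BES, "tcp", 5001)[0]
    # A newly rolled-out BlackBerry app that talks to an app server through MDS.
    results["mds_app_before"] = policy.evaluate("bes", "internal", BES, APP_SERVER, "tcp", 8443)[0]
    needed = policy.rule_needed_for("bes", "internal", BES, APP_SERVER, "tcp", 8443, "MDS -> new app server")
    policy.add(needed)
    results["mds_app_after"] = policy.evaluate("bes", "internal", BES, APP_SERVER, "tcp", 8443)[0]
    results["rule_count"] = len(policy.rules)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The point of `rule_needed_for` is that every new MDS application becomes a ticket for one more `/32`-to-`/32` rule; the rule list grows linearly with the application count, which is exactly the ACL maintenance cost described above.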