Preventing BIS users from accessing mail via OWA
 

Does anyone have a solution for preventing users who are *NOT* connected to our BES from accessing corporate email via OWA? Since these BIS users aren't managed from the BES, I can't stop them via policy....

Help, please!

There's nothing you can do here short of disabling OWA for these users.

Even if they were on your BES, you still couldn't prevent them from setting up BIS. Your IT policy can force all mail sent from the device to go through BES, but you can't prevent someone from setting up BIS mail and receiving those message son their handheld.

Well, thats part of the problem.... I'm not worried about the BES users since they already get their work email on the device. My real concern are people with their personal BB's getting enough of a clue to add their work email that way. Once this happens, I lose control of the email and it's subsequent replies.

I guess I could enable logging in IIS to start figuring out where the requests are coming from (BIS servers) and start dropping traffic to/from those addresses at the edge of the network, but there may be too many to make this effective.

I'm confused...what exactly are you losing control of? If they access their work email via OWA on their BB, it's like accessing any other website, isn't it? There is still tracking within Exchange that goes on for those emails....

Or am I missing something?

I presume that you want to allow OWA for some users / from some external addresses but not others?

If so, then I guess that you could block HTTPS access from the servers that RIM uses for BIS email (I'm assuming that you don't have HTTP OTA enabled). From where I am (UK) a quick check of the last few days' logs shows only requests from 216.9.241.xxx.

I don't see how accessing OWA via BIS is any less secure than any other random web browser, though...

Yep.. exactly what I'm shooting for.

Interesting... If I can narrow down the BIS traffic to a block of addresses, that would be ideal & very easy to restrict.

While security is always a concern, my big deal here is email archiving and retention. I need to be able to retain a copy of every email (and store them for 6 years). OWA via BIS is a 'threat' because once the email is pushed out of my organization and gets onto the unmanaged handheld, the subsequent replies will not be archived.

I'm hoping the the BIS servers here in the US are all coming from a common netblock as well.

Thanks.

Put something in front of OWA that will require two-factor authentication like RSA.

Waiting on RIM to get back to me w/ netblocks of the NA BIS servers...

In the meantime, I've denied access to OWA from *.bis.na.blackberry.com

Let's see how much of a load the reverse lookups cause. With this enabled, it has to do a reverse DNS lookup on EVERY connection to determine if it's coming from *.bis.na.blackberry.com. If thats the source of the connection, it is dropped.

Wish me luck :)