BlackBerry Forums Support Community               

Old 06-04-2007, 05:19 PM   #1 (permalink)
CrackBerry Addict
 
Join Date: Oct 2006
Location: Fairfield, CT
Model: 9930
OS: 7.1.0.755
Carrier: VZW
Posts: 618
Post Thanks: 0
Thanked 3 Times in 3 Posts
Default Preventing BIS users from accessing mail via OWA


Does anyone have a solution for preventing users who are *NOT* connected to our BES from accessing corporate email via OWA? Since these BIS users aren't managed from the BES, I can't stop them via policy....

Help, please!
__________________
BB devices I've owned: 957 : 7750 : 7250 : 8703e : 8830 : 9530 : 9630 : 9650 : 9930 : 64GB PB

BES 5.0.4 ~ BES 10.1
Offline  
Old 06-04-2007, 05:49 PM   #2 (permalink)
BlackBerry God
 
penguin3107's Avatar
 
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701
Post Thanks: 1
Thanked 237 Times in 219 Posts
Default

Quote:
Originally Posted by jgb@etree View Post
Does anyone have a solution for preventing users who are *NOT* connected to our BES from accessing corporate email via OWA? Since these BIS users aren't managed from the BES, I can't stop them via policy....

Help, please!
There's nothing you can do here short of disabling OWA for these users.

Even if they were on your BES, you still couldn't prevent them from setting up BIS. Your IT policy can force all mail sent from the device to go through BES, but you can't prevent someone from setting up BIS mail and receiving those messages on their handheld.
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org
Offline  
Old 06-04-2007, 07:06 PM   #3 (permalink)
CrackBerry Addict
 
Join Date: Oct 2006
Location: Fairfield, CT
Model: 9930
OS: 7.1.0.755
Carrier: VZW
Posts: 618
Post Thanks: 0
Thanked 3 Times in 3 Posts
Default

Quote:
Originally Posted by penguin3107 View Post
There's nothing you can do here short of disabling OWA for these users.
Well, that's part of the problem.... I'm not worried about the BES users since they already get their work email on the device. My real concern is people with their personal BB's getting enough of a clue to add their work email that way. Once this happens, I lose control of the email and its subsequent replies.

I guess I could enable logging in IIS to start figuring out where the requests are coming from (BIS servers) and start dropping traffic to/from those addresses at the edge of the network, but there may be too many to make this effective.
__________________
BB devices I've owned: 957 : 7750 : 7250 : 8703e : 8830 : 9530 : 9630 : 9650 : 9930 : 64GB PB

BES 5.0.4 ~ BES 10.1
Offline  
Old 06-04-2007, 07:10 PM   #4 (permalink)
iPhone Convert
 
juwaack68's Avatar
 
Join Date: Oct 2005
Location: Tulip City - MI
Model: iP5
OS: 6.0.2
PIN: to beans
Carrier: I'm not
Posts: 13,875
Post Thanks: 3
Thanked 72 Times in 55 Posts
Default

I'm confused...what exactly are you losing control of? If they access their work email via OWA on their BB, it's like accessing any other website, isn't it? There is still tracking within Exchange that goes on for those emails....

Or am I missing something?
__________________
No longer a BES Admin, but it was fun while it lasted!
Offline  
Old 06-04-2007, 09:15 PM   #5 (permalink)
Ugg
Thumbs Must Hurt
 
Join Date: Dec 2006
Model: 8310
OS: 4.5
Carrier: O2
Posts: 197
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I presume that you want to allow OWA for some users / from some external addresses but not others?

If so, then I guess that you could block HTTPS access from the servers that RIM uses for BIS email (I'm assuming that you don't have HTTP OTA enabled). From where I am (UK) a quick check of the last few days' logs shows only requests from 216.9.241.xxx.

I don't see how accessing OWA via BIS is any less secure than any other random web browser, though...
Offline  
Old 06-05-2007, 06:19 AM   #6 (permalink)
CrackBerry Addict
 
Join Date: Oct 2006
Location: Fairfield, CT
Model: 9930
OS: 7.1.0.755
Carrier: VZW
Posts: 618
Post Thanks: 0
Thanked 3 Times in 3 Posts
Default

Quote:
Originally Posted by Ugg View Post
I presume that you want to allow OWA for some users / from some external addresses but not others?

If so, then I guess that you could block HTTPS access from the servers that RIM uses for BIS email (I'm assuming that you don't have HTTP OTA enabled). From where I am (UK) a quick check of the last few days' logs shows only requests from 216.9.241.xxx.

I don't see how accessing OWA via BIS is any less secure than any other random web browser, though...
Yep.. exactly what I'm shooting for.

Interesting... If I can narrow down the BIS traffic to a block of addresses, that would be ideal & very easy to restrict.

While security is always a concern, my big deal here is email archiving and retention. I need to be able to retain a copy of every email (and store them for 6 years). OWA via BIS is a 'threat' because once the email is pushed out of my organization and gets onto the unmanaged handheld, the subsequent replies will not be archived.

I'm hoping the BIS servers here in the US are all coming from a common netblock as well.

Thanks.
__________________
BB devices I've owned: 957 : 7750 : 7250 : 8703e : 8830 : 9530 : 9630 : 9650 : 9930 : 64GB PB

BES 5.0.4 ~ BES 10.1
Offline  
Old 06-05-2007, 08:55 AM   #7 (permalink)
x14
BlackBerry Extraordinaire
 
Join Date: Jul 2005
Location: NYC
Model: 9800
OS: 6.0.0.546
Carrier: AT&T
Posts: 2,344
Post Thanks: 0
Thanked 17 Times in 16 Posts
Default

Put something in front of OWA that will require two-factor authentication like RSA.
__________________
Exchange 2007/BES 5.0.2 MR2
Offline  
Old 06-05-2007, 01:52 PM   #8 (permalink)
CrackBerry Addict
 
Join Date: Oct 2006
Location: Fairfield, CT
Model: 9930
OS: 7.1.0.755
Carrier: VZW
Posts: 618
Post Thanks: 0
Thanked 3 Times in 3 Posts
Default

Waiting on RIM to get back to me w/ netblocks of the NA BIS servers...

In the meantime, I've denied access to OWA from *.bis.na.blackberry.com

Let's see how much of a load the reverse lookups cause. With this enabled, it has to do a reverse DNS lookup on EVERY connection to determine if it's coming from *.bis.na.blackberry.com. If that's the source of the connection, it is dropped.

Wish me luck
__________________
BB devices I've owned: 957 : 7750 : 7250 : 8703e : 8830 : 9530 : 9630 : 9650 : 9930 : 64GB PB

BES 5.0.4 ~ BES 10.1
Offline  
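
The log review proposed in posts #3 and #6 (use IIS logging to see which source addresses reach OWA and whether they collapse into a few netblocks), shown here as an added example that is not part of the original thread. The function names, the OWA paths `/exchange` and `/owa`, and the sample log lines (documentation address ranges) are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter

# Assumption: OWA is published under /exchange (Exchange 2003) or /owa (2007).
OWA_PREFIXES = ("/owa", "/exchange")
# Constructed sample in IIS W3C extended format (documentation address ranges).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2007-06-04 17:01:10 GET /exchange/jdoe/Inbox jdoe 192.0.2.14 ExampleProxy/1.0 200
2007-06-04 17:02:31 GET /exchange/asmith/Inbox asmith 192.0.2.77 ExampleProxy/1.0 200
2007-06-04 17:05:02 GET /exchange/jdoe/Inbox jdoe 192.0.2.201 ExampleProxy/1.0 200
2007-06-04 17:06:44 GET /exchange - 198.51.100.9 Mozilla/4.0+(compatible) 401
2007-06-04 17:06:45 GET /exchange/bwong/Inbox bwong 198.51.100.9 Mozilla/4.0+(compatible) 200
2007-06-04 17:09:12 GET /default.htm - 203.0.113.5 Mozilla/4.0+(compatible) 200
"""

def owa_requests(lines):
    """Yield (client_ip, username) for every logged request to an OWA path."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                    # truncated or malformed row
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "").lower()
        if "c-ip" in row and stem.startswith(OWA_PREFIXES):
            yield row["c-ip"], row.get("cs-username", "-")

def netblock_summary(lines, prefix_len=24):
    """Return [(netblock, hits, users)] for OWA traffic, busiest block first."""
    hits, users = Counter(), {}
    for ip, user in owa_requests(lines):
        try:
            net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        except ValueError:
            continue                    # c-ip was not a valid address
        hits[net] += 1
        users.setdefault(net, set()).add(user)
    # "-" in cs-username marks an unauthenticated request, so drop it from users.
    return [(str(n), c, sorted(users[n] - {"-"})) for n, c in hits.most_common()]

if __name__ == "__main__":
    for block, count, who in netblock_summary(SAMPLE_LOG.splitlines()):
        print(f"{block:18} {count:3} requests  users: {', '.join(who) or '-'}")
```

The /24 grouping only produces candidates for review; a block shared with other clients would also be cut off, so the ranges need confirming with the provider, as post #8 is waiting to do, before they are denied at the edge.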
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.