Simple answer: when handhelds use the BlackBerry Browser, their HTTP / HTTPS requests are proxied through the BES
Long answer: Copy and pasted from pp 46-47 of the "Feature and Technical Overview" document of BES 4.1 SP4 available at BlackBerry Technical Solution Center
The user requests content.
The user requests Internet or intranet content on the BlackBerry device.
The BlackBerry device sends the request.
The BlackBerry device sends the request over port 3101 to the BlackBerry Enterprise Server on which the user account resides. The BlackBerry Dispatcher sends the request to the BlackBerry MDS Connection Service over port 3200.
The BlackBerry MDS Connection Service retrieves the content.
The BlackBerry MDS Connection Service creates an HTTP session for the user and retrieves the requested content.
The BlackBerry MDS Connection Service converts the content and sends it to the BlackBerry Dispatcher.
The BlackBerry MDS Connection Service converts the content for viewing on the BlackBerry device and sends the content to the BlackBerry Dispatcher over port 3200.
The BlackBerry Dispatcher compresses and encrypts the content.
The BlackBerry Dispatcher compresses the content, encrypts it with the user's encryption key, and then sends it to the BlackBerry Router for delivery to the BlackBerry device.
The BlackBerry Router sends the content to the wireless network.
The BlackBerry Router sends the content over port 3101 to the wireless network, which verifies that the PIN belongs to a valid BlackBerry device that is registered on the wireless network.
The BlackBerry device returns a delivery confirmation.
The wireless network locates the BlackBerry device and delivers the content. The BlackBerry device sends a delivery confirmation to the BlackBerry Router. If the BlackBerry MDS Connection Service does not receive confirmation within the flow control timeout limit, it sends a cancellation to the wireless network for the pending content.
The BlackBerry device decompresses and decrypts the content.
The BlackBerry device decrypts and decompresses the content so that the user can view it. The BlackBerry device application detects the content and displays it on the BlackBerry device.