Hello all
We have about 6 users with BB's using BIS (I believe this is the case since they no longer require a redirector on their pc's)
anyways, they all access email (on our exch 2003 server)
Since i am not all that familiar with BB's can someone explain to me if the communications between BB's and exchange is encrypted and or what type authentication takes place?
We are a small office and to date haven't paid too much attention to the security aspects of using these devices

thank you for any info/input

Like a BES, a BIS is the front end for the BlackBerry infrastructure. Every bit of data that goes over the infrastructure is definitely encrypted.

After asking a friend at a carrier, who asked a friend at RIM, all messages from the BIS to the handheld are also encrypted with the same algorithm.

From Exchange to the infrastructure is handled by your company.
Between BB's everything is encrypted.

for your reply

Would you happen to know how TLS works with BB's?
If i set it up on my exchange server, will the devices require any special config?

Well with TLS you need to exchange certificates proving your identity. You would most probably have to set up a PKI infrastructure and issue certificates to your Exchange server and each of your BB clients.

If you are running windows 2003 server there is a Certificate Authority included with it that will tie into your Active Directory and Exchange for certificate exchange.



Cheers.

I think what i would do is buy a 3rd party certificate
but what has me confused is how the whole thing works with BIS (essentially being a middleman)
if encryption is already in place for comm between BIS (servers) and the device, then how would the cert be presented to the BB's?
sorry, i'm new to this stuff
and again, thx for your help

It all depends how you are having BIS access your Exchange server.

The connection to the BIS <-> Handhelds is always encrypted, so let's take that out of the equation.

Now the other component is how is BIS accessing your Exchange server. Three choices, OWA, POP, or IMAP. My guess, and the way it is configured by default is through OWA. Now if your OWA server requires SSL, then BIS will HAVE to use SSL just like any other user connecting. So then you have your end to end connection totally encrypted. If you don't have SSL set up on OWA then you need to get a Cert signed by a CA, and configure it. There is plenty of help on the internet to get you Exchange server setup for that...

If you are having BIS use POP or IMAP to access the Exchange server (no real reason not to use the default OWA type connection though), then you need to configure and require TLS on those services on your Exchange front-end (or single server I'm guessing). It is usually just easier to use the OWA method.

The main advantage you gain by making sure the connection between the BIS and your Exchange organization are encrypted, is that passwords are NOT sent in the clear and any email that flows within your organization stays private the entire time.

hi, thx
i checked on user's BIS page setup and apparently it's using IMAP
Now, i'm ok with that since we do nor use OWA
but if i check that TLS requirement checkbox then i will still need to get a certificate right?
and how will the BIS server deal with my certificate?