BlackBerry Forums Support Community

jpom · 07-10-2008, 09:44 AM

I did a quick search but could not find anything regarding this on the forum, and I'm not really sure that this is the right spot to post it in but I figured it fit better here then anywhere else.

A little background, I work for a law firm and we have a strict policy regarding blackberries. As a rule we don't allow personal PDA/Smartphone/BB devices access to the network, email, etc. This is due to the fact that when you make what a lawyer makes leaving behind a piddly $500 phone means you just have to go out and buy the newest model. Of course what escapes them is the fact that the BB or whatever has all their recent emails on them which can be a huge risk. At least with the BES we have the ability to enforce a security policy and if the device is still in service range we can remotely wipe it etc.

Anyways yesterday it was brought to my attention that we have a user who went out and purchased a BB Pearl, and as it turns out he is able to access his corporate account over what I assume is a BIS connection. All he has to do is setup a mail account with his corporate email/password and apparently BIS is able to determine the rest of the settings. I did some checking and it appears as though it is using the OWA settings to access the corporate email, we do allow out users to access their email from a web browser by going to exchange.*****.com, and from what I can tell by the email settings on the blackberry it is connecting to the same site to download corporate email to the device.

This issue with this is that it's one thing to access OWA from a web browser on desktop computer that retains no messages after logging out but its completely another that we could have who knows how many people using BB devices who are downloading their corporate emails directly to the devices with no security policy, and without the IT departments knowledge.

In the end maybe we're being paranoid but the fact is that this is an issue for us, so my question would be does anyone know how to prevent the BB's from being able to access these corporate accounts while still leaving OWA accessible??

Sorry for the long post and TIA,
James

--Edit--
Just as a side note, adding these people to the BES is a last resort type of option as our Managing Partner does not want to buy BES CAL's for users unless they are approved by him to have BB access.

knottyrope · 07-10-2008, 01:15 PM

Sounds like it is imitating OMA for access.
You can tell if you install the mobileadmin package on exchange.

We use SSL certs for OMA with ISA. No cert = no email. the cert is not installed on the domain controller so each user has to have it manually entered.

If you have no cert then anyone can access it with a password with most mobile devices.

jpom · 07-10-2008, 02:11 PM

Thanks for the reply knotty, it gave me a couple things to try, unfortunately I can now confirm that BIS does in fact use OWA (I disabled OMA to test) to access the exchange server. I can block access by disabling OWA and then deleting and trying to re-create the account the handheld, at which point it tells me it cannot connect to the server, however disabling OWA is not a viable option for us and as soon as I re-enable it the blackberry is able to connect again.

Preferably I would like to be able to fix this rather then work around it with security certs etc however at this point I am thinking that that might not be possible.

Still open to any ideas anyone has.

TIA,
James

knottyrope · 07-10-2008, 03:33 PM

You could block BIS server IPs at the firewall unless the devices are connecting direct to it.

OrangeNBlueBerry · 07-10-2008, 03:57 PM

Thinking out loud: IP address and domain name restrictions in OWAadmin in IIS ... hmmm ... not really sure that'll work... need to keep thinking ...

jpom · 07-10-2008, 04:03 PM

That's excatly what I've done is blocked the BIS servers located here

BlackBerry Search Results

via the IIS default website

It's not really an ideal solution but it seems to work, I can still "connect" the blackberry to the server however email sending and receiving does not work, so far that looks about as good as it's going to get.

Thanks for the help

James

OrangeNBlueBerry · 07-10-2008, 04:14 PM

Glad to know that worked, at least in a non-ideal way. The only other route I can think of is disabling OWA for that user, which is likely not an acceptable option for him/her.
Setting up BIS email access on a BB through an OWA connection is a pretty simple and interesting path, as you don't have to offer IMAP or POP, but I now see the dilemma you were facing. Good luck.

CO_BBTechie · 07-10-2008, 04:21 PM

Here's a fresh idea. Tell them it's not allowed, and then see how many try to get away with it. Perhaps fine them or fire them.... they're lawyers, and should understand the implications.

jpom · 07-10-2008, 04:39 PM

Would be a great idea except for a few factors, one being that if they are managing partners then fine/fire is not an option as both would need the consent of all the other board members and it's just not going to happen. Two is that they are lawyers and they're going to do whatever they want whether they're allowed or not. Three is trying to monitor the people using them would be tedious as it would basically require going through the IIS logs on a daily basis and searching for the IP's listed in link in my previous posts.

I really do wish that it were as simple as telling them NO! but in the end I would rather act proactivly and block the IP's rather then having a situation where a user that may not have been noticed in the logs loses a blackberry that is connected to the corporate email even though it's not supposed to be.

Anybody whose worked with lawyers before can probably tell you that they are more like spoiled children who need to be babysat then adults with an ounce of common sense, or maybe that's just my experience.

OrangeNBlueBerry · 07-10-2008, 07:13 PM

Attorneys - HTTA - Holier Than Thou Attitude ... feel for you man...

hdawg · 07-11-2008, 06:36 AM

Quote:

Originally Posted by jpom

That's excatly what I've done is blocked the BIS servers located here

BlackBerry Search Results

via the IIS default website

It's not really an ideal solution but it seems to work, I can still "connect" the blackberry to the server however email sending and receiving does not work, so far that looks about as good as it's going to get.

Thanks for the help

James

This is really the least invasive way to do it. It works and it works well.

lawson23 · 07-30-2008, 04:02 PM

Ok I have tried this using this list of IP's:
IP Address Netmask
206.51.26.0 Netmask = 255.255.255.0
193.109.81.0 Netmask = 255.255.255.0
204.187.87.0 Netmask = 255.255.255.0
206.53.144.0 Netmask = 255.255.240.0
216.9.240.0 Netmask = 255.255.240.0
67.223.64.0 Netmask = 255.255.224.0
93.186.16.0 Netmask = 255.255.248.0

These were taken from this site:
blackberry_com/btsc/articles/644/KB11036_f.SAL_Public.html
SUBSTITUTE
blackberry_com
for
blackberry.com

This doesn't seem to work as after entering in these denied groups of IP's in IIS under the owa site it still is communicating with the blackberry.

On my blackberry I have:
my connection via BES
An added connection through personal mail setup. The personal mail setup still gets mail to and from it.

Any ideas?

knottyrope · 07-30-2008, 04:08 PM

via the IIS default website not OWA

Try that and test again

lawson23 · 07-30-2008, 04:10 PM

It is the default website sorry I guess I should have clarified this specifically.

I also have restarted the website and World Wide Web Publishing Service.

shashinp5 · 07-30-2008, 04:20 PM

I am actually interested in this as well. Can those IPs be blocked at the firewall level before they even hit OWA or BES?

I'm trying to get a picture of what the connection diagram looks like, let me know if this is accurate:

End User BB-->Wireless Provider-->RIM BIS Servers (IP tables above)-->Corporate Firewall-->Corporate BES-->Exchange FE/OWA Host

shashinp5 · 07-30-2008, 04:23 PM

One thing to add....we want to prohibit BIS access to Exchange, but we don't want to prohibit personal accounts such as Gmail, Hotmail, etc. Would this still be doable somehow by changing it at the OWS IIS level?

lawson23 · 07-31-2008, 08:21 AM

Ok here is a picture of my denied list. All I did is applied this to the Default Web Site. Any ideas????

knottyrope · 07-31-2008, 08:23 AM

If you lock the BIS servers at the firewall then they will never connect.
Just block BIS IP's incoming ports 80 and 443 for SSL.

Wonder if forms based authentication with SSL through ISA would help with this issue.

dpuckett · 08-11-2008, 06:36 PM

Not to highjack this thread but I have a related question. We have a couple users with BB now and I am curious about how the authentication works. Is the username and password only stored on the device or is it sent up to RIM where it then does the authentication for the user. Having company ID and PW's stored on a third parties server is a bit concerning to me. Any information you can provide would be appreciated.

knottyrope · 08-11-2008, 07:10 PM

For BES no password or user accounts are stored at RIM.
It is PIN of the BB to SRP of the BES.

On BIS the password and user ID is on the phone, IIRC

For the web forwarding it is on RIMs servers.

BlackBerry Forums Support Community

Disable BIS access to Exchange Server